How Antivirus Works? Dynamic and Behavioral Detection
<blockquote data-quote="Andy Ful" data-source="post: 1117922" data-attributes="member: 32260">
<p>Microsoft Defender and Kaspersky have excellent behavioral detection based on Machine Learning models. So why can Kaspersky AV score better in Real-World tests?</p>
<p>[URL unfurl="false"]https://malwaretips.com/threads/the-best-home-av-2023-2024-av-test-av-comparatives.134865/post-1117751[/URL]</p>
<p>The answer is probably included in the video:</p>
<p>[MEDIA=youtube]qmKa2_eITIY[/MEDIA]</p>
<p>As we can see, some FUDs (Fully UnDetectable malware) are detected only after the execution, when some malicious actions are already done. Microsoft decided to fight such malware as follows:</p>
<ol>
<li data-xf-list-type="ol">Enabled SmartScreen (in Edge and for Windows Explorer).</li>
<li data-xf-list-type="ol">Enabled ASR rules (especially the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria").</li>
<li data-xf-list-type="ol">Post-execution behavioral detection.</li>
</ol>
<p>If the user has enabled SmartScreen, the FUDs are mainly blocked, so there is no visible difference between Microsoft Defender (MD) and top AVs.</p>
<p>If SmartScreen is disabled or the user ignores SmartScreen alerts, enabling advanced settings in MD is necessary to efficiently prevent FUDs. If not, then MD uses post-execution behavioral detection, which is as good as Kaspersky's, but <strong><span style="color: rgb(0, 168, 133)">Kaspersky can efficiently reverse the changes made by the Malware (like encrypted files),</span></strong> <span style="color: rgb(184, 49, 47)"><strong>and MD often cannot.</strong></span></p>
<p><strong>Edit.</strong></p>
<p>One could ask: Can such MD post-execution protection be useful?</p>
<p>Yes, it can (although imperfect). The first victim is infected, but others will be protected in a few minutes.</p>
</blockquote>
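The post above lists three Defender layers: SmartScreen for Explorer, the ASR rule for low-prevalence executables, and post-execution behavior monitoring. The script below is an added example (not code from the post or from Microsoft) that audits the state of those three layers on a Windows 10/11 host and, with the `-Apply` switch, turns each one on. It assumes an elevated PowerShell session with the Defender module available, and it assumes the Explorer SmartScreen setting lives in the `SmartScreenEnabled` registry value (`"Off"` disables it; the other accepted values differ between Windows builds). The ASR rule GUID is Microsoft's published identifier for the rule the post names; everything else (function names, the "NotSet"/"NotConfigured" labels) is this example's own.

```powershell
<#
  Added example, not part of the forum post: audit and optionally enable the
  three Defender layers the post lists. Run elevated. Assumes the Defender
  PowerShell module (Get-MpPreference etc.) and that Explorer SmartScreen is
  controlled by the registry value SmartScreenEnabled.
#>
[CmdletBinding()]
param([switch]$Apply)

# Microsoft's rule ID for "Block executable files from running unless they
# meet a prevalence, age, or trusted list criterion".
$UntrustedExeRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Get-AsrRuleState {
    # Returns the configured action for one ASR rule, or 'NotConfigured'.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            # Action codes as reported by Get-MpPreference
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Get-ExplorerSmartScreenState {
    # 'NotSet' when the value is absent; otherwise the raw string ("Warn", "Off", ...).
    $item = Get-ItemProperty -Path $ExplorerKey -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.SmartScreenEnabled) { return 'NotSet' }
    return [string]$item.SmartScreenEnabled
}

function Get-DefenderLayerReport {
    # One object summarising the three layers from the post.
    $pref = Get-MpPreference
    $behavior = if ($pref.DisableBehaviorMonitoring) { 'Disabled' } else { 'Enabled' }
    [PSCustomObject]@{
        ExplorerSmartScreen = Get-ExplorerSmartScreenState
        UntrustedExeAsrRule = Get-AsrRuleState -RuleId $UntrustedExeRuleId
        BehaviorMonitoring  = $behavior
    }
}

$before = Get-DefenderLayerReport
'Before:'
$before | Format-List

if ($Apply) {
    # 1. SmartScreen for Windows Explorer: "Warn" prompts on unrecognised apps.
    #    (Assumption: "Warn" is accepted on this build; older builds used "RequireAdmin".)
    if ($before.ExplorerSmartScreen -ieq 'Off' -or $before.ExplorerSmartScreen -eq 'NotSet') {
        Set-ItemProperty -Path $ExplorerKey -Name SmartScreenEnabled -Value 'Warn'
    }
    # 2. ASR rule in block mode. Add-MpPreference merges with rules already set.
    if ($before.UntrustedExeAsrRule -ne 'Block') {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $UntrustedExeRuleId `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
    # 3. Post-execution behavioral detection (behavior monitoring).
    if ($before.BehaviorMonitoring -ne 'Enabled') {
        Set-MpPreference -DisableBehaviorMonitoring $false
    }
    'After:'
    Get-DefenderLayerReport | Format-List
}
```

Run it without arguments to see which of the three layers are actually in force on a machine (this is the quickest way to tell a "Defender with SmartScreen ignored" configuration from a fully layered one), and with `-Apply` to enable the missing ones. The ASR rule is set to block mode rather than audit because the post's point is prevention before execution; switch the action to `AuditMode` first if you want to measure how many legitimate low-prevalence executables it would stop in your environment.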