Hot Take: Kaspersky is overestimated, while Microsoft Defender is underestimated

Parkinsond
Thread author
Dec 6, 2023
I have downloaded the latest 15 ps1 samples from MalwareBazaar and made two copies, each one in a separate folder.
Scanned one folder with Kaspersky Free antivirus and the other with Microsoft Defender.

Both detected only 7 samples; samples missed by K were not exactly those missed by MD.
Both deleted detections successfully; there was no significant difference in duration of scan or deletion.

MD just needs better web protection and harder self-defense, with the ability to roll back files encrypted by ransomware, to be on par with K.
 
Thanks for sharing your experience. It seems both Kaspersky and Microsoft Defender have their strengths and weaknesses. Your suggestion about improving MD's web protection and self-defense is noteworthy.
 
One has to realize that unless you are a prolific 0-day pirated games/app downloader or a highly important official, the risk of being infected by some rare strain that no other AV detects is extremely low!

Most AVs have definitions by day 2 of malware hitting the web... unless it's a very small user sample, thus a highly targeted (spear-phishing) bug.
 
MD just needs better web protection and harder self-defense, with the ability to roll back files encrypted by ransomware, to be on par with K.
It's very difficult for a home user to get infected these days, if not "impossible", even using MD. Unless they don't know what they're doing and go around the web clicking on everything they see, downloading pirated software, pirating games, disabling their antivirus and so on. Today, the biggest risk is for corporate users, not home users. I even downloaded a PS1 sample and I thought it wouldn't detect it, but it did, as you can see below. :)
[screenshot attachment]
 
One has to realize that unless you are a prolific 0-day pirated games/app downloader or a highly important official, the risk of being infected by some rare strain that no other AV detects is extremely low!

Most AVs have definitions by day 2 of malware hitting the web... unless it's a very small user sample, thus a highly targeted (spear-phishing) bug.
And the samples missed by K and MD were also missed by other AVs; for example, sample 4 was missed by K but detected by MD and ESET only; sample 9 was missed by MD but detected by K and B; sample 11 was missed by both K and MD, and also by ESET and B, but detected by Avast-AVG.

The only guarantee of safety is your way of thinking and behavior, no matter what security suite is installed on your PC.
 
It's very difficult for a home user to get infected these days, if not impossible, even using MD. Unless they don't know what they're doing and go around the web clicking on everything they see, downloading pirated software, pirating games, disabling their antivirus and so on. Today, the biggest risk is for corporate users, not home users. I even downloaded a PS1 sample and I thought it wouldn't detect it, but it did, as you can see below. :)
This trojan was one of the included samples 😁


Agree, the corporate sector is the main target (those from whom you can get lots of money), but home users are exposed to accidental infection too.


My son caught an infection from game mods before (he likes gaming too much); once upon a time, I had the bad passion of installing and testing new and uncommon software, even from unofficial sources.
Fortunately, neither of our files were encrypted by such infections.
 
Not impossible, as the forums that do malware removal, such as Bleeping Computer and Malwarebytes, are always busy with people looking for help.
Yes, you're right, I'll correct the "impossible" in my post. It's just that when I sometimes quote a domestic user, sometimes I compare myself and people who are well informed and have a certain knowledge like many members here on MT and that's not quite how it is.
 
Yes, you're right, I'll correct the "impossible" in my post. It's just that when I sometimes quote a domestic user, sometimes I compare myself and people who are well informed and have a certain knowledge like many members here on MT and that's not quite how it is.
And all the time, "prevention is better than cure"; my aim is pre-execution, not post-execution, measures.
 
I have downloaded the latest 15 ps1 samples from MalwareBazaar and made two copies, each one in a separate folder.
Scanned one folder with Kaspersky Free antivirus and the other with Microsoft Defender.

Both detected only 7 samples; samples missed by K were not exactly those missed by MD.
Both deleted detections successfully; there was no significant difference in duration of scan or deletion.

MD just needs better web protection and harder self-defense, with the ability to roll back files encrypted by ransomware, to be on par with K.
I would like to see an increase in sample size before coming to conclusions; 15 is too small a sample size to conclude anything.
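To make the comparison in the opening post and the sample-size objection concrete, here is an added Python example (not the poster's data or any forum member's tooling). It tallies which engines flagged which samples from a constructed results table and puts a Wilson 95% confidence interval around a detection rate, which is the quantitative form of "15 is too small". Only a few facts are taken from the thread (K and MD each flag 7 of 15; sample 4 is flagged by MD and ESET only; sample 9 by K and B only; sample 11 by AVG only); the rest of the table and all sample ids are made up for illustration.

```python
"""Cross-engine detection tally with a confidence interval on the rate.

Constructed illustration: the results table below is NOT real scan data.
"""
from math import sqrt

# Engine short names as used in the thread (K = Kaspersky, MD = Microsoft
# Defender, B = Bitdefender, AVG = Avast/AVG). ESET is spelled out.
ENGINES = ["K", "MD", "ESET", "B", "AVG"]

# Constructed results: sample id -> set of engines that flagged it.
# Facts from the thread are marked; every other row is invented.
RESULTS = {
    "s01": {"K", "MD", "ESET", "B", "AVG"},
    "s02": {"K", "MD", "ESET", "B", "AVG"},
    "s03": {"K", "MD", "ESET", "B"},
    "s04": {"MD", "ESET"},          # thread: missed by K, MD + ESET only
    "s05": {"K", "MD", "B", "AVG"},
    "s06": {"K", "MD", "ESET"},
    "s07": {"ESET", "B"},
    "s08": {"MD", "B", "AVG"},
    "s09": {"K", "B"},              # thread: missed by MD, K + B only
    "s10": {"K", "AVG"},
    "s11": {"AVG"},                 # thread: only Avast-AVG caught it
    "s12": set(),
    "s13": {"ESET"},
    "s14": set(),
    "s15": {"B", "AVG"},
}


def detections(results, engine):
    """Sample ids the given engine flagged."""
    return {sid for sid, hits in results.items() if engine in hits}


def detection_table(results, engines):
    """Per engine: (number detected, sorted list of missed sample ids)."""
    table = {}
    for eng in engines:
        hit = detections(results, eng)
        table[eng] = (len(hit), sorted(set(results) - hit))
    return table


def missed_by_both(results, a, b):
    """Samples neither engine a nor engine b flagged."""
    return sorted(sid for sid, hits in results.items() if not hits & {a, b})


def missed_by_all(results, engines):
    """Samples no engine in the list flagged (the 'nobody caught it' set)."""
    return sorted(sid for sid, hits in results.items() if not hits & set(engines))


def detected_by_any(results, engines):
    """How many samples at least one of the listed engines flagged."""
    return sum(1 for hits in results.values() if hits & set(engines))


def wilson_interval(hits, n, z=1.96):
    """Wilson score interval for the proportion hits/n (z=1.96 -> 95%).

    Preferred over the naive p +/- z*sqrt(p(1-p)/n) because it behaves
    sensibly for small n and rates near 0 or 1.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def report(results, engines):
    """Human-readable summary lines for the whole table."""
    n = len(results)
    lines = []
    for eng, (count, missed) in detection_table(results, engines).items():
        lo, hi = wilson_interval(count, n)
        lines.append(f"{eng:5s} {count}/{n} detected "
                     f"(95% CI {lo:.0%}-{hi:.0%}); missed {missed}")
    lines.append(f"K or MD caught {detected_by_any(results, ['K', 'MD'])}/{n}; "
                 f"both missed {missed_by_both(results, 'K', 'MD')}")
    lines.append(f"missed by every engine: {missed_by_all(results, engines)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RESULTS, ENGINES)))
```

With n = 15, a 7/15 result carries a 95% interval of roughly 25% to 70%, so two engines that both score 7/15 could in truth differ widely; the same 47% observed on 150 samples narrows to about 39% to 55%. The set functions also show why "both missed 8" is not the same as "both missed the same 8": in the constructed table K and MD together catch 9 of 15, and only two samples evade every engine listed.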
 
The problem is, how would you know if you're infected these days? The scene has come a long way from IRC bots. I just assume I am somewhat pwned in some capacity. If the malware resides in memory, gets deleted upon shutdown/reboot, and deletes log/event viewer files or manipulates them, how would you know? Also, how could you know your BIOS or UEFI is infected, or your network card, or your GPU? How would you know your HD/SSD firmware is infected? These may be edge cases and I'm sure bazang would call me paranoid, but someone in their 20s could grow into an important government official or business leader. It's a worry.
 
The problem is, how would you know if you're infected these days? The scene has come a long way from IRC bots. I just assume I am somewhat pwned in some capacity. If the malware resides in memory, gets deleted upon shutdown/reboot, and deletes log/event viewer files or manipulates them, how would you know? Also, how could you know your BIOS or UEFI is infected?
I have the obsession of BIOS infection all the time, but I do not have the courage to flash; I may end up with a broken rig.
 
I have the obsession of BIOS infection all the time, but I do not have the courage to flash; I may end up with a broken rig.
Older PCs, yes, it's a worry, but anything created in the last 5 years is very safe to flash with an official BIOS, including CPU microcode. You either get it through the manufacturer's website or their update tools/suite, or as a last resort Windows Update. The days of borking your PC/laptop/mobile/tablet through firmware updates are over and have been stress-free for years. The only thing you need to worry about is the manufacturer leaking private keys, which is a problem in the current environment.
 
Older PCs, yes, it's a worry, but anything created in the last 5 years is very safe to flash with an official BIOS, including CPU microcode. You either get it through the manufacturer's website or their update tools/suite, or as a last resort Windows Update. The days of borking your PC/laptop/mobile/tablet through firmware updates are over and have been stress-free for years.
I have two, one manufactured 2012 and the other one 2008 😐
 
How would you know your HD/SSD firmware is infected?
I was chatting with @Parkinsond and my internet connection went down and I went offline. I thought it was the firewall that was blocking something, and it wasn't; the local connection was OK. I accessed the router settings and had access, but still without access to the internet. That's when I noticed that I wasn't accessing the secondary router; I had to go there and turn it off, wait a few minutes, and turn it on, and the web connection worked again.

BTW @Zero Knowledge, you touched on a very important subject. The other day a security researcher found a flaw or bug in SSDs; if my memory serves me right it was on the BleepingComputer website. I don't know if it was all the manufacturers of these SSDs. All I know is that in the SSD the manufacturer left a small-capacity area where malware could take advantage of this flaw and remain persistent even after formatting, and that AVs wouldn't even detect it because it would be undetectable in that area. I found the news, published on December 30, 2021: "Firmware attack can drop persistent malware in hidden SSD area". I found the SSD news that I mentioned; I keep things, and I was right. It's obvious that technology news sites are among the favorite home pages of my browser, and Bleeping Computer is one of them. I had to find it, otherwise people might think I'm making it up or even lying. ;)
 