Known Problems with Most Common AV's

Not open for further replies.


Level 24
Top Poster
May 16, 2018
Many false and misguiding information is posted here, including personal opinions which doesn't reflect the products general usage problems. Not including the products version in which the bugs/problems listed still persists/are worked on by development of company X is another problem, as many new readers who want to chose appropriate Antivirus for their system, might mistakenly get steered away by reading this topic, if first post is not frequently updated with the latest news and code repaired/adjusted in X antivirus software. I like the idea, but by listing that somebody said that "product X has high memory usage/UI is childish" is just innacurate to "public" readers and doesn't help in any way.


ForgottenSeer 72227

There are some good points being made but some are becoming a stretch now IMO.

I agree,

I think this thread is a great idea and a very interesting one, but @Opcode is right. While there is a lot of great info here, I think we have to be mindful that some things are simply due to either personal preference (not a known problem) and/or just simply by design, but it is not really a known problem. Eset HIPS is a good example, some people may not like it (personal preference), or it may cause issues if not configured properly (user interaction), but it's not a known problem. One could argue that HIPS is more complex and requires some understanding on how to setup/configure it, but it's not really a problem unless it's causing issues/bugs when it is configured/used correctly.;)


Level 35
Thread author
Top Poster
Content Creator
Jun 24, 2016
Emsisoft RAM usage... Emsisoft just don't go out of their way to hide it or sacrifice disk usage (e.g. by not constantly swapping signatures from disk and out again). They have an optimization feature anyway ?

This isn't a known problem. That's just the design of the product.

This isn't a known problem either. You said it yourself, HIPS is HIPS. You're adding a point about a feature being a con for working as it was intended to work.

It wouldn't be a HIPS if... it wasn't a HIPS.

How is this a "known problem" ? That's not an issue with the functioning of their products.

1. Hitman Pro not being present isn't a "known" problem a SOPHOS user will face. They might be disappointed but that is a different story.
2. If ESET HIPS is configured improperly by accident or used by someone who doesn't know what they are doing then it can definitely cause problems... but that is a different story. It isn't ESET's fault if the product works.
3. Trend-Micro users aren't going to face a prompt about how there's an issue connecting to NSA servers.

There are some good points being made but some are becoming a stretch now IMO.
  • I think an antivirus merging labs with one of the biggest government corporations in the world is something some users would like to know before installing.
  • Mentioning ESET HIPS doesn't mean the HIPS is an issue, rather that it's not displayed in a way easy to use for all users. It becomes a problem when a public software has advanced features not everybody understands. In case someone wanted to use ESET because of it's HIPS, he/she should know that before installing. But of course this doesn't mean ESET has an issue with its HIPS, rather than it's not for everybody.
  • Same applies to HitmanPro, people will want to know it doesn't come/isn't the same before buying it. This doesn't mean it's a bug or related.
And I insist, if you want something to be removed, please PM me, else we will create a discussion over it with everybody.


Level 7
Jul 19, 2018
there are still some apps which can disable WD with 1 click on 1903 regardless of Tamper protection. I use 1 frequently to shutdown WD completely and install other AVs for testing
1 of them is Defender Control v1.5 (by Sordum)
tamper protection can't do anything to stop it. WD is off in 1 second

by the way, malware makers know that WD should be the first AV to bypass/neutralize when they create malwares => WD is the no.1 target -> poor the very first users to get the malwares
malware makers in other countries like Russia, China or India, they also have to bypass commonly used AVs in those countries (Kaspersky, Qihoo, Quickheal...)

Could OSArmor prevent those modifications?

Ekran Alıntısı.PNG
Last edited:


Level 29
Top Poster
Sep 13, 2018
Question from post #85: Could OSArmor prevent those modifications?

It depends, I guess, and also depends on the rules one has enabled. I used Evjl's Rain's example of Defender Control v. 1.5 and OSA blocked the download but with a different rule than suggested in post #85. If I disable OSArmor, and then attempt to disable Defender thru the Defender Control UI, this is again blocked using the same rule--in Lockdown Experimental section. Here is a snip of what I enable in Lockdown rules, but like any lockdown mode, there's a price tag of possibly higher false notifications. Fortunately, for me, these are very few. Edit: Not off-topic I hope.

defender control.PNG

osa block.png

lockdown exp.PNG
Last edited:


Level 3
Jan 27, 2019
Hum I'm surprised :rolleyes:
The less buggy seems to be G Data :unsure:

.................................or the less used ;)
Of course its the least used, no promos, giveaways, no ways to get their stuff for cofee price, just regular 30 day trial or buy for full price. Now lets think how many in the MT actually pays for the software they are using which translates into a small percentage.. oh, and the AV vendor market is so big, and such alternatives around.. makes sense doesn't it. G Data has same amount of bugs as any other security companies product made. Its a software, and software have bugs, its normal.


Of course its the least used, no promos, giveaways, no ways to get their stuff for cofee price, just regular 30 day trial or buy for full price. Now lets think how many in the MT actually pays for the software they are using which translates into a small percentage.. oh, and the AV vendor market is so big, and such alternatives around.. makes sense doesn't it. G Data has same amount of bugs as any other security companies product made. Its a software, and software have bugs, its normal.
All of these points should be added because every consumer of an AV should be given a bullet point list of every potential thing that might make them feel uncomfortable due to business policies and the product working as intended. /s obviously.
Last edited by a moderator:


Level 47
Top Poster
Mar 16, 2019
A very old 8-9 years old Bitdefender problem that hasn't been fixed yet. Check here
I'm struggling to point out the problem properly in a single sentence so have a look and put it in the known problem list any way you see fit.
Kudos to the person who came up with the name Bugdefender.
I wonder why it hasn't been added yet? @Robbie

Edit: The problem is: After detecting and removing a malware it's not possible to see hidden files until the system is restarted. Whether you tick "Show hiiden files and folder" from folder options or you manually tweak the registry, it doesn't work until you restart the system. A permanent issue of Bitdefender's disinfection system.
Last edited:
  • Like
Reactions: roger_m and JB007


Level 1
Aug 12, 2015
  • Still blocks the execution of some binaries, even with the protection disabled or with the files added as exceptions.
  • Uploading of suspicious files without asking the user first ("This file might be dangerous").
  • If Protected Folders (Safe Files) can be bypassed by some programs, what to think of real ransomware? (“This application attempted to change or delete files from [a protected folder] and was blocked.” No, CoreFTP actually managed to delete that file!)
  • It lacks the possibility to temporarily pause the protection from the system tray icon.
  • CCAV (Cloud) has a lower detection rate than CAV/CIS. Too bad, since it's very light (but it lacks HIPS).
  • CCAV (Cloud) 2.0.470195.867 Beta seems abandonware, and the official 1.21.465847.842 was released more than 8 months ago.
  • Valkyrie is almost useless; once you let it upload files for analysis, you'll probably end up looking at that list forever, with most uploads not being classified as safe or malware like, never.
  • Restores the hosts file to its original virgin state without notifiying the user.
Kaspersky, TrendMicro:
  • Sometimes, after a program (NOT signature) update, it "forgets" some of the exclusions. (Not easy to reproduce, but it happened more than once.)
McAfee (latest version is quite good and very light):
  • Quarantines files WITHOUT NOTIFYING THE USER! (Say you try to copy 100 files from a drive to another, such as in making a backup. You end up with 96 files on both drives, and unless you manually check the quarantine, you don't even know that they were detected and deleted!)
Qihoo 360 TSE (not tested on TS):
  • Note: all the ads can be disabled by using Windows Firewall Control to create a rule that blocks the outbound connections of “C:\Program Files (x86)\360\Total Security\PromoUtil.exe”.
  • It silently blocks the customization of the Notification Area Icons by changing HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutoTrayNotify from 0 to 1.
Sophos Home:
  • No quarantine, malware is simply deleted. No way to restore a FP.
Most security products:
  • Generic detection names shared both by ransomware and keygens (FPs), e.g. “Trj/CI.A” for Panda, “Win32:Malware-gen” for Avast/AVG, “Trojan.GenericKD.nnnnn” for Bitdefender, etc.
  • Even if some detection names include “not-a-virus:” (Kaspersky) or “crack”/“patch”/etc., they're still considered PUP/malware and treated as such, instead of just raising an information popup.
  • After extracting malware from an archive, or generally right after the malware files have been created, they are detected, but the AV insists that it needs to reboot in order to remove the files, despite them being easily deletable and never executed.
  • After detecting a malicious file, the AV starts a system scan that cannot be stopped (you mentioned Avira, but it's also WebRoot).
  • I don't understand the need to automatically scan a USB drive upon insertion. Once its filesystem is accessed, the realtime protection will scan the accessed files anyway, so why the need for a specific full scan?
All security products that include a Web filter:
  • Blocking supposedly malicious URLs that are invalid since ages, i.e. they cannot be accessed or the file to be D/L doesn't exist.
  • Blocking an entire file sharing site just because at some point there was a contaminated file on it. Heck, why not blocking the entire Internet?
Last edited:


Level 1
Aug 12, 2015
In my book that's actually a pro. It's done for a reason.
If you're referring to the hosts file, you're totally wrong. No, you don't have a right to a different opinion.
If the file were meant to only contain the well-known IPv4 and IPv6 definitions for localhost, then it shouldn't be there anyway. This can be hardcoded in the TCP/IP stack.
On the contrary, Microsoft specifically wrote in that very file: This is a sample HOSTS file and This file contains the mappings of IP addresses to host names. which you're supposed to add as needed. I personally need an entry " speedport.ip" and anti-telemetry entries can be added as legitimate actions (I'm not talking to entries meant to avoid license checking, but even so, this isn't anyone's business).
Last edited by a moderator:


Level 1
Aug 12, 2015
But of course it escalated quickly. How on Earth should I be denied the right to edit my hosts file?


Level 59
Honorary Member
Top Poster
Content Creator
Dec 30, 2012
Kaspersky v20(b)....CPU being hammered by avp.exe when browsing....Never happened with the previous release.I suspect it has to do with script injection..Can anyone confirm??
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.