Learn more about Remediation Time – response time to security incidents (the results from protection test in January 2023)
<blockquote data-quote="Trident" data-source="post: 1026425" data-attributes="member: 99014"><p>I see 3 types of products on this test.</p><p></p><p>-The so-called “standard antivirus” which uses signatures, reputation, machine learning, behavioural analysis, behavioural blocking and others;</p><p>Examples: Bitdefender, Avast, Avira</p><p></p><p>-Mainly cloud-first products that rely on cloud detonation and hashing for the majority of their detections;</p><p>Examples: Microsoft Defender, Immunet by Cisco;</p><p></p><p>-Prevention-first products which don’t care enough to identify malware via the means above, but rather attempt to stop any damage.</p><p>Examples:</p><p>Xcitium</p><p></p><p>Samples seem to have been pulled from honeypots and classified automatically based on over 100 rules. This is described on AVLab’s official page.</p><p></p><p>To compare the 3 categories of products accurately (and not apples with oranges), the post-launch vs pre-launch ratio and remediation time are not important at all. More important would be <span style="color: rgb(65, 168, 95)">protected </span>vs <span style="color: rgb(184, 49, 47)">compromised</span><span style="color: rgb(0, 0, 0)">.</span></p><p></p><p>To establish the difference between compromised and protected, it would be <strong>vital</strong> that all samples are categorised/labelled first.</p><p>You can’t perform a proper test if you don’t know what you are dealing with and where to look.</p><p></p><p>The final payload will always be one or more of the following:</p><p></p><p>Infostealers:</p><p>Both pre-launch and post-launch can be considered protected, unless there was Credentials Access or another type of exfiltration. Access to certain folders as well as the network traffic will have to be inspected. 
If data could not be sent back “home”, e.g. Intrusion Prevention/Web Filtering suspended the connection or behavioural analysis terminated the infection chain in time, the solution <span style="color: rgb(65, 168, 95)">protected</span> the system. Otherwise it is <span style="color: rgb(209, 72, 65)">compromised</span>.</p><p></p><p>Ransomware:</p><p>Both pre-launch and post-launch could be counted as <span style="color: rgb(65, 168, 95)">protected</span>, unless there are files encrypted and this could not be reversed by the product.</p><p>In that case it should be counted as <span style="color: rgb(209, 72, 65)">compromised</span><span style="color: rgb(0, 0, 0)">.</span></p><p></p><p>PUAs:</p><p>Successfully installing and running the PUA in question should be considered an indicator of <span style="color: rgb(209, 72, 65)">compromise</span>.</p><p></p><p>Rarely, the final payload may be a coinminer or another loader, or the C&C may be dead already. In this case just deleting the malware would be enough to consider the system <span style="color: rgb(65, 168, 95)">protected</span>.</p></blockquote><p></p>
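The post above proposes scoring each sample by its end state (protected vs compromised) rather than by when the product reacted (pre-launch vs post-launch). The following is an added example, not part of Trident's post and not AVLab's methodology or code: it encodes the post's per-family rules as a small verdict function, runs it over constructed test records for two hypothetical products, and reports both metrics side by side so the difference between them is visible. The product names, sample ids and indicator labels (`credential_access`, `exfiltration`, `files_encrypted`, `rollback`, `pua_running`, `persisted`) are assumptions made for the example; the rule for the "other" category (coinminer, loader, dead C&C) reads the post's "deleting the malware is enough" as: protected unless the sample persisted on the host.

```python
"""Verdict scoring for an AV remediation test, following the rules in the post.

Added example (not from the thread, not AVLab's methodology): classify each
product/sample run as "protected" or "compromised" from its observed end state,
then compare that with the pre-launch ratio the post argues is secondary.
All records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Run:
    product: str
    sample_id: str
    family: str                 # "infostealer", "ransomware", "pua" or "other"
    stage: str                  # "pre-launch" (blocked before execution) or "post-launch"
    indicators: set = field(default_factory=set)   # what the tester observed on the host


def verdict(run: Run) -> str:
    """Apply the post's rules: the stage does not decide the verdict, the end state does."""
    ind = run.indicators
    if run.family == "infostealer":
        # Compromised only if data actually left the host (folder access plus
        # network traffic would be inspected to establish this).
        return "compromised" if ind & {"credential_access", "exfiltration"} else "protected"
    if run.family == "ransomware":
        # Compromised only if files were encrypted AND the product could not reverse it.
        return "compromised" if "files_encrypted" in ind and "rollback" not in ind else "protected"
    if run.family == "pua":
        # Successfully installing and running the PUA is itself the compromise indicator.
        return "compromised" if "pua_running" in ind else "protected"
    # Coinminer, another loader, dead C&C: removal is enough (assumed reading of the post:
    # protected unless the sample persisted on the host).
    return "compromised" if "persisted" in ind else "protected"


def score(runs: list) -> dict:
    """Per product: protected/compromised counts plus the pre-launch ratio."""
    tallies = {}
    for r in runs:
        c = tallies.setdefault(r.product, Counter())
        c[verdict(r)] += 1
        c["pre-launch"] += r.stage == "pre-launch"
        c["total"] += 1
    return {
        product: {
            "protected": c["protected"],
            "compromised": c["compromised"],
            "pre_launch_ratio": c["pre-launch"] / c["total"],
        }
        for product, c in tallies.items()
    }


# Constructed records (hypothetical products, not real test data).
# ProductA reacts early but lets one ransomware run through without rollback;
# ProductB reacts only post-launch but contains every sample.
RUNS = [
    Run("ProductA", "s1", "infostealer", "pre-launch"),
    Run("ProductA", "s2", "ransomware", "post-launch", {"files_encrypted"}),
    Run("ProductA", "s3", "pua", "pre-launch"),
    Run("ProductA", "s4", "other", "pre-launch"),
    Run("ProductB", "s1", "infostealer", "post-launch", {"network_blocked"}),
    Run("ProductB", "s2", "ransomware", "post-launch", {"files_encrypted", "rollback"}),
    Run("ProductB", "s3", "pua", "post-launch"),
    Run("ProductB", "s4", "other", "post-launch"),
]

if __name__ == "__main__":
    for product, s in score(RUNS).items():
        print(f"{product}: protected={s['protected']} compromised={s['compromised']} "
              f"pre-launch ratio={s['pre_launch_ratio']:.0%}")
```

With these records ProductA has the better pre-launch ratio (75% vs 0%) but the worse outcome (3 protected, 1 compromised versus 4 protected, 0 compromised), which is exactly the distinction the post says the scoring should capture. The indicator labels are the part a real test would have to define and record per sample before any of this can be computed.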