Malware Bytes Realtime test against 1000+ recent samples

Can you share the results for GDATA?
well it was too slow to complete the test, most here can do 1000 samples in 6-15 minutes....
after 1 hour 30, g-data hadn't even got through 100, it was really slow at deciding what to do with the samples, now if it was this slow and 100% accurate I could understand..... but it did miss a lot

also IDS alerts were triggered showing whatever was missed was talking to the outside world

being so slow, it would probably take around 20+ hours to complete this test (if it even could as it was already infected after 1/10th of the samples being run)

but again this is an unrealistic/extreme test - G-Data is in a league of its own for how slow it is though, I wouldn't retest this
 
You keep bla bla slow, it's not slow. Everything you test is fail, slow, can not and will not wait anymore... if you want to become a serious tester FINISH the tests!
 
no, not everything I've tested is slow, the ONLY "slow" has been G-Data
every other product runs all samples on average 6-15 minutes.... after 90 minutes g-data had only run around 100 of the 1000. (and still totally compromised)

and as for successful passes, defender/avast free/f-secure safe/mbam all aced it.... and very close to passes were arcabit/ emsisoft

once again, just take this test with a grain of salt, it's a very very very unrealistic and hard test, and is not representative of normal daily usage.
also when I say pass or fail, it doesn't mean any product is good or bad and shouldn't be used, it's just that it failed to stop the execution of 1 or more of 1000 recent samples.
a pass (for my own testing) is a product that stopped all 1000 without any executions, I am only sharing my findings here, and please do as I have done to you and find that ignore button.
 
Hi yes sorry
HC with all SRP on, CD in Highest

The samples should be blocked by SRP or Forced SmartScreen when executing normally. When any AV is tested with H_C, then the result would be probably the same as for Defender.
So, it would be better to test Defender only with ConfigureDefender settings. :) (y)
The test with MAX settings will give a 100% result (or close to that) due to the ASR prevalence rule.
The test with HIGH settings should miss a few samples (due to the EXE test error).

There is also one important question: Did the samples get MOTW?
If so, then Avast uses CyberCapture for EXE files (detonation in the Sandbox) and all samples will be automatically blocked on execution for several minutes (up to a few hours). In the real scenario, about 2/3 of EXE malware will be executed without the MOTW, so CyberCapture will not be triggered.

I am not sure if Norton did really miss any sample. It uses Download Insight for EXE files, which is as strong as Avast CyberCapture (or even stronger). In this case, you must carefully inspect the results for false-negative events.

As you correctly mentioned, "take this test with a grain of salt, it's a very very very unrealistic and hard test, and is not representative of normal daily usage". Of course, the tests + discussion about results can help many readers to learn something. (y)
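
A check for the MOTW question raised in the post above, as an added example that is not part of the thread: it reports which files in a sample folder carry a `Zone.Identifier` stream with an Internet or Restricted zone, so a tester knows whether MOTW-dependent features could have triggered. The function names and the choice to count only ZoneId 3 or 4 as marked are assumptions of this example, and reading the stream works only on Windows with NTFS.

```python
import os
import re
import sys

# Assumption of this example: only these zones count as "marked" for the report.
UNTRUSTED_ZONES = {3, 4}  # 3 = Internet, 4 = Restricted sites

# Constructed sample of a Zone.Identifier stream (not taken from the thread).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "HostUrl=https://downloads.example.test/sample.exe\r\n"
)

def parse_zone_id(stream_text):
    """Return the ZoneId as an int, or None if the stream is absent or malformed."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream_text or "", re.I | re.M)
    return int(m.group(1)) if m else None

def read_zone_stream(path):
    """Read the NTFS alternate data stream that holds the MOTW; None if missing."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        # No stream, non-NTFS volume, or not running on Windows.
        return None

def audit_samples(sample_dir, reader=read_zone_stream):
    """Split files under sample_dir into (marked, unmarked) lists of paths."""
    marked, unmarked = [], []
    for root, _dirs, files in os.walk(sample_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            zone = parse_zone_id(reader(path))
            (marked if zone in UNTRUSTED_ZONES else unmarked).append(path)
    return marked, unmarked

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    with_motw, without_motw = audit_samples(target)
    print(f"{len(with_motw)} file(s) with MOTW, {len(without_motw)} without")
    for p in without_motw:
        print("no MOTW:", p)
```

Samples unpacked from an archive or copied from a share often end up in the "no MOTW" list, which is worth recording next to each product's result.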
 
avast was similar to defender on highest mode... all samples 0 executions...
Norton failed massively... I think it got overwhelmed and the service crashed allowing hundreds of samples to run (test done twice same result)
 
In my tests I have never seen Norton crashing.
Have you tried reinstalling everything? Could be a bug.
 
installed test... crashed... infected...

reset test vm
install again..update... reboot. test... service or tray icon vanished mid test... infected

as with anything that fails so bad (eset/sophos/Norton I ran tests twice to confirm)

this is a hard test though and not exactly normal having 1000 potential malwares run one after the other.

proof of total compromise / fail is captured here the second test (gif) norton-test2(fail).gif (needs to be downloaded)
 
Gj, Malwarebytes. A total disaster as it has always been.
More holes than Emmental cheese.
I can say, "there is an operating system in these malware."
:^)

80 objects found with EEK.
25 NPE.
15 KVRT
10 ESET
F-Secure Scanner is dead.
Panda 2 malware, 28 unknown.
24 GetSusp


 
Also, Malwarebytes can't detect scripts on the disk. It doesn't have signatures for scripts. Scripts are handled by their exploit protection module. So usually I won't even consider it as an option for a second opinion scanner.
 