Andy Ful

Level 36
Content Creator
Trusted
Verified
The below is important in the test:
"This assessment measured the ability of security products to protect an endpoint from a live infection, and, in the event of a system being compromised, the time taken to detect the infection and remediate the system. The timeto-detect-and-remediate component relied on each security product being manually forced to conduct a scan every thirty minutes over a 24-hour period."
.
The necessity of such tests (postinfection detection) was already discussed on Malwaretips in the thread:
Q&A - Do you really understand AV test results?
.
The MRG-Effitas test is still not perfect, because it does not measure how quickly the AVs can detect the malware in the period of 24 hours.
The AV that detects the malware after 5 hours will score the same as another AV that can do it after 23 hours.
 

Mahesh Sudula

Level 12
Verified
Avira sucks..but grabs first place in all of the tests except Virus Bulletin
I dont understand god!! Avira Avira Avira:sleep:
But i think results would be quite opposite if test is done proactively or a real world financial malware
Atleast VB is free from Avira Money laundry.
Avira signatures rocks(y):)
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Avira sucks..but grabs first place in all of the tests except Virus Bulletin
I dont understand god!! Avira Avira Avira:sleep:
...
Why do you think so?
The last Avira test by Virus Bulletin was performed in August 2016, and Avira scored better than Avast, AVG, Bitdefender, Eset, Fortinet, and ThreatTrack. In fact, Avira had the best Reactive result as compared to any AV that passed that test.(y)
Virus Bulletin :: Comparative Results
Virus Bulletin :: Comparative Vendors
.
The Real World tests are based on Reactive Protection (malware was in the wild before the test). Avira has a very good AI in the cloud, so it will score very well in such tests.
 
Last edited:

Burrito

Level 7
Very Interesting.

Testing is good, and the MRG test methodology is fine.

All the standard complaining about tests -- I don't get it.

Anyway...

Malwarebytes. It used to be so good... I use it on 4 computers -- I'm sticking with them. I wonder when they are going to make their comeback?

Webroot. For years... testing has indicated that this is an inferior product. Why do some people keep buying into the hype?

Bitdefender and Kaspersky.... strong as always.

Well done Avira.

F-Secure. I didn't read it that carefully, does it ever address false positives in this test?

Norton. On all the tests combined, it missed nothing. And on all combined, it remediated one threat in 24 hours. It just barely missed Level 1.

Trend. A normally strong product with a surprisingly poor showing.

This test is another good data point to evaluate products. Thanks for posting OP.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Last edited:

Slyguy

Level 40
Malwarebytes has been crap for years. Webroot has always been crap, from day one.

Trend's weakness I believe is the fact they can be very slow to respond to outbreaks and submissions. I've had to manually open a ticket and submit threats to them, then follow up over 3 days before it was detected. Trend is also poor with specific types of malware and some riskware. Otherwise, Trend is generally considered a solid product, just not the speediest reaction time. I'd almost always augment Trend with something like VoodooShield or OSArmor.
 

Mahesh Sudula

Level 12
Verified
Malwarebytes has been crap for years. Webroot has always been crap, from day one.

Trend's weakness I believe is the fact they can be very slow to respond to outbreaks and submissions. I've had to manually open a ticket and submit threats to them, then follow up over 3 days before it was detected. Trend is also poor with specific types of malware and some riskware. Otherwise, Trend is generally considered a solid product, just not the speediest reaction time. I'd almost always augment Trend with something like VoodooShield or OSArmor.
I don't think webroot is that worst..since i have seen its detections for latest zero day samples even when big heads are on the way!They are similar to Drweb..whereas Drweb works. Webroot is an ok av to run alongside any AV.
Their Identity Protection (Banking) is among the first one's to clear MRG Effitas Banking Certification test.
They do seem to have stuff but may require few more years to prove that
 

Slyguy

Level 40
I still use MBAM 1.75 to do on demand scans. No ads, no spam, no bloated services. Just good old fashion MBAM like it used to be, checking for pups and other crap.

Actually, I use Chicalogic since Chicalogic still updates and doesn't spam you with upgrading to version 3.

Chica PC Shield (Windows)
 
Reactions: JB007

Andy Ful

Level 36
Content Creator
Trusted
Verified
Did you miss PC Matic Home Security 99.9% RAP with 13754 False Positives? :eek::ROFLMAO:. Considered as "Buggy" back then by Virus Bulletin, I wonder how it is doing now. :D I think Avira is "dark horse" in AV security field this year.
I wrote: "In fact, Avira had the best Reactive result as compared to any AV that passed that test":)(y)
You are right, the Reactive testing scores of Avira are surprisingly good.
 

Arequire

Level 22
Content Creator
Verified
A 24 hour or shorter infection can be sufficient time given to the malc0der to wipe out your bank account.
I truly don't understand why they have a "blocked in 24 hours" category. It's absurd. If malware executed and performed malicious activity then it should be counted as a miss. Detecting the sample in X number of hours after the infection took place is irrelevant if, like you said, your bank account was drained or all you valuable files were encrypted.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
I truly don't understand why they have a "blocked in 24 hours" category. It's absurd. If malware executed and performed malicious activity then it should be counted as a miss. Detecting the sample in X number of hours after the infection took place is irrelevant if, like you said, your bank account was drained or all you valuable files were encrypted.
You are wrong.
This is the same as in the case of the shooter who kills the people demonstrating on the street (big demonstration). If the shooter will be disarmed after 5 minutes, the event of being killed is much more probable than in the case of disarming him in 5 seconds.(y)
 
Last edited:

Brie

Level 7
i got a virus from online with webroot.

bitdefender TS froze my PC. i uninstalled it. money wasted.
 

Arequire

Level 22
Content Creator
Verified
You are wrong.
This is the same as in the case of the shooter who kills the people demonstrating on the street. If the shooter will be disarmed after 5 minutes, the event of being killed is much more probable than in the case of disarming him in 5 seconds.(y)
I'd argue it'd be based on the efficiency of the shooter and the weapon used.Some teenager using a semi-auto handgun who's never shot a gun before is not going to be as effective as someone who's been front-line military using an assault rifle.

If applied to malware, you could argue that some types of malware sat on your system for 5 minutes wouldn't be very devastating, but if you left ransomware alone for 5 minutes then you'd come back to a ton (if not all) your data scrambled.
What if that ransomware turns out to be something like Petya? Well then you come back to a bricked PC and the general population would have absolutely no idea how to fix something like that.

You'll also notice that it's not considered a behaviour block, so is that 24 hour limit signature-only? What happens if the behaviour block happens 6 hours after the malware's been executed? Would that be considered a behaviour block or a "within 24 hours" block?
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
I'd argue it'd be based on the efficiency of the shooter and the weapon used.Some teenager using a semi-auto handgun who's never shot a gun before is not going to be as effective as someone who's been front-line military using an assault rifle.
Please think it over again.
Regardless of the shooter efficiency, it is always better to disarm him in 5 seconds than after 5 minutes. And it is especially important for the front-line military shooter case.
.
What if that ransomware turns out to be something like Petya? Well then you come back to a bricked PC and the general population would have absolutely no idea how to fix something like that.
It does not matter at all. In the above case, you have to change 5 seconds to 5 days and 5 minutes to approximately one year. After one year of not detecting Petya, all computers in the world would be probably infected. Still, the first scenario is much better.

You'll also notice that it's not considered a behaviour block, so is that 24 hour limit signature-only? What happens if the behaviour block happens 6 hours after the malware's been executed? Would that be considered a behaviour block or a "within 24 hours" block?
.
That is why MRG Effitas procedure is not perfect, but still better as compared to standard detection test. If the malware was detected after 6 hours, that event should be counted more than detection after 18 hours. The test methodology is unclear how they counted this.
.
The postinfection detection can have many sources:
  1. After the infection in MRG Effitas Lab, AV could recognize the sample as suspicious and alarmed the AV Cloud. The reaction of the cloud can depend on malware type and complexity. In some cases, this can take from some milliseconds up to several hours. The file will be usually recognized as malware, but not always. In some cases, the sample will be analyzed manually by the expert.
  2. AV AI was meanwhile trained by fighting the similar malware.
  3. Someone in the world that uses the concrete AV (outside the MRG Effitas Lab) was infected meanwhile and the AV cloud was alarmed.
  4. Someone in the world uploaded the malware to analysis that recognized the sample as malware during the test time.
  5. If the AV uses external signatures (from Bitdefender, Kaspersky, etc.) they can be updated during the test. There is always some delay as compared to the original fingerprints in the (Bitdefender, Kaspersky) cloud.
 
Last edited: