My own "ransomware" vs Windows Defender
<blockquote data-quote="MacDefender" data-source="post: 876711" data-attributes="member: 83059"><p>I agree that prompting is not a great approach, but I think the way that the prompting is phrased generates a different user reaction. For example, something like Windows SmartScreen or a self-signed certificate warning in a web browser is basically phrased as:</p><p>"This thing you're trying to do is not known to be safe. It could be anything. I'm gonna block it. Do you want to allow it?"</p><p>Meanwhile, most AV behavior blocker warnings come in the form of:</p><p>"I observed behavior from this program that looks like ransomware. I'm going to kill it in 10 seconds unless you tell me not to".</p><p>I still expect most users will react more seriously to the latter, compared to the former which pops up on virtually a weekly basis for the average person.</p><p>With that said, you're absolutely right that most of the time, ransomware is either existing variations of known ransomware or a new download mechanism to sneak known ransomware onto the system, or it performs a wide range of tasks beyond just encrypting files. These additional behaviors further serve to trigger antimalware software because they usually all use a "scoring" system where a certain number of suspicious activities added together will trigger an alert.</p><p>With that said, these kinds of tests are still interesting for testing the dynamic behavior blocking aspect. Other than ESET and a few others, the vast majority of the industry believes that a behavior blocker is an important part of their emerging threats / zero-days story. We have a ton of testers already who give us a lot of data points on how both static scanners and behavior blockers react to real ransomware.</p><p>I see these tests, instead, as a part of the scientific process of isolating each component of ransomware and seeing how an AV reacts to it. Just like the disclaimer in the MalwareHub, these individual data points do not justify saying one AV software is better than the other, but all of this has been very valuable in helping us to understand the strengths and weaknesses of these products, and I think they've projected pretty well onto predictions of how well this software works in the real world.</p></blockquote>