Battle Planned: Real-world Test of Trend Micro, ZoneAlarm, Eset and Webroot

How to test?

  • Defaults

  • Tweaked


Results are only viewable after voting.
Compare list
ZoneAlarm, Eset, Webroot, Trend Micro
Platform(s)
  1. Microsoft Windows

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Recent claims have led to plan and execute a video-recorded real-world test that will test the solutions below:
  • Webroot - highly advocated product. User claims that the product includes "sandbox"/"isolation"
  • Trend Micro - claims include that me and Shadowra have tested it in unrealistic conditions
  • ZoneAlarm - product was criticised and its users were deemed to have "insufficient evaluation skills"
  • Eset - this will be included just to regulate the test -- it is a highly reputable and regarded product.
So the framework:
On the first stage, the products will be tested with several malicious and phishing links. I will put all links in an HTML page so I can just drag and drop on top of the browser and start clicking, instead of copy/pasting from a document. I will take extra care to remove PUPs and will pre-analyse everything on various sandboxes, to ensure it is malicious.

On the second stage, products will be tested against malware that I am actively hunting on my mac. This malware will be uploaded to a sharing portal and downloaded. I consider this to be a valid real world scenario -- attackers can for example, take over an Instagram account (happens very frequently) and share a malicious link there. You believe it is a trusted document coming from an acquaintance, so you rush to open it.
This malware as well will be in an HTML table so I can just click.

On the third stage, products will be tested against phishing and malicious documents that I am creating myself. These will be downloaded too. They will be as well on an HTML table, so I can just easily click.

No malware will be introduced through unrealistic means, such as malware packs.
If malware has been allowed to execute (not deleted right away), system will be monitored with Process explorer, potentially wireshark and will be scanned with Norton Power Eraser.

The framework predicts 2 verdicts only: pass and fail. Every product will be allowed to miss 1 phishing website and 0 malware samples to pass. (feedback?)

In terms of settings, I need your opinion.
ZoneAlarm (the criticised product) is a fully automated solution with no tweaks.It only allows components to be turned on and off but does not offer settings such as heuristics aggressiveness, anti-phishing aggressiveness, etc, My question is, should I in this case, tweak other products. How many users tweak their products really? I need feedback before I kickstart.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Oh it was ferociously advocated for yesterday, you may have missed and the topic was cleaned.
Personally I have not tested Webroot against ay kind of malware, but I can say that their browser extension is very effective. Regarding its performance, though it is said to be very light, it consierably slowed down app launch which made me uninstall it.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Personally I have not tested Webroot against ay kind of malware, but I can say that their browser extension is very effective. Regarding its performance, though it is said to be very light, it consierably slowed down app launch which made me uninstall it.
Don't worry, tonight we'll see how effective this solution is.
 

lyldz

Level 3
Verified
Well-known
Jun 4, 2016
137
In my personal opinion, many users just install, activate, and use these applications without making any changes. Very few of us want to modify the basic settings and have control over the security level. To be fair, it seems more appropriate to test based on the default settings.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Don't worry, tonight we'll see how effective this solution is. It was advocated by a user who is very protective of their "American Jewels" - Trend Micro, Norton, Webroot. Their comments on everything non-American are not flattering (don't wanna pull the comments from the Kaspersky ban thread).
Well, I am not a tester. I am just a casual user and performance is the most important factor for me. I have watched many tests that showed Trend Micro's Hypersensitive Mode protect the system successfully. I remember in a test, HSM failed to protect the system against script malware. I hope you do test TM with both HSM turned on and off and see how it goes. Thank you in advance.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Well, I am not a tester. I am just a casual user and performance is the most important factor for me. I have watched many tests that showed Trend Micro's Hypersensitive Mode protect the system successfully. I remember in a test, HSM failed to protect the system against script malware. I hope you do test TM with both HSM turned on and off and see how it goes. Thank you in advance.
I may display Trend in hypersensitive mode, but just on the side, like behind the scene sort of thing. For the framework and verdict to be accurate, maybe I will keep all of them on default? What do others think? Because ZoneAlarm does not have modes.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
I may display Trend in hypersensitive mode, but just on the side, like behind the scene sort of thing. For the framework and verdict to be accurate, maybe I will keep all of them on default? What do others think? Because ZoneAlarm does not have modes.
Yes I believe it is better to test the three products on default settings. Maybe you can do a bonus test with custom settings.
 

Faxx

Level 1
Sep 7, 2017
16
If you are going to touch any default for the other products then for ZA I would only tick on the "malicious websites" under the content filtering settings. Although based on your methodology may not make any difference.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
BTW, in the case of TM, if you run many malware samples, it will automatically enable Hypersensitive Mode to protect the system.
Yes, over 10 I believe. In addition, over 10 malware samples, it will automatically restart the scan and activate something that in business products is called aggressive scan. But I am not sure at this point that we will reach 10 malware samples, as it will not be needed. My expectations are that some products will fail from the first 2-3. We'll see.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Yes, over 10 I believe. In addition, over 10 malware samples, it will automatically restart the scan and activate something that in business products is called aggressive scan. But I am not sure at this point that we will reach 10 malware samples, as it will not be needed. My expectations are that some products will fail from the first 2-3. We'll see.
Have you prepared the samples? Would you share more information about what those samples do?
Upon failure with one sample (malware missed and establishes C&C communication), product is disqualified and no other samples are tested.
Hahahaha what a brutal test. I am very curious now.
 

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,126
Upon failure with one sample (malware missed and establishes C&C communication), product is disqualified and no other samples are tested.

Maybe keep going through all samples, so we can see what an utter failure the tested version can be? Otherwise, the die hard fans may say, "well, what about...."? if you just stop at one, or especially if it's the 1st or 2nd sample tested?
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,745
My personal opinion is the vast majority of users will install a product and never look at the settings beyond adding their license key when needed. For a real-world test, the default settings should be used.

A separate test could be done with maximized settings, and HIPS rules for ESET, but that would be a real-world test only for those users who have any idea of what they are doing
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
1723560066135.png
 
F

ForgottenSeer 114834

Testing should align with the product's design. For advanced user products, configure settings accordingly. Automated products should be tested as designed.

Deviating from this approach would not provide a comprehensive evaluation of the product's features and functionality as specified in the design.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top