Battle Planned: Real-world Test of Trend Micro, ZoneAlarm, Eset and Webroot

How to test?

  • Defaults

  • Tweaked


Compare list
ZoneAlarm, Eset, Webroot, Trend Micro
Platform(s)
  1. Microsoft Windows

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
> So, in your test from where will the files be executed?

They will be downloaded from the web, because Webroot has 3 sets of heuristics. It uses a more aggressive set of heuristics on files that are written by browsers. ZoneAlarm, on the other side, sends them for inspection. It also sends for inspection when created by other processes too, but that's another question. I want the test to look realistic, to avoid criticism that the product was not operating to its full potential.
 

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
537
From my tests Webroot has always failed. The only good thing is the cloud. Unknown malware (basically all since it has a low detection rate) is generally added to the cloud almost immediately if it is saved on the computer (just wait a while and scan the file again). The problem is that everything happens too late when the system is already infected and remediation is impossible since the famous journaling system that Webroot militates against has never been seen in action. It has no use other than to send information directly to the company as the level of protection is poor. We shall soon see it in the test!
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Yes- when a file is downloaded whatever AM application will pass judgement by various means prior to that file being run. But you mentioned that those not so detected will be executed. So from where (specifically) will they be executed.
 

Trident

> Yes- when a file is downloaded whatever AM application will pass judgement by various means prior to that file being run. But you mentioned that those not so detected will be executed. So from where (specifically) will they be executed.

They will execute from temp, desktop, downloads, whatever I decide to click (run or save). But the point is, the aggressive screening of downloads is not bypassed. Many products control false positives by using more aggressive screening of downloads, as opposed to local files.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
> From my tests Webroot has always failed. The only good thing is the cloud. Unknown malware (basically all since it has a low detection rate) is generally added to the cloud almost immediately if it is saved on the computer (just wait a while and scan the file again). The problem is that everything happens too late when the system is already infected and remediation is impossible since the famous journaling system that Webroot militates against has never been seen in action. It has no use other than to send information directly to the company as the level of protection is poor. We shall soon see it in the test!

So in this case the first user who gets infected is the scapegoat hahahah.
 

Kiss

Level 4
Verified
Well-known
Oct 6, 2021
175
Hello, could you put GDATA on this list, it is a powerful antivirus that is not much talked about, I would like to know how the protection of this German giant is currently, I know that in the past it has always been one of the best, but I don't know how it is currently
 

Divine_Barakah

> Hello, could you put GDATA on this list, it is a powerful antivirus that is not much talked about, I would like to know how the protection of this German giant is currently, I know that in the past it has always been one of the best, but I don't know how it is currently

@Trident it seems you're going to be a full-time tester hahahah

G Data is one of the products that I like. Support is great and the product is not bloated. It is one of the few products that allows u to choose what components to install.
 

ForgottenSeer 114834

> And btw if you disagree with the way MT users conduct test, please do your own and share a vid of the test in the way you see right.

Let's touch up on some facts here.

Many products are designed for intermediate to advanced users. Many members here try to convince these products are so simple average users can use them, when clearly in this thread they state differently. Most of these users cannot handle software as it's designed but trash talk it when it's at its minimal settings as if it's not capable, when it's those users who are not.

Testing, is all over the place here, some want things tweaked others want it at defaults. CIS for example is always tweaked when tested here, why, because it's an application geared towards advanced users that know how to handle it hence why everyone else needs a guide. At defaults even CS herself would call it suboptimal. CS does not test full capabilities but focuses on modules, which is fine as long as you remind the users that's the case and that it does not reflect on the product's full abilities. Stop me if I'm not making any sense here.

Just because users here do not know how to tweak these advanced products does not mean these products are not capable of stopping infections. The only way to know for sure is to actually test them as designed with real world routes of infection. Even then some expert will step in and tell you the amount of samples matters as well.

So while many of you find this entertaining, the harsh reality is it unnecessarily reflects poorly on the product when users watching are buffaloed into thinking the product is a failure from watching these inaccurate testings.

Last but not least, I'm the one pointing this out, I do not need to succumb to your taunts of me testing to prove points, you all are doing a fine enough job of that on your own.

I do hope at least some users coming by this thread, reads this and is enlightened by the facts. Everyone else can perceive it however they wish.
 

Divine_Barakah

> Let's touch up on some facts here.
>
> Many products are designed for intermediate to advanced users. Many members here try to convince these products are so simple average users can use them, when clearly in this thread they state differently. Most of these users cannot handle software as it's designed but trash talk it when it's at its minimal settings as if it's not capable, when it's those users who are not.
>
> Testing, is all over the place here, some want things tweaked others want it at defaults. CIS for example is always tweaked when tested here, why, because it's an application geared towards advanced users that know how to handle it hence why anyone else needs a guide. At defaults even CS herself would call it suboptimal. CS does not test full capabilities but focuses on modules, which is fine as long as you remind the users that's the case and that it does not reflect on the product's full abilities. Stop me if I'm not making any sense here.
>
> Just because users here do not know how to tweak these advanced products does not mean these products are not capable of stopping infections. The only way to know for sure is to actually test them as designed with real world routes of infection. Even then some expert will step in and tell you the amount of samples matters as well.
>
> So while many of you find this entertaining, the harsh reality is it unnecessarily reflects poorly on the product when users watching are buffaloed into thinking the product is a failure from watching these inaccurate testings.
>
> Last but not least, I'm the one pointing this out, I do not need to succumb to your taunts of me testing to prove points, you all are doing a fine enough job of that on your own.
>
> I do hope at least some users coming by this thread, reads this and is enlightened by the facts. Everyone else can perceive it however they wish.

I agree about CF. It is a product that I don't have the know-how to set up. It is one of the products that got hyped here on MT, but I have never tried it before. CS came up with a set of settings that according to many MT users deliver great protection. You have a point here.

The best thing you can do, in my opinion is to come up with the optimal settings for Webroot and test it.
 

Trident

> I agree about CF. It is a product that I don't have the know-how to set up. It is one of the products that got hyped here on MT, but I have never tried it before. CS came up with a set of settings that according to many MT users deliver great protection. You have a point here.
>
> The best thing you can do, in my opinion is to come up with the optimal settings for Webroot and test it.

I will test Webroot specially, in the most aggressive configuration that is “Warn before running any new, unknown file” or something of this sort, and will configure firewall to prompt for any new, untrusted processes. And it will still fail, because all that affects solely executables.
 

Divine_Barakah

> I will test Webroot specially, in the most aggressive configuration that is “Warn before running any new, unknown file” or something of this sort, and will configure firewall to prompt for any new, untrusted processes. And it will still fail, because all that affects solely executables.

I do get that the whole thing has become a challenge that everyone wants to win hahahah

Personally, life is easy. I choose what works for me and I ditch what does not. I only share my experience and I welcome opinions and suggestions.

BTW I really can't wait for the tests. I'm too curious.
 

Trident

> I do get that the whole thing has become a challenge that everyone wants to win hahahah
>
> Personally, life is easy. I choose what works for me and I ditch what does not. I only share my experience and I welcome opinions and suggestions.
>
> BTW I really can't wait for the tests. I'm too curious.

I am not sleeping tonight anyway, so it’s coming. 🤣
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,760
> I do get that the whole thing has become a challenge that everyone wants to win hahahah
>
> Personally, life is easy. I choose what works for me and I ditch what does not. I only share my experience and I welcome opinions and suggestions.
>
> BTW I really can't wait for the tests. I'm too curious.

I agree with that... all products will fail at some point against something, so use what you are comfortable with. I'm yet to see the ultimate test that will convince me to change whatever I'm using at the moment for something else and never change again...
 

Divine_Barakah

> I agree with that... all products will fail at some point against something, so use what you are comfortable with. I'm yet to see the ultimate test that will convince me to change whatever I'm using at the moment for something else and never change again...

If the product is working well on your system, does not generate many FPs, does not slow your system down, has great customer support, and is affordable then you should stick to it.

I only change products bc I get bored hahaha
 

Trident

> Make sure you utilize not in the wild samples too, because that's realistic. I'm so over this nonsense.

The samples are in-the-wild, hence I am getting them. Most of them are executables. Unfortunately for you, MSI files are included as well, which do not fall under the Webroot default deny, but will be emulated by ZoneAlarm in real time.
You don’t like that? Address it with Webroot.

I am not composing zoo viruses for the test.

I am not even stressed about the test cuz I’ve been doing it for long and I know how every product will react. I am just proving it to you and to the readers.

Your argument is not valid.

You wanted a realistic test, I’ve spent over 2 hours creating attachments that look like what attackers send by email to users. Now you want in-the-wild malware, which it is.

You want tweaks, specifically for you, Webroot will be in its most aggressive setting.

Anything else that you need?
 

ForgottenSeer 114834

> The samples are in-the-wild, hence I am getting them. Most of them are executables. Unfortunately for you, MSI files are included as well, which do not fall under the Webroot default deny, but will be emulated by ZoneAlarm in real time.
> You don’t like that? Address it with Webroot.
>
> I am not composing zoo viruses for the test.
>
> I am not even stressed about the test cuz I’ve been doing it for long and I know how every product will react. I am just proving it to you and to the readers.
>
> Your argument is not valid.
>
> You wanted a realistic test, I’ve spent over 2 hours creating attachments that look like what attackers send by email to users. Now you want in-the-wild malware, which it is.
>
> You want tweaks, specifically for you, Webroot will be in its most aggressive setting.
>
> Anything else that you need?

You to get off your high horse and start acting like the professional you claim to be. Maybe remove that stick from your four point of contact.

Asking that testing be done properly seems to be a tough pill for you to swallow. Even if the products do fail, yaaaaaah team, you finally tested it closely to a proper way. Maybe you can then do something useful with the results.
 

Trident

> You to get off your high horse and start acting like the professional you claim to be. Maybe remove that stick from your four point of contact.
>
> Asking that testing be done properly seems to be a tough pill for you to swallow. Even if the products do fail, yaaaaaah team, you finally tested it closely to a proper way. Maybe you can then do something useful with the results.

I can argue if tweaking Webroot to the max considering that Webroot advises non-advanced users to not touch heuristics settings, is the proper way. But since I don’t wanna hear moaning and groaning, Webroot will be in default-deny mode, which on another thread you were criticising and classifying as unsuitable for the average user.

All AMTSO-approved tests are in defaults, yet, we are giving you what you want — a maxed out Webroot. We are assuming that you are better than the AMTSO and we listen to you.

I don’t wanna hear any more remarks.


Heuristics​

The collection of heuristics Policies control behavior for the local drive, internet, network, CD/DVD drives, and when the machine is offline. You should not modify any of the default settings without guidance from technical support.
 

ForgottenSeer 114834

> I can argue if tweaking Webroot to the max considering that Webroot advises non-advanced users to not touch heuristics settings, is the proper way. But since I don’t wanna hear moaning and groaning, Webroot will be in default-deny mode, which on another thread you were criticising and classifying as unsuitable for the average user.
>
> All AMTSO-approved tests are in defaults, yet, we are giving you what you want — a maxed out Webroot. We are assuming that you are better than the AMTSO and we listen to you.
>
> I don’t wanna hear any more remarks.

Do I salute you now or call you sir I'm so confused as to how you think you are in charge here. 🤔 I know I will be accused of having to have the last word even though you downright throw that hook and line right in front of everyone's faces.

(I would say well played, but it lacks creativity and generally speaking, entices yawns from me.)
 

Trident

> Do I salute you now or call you sir I'm so confused as to how you think you are in charge here. 🤔 I know I will be accused of having to have the last word even though you downright throw that hook and line right in front of everyone's faces.
>
> (I would say well played, but it lacks creativity and generally speaking, entices yawns from me.)

Of course I am in charge. I am the one doing the test. You’ve got 0 control over it.
 
