App Review Real World, Evasive Malware and Performance Test by Trident

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
What exactly happened with Norton IPS detection that they were a miss anyway?
Norton had multiple misses. Even though the RedLine stealer was blocked from communicating by inspecting the packets, there was another miss as well and the system was still infected. This malware is highly evasive though, it’s cherry-picked to be difficult.
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
Norton had multiple misses. Even though the RedLine stealer was blocked from communicating by inspecting the packets, there was another miss as well and the system was still infected. This malware is highly evasive though, it’s cherry-picked to be difficult.
So, protection-wise only, was it better at those evasive malwares than Kaspersky & F-Secure?
Congratulations for the test and your choices, by the way.
 

Jengo

Level 6
Well-known
Nov 9, 2022
284

My keeper :)
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Any chance of you adding Microsoft Defender at Aggressive level with DefenderUI? @Trident
At that point it should not be tested, because as soon as you disable ZoneAlarm real time protection (which malware did but then the system rebooted with BSOD and my recording was gone) Microsoft Defender turns on and it asked me to send some files, which I did. So this malware now may be known to Microsoft. Some malware has managed to render it useless later on. There was a java archive in the Microsoft Defender folder. It will have unfair advantage over others.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,512
At that point it should not be tested, because as soon as you disable ZoneAlarm real time protection (which malware did but then the system rebooted with BSOD and my recording was gone) Microsoft Defender turns on and it asked me to send some files, which I did. So this malware now may be known to Microsoft. Some malware has managed to render it useless later on. There was a java archive in the Microsoft Defender folder.
Understandable. Thank you anyway for the effort :)
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
So, protection-wise only, was it better at those evasive malwares than Kaspersky & F-Secure?
Congratulations for the test and your choices, by the way.
Unfortunately all three left the system compromised. Norton had more misses on this occasion than F-Secure and Kaspersky, and I did not tweak Application Control here; all products are tested with their default settings. Because the samples were not many (I could've done a large pack, but that would not be evasive; it would be packed with well-known malware), there is no point in counting hits and misses. Rather it is a pass-and-fail situation. Apart from Bitdefender, they all failed. Needless to say, users absolutely do not need the Java platform. Users can install it and block the Javaw.exe execution. Not installing it at all is not protection, as malware can easily download it and launch the installer with an /s argument (silent).

To be honest, they all did better than I expected them to do on this test.
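An added example, not from the thread or any of the tested products, of how a tester could confirm the outcome described above (Java malware missed, wscript left running) after a run: it lists interpreter processes with their parent and command line, and flags any that reference a user-writable path. The process names watched and the "user-writable path" heuristic are my assumptions, not something the post specifies.

```powershell
# Added example: audit interpreter processes (javaw/java/wscript/cscript) left running after a test.
# Assumption: these four names cover the interpreters discussed in the thread; add others as needed.
$watch = @('javaw.exe', 'java.exe', 'wscript.exe', 'cscript.exe')

# Win32_Process gives ParentProcessId, ExecutablePath and CommandLine in one query.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Assumption (heuristic): a command line or executable under \Users\ or \ProgramData\
# is more suspicious than one under Program Files, since malware usually writes there.
$userWritable = '\\(Users|ProgramData)\\'

$hits = foreach ($p in $procs) {
    if (-not $p.Name) { continue }
    if ($watch -contains $p.Name.ToLower()) {
        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            Suspicious  = (("$($p.CommandLine)" -match $userWritable) -or
                           ("$($p.ExecutablePath)" -match $userWritable))
        }
    }
}

if ($hits) {
    $hits | Sort-Object -Property Suspicious -Descending | Format-List
} else {
    'No interpreter processes running.'
}
```

Run it in an elevated PowerShell on the test VM once the sample has executed; a javaw.exe or wscript.exe whose parent has already exited, or whose command line points into the Users directory, is the kind of leftover the post describes. The "Suspicious" column is only a triage aid, not a verdict.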
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
Unfortunately all three left the system compromised. Norton had more misses on this occasion than F-Secure and Kaspersky, and I did not tweak Application Control here; all products are tested with their default settings. Because the samples were not many (I could've done a large pack, but that would not be evasive; it would be packed with well-known malware), there is no point in counting hits and misses. Rather it is a pass-and-fail situation. Apart from Bitdefender, they all failed. Needless to say, users absolutely do not need the Java platform. Users can install it and block the Javaw.exe execution. Not installing it at all is not protection, as malware can easily download it and launch the installer with an /s argument (silent).

To be honest, they all did better than I expected them to do on this test.
Really nasty malware. It seems strange to me that at defaults, Bitdefender is the only one from those big players who managed to nail it.
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
Another interesting perspective would be the answer to this: who warned the user better about malware that it could not remove at all?
I think such information is crucial to the user, as such malware often makes someone use extra tools for removal, or even format the disk.
At last, a less infected system with a silent AV seems worse than a more infected system with an AV that has warned about heavy threats present, no matter how well it removed them.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Another interesting perspective would be the answer to this: who warned the user better about malware that it could not remove at all?
I think such information is crucial to the user, as such malware often makes someone use extra tools for removal, or even format the disk.
At last, a less infected system with a silent AV seems worse than a more infected system with an AV that has warned about heavy threats present, no matter how well it removed them.
Well, Norton advised that Power Eraser should be run. Power Eraser was capable of cleaning the system (almost).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,158
Hi,
Thanks for the video. Can you repeat this test a few times in the next few months (the same AVs)? It would be interesting to see if the results are consistent over time. In such tests, there is usually a big random factor. (y)
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Hi,
Thanks for the video. Can you repeat this test a few times in the next few months (the same AVs)? It would be interesting to see if the results are consistent over time. In such tests, there is usually a big random factor. (y)
I sure can. In the future, I can collaborate maybe with @SeriousHoax, @Shadowra and anyone else willing. I will do the malware hunting and we can test together.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
I just reproduced the test with F-Secure (thanks @Trident for the pack ;) )
The malware tried to escape, but this time DeepGuard blocked a lot.
But the machine ends up infected (remaining JS script and Java running)

It blocked a lot on my test as well. It blocked everything (including one script on the desktop, which I downloaded on purpose from a link in the real world protection test). But the Java malware was a miss and wscript was running.

DeepGuard unfortunately doesn’t delete, it just blocks.
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,324
It blocked a lot on my test as well. It blocked everything (including one script on the desktop, which I downloaded on purpose from a link in the real world protection test). But the Java malware was a miss and wscript was running.

DeepGuard unfortunately doesn’t delete, it just blocks.

And Emsisoft?
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Can you add Emsisoft Antimalware to your test above?
I am going out and by the time I come back this pack will already be old. I collected everything yesterday between 2 and 3 PM. Maybe @Shadowra can test Emsi and we’ll see the scoring.
C:/Program Files
C:/Program Files (x86)
C:/Program Files/Common Files
C:/ProgramData
These need to be examined to determine the size on disk.
They usually write to the Users directory as well, but not that much data.

The RAM usage can be seen in task manager as well.

If it’s an online installer, does it install the latest version of the software or does it download program update?

Does it bombard with notifications?

It uses Bitdefender engine, so I would imagine everything will be detected.
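An added example, not the thread author's tooling, of how the performance figures described above could be measured: it sums the files a product leaves under the four directories listed in the post and reports the working set of its processes, which is what Task Manager's Memory column approximates. The vendor-name pattern is an assumption (the script matches folder and process names against it), and file-length sums are an approximation of "size on disk" since they ignore cluster allocation.

```powershell
# Added example: disk footprint and RAM usage of one security product on a Windows test VM.
# Assumption: the product's folders and process names contain $VendorPattern (e.g. 'Bitdefender').
param(
    [Parameter(Mandatory)] [string] $VendorPattern
)

# The four roots named in the thread, resolved from environment variables.
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:CommonProgramFiles,
    $env:ProgramData
)

# Sum file lengths under every matching top-level folder (approximate "size on disk").
$sizes = foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$VendorPattern*" } |
        ForEach-Object {
            $bytes = (Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{ Folder = $_.FullName; MB = [math]::Round(($bytes / 1MB), 1) }
        }
}

$totalMB = ($sizes | Measure-Object -Property MB -Sum).Sum
if (-not $totalMB) { $totalMB = 0 }
$sizes | Format-Table -AutoSize
'Total on disk (approx.): {0:N1} MB' -f $totalMB

# RAM: working set per process. Win32_Process is used instead of Get-Process because
# reading .Path on a protected AV process can fail without elevation.
$ram = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like "*$VendorPattern*" -or $_.ExecutablePath -like "*$VendorPattern*" } |
    Select-Object Name, ProcessId, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSetSize / 1MB, 1) } }

$totalRamMB = ($ram | Measure-Object -Property WorkingSetMB -Sum).Sum
if (-not $totalRamMB) { $totalRamMB = 0 }
$ram | Format-Table -AutoSize
'Total working set: {0:N1} MB' -f $totalRamMB
```

Run it once right after installation and again after the first full update, so the online-installer question from the post (does it ship the latest build or update afterwards) shows up as a change in the on-disk total.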
 
