SE Labs - Q1 2018 Report

Deleted member 65228

For some reason, this thread has been hijacked and turned into a discussion about Behavior Blockers, and an argument regarding the capability of products produced and published by a security software vendor named ESET has risen from the ground. For an awkward reason, the primary cause of the incident is misinformation and a lack of understanding regarding how a particular product being bashed actually works. This does not surprise me one bit.

Exploit protection, ransomware protection, botnet protection, a Host Intrusion Prevention System... All of it is "proactive" according to the definition of the word, and thus all of those components can be described with the adjective "proactive". Funnily enough, anyone who is incapable of comprehending this likely should not be in an English discussion telling people they are wrong for their use of words, when they could have done a simple Google search and discovered that the adjective was being used correctly. It really is not that difficult, and I imagine that all members who are in active discussions about how a security product works on this forum are capable of using a basic search engine.

Furthermore, all of the above-mentioned components which are present in ESET Smart Security (which is what the test the Original Poster, @L0ckJaw, linked to included in the testing) can be described as forms of either "proactive protection", "behavioral-based protection", or even both. They are not labelled under a group dubbed "Behavior Blocker", "Behavior Shield", "Behavior Guard" or the like, and they do not need to be labelled under a group dubbed those names. The group naming of the components does not remove the fact that all of them are indeed either "proactive", "behavioral-based" or both.

Time and time again, threads get hijacked by people who spread misinformation and start arguments out of nowhere, likely because they want to show off and seem more important to other people - even though all you are doing by spreading misinformation is making yourself look like a fool. Time and time again, tons of misinformation get spread at the expense of this, primarily because the perpetrator does not understand what they are arguing nor usually possesses any real-world experience in the security industry... especially when it comes down to how security software components might work. This has an effect on other people and is not fair on those who it has an effect on, because people browse forums and read content to learn more, correct themselves, and where applicable help others by contributing. When intentional, provoking, negative contribution shows up from a particular select few clown individuals who think they know how things work better than those who work in the industry or the companies themselves, it ruins things for other people. They will justify it with any excuse they can come up with; recently the justification is tied to the local Malware Hub on this forum or a YouTube review.

These same people will not have an open mind for learning more and being corrected, and thus will never ever change for as long as this is the case. This results in the same thing happening constantly, sometimes with a break in between the incidents.

I see a pattern with ESET products and arguments and it is almost always the exact same individuals behind it, simply due to false statements being made about the capabilities of the product/s. It is perfectly fine to not be a fan of ESET as a vendor and/or their products, and it is perfectly fine to express your opinions just like everyone else has the ability to do so (as long as they follow the forum rules), but there is a distinct difference between expressing a personal opinion and consistently spreading misinformation and false statements about a particular vendor and their products, simply because you happen to favor another vendor. If you want to express a personal opinion about your disliking a vendor or a product of theirs, then that is fine, but please, do not go around making false statements, because the expense of this is confusion for other people who are minding their own business and are trying to learn more.

Eventually all the people who are affected one way or another by the same, repetitive individuals who are unable to accept that another vendor might have potential and good technology in another person's eyes (and thus feel it is mandatory to try and shove false statements down other people's throats) are going to get up and leave.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
I do not understand one thing. That test is titled: Home Antimalware Protection. When you look inside, you can see that a substantial part of the test is related to targeted attacks?
So, I downloaded the documents from the SE Labs website related to their testing methodology:
Endpoint Protection Methodology 1.0
https://selabs.uk/download/endpoint-protection-methodology-1-0.pdf
Targeted Attack Replay Guide
https://selabs.uk/download/targeted-attack-replay-guide.pdf
After reading the above documents, one will know some important pieces of information about SE Labs tests:
  1. They are performed on Windows 7 (Service Pack 1).
  2. The system has vulnerable third-party applications as specified by SE Labs on a case-by-case basis (e.g. Oracle Java SE Runtime Environment 7, no updates).
  3. For the targeted attacks Metasploit is used, and probably MS Office documents.
Some of the above can be just a mistake related to not updating information in the methodology documents, because testing Windows Defender on Windows 7 seems funny to me.
Anyway, this test is rather strange, because targeted attacks against home computers are very rare.
 

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,782
I do not understand one thing. That test is titled: Home Antimalware Protection. When you look inside, you can see that a substantial part of the test is related to targeted attacks?
So, I downloaded the documents from the SE Labs website related to their testing methodology:
Endpoint Protection Methodology 1.0
https://selabs.uk/download/endpoint-protection-methodology-1-0.pdf
Targeted Attack Replay Guide
https://selabs.uk/download/targeted-attack-replay-guide.pdf
After reading the above documents, one will know some important pieces of information about SE Labs tests:
  1. They are performed on Windows 7 (Service Pack 1).
  2. The system has vulnerable third-party applications as specified by SE Labs on a case-by-case basis (e.g. Oracle Java SE Runtime Environment 7, no updates).
  3. For the targeted attacks Metasploit is used, and probably MS Office documents.
Some of the above can be just a mistake related to not updating information in the methodology documents, because testing Windows Defender on Windows 7 seems funny to me.
Anyway, this test is rather strange, because targeted attacks against home computers are very rare.

So that is the reason why Windows Defender got low scores.
 
ForgottenSeer 72227

For some reason, this thread has been hijacked and turned into a discussion about Behavior Blockers, and an argument regarding the capability of products produced and published by a security software vendor named ESET has risen from the ground. For an awkward reason, the primary cause of the incident is misinformation and a lack of understanding regarding how a particular product being bashed actually works. This does not surprise me one bit.

Exploit protection, ransomware protection, botnet protection, a Host Intrusion Prevention System... All of it is "proactive" according to the definition of the word, and thus all of those components can be described with the adjective "proactive". Funnily enough, anyone who is incapable of comprehending this likely should not be in an English discussion telling people they are wrong for their use of words, when they could have done a simple Google search and discovered that the adjective was being used correctly. It really is not that difficult, and I imagine that all members who are in active discussions about how a security product works on this forum are capable of using a basic search engine.

Furthermore, all of the above-mentioned components which are present in ESET Smart Security (which is what the test the Original Poster, @L0ckJaw, linked to included in the testing) can be described as forms of either "proactive protection", "behavioral-based protection", or even both. They are not labelled under a group dubbed "Behavior Blocker", "Behavior Shield", "Behavior Guard" or the like, and they do not need to be labelled under a group dubbed those names. The group naming of the components does not remove the fact that all of them are indeed either "proactive", "behavioral-based" or both.

Time and time again, threads get hijacked by people who spread misinformation and start arguments out of nowhere, likely because they want to show off and seem more important to other people - even though all you are doing by spreading misinformation is making yourself look like a fool. Time and time again, tons of misinformation get spread at the expense of this, primarily because the perpetrator does not understand what they are arguing nor usually possesses any real-world experience in the security industry... especially when it comes down to how security software components might work. This has an effect on other people and is not fair on those who it has an effect on, because people browse forums and read content to learn more, correct themselves, and where applicable help others by contributing. When intentional, provoking, negative contribution shows up from a particular select few clown individuals who think they know how things work better than those who work in the industry or the companies themselves, it ruins things for other people. They will justify it with any excuse they can come up with; recently the justification is tied to the local Malware Hub on this forum or a YouTube review.

These same people will not have an open mind for learning more and being corrected, and thus will never ever change for as long as this is the case. This results in the same thing happening constantly, sometimes with a break in between the incidents.

I see a pattern with ESET products and arguments and it is almost always the exact same individuals behind it, simply due to false statements being made about the capabilities of the product/s. It is perfectly fine to not be a fan of ESET as a vendor and/or their products, and it is perfectly fine to express your opinions just like everyone else has the ability to do so (as long as they follow the forum rules), but there is a distinct difference between expressing a personal opinion and consistently spreading misinformation and false statements about a particular vendor and their products, simply because you happen to favor another vendor. If you want to express a personal opinion about your disliking a vendor or a product of theirs, then that is fine, but please, do not go around making false statements, because the expense of this is confusion for other people who are minding their own business and are trying to learn more.

Eventually all the people who are affected one way or another by the same, repetitive individuals who are unable to accept that another vendor might have potential and good technology in another person's eyes (and thus feel it is mandatory to try and shove false statements down other people's throats) are going to get up and leave.


I tip my hat off to you sir, a very well written post!

While I am new to this forum, I have been reading many technology/security forums for quite a while. I do not claim to be an expert in security, nor am I an expert in every security software that is out there, but I have read many forums like this one to see this happening over and over again every time a test like this is done. I do partially blame vendors for this though. They are constantly marketing features (i.e. banking protection) as a required feature to have. Many vendors use checklists to compare not only their software, but how their software compares to their competition. As such, you get conversations like: well, x product must be better than y product because it has features a, b, c and y product doesn't. Meanwhile, y product has very similar capabilities and tools that are either called something different, or just use another form of technology to do the exact same thing. While I understand it's how you try to win customers over to buy your product, it adds a lot of confusion, especially if someone doesn't do their research and learn anything about it.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
So that is the reason why Windows Defender got low scores.
The results are quite probable for Windows Defender engines on unpatched Windows 7 with unpatched, vulnerable popular software like:
Adobe Flash Player, Adobe Reader, Apple QuickTime and Oracle Java.
Such testing methodology would be rather suited for Enterprises.
The best results were scored by those products which have some anti-exploit modules.
Also, the results are highly dependent on the samples used for the targeted attacks. For example, Bitdefender IS scored 25/25 in the actual test, but only 16/25 in October-December 2017.
 
Last edited:
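The post above names the unpatched software on the SE Labs test image (Adobe Flash Player, Adobe Reader, Apple QuickTime, Oracle Java). The following script is an added example, not from the thread or from SE Labs, that reads the Windows Uninstall registry keys and reports whether any of those products is installed locally, together with its recorded version; the name patterns in the watchlist are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): inventory check for the legacy
# third-party software named in the post as present on the SE Labs test
# image. Reads the Uninstall registry keys in the 64-bit, 32-bit and
# per-user views and reports any match with its DisplayVersion so a home
# user can see whether the same attack surface exists on their machine.
# Display-name patterns are assumptions for illustration and may need
# adjusting for localized or renamed installers.

$Watchlist = @{
    'Adobe Flash Player' = 'Adobe Flash Player*'
    'Adobe Reader'       = 'Adobe Reader*'
    'Apple QuickTime'    = 'QuickTime*'
    'Oracle Java'        = 'Java*'
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WatchlistedSoftware {
    # Only entries with a DisplayName are real Add/Remove Programs items.
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    foreach ($entry in $Watchlist.GetEnumerator()) {
        $hits = $installed | Where-Object { $_.DisplayName -like $entry.Value }
        foreach ($hit in $hits) {
            [PSCustomObject]@{
                Product     = $entry.Key
                DisplayName = $hit.DisplayName
                Version     = $hit.DisplayVersion
                InstallDate = $hit.InstallDate
            }
        }
    }
}

# Report the OS alongside the findings, since the post ties the results to
# an unpatched Windows 7 SP1 image.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

$found = Get-WatchlistedSoftware
if ($found) {
    Write-Host 'Legacy plugin/runtime software found; verify each is current or remove it:'
    $found | Sort-Object Product, DisplayName | Format-Table -AutoSize
} else {
    Write-Host 'None of the watchlisted products is installed.'
}
```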

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
The results are quite probable for Windows Defender on unpatched Windows 7
Are we sure SE Labs didn't mislabel Microsoft Security Essentials as Windows Defender? As far as I'm aware the Defender integrated into Windows 7 is marketed as just "antispyware" and only receives partial signature updates as compared to MSE or the current iteration of Defender on Windows 10.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
Are we sure SE Labs didn't mislabel Microsoft Security Essentials as Windows Defender? As far as I'm aware the Defender integrated into Windows 7 is marketed as just "antispyware" and only receives partial signature updates as compared to MSE or the current iteration of Defender on Windows 10.
You are probably right. They definitely do not use the old Defender antispyware.
They used 4.12.17007.18022 (Antimalware) and 1.263.870.0 (Antivirus), which are similar to Defender engines on Windows 8+.
In the previous test, they used Microsoft Security Essentials build ver. 4.10.209.0, which scored very similarly.
The results are quite reliable for Microsoft Security Essentials and are far behind the reliable results of Windows Defender on Windows 10.
 
Deleted Member 3a5v73x

Seems like a believable score from Webroot. I wish sometimes these independent AV test labs would test Webroot "journaling" after 24/48h, that is, a "rollback": as soon as the Cloud has determined that a program is malicious, Webroot will automatically put those monitored programs in "Blocked" status and will initiate reversal of any actions. I've seen Webroot myself recovering a system from a Cerber encryption, but that was more than 48h after. It is actually hard to test Webroot's malware protection effectiveness properly. Anyway, who would rely on an encrypted system's "rollback" by a third-party AV rather than doing a clean install of Windows after? I wouldn't, because traces of malware remnants might still be left on the system.

No questions about other AV vendors in this test. ESET is where it should be at and has proven over these years to be a reliable, stable and strong third-party AV company. I don't get why some of you are so surprised about that; one should have followed ESET's history.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
I noticed that Kaspersky is constantly scored as the top product, but it is understandable when you see how it mitigates APTs:
Strategies for Mitigating Advanced Persistent Threats (APTs)
Look at the table "ASD Strategies that can be implemented effectively using Kaspersky Lab’s product range." at the end of the above article.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
I have the impression that such tests, try to convince the home users about the necessity of using advanced security technology. In fact, pretty much the same can be accomplished on home users' computers by simple Windows hardening, blocking/restricting scripts and disabling remote Windows features.
Of course, that should be the users' choice. They can either take advanced medication or keep the healthy diet to feel good.
Anyway, SE Labs tests show the well-known truth that AVs/IS based on signatures are not efficient against targeted attacks.
 

In2an3_PpG

Level 18
Verified
Top Poster
Content Creator
Well-known
Nov 15, 2016
867
ESET is where it should be at and has proven over these years to be a reliable, stable and strong third-party AV company. I don't get why some of you are so surprised about that; one should have followed ESET's history.

I agree with you on that. ESET is a well-regarded company, more in the way of Enterprise customers. Regular consumers won't have an idea of all the settings and tweaks that can be made. They're one company that does spend a great deal on R&D (research & development).
 

jetman

Level 10
Verified
Well-known
Jun 6, 2017
477
I think the SE Labs reports are the best: very comprehensive, and I trust them to be a bit more impartial than some of the other labs out there.
 
