I'd like to take a moment to thank @SeriousHoax for testing ESET and @harlan4096 for testing F-Secure SAFE in the past few months -- it's been giving us super interesting data points. When I joined, both were prominent AVs but neither had a lot of independent testing data here (though I think most members here have tried these products in the past and formed an opinion of how they were years ago).
I've been watching both of these products closely, and just some observations I've made about each's detection performance:
ESET might have the best signatures at this point. It really nails the static on-demand scan with a level of consistency we don't see from many other engines currently tested. Maybe Kaspersky would do well here too but nobody's regularly testing it right now. With that said, if anything slips through the signature scanner, you're pretty much screwed with the default settings. Their HIPS doesn't really seem to do much in the Automatic setting, and I'm always surprised to see a modern AV allow cryptoransomware to actually encrypt bait files. That's a super easy behavior to block and Windows even gives AVs readily available APIs to intercept this behavior.
F-Secure has made a really good decision to switch away from BitDefender to Avira. That alone seems to have helped greatly with their static scanning detection ratios. Most of the static scanning hits in MH come from the Avira offline scanner or "fsocap" the Avira-based cloud scanner. For F-Secure, DeepGuard seems to provide a good second layer of defense. It seems to have specific "signatures" for autorun, Office exploits, Powershell fileless stagers, etc. It doesn't seem perfect though -- seems like a few Autorun based infections were allowed, though it wasn't clear to me from the test results if those processes were doing anything malicious yet. As far as the negatives/weaknesses, it seems like F-Secure is all about stopping things before or at the brink of infection. If malware manages to gain a foothold before triggering detection, F-Secure is poor at "cleaning" the malware. That's probably time to pull out NPE or another tool that does a better job at disinfecting if you don't nuke infected machines altogether. The other problem I've seen is that their on-demand scanner is so geared towards speed that it's incomplete at scanning. This behavior seems well documented in the Hub where a static scan picks up a few things, and then the moment you turn on realtime protection it identifies many more things. I've also had bugs where it told me an entire folder was clean and that definitely wasn't true. It doesn't affect real-world protection since it would be caught at runtime, but it does affect testing accuracy.
Anyway, these are really valuable data points and thanks again for spending all the time to do this. You can read years and years of AV-TEST/AV-Comparatives results and not gain this kind of insight.
I've been watching both of these products closely, and just some observations I've made about each's detection performance:
ESET might have the best signatures at this point. It really nails the static on-demand scan with a level of consistency we don't see from many other engines currently tested. Maybe Kaspersky would do well here too but nobody's regularly testing it right now. With that said, if anything slips through the signature scanner, you're pretty much screwed with the default settings. Their HIPS doesn't really seem to do much in the Automatic setting, and I'm always surprised to see a modern AV allow cryptoransomware to actually encrypt bait files. That's a super easy behavior to block and Windows even gives AVs readily available APIs to intercept this behavior.
F-Secure has made a really good decision to switch away from BitDefender to Avira. That alone seems to have helped greatly with their static scanning detection ratios. Most of the static scanning hits in MH come from the Avira offline scanner or "fsocap" the Avira-based cloud scanner. For F-Secure, DeepGuard seems to provide a good second layer of defense. It seems to have specific "signatures" for autorun, Office exploits, Powershell fileless stagers, etc. It doesn't seem perfect though -- seems like a few Autorun based infections were allowed, though it wasn't clear to me from the test results if those processes were doing anything malicious yet. As far as the negatives/weaknesses, it seems like F-Secure is all about stopping things before or at the brink of infection. If malware manages to gain a foothold before triggering detection, F-Secure is poor at "cleaning" the malware. That's probably time to pull out NPE or another tool that does a better job at disinfecting if you don't nuke infected machines altogether. The other problem I've seen is that their on-demand scanner is so geared towards speed that it's incomplete at scanning. This behavior seems well documented in the Hub where a static scan picks up a few things, and then the moment you turn on realtime protection it identifies many more things. I've also had bugs where it told me an entire folder was clean and that definitely wasn't true. It doesn't affect real-world protection since it would be caught at runtime, but it does affect testing accuracy.
Anyway, these are really valuable data points and thanks again for spending all the time to do this. You can read years and years of AV-TEST/AV-Comparatives results and not gain this kind of insight.
