Shout-out to our ESET and F-Secure Malware Hub testers :)
MacDefender (post 848403) wrote:

I'd like to take a moment to thank @SeriousHoax for testing ESET and @harlan4096 for testing F-Secure SAFE in the past few months -- it's been giving us super interesting data points. When I joined, both were prominent AVs but neither had a lot of independent testing data here (though I think most members here have tried these products in the past and formed an opinion of how they were years ago).

I've been watching both of these products closely, and here are some observations I've made about each one's detection performance:

ESET might have the best signatures at this point. It really nails the static on-demand scan with a level of consistency we don't see from many other engines currently tested. Maybe Kaspersky would do well here too, but nobody's regularly testing it right now. With that said, if anything slips through the signature scanner, you're pretty much screwed with the default settings. Their HIPS doesn't really seem to do much in the Automatic setting, and I'm always surprised to see a modern AV allow crypto-ransomware to actually encrypt bait files. That's a super easy behavior to block, and Windows even gives AVs readily available APIs to intercept this behavior.

F-Secure has made a really good decision to switch away from BitDefender to Avira. That alone seems to have helped greatly with their static scanning detection ratios. Most of the static scanning hits in MH come from the Avira offline scanner or "fsocap", the Avira-based cloud scanner. For F-Secure, DeepGuard seems to provide a good second layer of defense. It seems to have specific "signatures" for autorun, Office exploits, PowerShell fileless stagers, etc. It doesn't seem perfect though -- it seems like a few Autorun-based infections were allowed, though it wasn't clear to me from the test results whether those processes were doing anything malicious yet. As far as the negatives/weaknesses go, it seems like F-Secure is all about stopping things before or at the brink of infection. If malware manages to gain a foothold before triggering detection, F-Secure is poor at "cleaning" the malware. That's probably the time to pull out NPE or another tool that does a better job at disinfecting, if you don't nuke infected machines altogether. The other problem I've seen is that their on-demand scanner is so geared towards speed that it's incomplete at scanning. This behavior seems well documented in the Hub, where a static scan picks up a few things, and then the moment you turn on real-time protection it identifies many more things. I've also had bugs where it told me an entire folder was clean, and that definitely wasn't true. It doesn't affect real-world protection, since it would be caught at runtime, but it does affect testing accuracy.

Anyway, these are really valuable data points, and thanks again for spending all the time to do this. You can read years and years of AV-TEST/AV-Comparatives results and not gain this kind of insight.
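As an added example (not part of MacDefender's post, and not code from ESET, F-Secure or any other product named above), here is a user-mode sketch of the bait-file check the post is talking about: plant a few decoy files, remember their hashes, and raise an alert when a decoy is rewritten with high-entropy (ciphertext-like) content, or disappears or is renamed. The decoy names, the 7.0 bits/byte entropy threshold and the simulated attacker are assumptions chosen for the demo; a shipping AV would hook the write and rename operations in a kernel minifilter (the Windows APIs the post alludes to) and block the offending process, rather than poll after the fact as this script does.

```python
"""Decoy (bait) file monitor: a user-mode, polling approximation of the
anti-ransomware check discussed in the post above. Example code only;
the decoy names, threshold and simulated attacker are assumptions."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumed decoy names: sort first/last so an enumerating encryptor hits them early.
DECOY_NAMES = ["!0000_invoice.docx", "~~backup_notes.txt", "zzz_photos.jpg"]
# Low-entropy, text-like filler so an in-place encryption is easy to tell apart.
DECOY_PAYLOAD = b"This is a decoy document. Do not modify or delete it.\n" * 64


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path) -> dict:
    """Write the decoys and return {name: sha256} as the known-good baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        (root / name).write_bytes(DECOY_PAYLOAD)
        baseline[name] = hashlib.sha256(DECOY_PAYLOAD).hexdigest()
    return baseline


def check_decoys(root: Path, baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Compare every decoy against the baseline; return (name, alert_kind) pairs.

    alert kinds: missing_or_renamed  -> decoy gone from its original path
                 high_entropy_rewrite -> contents changed and look encrypted
                 modified             -> contents changed but still low entropy
    """
    alerts = []
    for name, digest in baseline.items():
        path = root / name
        if not path.exists():
            alerts.append((name, "missing_or_renamed"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched
        kind = "high_entropy_rewrite" if shannon_entropy(data) >= entropy_threshold else "modified"
        alerts.append((name, kind))
    return alerts


def simulate_ransomware(root: Path) -> None:
    """Constructed attacker behaviour standing in for a real encryptor:
    overwrite one decoy in place with random bytes ("encrypt"), and encrypt
    plus rename another with a .locked extension. The third is left alone."""
    (root / "!0000_invoice.docx").write_bytes(os.urandom(len(DECOY_PAYLOAD)))
    victim = root / "~~backup_notes.txt"
    victim.write_bytes(os.urandom(len(DECOY_PAYLOAD)))
    victim.rename(root / "~~backup_notes.txt.locked")


def run_demo() -> list:
    """Plant decoys in a temp dir, run the simulated encryptor, return alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        assert check_decoys(root, baseline) == []  # clean before the attack
        simulate_ransomware(root)
        return sorted(check_decoys(root, baseline))


if __name__ == "__main__":
    for name, kind in run_demo():
        print(f"ALERT {kind}: {name}")
```

The entropy test is what separates "a user edited a file" from "something encrypted it": the filler text sits around 4 bits/byte, while `os.urandom` output (and real ciphertext) lands close to 8. The rename check matters because many families write the ciphertext to a new name and unlink the original, so a hash-only comparison of the original path would never see the modified content.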