TrojanZipperPOC and ESET signatures Case Study
MacDefender (post 876979) said:

Of the ones I’ve personally used extensively, I’ve been most impressed by F-Secure and Emsisoft. They were the most consistent in blocking the behaviors of replication + startup item registration, directly encrypting the user’s files using various techniques, and downloading and executing a secondary payload without showing a UI.

The ones I’ve tested that perform poorly are ESET (which frankly we agree basically has no behavior blocker, but their feature descriptions and white papers really make it sound like they do have a behavior blocker) and Norton, as well as default versions of SEP. Norton recently (last few months) added a Data Protector which helped against encryption-based PoCs, but I still had a lot of trouble getting it to trigger on the other potentially malicious behaviors.

Of the ones I haven’t personally tested, Kaspersky and WiseVector stand out. Both of them have been tested by others here against most of my samples and they did as well as or even better than my top choices. I am especially impressed by Kaspersky System Watcher’s rollback mechanism, which gives it a bit more freedom to allow the malware to do more things, knowing that it can probably roll back the actions. With that said, it’s been shown to not always work perfectly; sometimes even with rollbacks it still loses a half dozen files or so.

I have been choosing AV software for more reasons than just the BB, though. Right now I mostly alternate between F-Secure and Norton. Norton’s SONAR reports are really neat, and that usually serves as a front-line defense for me for determining if I should scrutinize a download more closely. And both of these products tend to go on sale frequently, and price is still an important factor.

In the future, I plan on getting a KTS license the next time I see it go on sale in the US. I would like more time testing that product.