cyberhash

ESET Insiders
  • Content count: 250
  • Days Won: 9

cyberhash last won the day on July 20

cyberhash had the most liked content!

About cyberhash
  • Rank: N/A

Recent Profile Visitors

742 profile views
  1. Exactly! And something that people should take into consideration. Multiple targets are always going to be harder to hit than a single one. Plus, competition always drives innovation in every industry and keeps it healthy.
  2. MS, from what I can see, are just playing catch-up against other vendors and not really bringing anything new to the table. Looked at a few things after they announced they will be upping the stakes with protection in the fall update. Let's be honest, there are about 12 security patches for Office per month and at least 2 for Windows itself. If you can't code something secure to start with, then doing the cleaning-up operations is going to be a bit more messy. Who's going to entrust a whole system to the master at failing in the first place?? Just don't think that having all your eggs in one basket is a good idea.
  3. @TomFace They have improved MBAM 3 a lot since this original thread was created. Have used it myself for a scan only and it no longer has issues with installing and uninstalling and freezing. Have never used it in "Realtime mode" alongside ESSP, so I can't advise if it has any issues there.
  4. Also have the same messages appearing about the modules being updated. Seems to happen every 30 or 60 mins, only started over the past 2 days.
  5. Yes, protection is what people pay for and why it sells, as it's overall very effective at doing its job. No antivirus comes with a guarantee against being infected, as the goalposts are continually moving, and therefore people should be cautious while online. If there was no need to be cautious, then there would be no need for any online security whatsoever. Likewise, if antiviruses were 100% effective then there would be no need to be cautious. Which is why employing good habits when online and using an antivirus are both critical to online safety. It's simple risk reduction and nothing very complex. I used the term "ordinary" specifically as I very much doubt even your "baddest of internet badboys" would ever manage to land on 400 malware-infected sites in a single month, or the 1955 tested over 5 months.
  6. This is why I stick by my explanation based on your average web user, and real user experiences being a far better indication of a product's reliability. I think of myself as being quite active on the internet and probably visit at most 30 different websites per day, clean websites if you would like to call them that (e.g. my bank, credit card, energy provider, forums, security and news sites to name a few). I would never achieve visiting 400 sites per day like these AVC tests are doing, neither would I purposely visit 400 sites that are hosting some form of malware. Of course detection is important, but risk taking plays just as big a role. A cut and paste from their own words is:

     "Preparation for every testing day. Every morning, any available security software updates are downloaded and installed, and a new base image is made for that day. Before each test case is carried out, the products have some time to download and install newer updates which have just been released, as well as to load their protection modules (which in several cases takes some minutes). If a major signature update for a product is made available during the day, but fails to download/install before each test case starts, the product will at least have the signatures that were available at the start of the day. This replicates the situation of an ordinary user in the real world."

     Sounds cynical, but I don't think their "ordinary user in the real world" is either ordinary or in the real world, as knowingly visiting 400 malware-laden websites is only something that someone on a path to self-created destruction would take. This in turn leads to over-inflated and artificial results. @0xDEADBEEF The HIPS that ESET uses is more powerful than most people give it credit for, but it's set up by default for a home user (that's not on the path to destruction as above).

     Everyone can go in and edit the HIPS settings for themselves and make their system more robust than at its basic (safe and non-intrusive) settings. ESET products have also been at the front line on many major outbreaks of ransomware before many of the other major vendors have, and this is something that is very much overlooked. In addition to ThreatSense being the first of its kind applied to any home user product when it was first introduced, I don't doubt that their cloud services will also improve over time. Just as threats evolve and change, so do the methods of detection and protection. All the vendors in these tests will probably look at the detail of them properly, and it may influence their methods of detection. This is a good thing for every end user, but... I think that the fact that these forums are not flooded with "Help, I'm infected" posts actually shows that the products ESET make and sell are working and protecting "ordinary" users very well. Which leads me back to my first post, where "real user feedback and experiences" are a better indicator of something's performance than a chart.
  7. Like @TomFace has said above, this topic has frequented every security forum since the start of time and there is no definitive answer to the testing methodology. They don't even give the names of the samples used in the tests. Wilders was a good place as it was "numerous" personal experiences which added up to a more informed and collective point of view. Bit more like security "politics", and personally I think there is more information drawn from a large user base of different products than a single pdf/spreadsheet written up by 1 person/organisation. Just because 1 person likes orange juice in their test does not mean everyone will. Give the orange juice to 20000 people and you get back a less biased result. Seen it happen before when people see a datasheet of some test results and jump ship to another product and then regret it. Not just in the security world, but it happens with phones, TVs, cars too. There is probably very little difference in the capability of the top AV suites out there if it was all looked at from a balanced point of view. Hence why all vendors offer a free trial period to allow all people from all places to evaluate the software before making a choice to purchase. If you install something and use it for a long period of time and it's trouble-free and does the job it was intended to do and works the way you want it to, then there really is no need to look for alternatives. This rule goes for any vendor's product and not just for users of ESET products, in case you think I am biased in any way. If at any point along the way my system was infected and I found out that another product could have prevented it, then I would certainly re-evaluate my position. Plus I would also consider the way my system was compromised. If I opened an email that had an attachment that promised me $/£1,000,000, I should really blame myself.

     Realtime "User Interaction" protection will never be available, and it is still the biggest threat by far if you want to go down the barchart/piechart/stats route.
  8. I think "real world experiences" paint a better picture than any tests can ever achieve. From my own personal experience I have never been infected by anything major since using ESET's products, which I have done since their first version of NOD32. Then again, the weak point in any security app is more likely to be the user: from opening an email with a pdf/Word document attached, or trying to download pirated products, or visiting bad sites/links. Back when everyone was a member of Wilders Security Forums it was easier to draw a conclusion as to what performed better, as you had users of every security product giving opinions and feedback to a wider audience in one place. Then on top of detection, you have to look at other matters that affect each product, like false positives, system impact, borked updates, bad definitions including flagging of Windows files as bad. ESET has done consistently well in these areas too, and they should always be taken into consideration when making a choice/purchase. I don't doubt that Microsoft is improving, as you now have forced telemetry built into your O/S that was never there before, in addition to them now trying to draw more attention to their own security products. But I still get a feeling that you won't beat a company whose sole business is in security and has been in that business for a long time.
  9. I thought av-comparatives was the only one that was impartial with its reviews. @0xDEADBEEF Likewise, I don't think that O/S version should really dictate the outcome of the test, if the same sample sets are being used on all the products tested.
  10. I think the reason why I see a lot more low-rep files is that you are using an old build of Windows 10, and why in the past I have seen Microsoft-signed files with the red warning flag against them. The reason I mentioned the problem of using a live reputation-based system with files is that someday LiveGrid may actually have an outage or not be reachable for whatever reason, but at that same point in time you might have updates installing for Windows. I really wouldn't fancy the idea of having to click hundreds of pop-up screens to do an update in Windows because my connection with the LiveGrid server is not reachable. I like the way it works just now, where the loss of connection would make no difference in the short period of time where it was offline, and having a downloadable database (stored locally, as a backup) of every legitimate or non-legitimate file in the world is impossible. Whereas your test with a single executable via a live reputation test is plausible and workable. ESET has always had a great record when it comes to false positives, and a live reputation-based blocker could destroy that if the service was ever unreachable. Although this wouldn't fall into a false positive category, leaving users to make hundreds of choices and one wrong click could prove troublesome.
  11. Today's update (Windows 10 KB4025342), which was pretty minor, shows exactly the issue I was talking about, where system files are updated and don't yet have any reputation. On the upcoming September update you can bet that there will be even more system files updated with LiveGrid showing no reputation.
  12. I understand what you are saying, where something along the lines of sandboxing unknown apps would be beneficial to some users. But to run something inside a sandbox you would have to be doubting the credibility of the application in the first place? Plus you already have UAC in Windows. If, for example, I go and get some new Nvidia drivers from their own website: these drivers are updated regularly, sometimes weekly. But because they were only released 15 minutes ago, my AV product deems this as new and a potential threat. A nag screen pops up when I go to install this and offers me choices of what route I want to go. People will eventually do what has been proven before with UAC in Windows and turn the feature off, leaving themselves more exposed. People hate nag screens, and especially ones that don't actually need a nag screen to begin with. I can't speak for everyone, but I think employing a similar thing in LiveGrid, without granular control of the options, could possibly lead to people disabling LiveGrid completely as they have the other modules to fall back on. Just now it runs silent and informative for home users. This is just my thoughts, but there will be plenty that also agree with you @itman
  13. LiveGrid can be disabled in the (F5) Advanced setup > Tools menu from the GUI. But not recommended, as this can block newer types of threat, as it actively sends data as well as receiving, leaving your machine potentially vulnerable. On your original post:

     "Tool Reputation. The below screen shot clearly shows the tool as an unknown process. However Eset let the tool run uncontrolled w/o alert during all my testing with it:"

     Your screenshot shows that the file you have run (has an alert) and does not have the GREEN for GOOD tick on the risk column. It's leaving the decision to you as to run or close the app, by far the best choice I would think. What you are suggesting appears to be more a case of mass blacklisting via LiveGrid: block everything until it's known what the particular file is/does, then once a team of (nuclear-powered) staff verify the 260,000,000,000 samples per day, they whitelist it. Or if you are meaning that HIPS failed your testing, then I'm sure that once those methods are looked at and tested by ESET, the HIPS module itself will be updated to pick up that particular type of attack. I don't doubt that you have never seen any low-reputation system files on your machine via LiveGrid. After every large update since moving onto Windows 10, I have seen instances of system files with low reputation, and it takes time before they actually reflect the amount of users that are running the same (file/build). Hence the reason why I said on my last post that it's informative and not definitive. Just because something has a low user base does not mean that it's a bad file or process. And by design ESET allows you to make an informed decision by yourself as to how to deal with them, and does not force an action for you.
  14. LiveGrid has never tried to be anything more than informative. In September, when the fall update for Windows 10 arrives, you can bet there will be another batch of unknown (low-reputation) processes showing in there that are legitimate, but allowing users to block those items during a Windows update could in a good scenario be dangerous and on a bad day leave a system unusable. For example, if Microsoft update "svchost, dllhost, lsass"... just because it's been updated does not mean it's trying to do anything suspicious. Leaving these choices to an average home user would most probably end in disaster. We all love our security, but there comes a point where home users can actually do more damage via a few clicks of a mouse when getting into areas of things they have very little knowledge of.
  15. Seemingly the next update for Windows 10 is going to be using a similar method to what you mentioned above, by restricting write access to *certain* folders and files.