
"We don't perform behavior blocking"


novice


  • Administrators
30 minutes ago, John Alex said:

Another reason for being disappointed. So, ESET focused on UEFI scanning but "We don't perform behavior blocking"?????

I don't know if there are security solutions that would have the behavior blocker that would not ask users about the action to take if a suspicious behavior is detected. It is crucial to not ask users, especially in a corporate environment. The fact that we don't have a behavior blocker doesn't mean that we are unable to monitor the behavior of files. In fact, advanced heuristics runs them in a virtual environment. In the past it also used to detect the behavior (detections known as "probably NewHeur_PE") but this has already been replaced with DNA and XDNA smart detections that are based on code emulation results.

The fact that a particular feature found in other solutions is not implemented in ESET products in a similar way like in some competitive products does not mean at all that the protection provided by ESET is worse. Competitive products miss a lot of features that ESET products have and still provide good enough protection to users. You have plenty of security products out there and it is only your choice which one fits you best and which you will use on your system.


5 hours ago, Marcos said:

I don't know if there are security solutions that would have the behavior blocker that would not ask users about the action to take if a suspicious behavior is detected

Take a look at EMSI software; their behavior blocker (former Mamutu) by default will not ask you.

And see these:

SYMANTEC:  Behavior Blocking: The Next Step in Anti-Virus Protection      https://www.symantec.com/connect/articles/behavior-blocking-next-step-anti-virus-protection

COMODO:       Behavior Blocker      https://help.comodo.com/topic-72-1-451-4767-.html

Emsisoft:        Emsisoft Anti-Malware 7.0: Behavior Blocker      hxxp://uk.pcmag.com/software/45475/gallery/emsisoft-anti-malware-70?p=10

 

"The fact that a particular feature found in other solutions is not implemented in ESET products in a similar way like in some competitive products does not mean at all that the protection provided by ESET is worse"

Well, this may be the answer why ESET performs slightly worse than leading antiviruses.

Edited by John Alex

  • Most Valued Members

Windows UAC does a decent job with stopping anything that requires admin/elevated privileges.

Anything that's monitoring (.exe patching, system drivers, services etc) would be technically challenging for a lot of users to decipher and apply the correct actions. There is a balance between being "more secure" and "more annoying". I can't see your average home user being happy at having to check and authorise potentially dozens of changes when a Windows CU & Office update falls on the same day, over and above updates for other applications in between.

Of course you could have this feature switchable/selectable but in reality it's a bit over the top when you already have other mechanisms in place to catch things.

EMSI scores no better than ESET's product in detection, plus it pulls more false positives and requires a lot more user intervention to prevent infection ... (Source) the av-comparatives report that keeps getting quoted.

 


Hello, I have two AV licences, one for Emsisoft Anti-Malware and one for ESET, and today I went back to Emsisoft because I find it unthinkable that an antimalware product has no behavioral protection. Here's my personal opinion. Goodbye ESET, I'll come back maybe if the developers get to the page :o


  • Administrators
4 minutes ago, francis de lorraine said:

Hello, I have two AV licences, one for Emsisoft Anti-Malware and one for ESET, and today I went back to Emsisoft because I find it unthinkable that an antimalware product has no behavioral protection. Here's my personal opinion. Goodbye ESET, I'll come back maybe if the developers get to the page :o

This is clearly a misunderstanding of how security products work. Do you think that the mentioned sw has more protection layers and employs more anti-malware techniques than ESET? Please refer to https://cdn1-prodint.esetstatic.com/ESET/US/docs/about/ESET-Technology-Whitepaper.pdf which explains in detail how proprietary technologies in ESET products work.


  • Administrators
27 minutes ago, francis de lorraine said:

Hello, I did not say it was a bad product, but it lacks this something I found elsewhere, and tests are done regularly. I'm sorry.

If you counted the number of protection features that ESET products have and compared them with competitive products, you'd find out that many of them would lack several features since some are unique to ESET. Anyways, it's your choice to choose the AV that fits you best. Although there's a slim chance you'll never encounter malware even with no AV installed, we'll be here to protect you with highly efficient and reliable products if you decide to come back one day.

Last but not least it's not only the product that you purchase but also customer service and moderated forums where you can seek help if you encounter issues or where the vendor's staff can advise you with security concerns or questions that you might have. Not all vendors provide such services. We do our best to be here for our users even during weekends and fests.


@Marcos "beat me to the punch" with part of what I was going to post. As such, I will stick with Emsisoft's behavior blocker. I used their Anti-malware product for a number of years and am very familiar with the interworkings of the behavior blocker.

First, a bit of history. The existing behavior analysis used by Emsisoft is an extension of their Mamutu product developed over a decade ago. At the time, it was the only stand-alone consumer security product offering what today is referred to as "behavior analysis." Cutting to the meat of the issue so to speak, what Emsisoft's behavior monitoring does is when suspicious behavior is detected from an unknown process, it dynamically applies a fixed set of monitoring rules to the process. If the process when executing subsequently triggers one of the monitoring rules, Eset will throw an alert which requires user interaction; allow or block. The primary issue with this approach is that it assumes the user has the security and technical knowledge to properly respond. There is also the issue of false positive rates which Emsisoft consistently scores above average on the AV lab tests.

What isn't very well known is Emsisoft's behavior monitoring works quite similarly to existing security solutions that employ a HIPS such as Eset's. Specifically, not all app and system processes, files, and registry areas are being monitored for malicious activity against them; only areas normally targeted by malware. So this method of behavior monitoring is far from being malware "bullet proof."

Edited by itman

  • Administrators
6 minutes ago, itman said:

If the process when executing subsequently triggers one of the monitoring rules, Eset will throw an alert which requires user interaction; allow or block.

I'm sure you meant Emsisoft :) If we add a behavior blocker, it will have to be unobtrusive and work automatically, utilizing smart heuristics and information from other protection modules to avoid asking the user for action selection (at least in default automatic mode).


Good signatures, OK, but why is there no behavior blocker similar to what many other AVs have? For me the HIPS becomes obsolete, so I do not quite understand the approach. I need it seriously explained, then, how the product faces zero-days, for example, knowing that most malware detects if it runs in virtualized environments??


Another point about behavior analysis is that it is marginally effective against the current and increasing use by malware developers of legit Windows system processes to deliver their malware payloads. I am sure most are aware of PowerShell based attacks. However, a number of other legit system processes have been deployed to deliver malware. A number of these have the capability of bypassing the default UAC setting level and silently elevating to admin privilege level. Your best protection against these types of attacks is setting UAC to its maximum level. However that will also increase the number of UAC alerts a person receives. It also means that users must have the system "smarts" to answer deny to these alerts when they appear unexpectedly.  Obviously, the average PC end user is clueless about such things.


  • Most Valued Members
3 hours ago, Marcos said:

I'm sure you meant Emsisoft :) If we add a behavior blocker, it will have to be unobtrusive and work automatically, utilizing smart heuristics and information from other protection modules to avoid asking the user for action selection (at least in default automatic mode).

Is that a hint that something is in the works?


This topic is now closed to further replies.