
... in the latest AV-Comparatives (April 2018).

https://chart.av-comparatives.org/chart1.php

MSE free, 100%.

And everyone insists on updating to the latest v11, which offers greater protection....

Edited by claudiu

So what persuaded you to go for ESET rather than MSE?

Out of curiosity!

Compared with MSE, ESET seems over-sophisticated, with literally hundreds of settings, shields, adjustments, etc. Somehow I hoped that with sophistication performance would come, but in the last 12 months (or more) ESET has performed in the second league in AV-Test and AV-Comparatives.

Moreover, ESET is recently no longer in AV-Test.

Compared with ESET, MSE seems to be a skeleton of an antivirus, yet in the last year it has performed better and better, with the recent result of 100% (some user dependent).

And is free.

That's why.


AV-Comparatives has a posting on their web site here, https://www.av-comparatives.org/list-of-av-testing-labs/ , regarding AV labs that adhere to AMTSO guidelines:

Quote: "Some more information and documents about test methods, guidelines and best practices for tests can be found e.g. on the AMTSO website. All the above-mentioned testing labs follow the best industry practices."

Of note is the recent SE Labs AV consumer product test here: https://selabs.uk/en/reports/consumers . In this SE Labs test, Windows Defender scored dead last and ESET scored second best, only slightly nudged out by Kaspersky.

So how can it be that in some AV lab tests WD scores well and in others terribly if the labs all adhere to AMTSO guidelines and best practices for tests? The simple answer is the malware samples selected for testing. All these "real-time" lab tests are limited in scope, employing no more than 400 samples. There are also other variables involved, which I note in the last paragraph of this posting.

SE Labs uses the least number of samples, 100. You can read about their testing methodology on their web site. They adhere to the principle that "malware quality is better than quantity." Referring to the recent consumer test, they also subdivided their sample selection into run-of-the-mill versus advanced threats. Windows Defender was clearly deficient in the advanced threat malware category.

Bottom line: AV lab tests are a best-guess approximation of how a given product will perform against malware threats. Since no two labs use the same identical malware sample selection, the tests at best should only be used as a rough guide to how any security product will perform in real-world attack scenarios. There are also a number of current issues in AV lab testing. A must-read in that regard is this Virus Bulletin article: https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-testing-world-turned-upside-down/

Edited by itman

22 minutes ago, itman said:

All these "realtime" labs tests are limited in scope employing no more than 400 samples.

AV-Test:

Protection against 0-day .................. 228 samples

Detection of widespread and prevalent malware discovered in the last 4 weeks .............. 4,877 samples

 

So it is not about 400 samples; it is more about 4,000 samples from the last 4 weeks. The samples are the same for each and every AV tested, so why doesn't ESET perform better? It is not like they test ESET with a set of "difficult" samples and the rest of them with "regular" samples.

 


Well, it's not like I didn't read the report, nor am I saying the report is not reliable. They did their test and this is the result. And I didn't deny that ESET does miss some malware in the test.

But still, 98.2% is more than enough as protection, and in my experience it's pretty rare for a client to get infected by malware when using ESET. Though "rare" here does not mean that ESET can block 100% of the malware in the world, it is sufficient for daily users' protection. And even advanced users, using HIPS rules, can block unknown zero-day malware.

That said, compared to Microsoft, they have good detection in tests, but in the real world, sadly, they often miss more than ESET in my experience. I don't think the tests are unreliable; they are reliable, but it might not be possible to create a 100% real-world situation. Still, 98% is already more than enough as protection; even 90% and above is already more than enough as protection.

What is the proof for my claim that they can't create a 100% real-world situation? You can access the SE Labs tests and the VB100 lab tests, and you will find that all of them have different results for the same brand. So yeah, you might want to choose MSE based on the results, but I assure you, in the real world, in my experience, ESET performs better.


Continuing the WD/MSE "real world" theme, how is it deployed?

Go to security forums like wilderssecurity.com, malwaretips.com, etc., and the posters there that use WD never do so as a standalone security solution. They all employ additional security software such as NoVirusThanks OSArmor (exploit protection) and SysHardener (Win firewall outbound protection), Excubits solutions such as Bouncer, Fides, MZWriteScanner, and MemProtect for executable and memory protections, etc., etc. Some even deploy gov.-strength security solutions such as Blue Ridge's AppGuard.

People who use such solutions on these forums fall into the category of "security enthusiasts." They love to experiment and tinker with various security protection methods, and these security solutions allow them to do just that. Obviously this type of activity is not done by the average computer end user.

ESET, on the other hand, allows advanced users much of the above capability while at the same time giving like protections to the average user in the "out-of-the-box" default configuration. Additionally, all these protections are offered in one integrated solution, thereby eliminating any cross-product conflicts. Finally, ESET's GUI allows for complex security configuration without having to resort to the low-level rule coding many of these third-party security solutions require.

1 hour ago, itman said:

Eset on the other hand allows advanced users much of the above capability while at the same time giving like protections to the average user in the "out-of-the-box" default configuration

I was more curious about the yellow bar in the Windows Defender score. I am not sure what alert is counted as a user-dependent event... SmartScreen?

5 hours ago, 0xDEADBEEF said:

I was more curious about the yellow bar in WIndows Defender score. I am not sure what alert is counted as a user dependent event... smart screen?

It's their cloud scanner. If it can't make a good/bad determination, WD Security Center will throw an alert and leave it up to the user to decide. WD's cloud scanner does a two-part scan on suspicious processes. Part one is a quick scan which the user has some control over, in that it can be specified how long the scan runs; up to two minutes, I believe. The part-two scanning is similar to that performed by ESET's LiveGrid servers, in which a much more thorough scan is performed.

I find it unfortunate that a lot of internal details about WD are not published. For example, WD is basically a signature-based solution. It lacks the advanced local heuristic scanning capability that major AV vendors like ESET employ. Microsoft took the least-cost approach, of course, when beefing up WD on Win 10 and opted for the cloud-scanning route. This is the major reason that WD is always dead last in AV-C's Performance Comparative, for example. It goes to the cloud much more frequently to make a good/bad determination than AVs with advanced heuristic capability.

SmartScreen is Edge's and IE's web filtering mechanism. It can also be enabled for other browsers using Windows Defender Exploit Guard network protection, which is only officially supported on the Win Enterprise version. This feature will also scan other network connections besides browser-based ones. It also has to be enabled via Group Policy or via a PowerShell command. I have never been impressed with SmartScreen's protection in the browser. I have used IE for years and have always had SmartScreen enabled. During that entire period I received one alert due exclusively to SmartScreen detection.

Win 10 also introduced what is referred to as "native" SmartScreen. It is the equal of LiveGrid and performs white/blacklist checking of anything downloaded from the Internet, i.e. anything that "has the mark of the web" associated with it, in Microsoft lingo. I find it a nice backup protection to ESET's LiveGrid in that it will throw an alert for unknown process execution. The problem is that there have been a number of bypasses of it due to defective certificate-checking mechanisms and the like.

Edited by itman

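The post above mentions three Windows Defender mechanisms that can be inspected and tuned from PowerShell: the cloud scanner and the time a suspicious file is held while waiting for a verdict, Exploit Guard network protection (the thing that needs Group Policy or PowerShell to switch on), and the "mark of the web" that native SmartScreen keys on. The following script is an added example, not code from the thread or from Microsoft; it uses only the documented Defender cmdlets and the Zone.Identifier alternate data stream. The file path C:\Users\Public\Downloads\setup.exe is a hypothetical placeholder. Run it in an elevated PowerShell session on Windows 10 with the Defender module present.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Inspects and tunes the Defender
# cloud-scanning and network-protection settings, then reads the mark of the web
# from a downloaded file. Assumes Windows 10 with the Defender PowerShell module.

# --- 1. Cloud-delivered protection -----------------------------------------
# MAPSReporting Advanced turns the cloud lookups on; CloudBlockLevel raises the
# verdict aggressiveness; CloudExtendedTimeout (seconds, 0-50) is the extra time a
# suspicious file is held while the cloud decides, i.e. the "part one" scan window.
$before = Get-MpPreference
"Before: MAPS={0} BlockLevel={1} ExtendedTimeout={2}s NetProt={3}" -f `
    $before.MAPSReporting, $before.CloudBlockLevel, $before.CloudExtendedTimeout, `
    $before.EnableNetworkProtection

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

# --- 2. Exploit Guard network protection -----------------------------------
# Start in AuditMode so hits are only logged (Event ID 1125 in the
# Microsoft-Windows-Windows Defender/Operational log; 1126 once in block mode),
# then switch to Enabled after reviewing what would have been blocked.
Set-MpPreference -EnableNetworkProtection AuditMode
# Set-MpPreference -EnableNetworkProtection Enabled   # enforce after the audit

# --- 3. Mark of the web: the Zone.Identifier alternate data stream ---------
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers write a Zone.Identifier ADS on downloads; ZoneId=3 means
    # "Internet", which is what triggers the native SmartScreen reputation check.
    try {
        $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null }
    }
    $zone = $null
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotw = $true; ZoneId = $zone }
}

$sample = 'C:\Users\Public\Downloads\setup.exe'   # hypothetical path
if (Test-Path $sample) {
    Get-MarkOfTheWeb -Path $sample | Format-List
    # Unblock-File deletes the ADS, i.e. strips the mark of the web and with it
    # the SmartScreen check. Only do this for files verified out of band.
    # Unblock-File -Path $sample
}

# --- 4. Confirm the settings took ------------------------------------------
$after = Get-MpPreference
"After:  MAPS={0} BlockLevel={1} ExtendedTimeout={2}s NetProt={3}" -f `
    $after.MAPSReporting, $after.CloudBlockLevel, $after.CloudExtendedTimeout, `
    $after.EnableNetworkProtection
```

Two caveats a practitioner should keep in mind: `Set-MpPreference` values can be overridden by Group Policy or by an MDM profile, so confirm the result with `Get-MpPreference` rather than trusting the call succeeded, and a longer `CloudExtendedTimeout` is exactly the "process suspended" behaviour discussed later in the thread, so a 50-second hold on every unknown executable is a usability cost you are choosing deliberately.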

Another thing to note regarding AV-Comparatives' real-time testing is that it is cumulative, with results averaged over a 6-month period. Those are combined with other tests performed during the year and published in an annual summary here: https://www.av-comparatives.org/summary-report-december-2017/ .

For 2017, the lowest ranked product was Windows Defender. 

Edited by itman

6 hours ago, itman said:

For example, WD is basically a signature based solution. It lacks advanced local heuristic scanning capability that the major AV vendors like Eset employ

Actually WD has an emulation engine, but a rather poor one. Can be easily fingerprinted and bypassed.

6 hours ago, itman said:

This is the major reason that WD always is dead last in AV-C's Performance Comparative for example

I personally feel it is more because it lacks caching capability, so its emulation engine needs to busily emulate executables even when they are not new to the machine. Not sure why they didn't add caching. One interesting note is that both ESET and WD have a noticeable impact on program start-up speed, but ESET's is more due to AMS, because the real-time scanner has caches.

Thanks for the info on the cloud scanner (I remember seeing some detection names with "cl" as the suffix; perhaps that's it?). I am a bit confused about the two-phase scan you mentioned. Is phase one a local sandboxing and phase two a cloud sandboxing?

11 hours ago, 0xDEADBEEF said:

Is phase one a local sandboxing? and phase two a cloud sandboxing?

Yes. And if one is observant, you can actually see the process suspended via local sandboxing.

Regarding local caching, I also believe that WD doesn't mark files as initially scanned and bypass them on subsequent scans. I have observed WD periodic scans always taking the same amount of time to complete for what appears to be the same file subset being scanned.

On 5/17/2018 at 8:54 AM, itman said:

Yes. And if one is observant, you can actually see the process suspended via local sandboxing.

Realized I need to explain this a bit more.

In Win 10, when a file is downloaded or one is executed as a result of a download, it is native SmartScreen that will go to the Microsoft AI servers if the file is not explicitly white- or blacklisted. You also have no control over the initial scan duration unless you are using WD as your real-time AV solution. If the scanning is the result of an attempted execution, the file will be suspended until a response is received from the Microsoft servers.

If a Windows Defender manual scan is initiated, WD will also use the MS cloud as required, and the scan will be paused until a response is received. This is not done in ESET scanning, since it copies suspicious files to be scanned by LiveGrid to temp files that are then uploaded to its servers. If LiveGrid renders a verdict of safe, the temp file is deleted with no further action. If the file is not safe, then the original file will be blacklisted until ESET does further in-depth server analysis. This will result in a malware signature detection if the file is malicious, or the file being removed from the blacklist if safe.

 

Edited by itman


The AV testing world is little more than a snapshot in time; one month KIS is "the one", next month it's Bitdefender, etc. Most companies have teams dedicated to passing these tests; essentially it's their attempt to "game" tests for better scores and marketing bragging rights. ESET performs roughly the same each and every month, with a detection score of 98%-99% and very few, if any, FPs.

Windows 10 updates that bork many a PC are reason enough not to use MSE! Please read r/sysadmin on Reddit if you need further proof. Plus MSE creates a system drag (refer to the AV-C performance test); ESET had the lowest system impact, which is important when one actually wants to use their PC for productivity or gaming.

 

11 hours ago, TJP said:

Plus MSE creates a system drag (refer to AV-C performance test); Eset had the lowest system impact which is important when one actually wants to use their PC for productivity or gaming.

You are right about ESET having the lowest system impact; I can feel it. It is disappointing, though, to see ESET not participating anymore in AV-Test, in order to avoid criticism.

I doubt Microsoft has a dedicated team to pass AV-Test or AV-Comparatives.

Edited by claudiu


Always take tests like these with a grain of salt; one day one AV could be first and the next day it could be another. Don't forget that tweaking the settings of any AV could massively improve its detection.

55 minutes ago, Tornado said:

Always take tests like these with a grain of salt, one day one AV could be first and the next day it could be another. Don't forget that tweaking the settings of any AV could massively improve its detection.

Kaspersky, Avira, Bitdefender and Trend Micro are consistently on top at 99.9% (most of the time 100%).

There is no tweak which can improve security without affecting something else (like FPs).

Edited by claudiu
