Sammo

AV-Comparatives Real-World Protection Test February-June 2018


1 minute ago, itman said:

If only a few samples exist in the wild, their targets are restricted to a specific area or business concern, etc., the likelihood of quick detection by existing monitoring methods are quite low.

Still I did not get it: if ESET encountered a certain malware 10 times, which otherwise was detected by a significant number of vendors, why did they not add a rule or something to have that particular malware detected?

Why was it necessary for a user to pinpoint the problem and to persuade ESET to implement a detection?

Posted (edited)
13 hours ago, novice said:

Still I did not get it: if ESET encountered a certain malware 10 times, which otherwise was detected by a significant number of vendors, why did they not add a rule or something to have that particular malware detected?

I guess you still do not understand my previous reply on this occurrence. An "in-the-wild" occurrence of 10 statistically equates to a near zero probability of capture, analysis, and mitigation using existing capture methods. The Eset forum response as to "10 times" was in regards to the "in-the-wild" instances of the malware; not how many times an Eset product detected it.

The OP's complaint at the time was that three days had elapsed since his posting about his detection and still no specific signature for it had been issued by Eset. I can't recollect if the OP actually officially submitted the malware via the Eset in-product method for doing so. I just recently did so for a malware sample Eset wasn't detecting that also originated geographically from this region with a low "in-the-wild" count. Eset promptly responded with detection capability in a few hours; the exact elapsed time I don't know since I wasn't specifically monitoring for that.

Edited by itman


What is Windows Defender? 🤣🤣

Came

38 minutes ago, camelia said:

What is Windows Defender? 🤣🤣

Came

In Windows 7 (which is what I run) it acts as an antispyware program.

In Windows 10, I "think" it tries to act as an A/V scanner. See https://forum.eset.com/topic/19330-another-av-to-complement-eset/?do=findComment&comment=94318  

A Win 10 user can add their input.

Regards,

Tom

 

Posted (edited)
7 hours ago, itman said:

The Eset forum response as to "10 times" was in regards to the "in-the-wild" instance of the malware; not how many times an Eset product detected it.

I do not think so. Marcos's answer was very clear: "It's been seen on less than 10 machines in total", which suggests "10 machines with ESET".

It would be impossible for ESET to know that my machine (with Kaspersky, let's say) encountered that specific malware.

Regardless of how you try to sugarcoat it, the fact remains: for a while now ESET has been subpar compared with other players on the market. Strange thing: all these players which performed better than ESET have a free version to offer (Avast!, Bitdefender, Avira, Kaspersky, Microsoft).

 

Edited by novice

4 minutes ago, novice said:

I do not think so. Marcos's answer was very clear: "It's been seen on less than 10 machines in total", which suggests "10 machines with ESET".

@Marcos, care to clarify the above comment you made?

Posted (edited)
4 hours ago, novice said:

I do not think so. Marcos's answer was very clear: "It's been seen on less than 10 machines in total", which suggests "10 machines with ESET".

It would be impossible for ESET to know that my machine (with Kaspersky, let's say) encountered that specific malware.

Regardless of how you try to sugarcoat it, the fact remains: for a while now ESET has been subpar compared with other players on the market. Strange thing: all these players which performed better than ESET have a free version to offer (Avast!, Bitdefender, Avira, Kaspersky, Microsoft).

 

I do not see any link to the quote that "novice" is claiming that Marcos posted in this Forum.

Could you share it "novice"?

Regards,

Tom

Edited by TomFace

25 minutes ago, TomFace said:

I do not see any link to the quote that "novice" is claiming that Marcos posted in this Forum.

Could you share it "novice"?

Regards,

Tom

 

Quote

It's already detected as Python/Filecoder.AM. It's a Chinese ransomware written in Python with Chinese instructions.

I just checked the VirusRadar database and the signature for this variant was created on 7/28/2017.

It really appears what happened in this instance was the malware was not properly submitted for analysis. This is what caused the unusually long delay in signature creation.

One other thing that should be mentioned here. It is imperative that LiveGrid settings allow for submission of suspicious files for analysis. This is one of the primary methods Eset captures "in-the-wild" malware originating from Eset software installations.

3 hours ago, itman said:

It really appears what happened in this instance was the malware was not properly submitted for analysis. This is what caused the unusually long delay in signature creation.

If the malware has "been seen on less than 10 machines in total", what other "proper" submission is to be expected?

That means the "LiveGrid" of 10 machines somewhere in the world reported this malware, hence the conclusion "has been seen".

1 hour ago, novice said:

That means the "LiveGrid" of 10 machines somewhere in the world reported this malware, hence the conclusion "has been seen".

Since you seem fixated on this point, we are referring to an incident that happened almost 2 years ago. I have previously posted the same did not occur with a malware submission I recently submitted. So move on to something else.

18 minutes ago, itman said:

Since you seem fixated on this point, we are referring to an incident that happened almost 2 years ago. I have previously posted the same did not occur with a malware submission I recently submitted. So move on to something else.

Yes, you are right, let's lock this thread and move it somewhere else, so it will be invisible to the common user, and pretend this problem never existed; you have some time now till the next AV-Comparatives review for another good explanation.


As far as Eset's 0-day detection capability goes, it is often overlooked that they have one of the best malware research organizations in the world. Case in point.

Microsoft published an article here: https://www.microsoft.com/security/blog/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/ where they were alerted to a double 0-day malware instance courtesy of Eset's malware research group.

On 6/21/2019 at 9:00 PM, novice said:

I do not think so. Marcos's answer was very clear: "It's been seen on less than 10 machines in total", which suggests "10 machines with ESET".

It would be impossible for ESET to know that my machine (with Kaspersky, let's say) encountered that specific malware.

Regardless of how you try to sugarcoat it, the fact remains: for a while now ESET has been subpar compared with other players on the market. Strange thing: all these players which performed better than ESET have a free version to offer (Avast!, Bitdefender, Avira, Kaspersky, Microsoft).

 

Really - Did you not see how many false positives WD had and how many detections also needed the user to decide.

 

Eset has stuff like HIPS to help people with the knowledge, but as Itman and others in the past have stated, the average user would not want to be asked to make a decision and in general it is not recommended. If the user doesn't know, they could accidentally class a virus as safe or vice versa, classing something like a system file as a virus and causing issues. This is why it is always best that the average user doesn't have to make decisions.

And that is the problem with things that look for virus behaviour. They can't always tell the difference. It's also important to note when people using things such as endpoint protection post about having a user infected with ransomware the user usually doesn't have the latest version installed which includes the ransomware shield and has not got RDP locked down. Often eset itself hasn't been password protected so the hacker can simply use techniques to break into the computer remotely but in a way that seems like a genuine user remote accessing it. All that is left is to disable the protection and infect it.

So simply put, no security will ever be 100 percent. Also, I could run a test right now and make one security program appear the worst, and then do another test and make the same one appear the best. It is down to the user to decide what they like/prefer. Also a bit of basic security skills help, e.g. avoiding bad websites and so on. I have never been infected with Eset, and when I have downloaded stuff knowing it contained things like adware in the past, Eset has always for me detected it.

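The remote-access weaknesses peteyt lists (RDP reachable, no Network Level Authentication, no lockout, security product not locked against a logged-in intruder) are straightforward to audit. The script below is an added example, not code from the thread or from ESET; it reads the standard Terminal Server registry values and the RDP firewall rule group (the firewall cmdlets exist only on Windows 8 / Server 2012 and later, so they are skipped on Windows 7). The thresholds and the wording of the findings are my own choices; the two security-product items are left as manual checks because the thread does not say where those settings are stored.

```powershell
# Added example (not from the thread): audit the RDP exposure peteyt describes.
# Run in an elevated PowerShell on the host being checked.
# Assumptions: standard Terminal Server registry locations; finding thresholds are mine.

function Get-RdpHardeningReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled
    $rdpEnabled    = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before the logon screen is exposed
    $nlaRequired   = (Get-ItemProperty -Path $tcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication -eq 1
    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS
    $securityLayer = (Get-ItemProperty -Path $tcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    $port          = (Get-ItemProperty -Path $tcp -Name PortNumber    -ErrorAction SilentlyContinue).PortNumber

    # Is anything actually listening on the RDP port? netstat is present on Windows 7 as well.
    $listening = [bool](netstat -ano | Select-String 'LISTENING' | Select-String ":$port\s")

    # Account lockout threshold from 'net accounts'; "Never" (no digits) means unthrottled guessing
    $lockoutLine = (net accounts) | Select-String 'Lockout threshold'
    $lockout = if ($lockoutLine -match '(\d+)') { [int]$Matches[1] } else { 0 }

    # Firewall scope of the inbound RDP rules (Windows 8 / Server 2012 and later only)
    $fwOpenToAny = $false
    $fwChecked   = $false
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $fwChecked = $true
        $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
        foreach ($r in $rules) {
            $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') { $fwOpenToAny = $true }
        }
    }

    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired)        { $findings += 'RDP enabled without Network Level Authentication' }
    if ($rdpEnabled -and $securityLayer -ne 2)     { $findings += 'RDP security layer is not TLS (SecurityLayer != 2)' }
    if ($rdpEnabled -and $fwChecked -and $fwOpenToAny) { $findings += 'Inbound RDP firewall rule allows any remote address' }
    if ($rdpEnabled -and $lockout -eq 0)           { $findings += 'No account lockout threshold: password guessing is unthrottled' }
    if ($rdpEnabled -and $listening -and $port -eq 3389) { $findings += 'RDP listening on the default port 3389' }
    $findings += 'MANUAL: confirm the security product settings are password-protected so a logged-in intruder cannot disable it'
    $findings += 'MANUAL: confirm the security product is on the current version (ransomware shield present)'

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nlaRequired
        SecurityLayer    = $securityLayer
        Port             = $port
        Listening        = $listening
        LockoutThreshold = $lockout
        FirewallChecked  = $fwChecked
        Findings         = $findings
    }
}

Get-RdpHardeningReport | Format-List
```

The point of the report is the combination: an RDP listener that is reachable from anywhere, has no NLA and no lockout policy is exactly the setup in which a password guess yields a session that looks like a genuine remote user, after which disabling an unprotected security product is trivial.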
Posted (edited)
16 hours ago, peteyt said:

Really - Did you not see how many false positives WD

I prefer a FP compared with a Ransomware not being detected

16 hours ago, peteyt said:

Eset has stuff like HIPS

I have HIPS in "Smart mode"; never had a warning from HIPS in over 2 years

16 hours ago, peteyt said:

So simply put no security will ever be 100 percent

That is true. However , there are competitors able to score 100% or close to it ,each and every test.

16 hours ago, peteyt said:

one security program appear the worst

Nobody has intention to make ESET look bad; the tests are the same for all players involved

16 hours ago, peteyt said:

I have never been infected with eset

This is a strange logic. It is like saying: "I drink a glass of water every day and I did not get cancer; hence the water is protecting me against cancer."

I have been using MSE for over 6 years on certain computers and I never got infected, so what conclusion should I make?

Edited by novice

28 minutes ago, novice said:

I prefer a FP compared with a Ransomware not being detected

I have HIPS in "Smart mode"; never had a warning from HIPS in over 2 years

That is true. However , there are competitors able to score 100% or close to it ,each and every test.

Nobody has intention to make ESET look bad; the tests are the same for all players involved

This is a strange logic. It is like saying: "I drink a glass of water every day and I did not get cancer; hence the water is protecting me against cancer."

I have been using MSE for over 6 years on certain computers and I never got infected, so what conclusion should I make?

Again you have ignored most of my points. As I mentioned, most of the ransomware cases I have seen are from people whose computer was unpatched, so an attacker managed to get access remotely appearing as a genuine remote user, disabled the security and voila. Most people don't realise that the AV is just one of many protections. It's why I never get people who still use XP, especially connected to a network. An AV is no good if it's on a risky OS.

False positives are also not a good thing and I explained exactly the issue which you seemed to skip. You have no problem with false positives? So what if a file is marked as safe and actually does more damage than good, or is classed as dangerous and actually is a system file and corrupts the OS.

As for 100 percent protection, I don't know why I am bothering, like many, repeating it for the 100th time. There is no such thing. Obviously an AV may pass 100 percent on one test, but as I've mentioned I've seen tests that show one AV as being great and found another test that actually makes them look bad, because all tests are different, using different methods, samples etc.

For example, Eset passed 100 percent in the latest Virus Bulletin test. I'm sure it has the most awards or the most 100 percents in a row. My point is these tests are designed for basic advisory. If you based which AV you would be using each year on certain tests, you would probably have to change each year. The best thing is to find what AV works best for you.

https://www.virusbulletin.com/virusbulletin/2019/04/vb100-certification-report/

There's a saying that goes something like this: if you keep looking under rocks you will eventually find a snake. This is why I said I have never been infected, because I also keep safe. No antivirus will protect you 100 percent if you go looking for trouble constantly. Also I have seen tests on YouTube and elsewhere where certain parts of Eset are disabled to test it, which makes no sense. In the real world, you would not disable protection layers, and often these layers are designed to work together and complement each other.

I should also add I have tried multiple security programs in the past, and I have stuck with Eset as for me it has the right balance and uses low system resources at least in my case. I see BitDefender is often claimed to be great and at the top of scores or was a few years back, but I came from BitDefender to Eset as it was unreliable, crashing and what not. I don't think I have ever had Eset crash on me.

1 hour ago, novice said:

I have been using MSE for over 6 years on certain computers and I never got infected, so what conclusion should I make?

Blanket statements like this are meaningless without a frame of reference. For example, none of those devices are used on a daily basis for Internet activities via browser. Do those devices employ supplemental security protection? If used for browser activities, are those restricted to accessing known safe web sites? Etc., etc.

Overall, consider yourself very lucky. There is no way that using Win 7 and MSE equates to the protection provided by Win 10 and Windows Defender.


ESET along with uBlock and uMatrix (if you are that paranoid) is more than enough for me.

I have used ESET for many years, I never had any trouble with it, but to be honest I've tried other security solutions and I've always wanted to try Kaspersky, but because of its heaviness I was forced to leave it just to be back to ESET. ESET has something special with its lightness, or I don't know, maybe it's the years of usage that will make you keep using the same product, but why change it when you are happy with it?

But in your case, novice, if I were you and I saw that I am that mad at ESET, I would just change them. There is no point to keep arguing that there are better products on the market; I guess they are doing their best also.

10 minutes ago, Rami said:

But in your case, novice, if I were you and I saw that I am that mad at ESET, I would just change them. There is no point to keep arguing that there are better products on the market; I guess they are doing their best also.

👍

28 minutes ago, Rami said:

But in your case, novice

The first step in correcting a problem is to acknowledge there is a problem.

Blindly defending ESET no-matter-what doesn't help anyone.

Let's close this discussion here.

43 minutes ago, itman said:

Blanket statements like this

I was talking about 2 PCs used to browse the internet daily (wife and daughter).

Win 7/64, fully updated, admin account, UAC set to max, IE with SmartScreen filter enabled.

Posted (edited)
28 minutes ago, novice said:

The first step in correcting a problem is to acknowledge there is a problem.

Blindly defending ESET no-matter-what doesn't help anyone.

Let's close this discussion here.

I was talking about 2 PCs used to browse the internet daily (wife and daughter).

Win 7/64, fully updated, admin account, UAC set to max, IE with SmartScreen filter enabled.

No, I am not defending anyone, as I don't work for them or have a share in their income, but I told you I have tried other security solutions, from Norton to Trend Micro, Panda, Kaspersky, Avast, Avira, whatever you want. I've only been comfortable with ESET, and to be honest most of the time ESET was able to block/defend my machines from whatever place I am entering; the product never disappointed me, and even if something slipped under their eyes, it happens.

Even though AVs get smarter each day, malware also will become smarter and evade detection and AVs, as both sides of the developers are smart. It's like a race.

And about HIPS: try to use "Log all blocked attempts" and your HIPS logs will be filled with blocked records.

Edited by Rami

Posted (edited)
5 hours ago, novice said:

Win 7/64, fully updated, admin account, UAC set to max, IE with SmartScreen filter enabled.

Assuming you have configured IE11 for max. protections, including and most important EPM, AppContainer will protect you against most browser based non-user initiated downloaded malware. There is also the "security through obscurity" factor. Since IE11 usage these days is in the single digit category, malware authors have turned their attention to Chrome and Firefox. Also, although IE11 in its heyday topped the vulnerability charts, most of those have been resolved. Forget IE11 SmartScreen as a protection mechanism except for possibly unknown executables. I used IE11 for years and during that time had no more than two or three alerts from it.

UAC at maximum level is your biggest native protection since it will prevent most but not all hidden privilege escalation attempts.

Your biggest risks on these PCs are user initiated downloads and in-browser based JavaScript malware such as coin miners. MSE PUA protection is for all practical purposes non-existent. Only recently in Windows Defender has it become reasonably effective, and only if manually enabled. I certainly wouldn't use these PCs for any e-commerce activities since AppContainer won't prevent IE11 banking Trojan web site injection. Finally, MSE lacking any web filtering capability will only increase the odds of being adversely impacted by web site/server in-browser based malware.

-EDIT- Go to this web site using one of your Win7/IE11/MSE PCs and see what the results are in regards to coin miner protection: https://cryptojackingtest.com/ . Note: if SmartScreen blocks access to the site, that's a false detection.

Edited by itman
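itman's post leans on three native settings (UAC at "Always notify", IE11 Enhanced Protected Mode, SmartScreen) plus the account type. Rather than trusting the Control Panel slider, a practitioner would read the values the OS actually enforces. The script below is an added example, not from the thread or from ESET or Microsoft; the UAC policy values are the documented ones (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), while the IE Isolation and EnabledV9 values are my reading of those keys and are marked as assumptions in the code, so confirm them against Internet Options on the machine.

```powershell
# Added example (not from the thread): read the native protections itman refers to
# on a Windows 7 / IE11 box. Run in PowerShell as the everyday user account so the
# HKCU values are that user's.
# Assumptions are marked inline; UAC value meanings are the documented policy values.

function Get-NativeProtectionReport {
    $uac     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ieMain  = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $iePhish = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' -ErrorAction SilentlyContinue

    # UAC "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2 (consent on the secure desktop),
    # PromptOnSecureDesktop 1. ConsentPromptBehaviorAdmin 0 is silent auto-elevation (worst case);
    # 5 is the Windows default, which auto-elevates signed Windows binaries.
    $uacOn     = $uac.EnableLUA -eq 1
    $uacMax    = $uacOn -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1
    $uacSilent = -not $uacOn -or $uac.ConsentPromptBehaviorAdmin -eq 0

    # ASSUMPTION: IE stores Enhanced Protected Mode as Isolation = 'PMEM' ('PMIL' when off)
    # and 64-bit tab processes as Isolation64Bit = 1.
    $epm   = $ieMain.Isolation -eq 'PMEM'
    $epm64 = $ieMain.Isolation64Bit -eq 1
    # ASSUMPTION: SmartScreen Filter for IE9+ is PhishingFilter\EnabledV9 = 1
    $smartScreen = $iePhish.EnabledV9 -eq 1

    # Group membership regardless of elevation: S-1-5-32-544 is BUILTIN\Administrators.
    # A filtered (non-elevated) admin token still lists the SID, so this reflects the account, not the prompt.
    $adminMember = [bool]((whoami /groups) | Select-String 'S-1-5-32-544')

    $findings = @()
    if ($uacSilent)      { $findings += 'UAC is off or auto-elevates silently: no protection for an admin account' }
    elseif (-not $uacMax){ $findings += 'UAC is below "Always notify": default level auto-elevates Windows binaries' }
    if (-not $epm)       { $findings += 'IE Enhanced Protected Mode (AppContainer) is off (assumed key)' }
    if ($epm -and -not $epm64) { $findings += 'EPM on but 64-bit tab processes off (assumed key)' }
    if (-not $smartScreen) { $findings += 'IE SmartScreen Filter is off (assumed key)' }
    if ($adminMember)    { $findings += 'Daily-use account is in Administrators; a standard user account limits what a payload gets even with UAC at max' }

    [pscustomobject]@{
        UacEnabled       = $uacOn
        UacAlwaysNotify  = $uacMax
        EpmEnabled       = $epm
        Epm64Bit         = $epm64
        SmartScreen      = $smartScreen
        AdminAccount     = $adminMember
        Findings         = $findings
    }
}

Get-NativeProtectionReport | Format-List
```

Note that "UAC set to max" and "admin account" pull in opposite directions: UAC only mediates elevation of that account's filtered token, so the secure-desktop prompt is the whole barrier between a drive-by payload and full administrative rights. Running the family accounts as standard users removes that dependency regardless of which AV is installed.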
