AV-Comparatives Real-World Protection Test - July-August 2022

Discussion in 'other anti-virus software' started by Spartan, Sep 15, 2022.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    To Bellgamin and Rasheed: although this may or may not pertain to this discussion, do either of you use a 3rd party file manager like Xplorer2 or XYplorer?
     
  2. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    But, the only case where it is definitely malware is where something is detected by signatures. Most antivirus will block or quarantine files detected by heuristics, but it doesn't necessarily mean that the files are suspicious. Avast and AVG have CyberCapture. If you try to open an unknown suspicious file, before launching it, it is uploaded to the cloud, run in a sandbox and checked for suspicious behaviours. If it is given a clean verdict, then it is run on your computer, otherwise it is blocked. ESET Smart Security Premium and endpoint versions of Kaspersky include comparable features.
    https://support.avast.com/en-au/article/antivirus-cybercapture-faq/#pc
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Exactly the point I was trying to make, no prompts for testing. So that's why I didn't understand all the fuss about my comments. But for power users, it might be cool to have an AV with a slightly more aggressive behavior monitor. But I'd rather rely on tools like SpyShelter and OSArmor for this.

    I sometimes do use XYplorer free version, why? To clarify, I use Win Explorer 99% of the time, I wish that M$ would improve it, because it's quite basic and has been pretty much the same since Win XP. However, replacements aren't that good either.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, but I don't see the point that you're trying to make. If these apps are falsely flagged as malware, then we call them false positives. Like I said, it doesn't matter how an AV is detecting malware, as long as they don't produce many false positives and don't leave the decision up to the user, it's all good. And it would also be nice if AV's didn't need to rely on the cloud, but apparently it's way too difficult to analyze files on the local machine, so we can forget about that.
     
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I thought you were talking about blocking files which are definitely malicious. If you want to include files or actions that are suspicious at the expense of false positives then that's fine for cases where there is a high degree of certainty that the file or action may be malicious. But there will be cases where an antivirus suspects a behaviour may be malicious, but without a high degree of certainty. In which case, if an antivirus only has the option to act automatically, it would be best to ignore such actions, to avoid excessive false positives. On the other hand if an antivirus asks the user what action to take, there will be the option to block the action if it is malicious. Of course users may make the wrong choice and allow malware to cause harm, but it's better than ignoring the action altogether.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, but that's the whole point of a good AV. It should catch as many malware samples as possible, without producing many false positives. I'm just saying that this ''user dependent'' stuff shouldn't even be mentioned in these kinds of tests, since the AV doesn't know if a file is actually malware or not.

    AV's should only be judged on the ability to auto-block malware, in my view. If I'm correct, only Norton and McAfee produced ''user dependent'' alerts in this test. And as mentioned before, I believe Win Defender will never produce such alerts, but of course Win SmartScreen will alert about unknown files, but in many cases these files are clean.
     
    Last edited: Sep 24, 2022
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,123
    Location:
    Hawaii
    @cruelsister -- no file manager here except what came with the OS.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Higher-risk users need aggressive AVs. I consider that AV aggressiveness must result in FPs/alerts at the current stage of security AI et alia.

    Further, I still am convinced that AVs with little or no user decisions are sacrificing a degree of security in order to achieve that. So I like options for higher-risk users, advanced or not. If higher risk users are NOT advanced, they jolly well better GET advanced if their job or business would be damaged by a security failure.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In other words, you are saying that when an AV runs across a malware-typical behavior, it should either be automatically blocked or else automatically allowed by the AV?

    Suppose that the malware-type behavior is done by an actual malware app. If automatically allowed, you have an infected computer.

    On the other hand, suppose that the malware-type behavior is done by a non-malware app in a perfectly legitimate way. If automatically blocked, the user (having no alert of the blockage) will wonder why his computer has started acting up.

    Why are the above occurrences very rare even though an AV is handling malware-type behaviors automatically? Because EITHER their users are NOT higher-risk users OR (like Rasheed) they use other security apps such as OSArmor & Spyshelter to offset the security compromises made by "no alerts" AVs.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    P.S. Folks with one or more wildcat net surfers using their computer(s) might even want to consider kiosk software. :rolleyes:

    P.P.S. BTW, a kiosk-based computer once beat me at chess, but it was no match for me at kickboxing
     
    Last edited: Sep 24, 2022
  8. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Completely agree with auto-block comment. If users have to make judgements as to a file being malware, the program is not worth anything in reality. I use WD and it does not allow (or want) users to make possibly critical decisions.
     
  9. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I think the tests are fine as they are, considering that they show what amount of detections were user dependent, which makes it clear what antiviruses blocked everything automatically. For those like yourself who only care about automatic blocking, you can see what antiviruses required no user action.

    In my case and this is not relevant to testing, I would like antiviruses to give me the option to never act automatically. But that's a very rare feature these days.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I guess so. But as said before, these types of ''user dependent'' alerts actually give the user a chance to allow the malware to run, so the AV is not really sure, and many users may ignore this warning if it's some app that they really would like to run. So I believe this stuff gives a false display of results, since you can't predict how users will react. The only thing that really counts is the ability to auto-block malware without causing many false positives.

    Yes exactly, that's why M$ has probably chosen not to implement a more aggressive behavior blocker into the AV, but for power users I guess it would be nice to have. On the other hand, it might trigger many false positives. I believe behavior blocking is best left to third party tools like SpyShelter, OSArmor and HitmanPro.Alert for example.
     