Real-World Protection Test March 2017

Discussion in 'other anti-virus software' started by Thankful, Apr 13, 2017.

  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    In the test with Emsisoft the system was not compromised. 94.5% were blocked but 5.5% was user dependent.
     
  2. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    You aren't seeing the whole picture. User dependent is only bad when warnings aren't clear and false positives are high, and none of these are present when using Emsisoft.
    Emsisoft has been consistent at 100% protection; its behavior blocker is very strong, even against ransomware.

    I think Emsisoft could tweak its behavior blocker to score high in tests (less "user dependent"), but it will probably result in higher false positive numbers and no real protection gain.

    This is the user dependent alert:

    http://blog.emsisoft.com/wp-content/uploads/2015/12/ZeroLocker.png

    Informative and easy to use, and with the cloud's help an average user will almost never have to deal with it anyway.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Detected 100% -- 94.5% blocked + 5.5% user alerted and given choice with a recommendation to quarantine.

    OoPs - what Nightwalker and TonyW said.
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    McAfee had good detection but too many FPs.
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Odd. I have Avira and MBAM 3 without the issue you describe.
     
  6. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Evening! Back to Vipre...Advanced Security...2017...in tandem with Zam...the new Vipre runs flawlessly; the main improvements adding Bitdefender Engine...and eliminating minor bugs Hips and Firewall Settings and Page loading etc. It in my view being extremely User Friendly! Making Southern Florida...Great Again...Lol! Y'all have a Super Downtown...Groooovy Weekend! The Best from your Canadian Brothers...Sisters...and Mothers! Sincerely...Securon
     
  7. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Nice to see Microsoft doing well :thumb:
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    I have considered Vipre because of its string of excellent results in AV-Comparatives RW testing. Also it's an "old coat" familiar product that seriously fell from grace and has now risen from the ashes - the Phoenix of security suites. That was great to see. The old Sunbelt crew was tenacious and worked so hard to improve it. But its firewall has given me pause.

    I know that PC Mag can be off the wall in its evaluation of security products, but still, when I read something like the following I cannot ignore it:

    "...Even with all systems running in high gear, Vipre didn't do well when I attacked the test system with exploits generated by the CORE Impact penetration tool. Out of about 30 exploits, it blocked exactly one at the network level. Its antivirus component wiped out the malicious payload for a few others. But overall Vipre did little to defend against exploits..."

    http://www.pcmag.com/article2/0,2817,2471672,00.asp

    The test was of Vipre IS Pro 2016.

    IIRC most of the products popular with Wilders members block 80% - 100% of the Core Impact tool's exploits.

    Dunno if 2017 Vipre has improved on the firewall.
     
    Last edited: Apr 29, 2017
  9. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Evening! Firewalls, Hawki, are always part Goodness and Badness...I, like you, can remember the old Sunbelt Firewall...and CounterSpy...Ah the Olden Goldies! I believe Vipre...and Sunbelt ran into difficulties when Sunbelt was sold to ThreatTrack... but was re-engineered by obviously competent personnel...and the Hits Just Keep on Coming! A great story of Revival!
     
  10. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Evening! From an Historical perspective, prior to ThreatTrack Vipre was owned by another Company... GFI Software earlier this month spun off its security business into a new company called ThreatTrack, whose core assets came from the 2010 acquisition of Sunbelt Software. Love Google to make up for Senior Moments...Lol! But I feel that GFI...was primarily interested in the Business End User market...and wasn't focusing on the Consumer product...merely my observation...like all Mergers and Take Overs...it can be and is usually far more complicated. Well Onward and Upward. Interesting Times Indeed! Sincerely...Securon
     
  11. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Most AV vendors performed well. The results will keep changing each month. Also, have you checked the amount of samples used? It's somewhere around 350, which is too small for even just a day, forget a month.

    Again, these tests are always interesting, but they will definitely not dictate how well the product does in the real world, considering AV-C never tells us what they consider as a bypass. Just use what works for you.
     
  12. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,003
    Again and again in every thread re AV-C tests, you are repeatedly saying the same thing.

    The story re the amount of samples used by AV-C has been explained so many times. Here is one more =
    http://weblog.av-comparatives.org/sample-quality/

    --------------------
    AV-Comparatives Certified as First EICAR Trusted IT-Security Testing Lab
    https://www.av-comparatives.org/eicar-trusted-lab/
     
    Last edited: Apr 30, 2017
  13. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    I am talking about the real world test, to be on topic:
    https://www.av-comparatives.org/wp-content/uploads/2017/04/avc_factsheet2017_03.pdf

    The link you posted is for malware protection, NOT for real world.

    "The results are based on the test set of 329 live test cases (malicious URLs found in the field), consisting of working exploits (i.e. drive-by downloads) and URLs pointing directly to malware. Thus exactly the same infection vectors are used as a typical user would experience in everyday life. The test-cases used cover a wide range of current malicious sites and provide insights into the protection given by the various products (using all their protection features) while surfing the web."
     
  14. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Again, the link never specified what is counted as bypassed. If you want to talk about the malware protection test, remember the test has samples that were already collected, NOT downloaded in the presence of the product. Now speaking about the general factors to a bypass count:

    a) If the sample runs, do they call it a bypass without checking whether it did any change or damage to the system or tried to steal user data in the presence of the AV? (This should apply for both Real World and Malware Protection.)
    b) The tests don't know anything about the relationship of the samples. If you detect the dropped binary and miss the dropper, the system still remains protected. Is this counted as a bypass? (RW, MP)
    c) The tests are carried out long after the real infection took place, so it's kind of useless from today's point of view. Consider one of the VT links from the blog post. The first one is 4 months old. Do you think this malware specifically would still be spreading in the real world or would be alive? (Specifically applies for MP because samples are pre-collected, not downloaded from the malware URL in the presence of the AV.)
    ~ Removed VirusTotal Results as per Policy ~

    d) There is little or no info on how the testbeds are created. All these 99.1% and such scores are not real for truly 0-day malware. The overlap of the products' detections is not as great as the Clementi/Marx tests suggest.

    There has to be some detail on what is called a bypass. E.g.: with Comodo, if you run a malware it gets sandboxed and the file can't do anything, and still testing orgs call it a miss. If the sample does no damage or stealing, it can't be called a bypass.

    I am never in denial of the certification or the org. Honestly, it makes little difference to the matter. What I am asking for is clarification on what they don't seem to explain. These are just certain things that come to mind for me. Just my 2 cents. It's not that I don't like the tests; they are interesting for me as a malware hunter and researcher, but these are just my points.

    Thanks,
    TI
     
    Last edited by a moderator: Apr 30, 2017
  15. guest

    guest Guest

    a- If it is an AV, it is a bypass of the detection. It is why FUD malware are made in the first place.
    b- Nope. What matters are the dropped files.
    c & d- All depends on what the test is about; if it is a prevalence test, the age of the malware doesn't matter (as opposed to 0-day tests).

    Exact, but for an AV, which is supposed to detect the sample in the first place before the other modules kick in, it is a bypass of the detection, not of the product.
    Anyway, the signature model is clearly obsolete and unreliable. AVs are made for beginners because they don't have the technical skills to use anything else.
     
  16. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,003
    The link I posted was an example re AV-C sample methodology.
     
    Last edited: May 1, 2017
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,003
    Say to the AV industry to accept your standards and regulations instead of the European Expert Group for IT-Security (EICAR) or the Anti-Malware Testing Standards Organization (AMTSO), i.e.
     
  18. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Sorry, but I don't understand your anger against my opinion. You can seriously ignore what I say if it offends you, but you choose to keep arguing over something that has nothing to do with you. Am I not entitled to my opinions and queries here? I would honestly suggest you watch your condescending and rude tone, my friend. My statements and queries are all aimed at testers and trying to get answers for my queries. I didn't expect this kind of a tone from an elder like you who is of a high caliber.

    When did I ask the AV industry to accept anything? Those were just some things (opinion/queries) I wanted clarification on. What is wrong in that? AMTSO has been around for ages and surely the AV industry tries to make the tests better, so it's surely not just me. This is just my opinion; no need to get all worked up on it just because I have some queries that I would like to know whether or not they consider as bypassed. Simple as that!

    Honestly, what certification says these tests are "perfect"? They are a label saying these test methods are valid, which they are. With millions of samples coming every day, what sort of tests would be valid anyway? The goal is to make it as accurate as possible, not perfect, which can never be.

    guest just pointed out some lethal points which make sense for the tests, and therefore more vendors are moving towards cloud and other stuff because traditional AV updates are just not enough.

    a) AV is never a topic here. It's the whole product when it comes to this type of test. So you are right.
    b) Correct, but do testers count it this way? That is the question. :)
    c/d) In real world I think this would be solved since they test the actual URL. So that point may just apply for Malware Protection, where they already have a set of samples. :)
     
    Last edited: May 1, 2017
  19. guest

    guest Guest

    Indeed. Anyway, there is no such thing as a real world test; you want realism? Put a human in front of the test machines, send them weaponized emails, compromised links and infected USBs. Then maybe you will have something close to "reality". I'm amazed that was not even considered by those so-called "independent" test labs...
    a- Not saying AV vendors focus on their proactive abilities (BB, HIPS, sandbox, etc...), but the real-time engine is becoming less and less prominent. It is a clear sign that the signature model is destined to perish; now some start to use Machine Learning instead.
    b- I guess not. :D
    c- I agree.
     
  20. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Agreed! B) I think we have to wait until a reply from them :geek:
     
  21. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,316
    Location:
    Earth
    MSE results are good enough for full-time protection, it seems! Hurray!
     