Interesting stuff. So Cybereason, CrowdStrike and FireEye ended up in the bottom when it comes to the Real-World Protection Test. Surprising since they are all highly respected companies. I would like to know more details about this, why would they fail to spot malware on this test, when they did quite well on the Malware Protection Test. It shouldn't matter how malware is delivered normally speaking.
It obviously does. In the Malware Protection test, the samples were already present on the disk. In the Real-World test, assume most of the malware was downloaded via a browser. Or the malware was assisted in execution by the browser. Starting to get the picture?
I'm going to agree with both of you. It "shouldn't" matter, but it obviously does as you stated. A product should be more suspicious of something downloaded from a browser, but it also shouldn't miss it because it wasn't.
I think most products are, but more to the point here was that it would appear (to me anyway) that most products these days are willing to call something malware just because it was downloaded by a browser and tagged as such until it is proven otherwise. What if in a real world situation you were already infected and installed a product to deal with said infection and it just ignores it because it was "already there"? It just seems lazy and ineffective to me.
The Next Gen products you referred to are weak on network protection. These products are installed in commercial environments where it is assumed that the network perimeter is being secured by a dedicated network appliance. Another possible factor is Next Gen products are weak against script based malware; especially those deployed using legit Win "living off the land" techniques.
Yes, that's what I'm afraid of, and it would be pretty painful since they always brag about how good they are at detecting this stuff.