Business Security Test August-November 2020

Discussion in 'other anti-virus software' started by Minimalist, Dec 15, 2020.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
  2. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    thanks, mini. :thumb:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't get it, when a product failed to protect in the Real World Test, did it fail to block malware from running, or did it fail to block a malicious URL from loading? I honestly believe they make these tests a bit too complex to figure out. And if it's truly about failing to block malware from doing any damage, then it's shocking that highly rated companies like Sophos, CrowdStrike, Cisco and FireEye performed this badly.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Assume either of those:
    If one can't connect to a web site serving up malware, you can't be infected by it. Ditto for a redirect for example. If the redirect is blocked, you never reach the malicious web site.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
But yes, of course, but I'm not really interested in whether these AV solutions can block malicious URLs; I care about whether they can block malware no matter how this malware is delivered. So no matter if malware is downloaded and run by the user, or is trying to load via some automatic exploit, it should be stopped.

In my opinion, malware doesn't even have to be blocked from running; for me it's important that it can't do any damage. I wish these types of tests would at least explain what type of malware these AV solutions failed to block and which damage was done. Now it's way too vague.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    You're welcome :)
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
In a perfect malware detection world, that would be the case. Also, if this were the case, the vendor would offer a 100% guarantee against malware infection, which none do.

Again, the most realistic approach is to block as many threat vectors as you can.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
Only somewhat agree with this. It really depends on the anti-malware product being used and whether or not the end user has the know-how to recognize when something "doesn't look right", based on how the anti-malware product is reacting to the installation (infection) process.

    This I agree with. This is all that matters from my humble POV.

    Yes, although I'd rather stop the infection chain at the beginning steps. I know you and many others are sandbox fans, and that's great, but I'd prefer to stop the malware infection process at the beginning, rather than containing it after it's running.
     
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    +1.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
No, I agree, but my comment was based upon the fact that these reports are not always clear. But I assume when they say a system is "compromised", AVs could not block the malware from running. But the question that comes to mind is, even if they failed to block them from running, why on earth didn't they stop them from doing any damage? Don't these AVs have multiple protection layers? And why not mention which samples these AVs failed to block?

I don't understand your point. The AV has one job, and that's to block malware from running, or at least to block it from doing any damage without relying on the user. That's why certain AVs have added post-execution behavior blocking: there is always a chance that malware has somehow found a way to run, and AVs should then look for suspicious behavior like, for example, code injection, file reading and modification, and keylogging.

See above, some malware attacks are more complex than others. I would also rather block malware from running instantly, but it's not always possible. In this case you should be able to contain and block suspicious behavior even if it's in phase 2 or 3 of the attack.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
I guess it's because I'm looking at it from the perspective of using anti-malware protection that isn't necessarily based on only antivirus as the main protection. I confess I haven't used 3rd-party AV in years, only using Windows Defender, and that only as secondary protection in my setup. I don't put too much faith in signature-based or even the AI-based products. There's a risk of FPs or, worse, they miss something malicious.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
I actually haven't used an AV in 12 years; I relied completely on VirusTotal and behavior blocking tools. But I was pleasantly surprised by how light Win Defender is, so I will probably stick with it. But anyway, what I'm saying is that the tools that were tested are quite advanced, with multiple layers of protection; let's take Sophos and CrowdStrike, for example. So how on earth did they fail to block so many malware samples? It would be nice if this report explained what exactly went wrong.

    https://www.sophos.com/en-us/products/endpoint-antivirus.aspx
    https://www.crowdstrike.com/endpoint-security-products/falcon-endpoint-protection-pro/
     