Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 10-28-2017, 10:08
SOLAR SOLAR is offline
Friend
 
Join Date: Aug 2004
Posts: 126
Rept. Given: 6
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 12
Thanks Rcvd at 6 Times in 6 Posts
SOLAR Reputation: 2
Question Ask ExeTools: Best Antivirus & AntiMalware 2017

Hello friends,

Based on your research and experience which antivirus & antimalware software is the best? Commercial or otherwise.

"Best" meaning reliable, good to great detection rates etc.
Reply With Quote
  #2  
Old 10-28-2017, 12:31
Zipdecode's Avatar
Zipdecode Zipdecode is offline
Unpack Safenet :)
 
Join Date: Oct 2005
Posts: 264
Rept. Given: 309
Rept. Rcvd 116 Times in 46 Posts
Thanks Given: 174
Thanks Rcvd at 66 Times in 23 Posts
Zipdecode Reputation: 100-199 Zipdecode Reputation: 100-199
Malwarebytes for Malware. I use - very good

Antirus AVG for virus and ransomware - It is very light and does not consume as much resource

and online scanning I use eset online scanner -
for me one of the best virus scanner cleaner online

hxxps://www.pcmag.com/article2/0,2817,2372364,00.asp
__________________
Once finished the game, the king and the laborer they return to the same box

Last edited by Zipdecode; 10-28-2017 at 17:22.
Reply With Quote
The Following User Says Thank You to Zipdecode For This Useful Post:
abhi93696 (10-28-2017)
  #3  
Old 10-28-2017, 12:41
runio runio is offline
Friend
 
Join Date: Jul 2016
Location: Earth
Posts: 14
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 6
Thanks Rcvd at 12 Times in 8 Posts
runio Reputation: 0
For antivirus I use Eset Nod32 and for anti-malware I use Malwarebytes.
Reply With Quote
  #4  
Old 10-28-2017, 17:34
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 307
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 268 Times in 83 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
What exactly is the difference between "antivirus" and "antimalware" supposed to be?

Most companies sell "anti-virus" and "internet security" products. The first include only "anti-virus", the last include "anti-virus" + "firewall" + "<insert any number of words which somehow should sound to a stupid end-user like they do something important>".

Since the Windows Firewall has a default "allow all outgoing traffic" rule which you cannot change I would say it's mandatory to use an "internet security" product, not only to block (non-malware) "call home" software, but also to block malware which is not yet detected from connecting to its control server.

When you see any tests conducted by a website or a magazine, the rating will always be something like "60% detection rate, 30% resource usage, 5% user interface, 5% other features". This sadly means two things:
  • Many products just have no way of configuration. You just get a big red "on/off" button and a "you are secure" text, but you cannot configure anything you might care for.
  • Many of the "internet security" products with good rating include completely functionless "firewall", "secure banking", "child protection", etc. modules, just because these things are not tested and have no real influence on the final rating.

Two examples: In nearly all tests Kaspersky and BitDefender are on #1 and #2 in the list. These products might have a good detection and resource usage rate, but:
  • BitDefender has pretty much no configuration settings at all. It just runs and that's it. Even the "advanced configuration" menu has just something like "allow NetBIOS yes/no" and "configure proxy for internet connection" and nothing else.
  • Kaspersky has many (and good) configuration possibilities. However, the way the software works is that any unknown application will have full internet (and system) access on the first launch, since you can only configure a application after the first launch. You cannot change that behaviour by any setting, this makes the firewall (and HIPS) completely useless. To make it even more useless: All user-defined rules are deleted 30 days after the last edit, making a known applications "unknown" again. No "test" will notice that, since they only use default settings and don't run for more then 30 days.

So my suggestion:
  • Always use a combined antivirus+firewall solution. Firewall-only products don't really exist any more and they probably don't play nice with anything expect Windows Defender.
  • Do not use more that one "real-time" solution at the same time. Maybe with the exception of "Windows Defender", all other products will badly influence each other, making the system slower and less secure.
  • Use addons like Ad-blockers and JavaScript-blockers in your webbrowser. Do not rely on your anti-virus to detect anything which is not saved on your harddisk and just exists in your webbrowser's memory
  • Make sure that your anti-virus will scan encrypted connections (off by default in many solutions for compatibility reasons) and make sure that it won't downgrade the encryption parameters just because the programmers were to lazy to implement anything else than "RC4 40bit".
  • Set any "preview" options in your email software to disabled. Disable anything which downloads data from the internet when you open an email. This makes sure you can delete a suspicious email without automatically executing the included malware. (if you ever meet a programmer who allowed JavaScript in emails, hit him somewhere it really hurts)
  • Always update your important software: OS, anti-virus, webbrowser. Even if you have a pirated Windows version you will get Windows updates.
  • Regulary update other software: media players, picture viewers, download managers, etc.
  • Don't use cracked software. Cracked software might contain malware.
Reply With Quote
The Following 4 Users Say Thank You to Kerlingen For This Useful Post:
abhi93696 (10-28-2017), alekine322 (11-29-2017), chessgod101 (10-29-2017), tonyweb (10-30-2017)
  #5  
Old 10-28-2017, 19:24
TechLord TechLord is offline
Banned User
 
Join Date: Mar 2005
Location: 10 Steps Ahead of You
Posts: 786
Rept. Given: 389
Rept. Rcvd 247 Times in 112 Posts
Thanks Given: 806
Thanks Rcvd at 2,058 Times in 595 Posts
TechLord Reputation: 200-299 TechLord Reputation: 200-299 TechLord Reputation: 200-299
Quote:
Originally Posted by Kerlingen View Post
...[*]Don't use cracked software. Cracked software might contain malware.
Yes, it's always better to "patch" it ourselves

Yes, but seriously, for "normal users" (meaning those who are not security experts for example) , I would say that McAfee Antivirus+Firewall is a good solution.
We'd been using it and recommending it to our clients for more than 25 years and it had always stood strong.
Just the McAfee AV+Firewall is enough - don't go for the 10-in-1 suite etc which just slow down your system...

Sysmantec (norton) AV used to be good but now it has become too much of a bloat ...

Finally, remember that many of the "reviews" online and in mags are mostly paid (many are not aware of it).

So its best to take them with a pinch of salt.

You may notice that the "good" AV companies rarely bother to pay them to get them better reviews, which is why one does not see them very high up on the list.

Around 20 years ago, I remember that AVG AV used to be on the top of the review lists but it did a very sorry job of catching any real malware.

The Windows Defender is just Entry-level at best, even now, and fails to catch many of the sophisticated malware that's around. Further, it does slow down the system quite a bit.
I know since I removed it off long ago after benchmarking.

Finally. most of the security professionals do not have any AV on their system at all
Just good security practices keep the system safe.
Reply With Quote
The Following 2 Users Say Thank You to TechLord For This Useful Post:
alekine322 (11-29-2017), tonyweb (10-30-2017)
  #6  
Old 10-28-2017, 20:52
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 117
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 26
Thanks Rcvd at 52 Times in 26 Posts
Conquest Reputation: 29
Windows firewall control with windows defender and lil bit of caution while executing any random file. I do take back up of the system at regular interval though
Reply With Quote
The Following User Says Thank You to Conquest For This Useful Post:
tonyweb (10-30-2017)
  #7  
Old 10-29-2017, 21:01
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 499
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 95
Thanks Rcvd at 761 Times in 363 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
All antivirus is a scam, just use Windows Defender and don't be a complete turd when dealing with downloaded files...
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 8 Users Say Thank You to mr.exodia For This Useful Post:
alekine322 (11-29-2017), cybercoder (11-01-2017), foil (11-01-2017), mm10121991 (11-29-2017), Pansemuckl (11-02-2017), TechLord (10-30-2017), tonyweb (10-30-2017), zeffy (11-06-2017)
  #8  
Old 10-30-2017, 11:18
surferxyz surferxyz is offline
Friend
 
Join Date: Jan 2005
Location: Planet Earth
Posts: 70
Rept. Given: 0
Rept. Rcvd 8 Times in 4 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 19 Posts
surferxyz Reputation: 8
All antivirus products have complicated engines with a large amount of attack surface increasing your risk. So ensure you do not add such complicated software to your TCB.

If you want to know if a particular executable is flagged as malicious, you should probably just install a few in a couple of different virtual machines, or use virustotal.

However virustotal does not have the more CPU intensive desktop versions of many antivirus and so the unpacking/emulation functionality built into most desktop antivirus is not present, so running them yourself in different virtual machines makes sense.

Awhile ago I tested a few different antivirus to see how good they were at detecting flagged code that I obfuscated with simple methods. I found that kaspersky and f-secure had the best unpacking/emulation functionality.

At the end of the day, the features you might need for your antivirus are specific to your use case. (do you need good historical signatures of DOS malware or not?) (do you need signatures for esoteric platforms like z/OS?) (do you need high quality centralized administration to manage a large corporate network?)
Reply With Quote
  #9  
Old 10-30-2017, 17:49
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 307
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 268 Times in 83 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Quote:
Originally Posted by mr.exodia View Post
All antivirus is a scam, just use Windows Defender and don't be a complete turd when dealing with downloaded files...
Malware doesn't only spread by voluntary downloading and executing unknown software.

There are more than enough drive-by-downloads you catch on legitimate and well known websites. What are you supposed to do there? Stop using your computer for 4 or 6 weeks until Windows or your webbrowser gets an update?

More likely you will trust that an anti-virus which gets updated several times a day will prevent these kind of exploits until they get fixed by software updates.
Reply With Quote
  #10  
Old 10-30-2017, 19:15
an0rma1 an0rma1 is offline
Friend
 
Join Date: Feb 2002
Posts: 195
Rept. Given: 105
Rept. Rcvd 25 Times in 16 Posts
Thanks Given: 337
Thanks Rcvd at 73 Times in 34 Posts
an0rma1 Reputation: 25
Win10 here.

I usually used Windows Defender and BWMeter firewall/meter for internet blocking/etc.

But... I want my Antivirus disabled for long periods of time, i could use exceptions in folders, as i tend to have tons of "weird" files in my pc, not only cracks or keygens, that i know they are not virus/malware, but the antivirus tend to block, delete them. But also i tend to deal with programming and using packers, hacks, etc...

So... in Windows defender i can disable completely the antivirus, but it will be enabled automatically after some time. I hate coming back to my pc and seeing 1000 detections... Finally switched to Eset, i disable it until next reboot (usually weeks).

Of course, i know what i am doing, if i need to scan something or execute something i send it to virustotal or even to a online sandbox.

Regards!
Reply With Quote
  #11  
Old 10-30-2017, 23:02
SKiLLa SKiLLa is offline
Friend
 
Join Date: Jul 2016
Location: Europe
Posts: 29
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 18
Thanks Rcvd at 17 Times in 16 Posts
SKiLLa Reputation: 0
All the major hacks and Advanced Persistent Threats (APT) stats show that AV solutions don't work; sure it might flag a really really well-known malware family in your mailbox or dubious website; but any 0day variant will - by definition - not be detected; even heuristics won't help much for bigger campaigns (malware developers test as well you know )

It's also shockingly easy to take any random well known malware family and make it undetectable; it's even - probably the easiest - part of the OSCE exam.

Then add the fact that for performance reasons it will not even detect really old malware anymore and performance-impact is still noticable; I can't recommend ANY (locally installed) antivirus/malware solution to start with.

Even very expensive enterprise ones still have false positives and true negatives and thus using AV-solutions can actually give a false sense of security; you're not as secure as you think your are.

Have it on the mailserver doesn't really hurt; but for local stuff, just do your updates, use a restricted account and the OS built-in firewall (assuming recent OSes, not talking WinXP here). For playing with untrusted downloads just use a VM with optionally Sandboxie within that VM and rollback to your snapshot afterwards, just to be sure.

For non-tech savy people / "end users", just scare them to death to never ever click any fake updates, download or bill they got sent by e-mail and install the AV that got first place in a big AV test for this Quarter (like: best effort for the given moment).
Reply With Quote
The Following User Says Thank You to SKiLLa For This Useful Post:
niculaita (11-01-2017)
  #12  
Old 10-30-2017, 23:47
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 612
Rept. Given: 16
Rept. Rcvd 40 Times in 24 Posts
Thanks Given: 553
Thanks Rcvd at 901 Times in 416 Posts
chants Reputation: 40
It is a famous "cat and mouse" game as you always have to stay current. Yes you can always wrap something and make it undetectable but the importance of staying current is an issue.

I always go with Windows Defender, a properly configured router, and care when running strange binaries by sandboxing/VM. Yes the random malware that infects legitimate sites like the one that occurred recently in CCleaner right after Avast, an antivirus company acquired it, is hilariously ironic in this case but its not so common that it cannot be dealt with as a one off.

The problem with AV, is its hard to measure future detection rates. And we don't care about the past so much here. The question on detection rate, is if some arbitrary malware comes out, how long it would take before that particular AV detects it or if not what % will it achieve. So we are left with our own empirical evidence and feelings and some configurability on top of a black box engine which we indeed can do nothing but speculate about.

Most of the malware nonsense is just fun and games anyway and questionable beyond at a big enterprise or for a sysadmin maintaining a lot of computers, or for really naïve users who would never be able to do a self repair.

It is only interesting if we are talking about BIOS hacking, and hypervisor chips and what the real racketeers hiding behind agencies are up to. Then well, really, someone probably already "owns yours box" especially if you browse this forum. And since they can physically break in and enter with almost no effort, unless you are going to design an unhackable chipset, you probably won't even be able to guard a new purchase past a week. But if anyone manages to beat the big crooks, it would be interesting. But its non trivial and would require a huge amount of work. And you are not getting much help from big hardware business these days who are largely trying to lock up their corners of the financial markets by complying and bending over backwards to the nearest government power structure. But the AV companies stay out of here too. And the hardware companies have dumped firmwares containing extremely sophisticated monitoring and harassment packages and keep their lips shut.
Reply With Quote
  #13  
Old 11-01-2017, 10:06
tusk tusk is offline
Friend
 
Join Date: Jun 2016
Posts: 27
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 5
Thanks Rcvd at 12 Times in 8 Posts
tusk Reputation: 0
I don't remember of having any issue with virus since a DOS 11 disks game a friend gave me like.. 25 years ago (the so called virus was even able to change it's filename, that was super cool at that time I loved it).

Using trusted sources, being smart with what you use + set up proper backups <--
Then, just pray not to get any new kind of worm - there also is a bit of chance here sometimes.

There will always be someone looking for new vulnerabilities, that would pass your AV + Firewall solutions. And since you can't spend all your time to search yourself for the same (not even talking about the skills required - i certainly don't have them), somehow you just have to continue your usual life, and most probably everything will be ok for years without anything wrong happening.


I still use ESET smart security. Don't know if it's really worth it, but as Kerlingen pointed out, you need at least to be able to block outgoing traffic (for malwares, and of course you want to control app that are calling home while reversing) plus I guess having a basic AV which is not using to much resources is still something to do ; but as I said, I rely *way* more on my backups than on anything else...
Reply With Quote
  #14  
Old 11-01-2017, 14:59
smallfox smallfox is offline
Friend
 
Join Date: Sep 2002
Posts: 56
Rept. Given: 32
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 15
Thanks Rcvd at 5 Times in 4 Posts
smallfox Reputation: 0
im happy with smadav, it suits my needs. any unreliable software source are run inside vmware for extra safety
Reply With Quote
  #15  
Old 11-01-2017, 23:12
foil foil is offline
Friend
 
Join Date: Feb 2017
Location: 0xFFFFFFFF
Posts: 12
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 9
Thanks Rcvd at 7 Times in 7 Posts
foil Reputation: 0
I keep Malwarebytes around for browser exploits..

I highly recommend GlassWire as a firewall though! It's extremely light, and has really nice monitoring, graphs, and control.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Best Antivirus Engine mantovano General Discussion 102 02-16-2011 18:13
Antivirus API just4urim General Discussion 4 02-06-2005 02:49
Anti Antivirus = ? Virus ?? Trojan ?? drasd_20002 General Discussion 3 06-05-2003 00:03


All times are GMT +8. The time now is 22:14.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )