Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Ask ExeTools: Best Antivirus & AntiMalware 2017 (https://forum.exetools.com/showthread.php?t=18475)

SOLAR 10-28-2017 10:08

Ask ExeTools: Best Antivirus & AntiMalware 2017
 
Hello friends,

Based on your research and experience which antivirus & antimalware software is the best? Commercial or otherwise.

"Best" meaning reliable, good to great detection rates etc.

Zipdecode 10-28-2017 12:31

Malwarebytes for malware. I use it - very good.

Antivirus AVG for viruses and ransomware - it is very light and does not consume as many resources.

And for online scanning I use ESET Online Scanner -
for me one of the best online virus scanners/cleaners.

hxxps://www.pcmag.com/article2/0,2817,2372364,00.asp

runio 10-28-2017 12:41

For antivirus I use Eset Nod32 and for anti-malware I use Malwarebytes.

Kerlingen 10-28-2017 17:34

What exactly is the difference between "antivirus" and "antimalware" supposed to be?

Most companies sell "anti-virus" and "internet security" products. The former include only "anti-virus", the latter include "anti-virus" + "firewall" + "<insert any number of words which somehow should sound to a stupid end-user like they do something important>".

Since the Windows Firewall has a default "allow all outgoing traffic" rule which you cannot change I would say it's mandatory to use an "internet security" product, not only to block (non-malware) "call home" software, but also to block malware which is not yet detected from connecting to its control server.

When you see any tests conducted by a website or a magazine, the rating will always be something like "60% detection rate, 30% resource usage, 5% user interface, 5% other features". This sadly means two things:
  • Many products just have no way of configuration. You just get a big red "on/off" button and a "you are secure" text, but you cannot configure anything you might care for.
  • Many of the "internet security" products with good rating include completely functionless "firewall", "secure banking", "child protection", etc. modules, just because these things are not tested and have no real influence on the final rating.

Two examples: In nearly all tests Kaspersky and BitDefender are on #1 and #2 in the list. These products might have a good detection and resource usage rate, but:
  • BitDefender has pretty much no configuration settings at all. It just runs and that's it. Even the "advanced configuration" menu has just something like "allow NetBIOS yes/no" and "configure proxy for internet connection" and nothing else.
  • Kaspersky has many (and good) configuration possibilities. However, the way the software works is that any unknown application will have full internet (and system) access on the first launch, since you can only configure an application after its first launch. You cannot change that behaviour by any setting, which makes the firewall (and HIPS) completely useless. To make it even more useless: all user-defined rules are deleted 30 days after the last edit, making known applications "unknown" again. No "test" will notice that, since they only use default settings and don't run for more than 30 days.

So my suggestion:
  • Always use a combined antivirus+firewall solution. Firewall-only products don't really exist any more and they probably don't play nice with anything except Windows Defender.
  • Do not use more than one "real-time" solution at the same time. Maybe with the exception of "Windows Defender", all other products will badly influence each other, making the system slower and less secure.
  • Use addons like ad-blockers and JavaScript-blockers in your web browser. Do not rely on your anti-virus to detect anything which is not saved on your hard disk and just exists in your web browser's memory.
  • Make sure that your anti-virus will scan encrypted connections (off by default in many solutions for compatibility reasons) and make sure that it won't downgrade the encryption parameters just because the programmers were too lazy to implement anything else than "RC4 40bit".
  • Set any "preview" options in your email software to disabled. Disable anything which downloads data from the internet when you open an email. This makes sure you can delete a suspicious email without automatically executing the included malware. (If you ever meet a programmer who allowed JavaScript in emails, hit him somewhere it really hurts.)
  • Always update your important software: OS, anti-virus, web browser. Even if you have a pirated Windows version you will get Windows updates.
  • Regularly update other software: media players, picture viewers, download managers, etc.
  • Don't use cracked software. Cracked software might contain malware. ;)

TechLord 10-28-2017 19:24

Quote:

Originally Posted by Kerlingen (Post 111053)
... Don't use cracked software. Cracked software might contain malware. ;)

Yes, it's always better to "patch" it ourselves ;)

Yes, but seriously, for "normal users" (meaning those who are not security experts, for example), I would say that McAfee Antivirus+Firewall is a good solution.
We've been using it and recommending it to our clients for more than 25 years and it has always stood strong.
Just the McAfee AV+Firewall is enough - don't go for the 10-in-1 suite etc which just slow down your system...

Symantec (Norton) AV used to be good but now it has become too much of a bloat ...

Finally, remember that many of the "reviews" online and in mags are mostly paid (many are not aware of it).

So it's best to take them with a pinch of salt.

You may notice that the "good" AV companies rarely bother to pay them to get them better reviews, which is why one does not see them very high up on the list.

Around 20 years ago, I remember that AVG AV used to be on the top of the review lists but it did a very sorry job of catching any real malware.

The Windows Defender is just Entry-level at best, even now, and fails to catch many of the sophisticated malware that's around. Further, it does slow down the system quite a bit.
I know since I removed it off long ago after benchmarking.

Finally, most of the security professionals do not have any AV on their system at all :)
Just good security practices keep the system safe.

Conquest 10-28-2017 20:52

Windows Firewall Control with Windows Defender and a little bit of caution while executing any random file. I do take backups of the system at regular intervals though.

mr.exodia 10-29-2017 21:01

All antivirus is a scam, just use Windows Defender and don't be a complete turd when dealing with downloaded files...

surferxyz 10-30-2017 11:18

All antivirus products have complicated engines with a large amount of attack surface increasing your risk. So ensure you do not add such complicated software to your TCB.

If you want to know if a particular executable is flagged as malicious, you should probably just install a few in a couple of different virtual machines, or use virustotal.

However virustotal does not have the more CPU intensive desktop versions of many antivirus and so the unpacking/emulation functionality built into most desktop antivirus is not present, so running them yourself in different virtual machines makes sense.

A while ago I tested a few different antivirus products to see how good they were at detecting flagged code that I obfuscated with simple methods. I found that Kaspersky and F-Secure had the best unpacking/emulation functionality.

At the end of the day, the features you might need for your antivirus are specific to your use case. (do you need good historical signatures of DOS malware or not?) (do you need signatures for esoteric platforms like z/OS?) (do you need high quality centralized administration to manage a large corporate network?)

Kerlingen 10-30-2017 17:49

Quote:

Originally Posted by mr.exodia (Post 111063)
All antivirus is a scam, just use Windows Defender and don't be a complete turd when dealing with downloaded files...

Malware doesn't only spread by voluntary downloading and executing unknown software.

There are more than enough drive-by-downloads you catch on legitimate and well known websites. What are you supposed to do there? Stop using your computer for 4 or 6 weeks until Windows or your webbrowser gets an update?

More likely you will trust that an anti-virus which gets updated several times a day will prevent these kinds of exploits until they get fixed by software updates.

an0rma1 10-30-2017 19:15

Win10 here.

I usually used Windows Defender and BWMeter firewall/meter for internet blocking/etc.

But... I want my antivirus disabled for long periods of time. I could use exceptions for folders, as I tend to have tons of "weird" files on my PC, not only cracks or keygens, that I know are not viruses/malware but the antivirus tends to block or delete. I also tend to deal with programming and using packers, hacks, etc...

So... in Windows Defender I can disable the antivirus completely, but it will be enabled again automatically after some time. I hate coming back to my PC and seeing 1000 detections... I finally switched to ESET; I disable it until the next reboot (usually weeks).

Of course, I know what I am doing; if I need to scan something or execute something I send it to VirusTotal or even to an online sandbox.

Regards!

SKiLLa 10-30-2017 23:02

All the major hacks and Advanced Persistent Threats (APT) stats show that AV solutions don't work; sure it might flag a really really well-known malware family in your mailbox or dubious website; but any 0day variant will - by definition - not be detected; even heuristics won't help much for bigger campaigns (malware developers test as well you know :) )

It's also shockingly easy to take any random well known malware family and make it undetectable; it's even - probably the easiest - part of the OSCE exam.

Then add the fact that for performance reasons it will not even detect really old malware anymore and the performance impact is still noticeable; I can't recommend ANY (locally installed) antivirus/malware solution to start with.

Even very expensive enterprise ones still have false positives and true negatives and thus using AV solutions can actually give a false sense of security; you're not as secure as you think you are.

Having it on the mail server doesn't really hurt; but for local stuff, just do your updates, use a restricted account and the OS built-in firewall (assuming recent OSes, not talking WinXP here). For playing with untrusted downloads just use a VM, optionally with Sandboxie within that VM, and roll back to your snapshot afterwards, just to be sure.

For non-tech-savvy people / "end users", just scare them to death to never ever click any fake updates, downloads or bills they got sent by e-mail, and install the AV that got first place in a big AV test for this quarter (like: best effort for the given moment).

chants 10-30-2017 23:47

It is a famous "cat and mouse" game as you always have to stay current. Yes you can always wrap something and make it undetectable but the importance of staying current is an issue.

I always go with Windows Defender, a properly configured router, and care when running strange binaries by sandboxing/VM. Yes, the random malware that infects legitimate sites, like the one that occurred recently in CCleaner right after Avast, an antivirus company, acquired it, is hilariously ironic in this case, but it's not so common that it cannot be dealt with as a one-off.

The problem with AV is that it's hard to measure future detection rates. And we don't care about the past so much here. The question on detection rate is: if some arbitrary malware comes out, how long would it take before that particular AV detects it, or if not, what % will it achieve? So we are left with our own empirical evidence and feelings and some configurability on top of a black-box engine which we indeed can do nothing but speculate about.

Most of the malware nonsense is just fun and games anyway and questionable beyond a big enterprise, or a sysadmin maintaining a lot of computers, or really naïve users who would never be able to do a self-repair.

It is only interesting if we are talking about BIOS hacking, and hypervisor chips and what the real racketeers hiding behind agencies are up to. Then well, really, someone probably already "owns your box", especially if you browse this forum. And since they can physically break in and enter with almost no effort, unless you are going to design an unhackable chipset, you probably won't even be able to guard a new purchase past a week. But if anyone manages to beat the big crooks, it would be interesting. But it's non-trivial and would require a huge amount of work. And you are not getting much help from big hardware business these days, who are largely trying to lock up their corners of the financial markets by complying and bending over backwards to the nearest government power structure. But the AV companies stay out of here too. And the hardware companies have dumped firmwares containing extremely sophisticated monitoring and harassment packages and keep their lips shut.

tusk 11-01-2017 10:06

I don't remember having any issue with a virus since an 11-disk DOS game a friend gave me like... 25 years ago (the so-called virus was even able to change its filename; that was super cool at that time, I loved it).

Using trusted sources, being smart with what you use + set up proper backups <--
Then, just pray not to get any new kind of worm - there also is a bit of chance here sometimes.

There will always be someone looking for new vulnerabilities that would pass your AV + firewall solutions. And since you can't spend all your time searching for them yourself (not even talking about the skills required - I certainly don't have them), somehow you just have to continue your usual life, and most probably everything will be OK for years without anything wrong happening.


I still use ESET Smart Security. Don't know if it's really worth it, but as Kerlingen pointed out, you need at least to be able to block outgoing traffic (for malware, and of course you want to control apps that are calling home while reversing), plus I guess having a basic AV which is not using too many resources is still something to do; but as I said, I rely *way* more on my backups than on anything else...

smallfox 11-01-2017 14:59

I'm happy with Smadav, it suits my needs. Anything from an unreliable software source is run inside VMware for extra safety :)

foil 11-01-2017 23:12

I keep Malwarebytes around for browser exploits..

I highly recommend GlassWire as a firewall though! It's extremely light, and has really nice monitoring, graphs, and control.

ArC 11-02-2017 02:44

Quote:

Originally Posted by Kerlingen
Since the Windows Firewall has a default "allow all outgoing traffic" rule which you cannot change I would say it's mandatory to use an "internet security" product, not only to block (non-malware) "call home" software, but also to block malware which is not yet detected from connecting to its control server.

Maybe I'm misunderstanding you but you can configure profiles to block outbound traffic by default. The problem is that it's oftentimes not that useful in practice as you need to manually define rules upfront for all apps that should be allowed to access the internet. This easily gets cumbersome if an application uses multiple processes/services of which some need network access (like in case of VMWare Workstation). What's not uncommon either is legitimate installers which launch sub-processes (which need network access) from previously extracted images with randomized filenames. If you've configured the Windows Firewall to block outgoing traffic by default, it will do so without giving the user any hints whatsoever which can make it difficult to figure out what rules to add to get a particular app to work properly.

There are third-party add-on tools to work around that problem, though. They listen for certain ETW events if I remember correctly and display a message if an app tries to access the network, alongside options to create (temporary) outbound rules.

Another thing to keep in mind is that rules can be added programmatically which is something some installers do. While this is generally convenient, it can be annoying in cases where one doesn't want (legitimate) software to phone home for example.

Quote:

Originally Posted by TechLord
Finally. most of the security professionals do not have any AV on their system at all

No wonder really as AV software has in the past turned out to be an attack vector (MsMpEng Type Confusion anyone?).

Quote:

Originally Posted by SKiLLa
use a restricted account

https://xkcd.com/1200/ :)
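Kerlingen's claim and ArC's correction above both concern the Windows Firewall's default outbound behaviour. The following PowerShell is an added example, not taken from either post and not a Microsoft-supplied script: it switches all three profiles to block outbound traffic by default, whitelists one program by executable path, turns on logging of dropped packets so that a silently blocked application leaves a trace (the diagnosis problem ArC describes), and lists every outbound allow rule so that rules added programmatically by installers become visible. The program path is an assumed placeholder; the cmdlets are the standard NetSecurity module ones and need an elevated prompt.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on Windows 8 / Server 2012 or later, where the NetSecurity module is present.

$profiles = 'Domain', 'Private', 'Public'

# 1. Block outbound by default on every profile; inbound stays blocked as well.
#    Roll back with: Set-NetFirewallProfile -Profile $profiles -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile $profiles `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block

# 2. Log dropped packets so a silently blocked application can be diagnosed.
#    Default log location: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
Set-NetFirewallProfile -Profile $profiles `
    -LogBlocked True `
    -LogMaxSizeKilobytes 16384

# 3. Whitelist one program by path (assumed placeholder path; substitute your own).
#    Keying the rule on the executable rather than on a port keeps unrelated
#    processes blocked even when they use the same destination port.
$app = 'C:\Program Files\ExampleApp\example.exe'   # placeholder, not a real product path
New-NetFirewallRule -DisplayName 'Allow ExampleApp outbound' `
    -Direction Outbound -Program $app -Action Allow `
    -Profile Any -Enabled True | Out-Null

# 4. Review everything currently allowed out. Installers that add their own
#    rules programmatically show up here, which is how to spot unwanted phone-home rules.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $prog; Profile = $_.Profile }
    } |
    Sort-Object Program |
    Format-Table -AutoSize

# 5. Show the most recent dropped outbound connections from the firewall log.
#    Each log line ends with a direction field of SEND (outbound) or RECEIVE (inbound).
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
if (Test-Path $log) {
    Get-Content $log -Tail 500 |
        Where-Object { $_ -match '\sDROP\s' -and $_ -match '\sSEND\s*$' } |
        Select-Object -Last 20
}
```

The log is written by the Windows Firewall service, so a multi-process application that fails after step 1 can be diagnosed by matching the DROP lines in step 5 against the process's destination addresses and then adding one rule per executable in step 3.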

zeffy 11-06-2017 09:12

By the time you're depending on active antimalware/antivirus to do its job, it's usually too late anyway, especially if the malware is undetected. It can help, but it shouldn't be your only defense.

A secure browser with ad blocking, a properly configured firewall, sandboxing/virtualization software, locked down file system permissions, along with some common sense and safe practices is the way to go.

I personally use Chrome (with uBlock Origin and uMatrix), Comodo Personal Firewall, Sandboxie, VMWare, Microsoft EMET, and finally Microsoft Security Essentials, along with some other niche security software.

Fragrance 11-07-2017 23:11

Kaspersky is the best. It will also scan USB pen drives automatically when inserted, also works well for malware and rootkits, and has a great firewall built in if you go for Internet Security. Kaspersky also provides room for Windows Defender to run side by side; usually other antivirus disables Windows Defender upon install. NOD32 is also a good choice.

cp74 11-08-2017 20:41

Hi,

Avast acquired Piriform, maker of CCleaner, but recently CCleaner was infected by malware and distributed to 2.3 million users. It was a two-stage backdoor that allows a remote attacker to execute code on an affected system.

hxxps://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

hxxps://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

So I believe any antivirus is better for the known threats, not unknown ones.

Regards,
cp74

Kerlingen 11-09-2017 01:17

Quote:

Originally Posted by Fragrance (Post 111203)
kaspersky is the best [...] and have great firewall built in

No. No. No. Just no.

I already explained here why it's the worst firewall implementation one can think of.

luki 11-09-2017 02:57

I'm using BitDefender as antivirus (some features turned off is a must) - it scores 100% at av-comparatives.
https://chart.av-comparatives.org/chart1.php

For malware - Malwarebytes.

I'm not using firewall, because I'm behind NAT. If I need to filter something I just use hosts file.

Also on Windows - UAC turned off, and the built-in Administrator account enabled (using it). Win+R, cmd.exe;
Code:

net user Administrator /active:yes

tusk 11-09-2017 06:03

Agnitum had a nice personal firewall project you certainly remember: Outpost.
I felt it was just giving all the information you needed in a simple yet very useful interface. Open connections, open ports, open applications, but really just the way it's supposed to be. Config was easy and you really could see and understand everything that was happening live.
Somehow, other firewalls do a lot in the back, and you don't always know what's going on or find out about it way later.

Unfortunately & on many versions I had too many issues with it and always had to switch back (to zonealarm at that time :p). I wish they would continue the project and make it better.

WildGoblin 11-28-2017 15:20

MS Defender

Quote:

Originally Posted by tusk (Post 111220)
Agnitum had a nice personal firewall project you certainly remember : Outpost.

Yes, Outpost very nice - for many years.

VodoleY 11-28-2017 17:14

MS Defender or work in VMware or a sandbox

WildGoblin 11-28-2017 17:31

Quote:

Originally Posted by VodoleY (Post 111433)
MS Defender or work in VMware or a sandbox

In vmware I have a third-party antivirus installed :D

yoza 11-28-2017 20:23

Each AV user may have different views according to their needs or experience using them.
I have not used antivirus or antimalware for a long time... until now.
(Kaspersky, Avast, McAfee, NoDIce, Malwarebytes, etc.) ... As well as Windows Defender - I always disable/turn it off.
Reasons:
- uses up PC memory
- slows down my PC activities
- always annoying during my activities
- my PC is very old (1 GB RAM only!!)
I use it if I feel I need it... ;)

0xd0000 12-01-2017 09:30

Commercially... CylanceProtect with FireEye HX, and ESET (or something that is leveraging AMSI). Gartner also recently published an article on Microsoft ATP changing the landscape.

Home use, MalwareBytes, CylanceProtect, ESET/SEP (mainly because of customization allowed)

And the obligatory Firefox w/NoScript, and make sure you're using Sysmon.

Sailor_EDA 12-01-2017 13:46

I think Avira is the best. I've used it for many years now and it's been very reliable and fast. I have McAfee on my work computer and I can always tell it's hogging my system.

Quote:

Originally Posted by 0xd0000 (Post 111455)
Commercially... CylanceProtect with FireEye HX, and ESET (or something that is leveraging AMSI). Gartner also recently published an article on Microsoft ATP changing the landscape.

Home use, MalwareBytes, CylanceProtect, ESET/SEP (mainly because of customization allowed)

And the obligatory Firefox w/NoScript, and make sure you're using Sysmon.


BiMode 12-01-2017 14:48

Avira = Avast = MsMpEng
They are good at catching keygen-warez-ware. Avoid these AV vendors if you want to catch real virii (IMO).

squareD 12-01-2017 20:16

I think all has been said in the meantime...
Earlier I was using Bitdefender and for a couple of years now Avast.
Both helped me to stop some invaders, but this is not against other programs.
I think you should decide it on your own.

Z-Rantom 12-02-2017 05:05

One thing you should know, all AVs are going in the wrong direction (collecting signatures for malwares)... at least this is the best they have, for now!

From my personal experience in bypassing AVs, ESET and Kaspersky were pain in the a** until you figure out how to do it ;)

ionioni 12-02-2017 20:17

Best AV is one's common sense.

foosaa 12-14-2017 01:50

I use the following on my browsing PC (Win 7).

Firewall: TinyWall with lockdown mode. No incoming connections, all apps are blocked with only a few whitelisted ones allowed, so no outbound communication from any other app.

Always run as a normal user with elevation on need basis. Same is applicable for *nix and Windows OSes.

For development, I have another PC which contains Comodo Antivirus (Home / Edition - Freeware)

Won't open any downloaded executable files if found suspicious. I usually scan them with VirusTotal for safety if I feel fishy! (It's purely a gut feeling, but has saved my **s many times!)

For most of the office documents, I have multiple universal viewers which can preview the file in read-only mode. No VBScript / JScript executables.

Disabled the autorun on all removable drives.

No thumbnail stores enabled. A bit of lockdown and hardening on the Windows side. Disabled most of the services which are not required / not used, and manually enable them when needed using the Autoruns utility (from https://live.sysinternals.com).

So, mostly the services will be disabled and cannot be even run manually.

A bit of hardened and optimized TCP/IP Stack.

Being a reverser since school days (those who knew IBM DOS 4.0 / MS DOS 5.0 days!! :rolleyes:), I also look for certain packed files / unpack them, run a quick analysis for infection / networking stuff, if I'm in a paranoid mode! :D

Apart from that, I don't run an antivirus!

Most of my mails are pure plain text, won't open html mails that easily.

Extra careful with attachments. Don't open attachments that easily even if it is from a known contact.

And no Java / JRE (though I have it on the dev. PC!), disable / remove all plugins (who uses it these days!! :eek: ) from the browsers.

Firefox Quantum with NoScript and Ghostery, multiple adblockers like Anti-Anti Adblock and AdGuard, and URL tracker removers like ClearURLs will help cut down any web-based malware infections.

Using Brave browser for some Google sites.

Mostly non-standard and smaller, portable applications (complete set of apps from https://portableapps.com/) for most of the needs, and I don't trust MS, ADOBE, ORACLE, GOOGLE products that easily. Using alternatives for most of their stuff.

I have multiple VirtualBox machines with a bit of patching, with manually configured services and without networking, and only read-only folders mapped for ingress file copying.

Regular backups of all documents, Photos to Backup HDDs and important ones to cloud with a container based encryption (I don't want Google, DropBox, Mega or whomsoever to peer at my files!)

For encryption, I mostly use command line OpenSSL toolkit (which is compiled in my system)

Never had a virus or malware attack ever since I stopped writing them (in 1999), and before that got fried multiple times! (That's a learning process!! :o)

All in all, the takeaway is that a bit of feeling paranoid about security with a little common sense and some lean / less resource-hungry firewall, CCleaner, Malwarebytes antimalware, Comodo Antivirus, a less privileged user and some working knowledge will get you a long way!

If possible switch to Linux for most of the day-to-day activities / development and keep windows only for browsing and some casual stuff and for reversing.

Hope it helps!!! Though the above being lot of off-topic stuff, just wanted to share what I do partially for staying safe!!

Peace and comments welcome!! ;)

CodeCracker 12-14-2017 20:06

As antivirus I prefer Avira, because it is free and doesn't consume that many computer resources.

Archer 12-29-2017 01:38

Antiviruses in their classical meaning are completely useless and by definition fall far behind the offensive side. And quite often they even increase the attack surface, basically doing the opposite of what they're supposed to do.

My bet is on sandboxing/isolation. And since it may be tedious to start a full-fledged VM for every downloaded executable and bigger software tend to have more bugs including security ones, light and secure software relying on documented Windows principles like ReHIPS is my choice.

cybercoder 12-29-2017 20:26

Hasn't this topic just been posted to death? So many "what do you use for protection" posts...

JMP-JECXZ 01-01-2018 18:14

Quote:

Originally Posted by mr.exodia (Post 111063)
All antivirus is a scam

This, the best antivirus is Common Sense 2017, and now it's time to update to version 2018.

wassim_ 01-01-2018 19:54

Sandboxie is the only "antivirus" you need, run the suspicious exe within it and decide for yourself whether it's safe or not. Use restrictions for full protection.

h8er 01-02-2018 07:09

Quote:

Originally Posted by wassim_ (Post 111758)
Sandboxie is the only "antivirus" you need, run the suspicious exe within it and decide for yourself whether it's safe or not. Use restrictions for full protection.

Good tip, but you also have to take into account that some malware has anti-Sandboxie tricks and doesn't reveal its malicious behaviour if it detects it is running under Sandboxie.

gigaman 01-09-2018 06:02

Well if you run them only in the sandbox, it doesn't really matter, right?
If they don't trigger the payload, good for you :)

