
Posted Mon, 22 Apr 2024 21:50:46 GMT by claudiubotezatu

see here.....

Posted Tue, 23 Apr 2024 22:49:43 GMT by claudiubotezatu

Anyone????

Posted Thu, 25 Apr 2024 09:43:26 GMT by claudiubotezatu

Anyone????

Posted Sat, 06 Jul 2024 01:50:04 GMT by bvasilev

I have a question here as well, just to understand Trend Micro better. I could ask in the business part of the community too, but here the subject is already initiated.

I could also find the Smart Scan patent on Justia and read in depth :-)

So, the poor detection rate certainly has got something to do with the Smart Scan (using 2 separate patterns). It looks like the Smart Scan Agent Pattern needs to flag something suspicious, and at that point the full definition will be retrieved from the server. Is that how it works?

Also, how do you decide which malware to drop? Because ransomware can wreak havoc even when it is very old. Infostealers may have dead C&Cs, but a lot of them possess an update function. Do you check these C&Cs using an automated system? Or do you just automatically clean up everything >6 months of age? I am very curious how the cleanup decision is taken (though I understand you may wish not to disclose).

Why is some sort of hash-based detection not still maintained on the TM Smart Protection Network?

Malicious files, even when old, should have a reputation different from "safe". In that case, ATSE should be called on these files. Is PML not getting trained to detect these samples?

I understand that the pattern needs to be minimalistic and requires maintenance, but why don't other layers cover these threats, such as behavioural analysis and policy enforcement?
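The two-stage lookup bvasilev describes (a compact local agent pattern that only flags a file, followed by a full definition fetched from the server) and the pruning of old entries that the thread complains about can be illustrated with a small simulation. This is an added example, not Trend Micro's code; the Smart Scan internals are modelled on the thread's own reading of them and are an assumption, and every sample, hash and date below is constructed.

```python
"""Toy model of a two-stage scan: compact local prefix pattern + cloud verdict.

Added illustration for the thread above. Assumption: the local "agent pattern"
holds only short hash prefixes, and the full verdict lives server-side. This is
not how any specific vendor implements it; sample bytes and dates are made up.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

PREFIX_BYTES = 4  # the local pattern keeps only this many bytes of each hash (assumed)


@dataclass
class Verdict:
    name: str
    last_seen: date          # when the sample was last observed in the wild
    malicious: bool = True


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def prefix(h: str) -> str:
    return h[: PREFIX_BYTES * 2]  # hex string, so two characters per byte


class CloudReputation:
    """Full-hash reputation table: the 'server side' of the lookup."""

    def __init__(self):
        self.table = {}
        self.queries = 0  # count round trips so the cost of each design choice is visible

    def add(self, h: str, verdict: Verdict) -> None:
        self.table[h] = verdict

    def lookup(self, h: str):
        self.queries += 1
        return self.table.get(h)


class AgentPattern:
    """Compact local pattern regenerated from the cloud table: prefixes only."""

    def __init__(self, cloud: CloudReputation):
        self.prefixes = {prefix(h) for h in cloud.table}

    def might_know(self, h: str) -> bool:
        return prefix(h) in self.prefixes


def scan(data: bytes, agent: AgentPattern, cloud: CloudReputation) -> str:
    """Local pattern first; the cloud is consulted only when the prefix matches."""
    h = sha256(data)
    if not agent.might_know(h):
        return "clean-local"       # no round trip at all: this is the fast path
    verdict = cloud.lookup(h)
    if verdict is None:
        return "clean-cloud"       # prefix collision, full hash unknown
    return f"malicious:{verdict.name}" if verdict.malicious else "safe"


def prune(cloud: CloudReputation, today: date, max_age_days: int) -> int:
    """Drop entries not seen for max_age_days; returns how many were removed."""
    cutoff = today - timedelta(days=max_age_days)
    stale = [h for h, v in cloud.table.items() if v.last_seen < cutoff]
    for h in stale:
        del cloud.table[h]
    return len(stale)


# Constructed sample files (stand-ins for real binaries).
SAMPLES = {
    "old": b"constructed-old-ransomware-sample",
    "new": b"constructed-new-stealer-sample",
    "benign": b"constructed-benign-document",
}


def build_cloud(today: date) -> CloudReputation:
    cloud = CloudReputation()
    cloud.add(sha256(SAMPLES["old"]), Verdict("Ransom.Old", today - timedelta(days=400)))
    cloud.add(sha256(SAMPLES["new"]), Verdict("Stealer.New", today - timedelta(days=10)))
    return cloud


def detection_before_and_after(today: date = date(2024, 7, 6), max_age_days: int = 180):
    """Scan all samples, prune stale verdicts, regenerate the local pattern, rescan."""
    cloud = build_cloud(today)
    agent = AgentPattern(cloud)
    before = {k: scan(d, agent, cloud) for k, d in SAMPLES.items()}
    removed = prune(cloud, today, max_age_days)
    agent = AgentPattern(cloud)  # the agent pattern only knows what survived pruning
    after = {k: scan(d, agent, cloud) for k, d in SAMPLES.items()}
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = detection_before_and_after()
    print("before pruning:", before)
    print("entries pruned:", removed)
    print("after pruning: ", after)
```

The run shows the failure mode the thread is circling: once an old entry is pruned, the regenerated local pattern no longer flags the file, so the cloud is never even asked, and the 400-day-old ransomware sample comes back "clean-local". In this design, reputation that is dropped from the server also silently disappears from the first-stage filter, and coverage for such a sample then rests entirely on behavioural or machine-learning layers.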

Posted Sat, 06 Jul 2024 07:18:25 GMT by kotilainenseppo

I tested TM against some malware samples (Hypersensitive mode enabled).

1. Some samples were identified by TM malware signatures.

2. Some samples were first blocked by "Suspicious behavior detected" and then by signatures.

3. Some samples were blocked by "suspicious behavior detected" and no signature detection afterwards.

In case "1", is the local signature database used? In case "2", was no local database signature found, but the cloud lookup flagged it?

I would also like to know how Hypersensitive mode actually works. Is it some kind of "default-deny" method?

What I would also like to see, when a program gets flagged by "Suspicious behavior blocked", is why it got blocked. Malformed PE header? DLL sideloading? What was the reason it got blocked?

Posted Sat, 06 Jul 2024 11:57:10 GMT by claudiubotezatu

@kotilainenseppo

I did test TM with samples from "MalwareBazaar" in hypersensitive mode.

Most of them were detected on execution as "suspicious", but not all.

What puzzles me the most: in the AV Comparatives test from Mar 2024, they used 10,053 malware samples collected one month in advance and offered TM the possibility to detect them on access and on execution.

TM failed miserably, with a detection rate of 97%, while Microsoft (free) had a 99.94% detection rate.

Yet, nobody from TM bothered to investigate or answer in any meaningful way.

Posted Sat, 06 Jul 2024 14:01:58 GMT by kotilainenseppo

Was your system compromised when you tested TM against your malware samples?

Don't be silly about the AVC testing procedure vs TM. The Real-World results are all about protecting the system. TM is very, very good at that.

Posted Sat, 06 Jul 2024 15:31:02 GMT by claudiubotezatu

@kotilainenseppo

"Was your system compromised when you tested TM against your malware samples?"

No, I just did it out of curiosity.

TM scores very well in "Real World results", but so does Microsoft Defender, so why pay for something which, overall, performs worse than a free solution?

Posted Sat, 06 Jul 2024 15:37:32 GMT by kotilainenseppo

So be happy with the "Defender". I'm happy with my TM.

Posted Sat, 06 Jul 2024 15:55:17 GMT by bvasilev

@kotilainenseppo

A malformed PE header is not detected by behavioural blocking; this is static analysis' job.

When you go to the logs, you can see which rule exactly triggered the block in some cases. More information is displayed in business products, but to home users it is irrelevant.

Posted Sat, 06 Jul 2024 16:08:03 GMT by kotilainenseppo

Yes. Basic kernel-mode DLL sideloading and kernel modifications are detected by Apex One. The home version seems to use the same "engine".

Props to TM for how fast it checks runtimes and LOLBins.

Posted Sat, 06 Jul 2024 19:17:58 GMT by claudiubotezatu

@kotilainenseppo

It is not about being happy or not! I already have TM, 5 licenses / 2 years, not being used right now, because I switched to Defender.

It would be nice to get a logical explanation for the poor detection rate from TM.

Posted Sun, 07 Jul 2024 01:06:34 GMT by Anime_007

@tm_vlad I agree that TM should improve this situation with regard to malware-based detection. "Those malwares which are old and not seen recently are dropped from our detection patterns". Maybe TM needs to learn something from Kaspersky (Kaspersky Security Network), Bitdefender or Norton etc. about how to maintain a database and improve detection percentages in tests conducted by AV Comparatives or any other tests.
