Good content, you helped me clarify a couple things about how they work. Thanks and keep this content coming, man!
Thank you, I am happy I could help you!
Nice video! It's kinda frustrating how vendors are not transparent about the technical details of their products. Do you know any good resources that go into detail about how EDR/AV work, what kind of signatures they use, how they create those signatures (automatic or manual)?
The Art of Computer Virus Research and Defense is the only good in-depth resource I know about antivirus defense. Everything else that I know is from work.
AV vendors' information on that is always rather superficial/marketing-ish, which makes a lot of sense. Why should they make it easier for competitors to use their ideas as well as malware developers to evade their products? These are companies after all.
Academic papers also discuss specific defense techniques in depth -- however, sometimes they are detached from being practically usable.
@MalwareAnalysisForHedgehogs That's right, it makes total sense for vendors to be secretive... I was ranting 😅
It's kinda sad that old book is the only good resource out there, but I'll check it out anyway.
Thanks, keep up the good work 👍
Can you make a whole series on malware detection for beginners?
Loved your explanation. Since I'm a beginner I didn't understand the entire thing, but I got some good knowledge, like that FP should be low and the Swiss cheese model.
I recommend that you play around with ClamAV and read some tutorials for it.
Currently I have no such series planned.
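To get a feel for the ClamAV recommendation above and for the "what kind of signatures do they use" question earlier in the thread, here is an added example that is not part of any comment and not ClamAV's own code: a toy matcher for a small subset of ClamAV's .ndb body-signature format, run over the EICAR test string and a constructed benign MZ stub. The signature names, the patterns and the sample files are all constructed for illustration.

```python
"""Toy matcher for a small subset of ClamAV's .ndb body-signature format (added
teaching example, not ClamAV's own code).  Line format: Name:TargetType:Offset:HexSig
Offset: '*' (anywhere) or a decimal absolute offset.
HexSig: hex bytes, '??' (any byte), '*' (any gap), '{n}' / '{n-m}' / '{n-}' (bounded gap)."""
import re

# Constructed sample signatures and files (not from ClamAV's real databases).
SIGS = [
    "Test.EICAR.Demo:0:*:4549434152*544553542d46494c45",  # "EICAR" ... "TEST-FILE"
    "Toy.Gap.Demo:0:*:414e5449{4-8}54455354",             # "ANTI" + 4..8 bytes + "TEST"
    "Toy.MZ.TooGeneric:0:0:4d5a??00",                     # bare "MZ" header at offset 0
]
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BENIGN_EXE = b"MZ\x90\x00\x03\x00" + b"\x00" * 10 + b"This program cannot be run in DOS mode"

def ndb_to_regex(hexsig: str) -> bytes:
    """Translate a hex signature body into an equivalent bytes regex."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            out.append(b".*?"); i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            lo = int(lo) if lo else 0
            if not dash:
                out.append(b".{%d}" % lo)
            else:
                out.append(b".{%d,%d}" % (lo, int(hi)) if hi else b".{%d,}" % lo)
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            out.append(b"."); i += 2
        else:
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2]))); i += 2
    return b"".join(out)

def parse_ndb(line: str):
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, re.compile(ndb_to_regex(hexsig), re.DOTALL)

def scan(data: bytes, sig_lines=SIGS) -> list:
    """Return the names of signatures whose body matches at the required offset."""
    hits = []
    for name, target, offset, rx in map(parse_ndb, sig_lines):
        if target != 0:  # other target types need a file-type detector; skipped here
            continue
        found = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if found:
            hits.append(name)
    return hits
```

scan(EICAR) returns ['Test.EICAR.Demo', 'Toy.Gap.Demo'] while scan(BENIGN_EXE) returns ['Toy.MZ.TooGeneric']: the anchored MZ pattern fires on every DOS/PE file, which is exactly the false-positive behaviour the thread says an AV must keep low.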
Nice video!
I'm curious. How accurate/reliable are those AV comparison websites? I think there are only 2-3 websites.
As an end user, it's very difficult to know how company A and company B compare. Are there any real tangible differences between AV companies for their antivirus/antimalware/etc. protections? Except for these 2-3 websites, AV comparison doesn't appear to be something that's done.
AV vendors do not share with each other how they implement their protection mechanisms. Due to that everyone is inventing their own and that does result in different strengths and weaknesses.
However, proper AV testing is extremely difficult. First problem is the test set: How do you get malware that is not detected on a large scale? How do you make sure it is actually malware and not an FP file? And that it is actually working during the test?
Second problem is initial infectors -- AVs take context into account, that is how the malware arrives on the system. AV testing cannot fully and accurately simulate the initial infections. AV protection that concentrates more on initial infection prevention than the final payloads might have a disadvantage.
So the comparison of AVs is not only difficult for end users but also for experts.
I do believe that the test institutes are the best available and most accurate tests that exist. But they are far from perfect.
Btw, if you ever see RUclips videos that presume to compare AVs by running a bunch of malware files: These are definitely inaccurate.