C
 Superstar

 Superstar

 • 

291 Messages

 • 

7.2K Points

Sunday, December 25th, 2022 9:38 PM

Closed

TM, poor detection rate

Hello,

For several days I am following this on Virus Total:

https://www.virustotal.com/gui/file/667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf?nocache=1

3 days ago only 11 antiviruses had a detection; every 6 hours more and more added their own detection.

Even Microsoft Defender was among first 15 to add detection.

Now, we have 32 vendors showing detection.

But not TM.

As a matter of fact , I searched around 80 malwares on VT and the only "big players" constantly not showing a detection where TM and Webroot.

Question for TM: How do you manage to stay in business with such poor detection rate????

.

Brand User

Trend Security Expert

 • 

766 Messages

 • 

15.4K Points

1 year ago

Hi @claudiubotezatu,

Thanks for sharing this with our community. Trend Micro has layered protection. Files are scanned during download and execution.

We've also raised this with our experts.

- TM_Kath

Hotshot

 • 

27 Messages

 • 

562 Points

1 year ago

@claudiubotezatu 

Please keep in mind, that Virustotal results are not direct measurement of what different AVs will detect/block. As a malware tester, i found Trend Micro really effective against unknown malwares and espicially against ransomwares. TM signature detection is average, which you will see on the VT results. 

But where TM shines, it is BB/AI of it. These detections are not shown in VT detection list. Switch to TM Hypersensitive and you will get a lot better protection in all layers.

However, there's a cons too. I do like to see it to protect:

Protect the Keys

And especially there "Key Value Created" section.

So if i want to get TM down, make a .bat or what ever executable, that can modify those registry key critical values. Then do fast shutdown. And you have a system that, does not work. 

(edited)

 Superstar

 • 

291 Messages

 • 

7.2K Points

@kotilainenseppo​ 

Thank you for your answer!

Just go to "Malwarebazaar"  (hxxps://bazaar.abuse.ch/) and pick any sample from top to bottom.

95% of the are detected by Windows Defender in VT

10% are detected by TM in VT

Even more, I downloaded and executed them on a test PC (not virtual machine); the detection rate of TM replicates that found on VT

"But where TM shines, it is BB/AI of it"

That could be, but the FP are very high (42 FP, highest rate on AV Comparatives)

Thanks!

(edited)

Hotshot

 • 

27 Messages

 • 

562 Points

@claudiubotezatu 

Hello, i'm using TM in "hypersensitive" mode. I've been testing various security solutions and combos a lot against various bazaar samples, executables, fileless(LOLBins) etc. There was quite a lot malware samples that TM did not detect by it's signatures(VT results), but on my testing all of them were blocked by it's BB(aka AEGIS/AI) "Suspicious File Blocked". In VT, you only see its detections by signature only, not "Suspicious File Blocked" detections.

I'm not sure if "hypersensivite" mode also affects to script based malwares. When i tested it against some script based malwares, it does allow some scripts to download(by using bitsadmin) droppers to the host machine, but those droppers were blocked because TM finds them suspicious, so malware cannot run. 

I'm running TM with Voodooshield Cyberlock Pro and found this combo really, really effective against any kind of malwares.

And yes, 42 false positives is quite high, but personally i haven't come across any false positives(yet). 

I'm not sure if TM these protects these critical registry keys, if not, they should be added. 

You can do this with simple script(bat,vbs,js etc) then call force shutdown and your computer is basically unusable.

(edited)

Brand User

Trend Security Expert

 • 

766 Messages

 • 

15.4K Points

1 year ago

just a quick update here @claudiubotezatu, for the status of the detection you raised, it is now detected as TROJ_FRS.VSNTLQ22.

- TM_Kath

(edited)

 Superstar

 • 

291 Messages

 • 

7.2K Points

@tm_kath​ 

Thank you!

This was detected 2 days after my post , but it was used just as example.

Each an every day there are hundreds detected by Windows Defender and some other major players but not TM

See another example, as we speak:

https://www.virustotal.com/gui/file/8f8469ba4407f303bb18eb6e17b2360df9ebb53c2fc41b921ea2946469eed29d?nocache=1

Hotshot

 • 

27 Messages

 • 

562 Points

Above sample is blocked by TM "Suspicious File Blocked". But no signature detection yet. 

Brand User

Trend Security Expert

 • 

866 Messages

 • 

34.9K Points

@claudiubotezatu @kotilainenseppo 

Update on this one https://www.virustotal.com/gui/file/8f8469ba4407f303bb18eb6e17b2360df9ebb53c2fc41b921ea2946469eed29d?nocache=1  detected as Trojan.Win32.PRIVATELOADER.YXDADZ

AVs have different processes and technologies in detection. For  Trend Micro Security, a series of layered protection will scan the monitored file or process before detection is reached, Is it safe or not, and what action does Trend Micro Security need to execute based on the detection?

Appreciate your insights!

More insights on How Trend Micro Security fares with competitors:

Test Trend Micro Internet Security 17.7 for Windows 10 (221520) | AV-TEST

Test antivirus software for Windows 10 - October 2022 | AV-TEST

(edited)

 Superstar

 • 

291 Messages

 • 

7.2K Points

Hello tm_kree,

In AV test , from 20 antiviruses tested 18 have 100% detection. While I un derstand that "AVs have different processes and technologies in detection"  I am surprised that Windows Defender is always capable to create a signature fast for whatever is posted on Malware Bazaar while TM is lagging behind with 3-5 days, relying on "different" mechanisms.

Thanks. 

Need Help?

Ask the Community

Latest Tech Insights

Loading...