TM, poor detection rate

Hello,

For several days I am following this on Virus Total:

https://www.virustotal.com/gui/file/667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf?nocache=1

3 days ago only 11 antiviruses had a detection; every 6 hours more and more added their own detection.

Even Microsoft Defender was among first 15 to add detection.

Now, we have 32 vendors showing detection.

But not TM.

As a matter of fact , I searched around 80 malwares on VT and the only "big players" constantly not showing a detection where TM and Webroot.

Question for TM: How do you manage to stay in business with such poor detection rate????

.

Responses

tm_kath

Veteran

•

762 Messages

•

15.1K Points

3 months ago

Hi @claudiubotezatu,

Thanks for sharing this with our community. Trend Micro has layered protection. Files are scanned during download and execution.

We've also raised this with our experts.

- TM_Kath

0

K

kotilainenseppo

Neophyte

•

22 Messages

•

402 Points

3 months ago

@claudiubotezatu

Please keep in mind, that Virustotal results are not direct measurement of what different AVs will detect/block. As a malware tester, i found Trend Micro really effective against unknown malwares and espicially against ransomwares. TM signature detection is average, which you will see on the VT results.

But where TM shines, it is BB/AI of it. These detections are not shown in VT detection list. Switch to TM Hypersensitive and you will get a lot better protection in all layers.

However, there's a cons too. I do like to see it to protect:

Protect the Keys

And especially there "Key Value Created" section.

So if i want to get TM down, make a .bat or what ever executable, that can modify those registry key critical values. Then do fast shutdown. And you have a system that, does not work.

(edited)

2

C

claudiubotezatu

Hustler

•

102 Messages

•

2.7K Points

@kotilainenseppo

Thank you for your answer!

Just go to "Malwarebazaar" (hxxps://bazaar.abuse.ch/) and pick any sample from top to bottom.

95% of the are detected by Windows Defender in VT

10% are detected by TM in VT

Even more, I downloaded and executed them on a test PC (not virtual machine); the detection rate of TM replicates that found on VT

"But where TM shines, it is BB/AI of it"

That could be, but the FP are very high (42 FP, highest rate on AV Comparatives)

Thanks!

(edited)

3 months ago

K

kotilainenseppo

Neophyte

•

22 Messages

•

402 Points

@claudiubotezatu

Hello, i'm using TM in "hypersensitive" mode. I've been testing various security solutions and combos a lot against various bazaar samples, executables, fileless(LOLBins) etc. There was quite a lot malware samples that TM did not detect by it's signatures(VT results), but on my testing all of them were blocked by it's BB(aka AEGIS/AI) "Suspicious File Blocked". In VT, you only see its detections by signature only, not "Suspicious File Blocked" detections.

I'm not sure if "hypersensivite" mode also affects to script based malwares. When i tested it against some script based malwares, it does allow some scripts to download(by using bitsadmin) droppers to the host machine, but those droppers were blocked because TM finds them suspicious, so malware cannot run.

I'm running TM with Voodooshield Cyberlock Pro and found this combo really, really effective against any kind of malwares.

And yes, 42 false positives is quite high, but personally i haven't come across any false positives(yet).

I'm not sure if TM these protects these critical registry keys, if not, they should be added.

You can do this with simple script(bat,vbs,js etc) then call force shutdown and your computer is basically unusable.

(edited)

3 months ago

tm_kath

Veteran

•

762 Messages

•

15.1K Points

3 months ago

just a quick update here @claudiubotezatu, for the status of the detection you raised, it is now detected as TROJ_FRS.VSNTLQ22.

- TM_Kath

(edited)

4

C

claudiubotezatu

Hustler

•

102 Messages

•

2.7K Points

@tm_kath

Thank you!

This was detected 2 days after my post , but it was used just as example.

Each an every day there are hundreds detected by Windows Defender and some other major players but not TM

See another example, as we speak:

https://www.virustotal.com/gui/file/8f8469ba4407f303bb18eb6e17b2360df9ebb53c2fc41b921ea2946469eed29d?nocache=1

3 months ago

K

kotilainenseppo

Neophyte

•

22 Messages

•

402 Points

Above sample is blocked by TM "Suspicious File Blocked". But no signature detection yet.

3 months ago

tm_kree

Technoid

•

701 Messages

•

27.2K Points

@claudiubotezatu @kotilainenseppo

Update on this one https://www.virustotal.com/gui/file/8f8469ba4407f303bb18eb6e17b2360df9ebb53c2fc41b921ea2946469eed29d?nocache=1 detected as Trojan.Win32.PRIVATELOADER.YXDADZ

AVs have different processes and technologies in detection. For Trend Micro Security, a series of layered protection will scan the monitored file or process before detection is reached, Is it safe or not, and what action does Trend Micro Security need to execute based on the detection?

Appreciate your insights!

More insights on How Trend Micro Security fares with competitors:

Test Trend Micro Internet Security 17.7 for Windows 10 (221520) | AV-TEST

Test antivirus software for Windows 10 - October 2022 | AV-TEST

(edited)

3 months ago

C

claudiubotezatu

Hustler

•

102 Messages

•

2.7K Points

Hello tm_kree,

In AV test , from 20 antiviruses tested 18 have 100% detection. While I un derstand that "AVs have different processes and technologies in detection" I am surprised that Windows Defender is always capable to create a signature fast for whatever is posted on Malware Bazaar while TM is lagging behind with 3-5 days, relying on "different" mechanisms.

Thanks.

3 months ago

Need Help?

Ask the Community