Superstar
•
311 Messages
•
7.6K Points
Why TM scores poorly in AV Comparatives?
On each and every test, TM scores very poorly, around 97%.
Why is that and why no improvements????
claudiubotezatu
Superstar
•
311 Messages
•
7.6K Points
3 months ago
see here.....
2
0
tm_vlad
Trend Security Expert
•
28 Messages
•
610 Points
2 months ago
Hi @claudiubotezatu,
We are very sorry for the late response.
The reason that Trend Micro's score is low compared to other Antivirus in the AV Comparatives is that the samples used in the AV Comparatives Malware Protection Test include both recent in-the-wild malware and also aging malware that has not been seen in the last 6 months and older. Those missed samples are inactive or dormant in-the-wild malware which has been dropped from our detection patterns.
With this said, we are more focused on real user detection whereas the AV Comparatives Malware Protection Test focuses on malware protection.
Hope this helps!
2
0
bvasilev
Superstar
•
190 Messages
•
7.6K Points
20 days ago
I have a question here as well, just to understand Trend Micro better. I could ask in the business part of the community too, but here the subject is already initiated.
I could also find the Smart Scan patent on Justia and read in depth :-)
So, the poor detection rate certainly has got something to do with the Smart Scan (using 2 separate patterns). It looks like the Smart Scan Agent Pattern needs to flag something suspicious and at that point the full definition will be retrieved from the server. Is that how it works?
Also, how do you decide which malware to drop? Because ransomware can wreak havoc even when it is very old. Infostealers may have dead C&Cs, but a lot of them possess an update function. Do you check these C&Cs using an automated system? Or do you just automatically clean up everything >6 months of age? I am very curious how the cleanup decision is taken (though I understand you may wish not to disclose).
Why is some sort of hash-based detection not still maintained on the TM Smart Protection Network?
Malicious files, even when old, should have reputation different than "safe". In that case, ATSE should be called on these files. Is PML not getting trained to detect these samples?
I understand that the pattern needs to be minimalistic and requires maintenance, but why don't other layers cover these threats, such as behavioural analysis and policy enforcement?
(edited)
0
kotilainenseppo
Hotshot
•
31 Messages
•
642 Points
20 days ago
I tested TM against some malware samples (Hypersensitive mode enabled).
1. Some samples were identified by TM malware signatures.
2. Some samples were first blocked by "Suspicious behavior detected" and then by signatures.
3. Some samples were blocked by "suspicious behavior detected" and no signature detection afterwards.
In case "1", is the local signature database used? In case "2", was no local database signature found, but the cloud lookup flagged it?
I would also like to know how Hypersensitive mode actually works. Is it some kind of a "default-deny" method?
What I would also like to see, when a program gets flagged by "Suspicious behavior blocked", is why it gets blocked. Malformed PE header? DLL sideloading? So what was the reason it got blocked?
7
0