Why TM scores poorly in AV Comparatives?

see here.....

Hi @claudiubotezatu,

We are very sorry for the late response.

The reason that Trend Micro's score is low compared to other Antivirus in the AV Comparatives is that the samples used in the AV Comparatives Malware Protection Test include both recent in-the-wild malware and also aging malware that has not been seen in the last 6 months and older. Those missed samples are inactive or dormant in-the-wild malware which has been dropped from our detection patterns.

 

With this said, we are more focused on real user detection whereas the AV Comparatives Malware Protection Test focuses on malware protection.

Hope this helps!

 

I have a question here as well, just to understand Trend Micro better. Although I could ask in the business part of the community too, but here the subject is already initiated.

I could also find the Smart Scan patent on Justia and read in depth :-)

So, the poor detection rate certainly has got something to do with the Smart Scan (using 2 seperate patterns). It looks like Smart Scan Agent Pattern needs to flag something suspicious and at that point the full definition will be retrieved from the server. Is that how it works?

Also, how do you decide which malware to drop? Because ransomware can wreak havoc even when it is very old. Infostealers may have dead C&Cs, but a lot of them possess an update function. Do you check these C&Cs using an automated system? Or do you just automatically clean up everything >6 months of age? I am very curious how the cleanup decision is taken (though I understand you may wish not to disclose).

Why some sort of hash-based detection is not still maintained on TM smart protection network?

Malicious files, even when old, should have reputation different than "safe". In that case, ATSE should be called on these files. Is PML not getting trained to detect these samples?

I understand that pattern needs to be minimalistic and requires maintenance, but why other layers don't cover these threats, such as behavioural analysis and policy enforcement?

I tested TM against some malware samples (Hypersensitive mode enabled).

1. Some samples were identified by TM malware signatures.

2. Some samples were first blocked by "Suspicious behavior detected" and then by signatures.

3. Some samples were blocked by "suspicious behavior detected" and no signature detection afterwards.

In case "1", local signature database is used? In case "2" no local database signature found, but cloud lookup flagged it?

I also do like to know how Hypersensitive mode actually works? Is it some kind of a "default-deny" method?

What i also do like to see when a program gets flagged by "Suspicious behavior blocked", why it gets blocked? Malformed PE-header? DLL sideloading? So what was the reason it gets blocked.