24 h with Huorong, a week with Comodo 12, a year with Bitdefender 2019 (or not)
While not much in the mood for writing, I have to clarify that I put a halt to my CCAV 2.0 journey. It worked well, but I wanted to try something else and… things escalated (sort of).
So here’s me, installing a Chinese AV! Um… how come, given that I definitely can’t stand Qihoo 360 (in spite of its rather useful HIPS notifications when a startup entry is added or sensitive Registry stuff is changed), and generally Chinese software is ugly and… well, first of all, ugly?
I found out about Huorong Internet Security on a MalwareTips forum thread. (The download is here, but sometimes it may fail, or your DNS might not resolve it; Google’s DNS is fine.) And the Chinese guy who presented it managed to persuade me that it’s worth a try:
- Chinese and English (despite the website lacking an English version).
- “Best HIPS in the world.” Supports custom rules.
- Unlike Qihoo 360, this product catches Chinese adware and doesn’t whitelist them. (Crucial!)
- You can configure it to prompt you when a threat is found, rather than auto quarantining.
- Regular or High-speed (higher system load) scan mode.
- Own AV engine called Cobra (but Google translates it as Velvet). HVM (Huorong Virtual Machine): high capability of unpacking and detecting known threats/variants. Tiny virus database (below 5 MB) but covering most malware (one signature can match thousands of variants).
- Cons: Weak to new threats (no cloud engine yet); in some situations, performance is not so good.
I would add (on the positive side):
- Only 34 MB space once installed.
- Recognized by Microsoft as an antivirus software provider for Windows.
- Under “grayware” it can distinguish between adware, PUP/PUA, and “Kaspersky’s detected virus names starting with not-a-virus:” (which are not malware).
On the negative side, from my experience:
- Signature updates can be more than 24 hours old.
- Sometimes the update fails; try again and the update will most likely succeed.
- There is no way to temporarily disable the AV. Or even to disable it altogether! (That’s quite a deal-breaker.)
- On-demand folder scan is very slow (I didn’t check whether subsequent scans of the same files are faster).
OK then, I decided to just try it… alongside CCAV 2.0, as it didn’t complain about it, and the latter was light enough. Once Huorong was installed, it would be the first to detect malware, and only then would CCAV have the chance to catch what Huorong had missed (this is how their system hooks were chained).
I won’t describe much of anything, just click to enlarge the pictures below (they’re grouped in 6 galleries):
Quarantining needs to be configured in too many places, but the defaults are OK:
HIPS is fabulously strong (supposing it always works) and it covers pretty much everything one could think of!
The Toolbox is interesting (“Dianose” is only one of the many Chinglish labels):
There’s also a so-called System Diagnostics Toolkit, which helped me find something I didn’t know about the Kaspersky Anti-Ransomware Tool for Business and CCAV:
- CCAV adds quite a lot of system (ntdll.dll, kernel32.dll, KERNELBASE.dll, USER32.dll) hooks meant to allow sandboxing (CvavGuard32.dll!RunInSandbox) that intercept even the trusted binaries, which I find to be a waste and a potential performance issue.
- CCAV also “wraps” (intercepts) Kaspersky Anti-Ransomware Tool.
- Kaspersky Anti-Ransomware Tool stupidly intercepts even the Bluetooth service, Apache’s httpd, the VPN, Samsung Magician and other processes that couldn’t possibly perform any ransomware-related activity even if they wanted to… but CCAV also intercepted them (as a general AV, that’s justifiable for it).
In the end, Kaspersky’s Anti-Ransomware Tool was deemed useless and it was the first thing I uninstalled, even before Huorong.
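The System Diagnostics Toolkit findings above (user-mode hooks in ntdll.dll, kernel32.dll and friends) come down to comparing what a DLL’s exports look like on disk with what they look like once mapped into a process. As an added illustration, not code from Huorong or from any other tool mentioned here, the Python below performs that comparison on constructed byte samples: the module base, export RVAs, prologue bytes and the “example_guard.dll” address range are all made up, and on a real system the in-memory bytes would be read from the target process instead of a dictionary.

```python
import struct
from typing import Optional

# Constructed sample data (not real ntdll/kernel32 values): the preferred base
# of a fake module and, per export, its RVA plus the first 8 bytes of the
# function as stored on disk.
MODULE_BASE = 0x77D00000
DISK_EXPORTS = {
    "NtCreateFile": (0x00041230, bytes.fromhex("4c8bd1b855000000")),
    "NtWriteFile":  (0x00041290, bytes.fromhex("4c8bd1b808000000")),
    "LdrLoadDll":   (0x0002A100, bytes.fromhex("4883ec28488bc190")),
}
# The same 8 bytes as they would be read from the mapped copy in a process.
MEMORY_EXPORTS = {
    "NtCreateFile": bytes.fromhex("e9cbedaf2e000000"),  # jmp rel32 (inline hook)
    "NtWriteFile":  bytes.fromhex("4c8bd1b808000000"),  # untouched
    "LdrLoadDll":   bytes.fromhex("6800001060c3ba90"),  # push imm32 ; ret trampoline
}
# Constructed address ranges of modules loaded in the process, used to name
# the owner of a hook target (a hypothetical security product DLL here).
LOADED_MODULES = {
    "example_guard.dll": (0xA6800000, 0xA6900000),
    "fake_ntdll.dll":    (MODULE_BASE, MODULE_BASE + 0x00180000),
}


def owner_of(address: int) -> str:
    """Name the loaded module whose range contains `address`."""
    for name, (lo, hi) in LOADED_MODULES.items():
        if lo <= address < hi:
            return name
    return "<unknown module>"


def classify_hook(name: str) -> Optional[dict]:
    """Compare the disk and memory prologue of one export; None means no patch."""
    rva, disk = DISK_EXPORTS[name]
    mem = MEMORY_EXPORTS[name]
    if disk == mem:
        return None
    va = MODULE_BASE + rva
    if mem[0] == 0xE9:
        # E9 rel32: target = address right after the 5-byte jmp + signed rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        target = va + 5 + rel
        kind = "jmp rel32"
    elif mem[0] == 0x68 and mem[5] == 0xC3:
        # 68 imm32 C3: push target ; ret
        target = struct.unpack_from("<I", mem, 1)[0]
        kind = "push/ret"
    else:
        return {"export": name, "kind": "unknown patch", "target": None, "owner": None}
    return {"export": name, "kind": kind, "target": target, "owner": owner_of(target)}


def hook_report() -> list:
    """All patched exports, in export-table order."""
    return [h for h in (classify_hook(n) for n in DISK_EXPORTS) if h is not None]


if __name__ == "__main__":
    for h in hook_report():
        tgt = f"{h['target']:#010x}" if h["target"] is not None else "?"
        print(f"{h['export']:<14} {h['kind']:<10} -> {tgt} ({h['owner']})")
```

The interesting output is not the patch itself but its owner: a jump from an ntdll export into a module that is not ntdll is what the Toolkit reports as “hooked by X”, and the owner name is what lets you tell an AV’s sandboxing layer from something that should not be there.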
But where does it stand detection-wise, our Chinese companion?
Funny thing, it was able to detect most of what I threw at it; for a useless figure, 94.2% of the very recent malware samples were detected on the spot!
The problem is with what it didn’t detect. At the time of the test, I selected 4 malware samples that were detected by many major vendors, and even by COMODO, but not by Huorong:
The fact that they were only 10-hr old on VirusTotal wasn’t a valid excuse. After all, COMODO is rated as having a rather poor detection rate (this seems to have changed lately), and yet it detected all of them…
…or did it? VirusTotal uses the “full” CIS/CAV/CW engine, not the cloud-only CCAV. And the problem is that 3 of the above 4 samples were only detected by the “full” Comodo, and not by Comodo Cloud AV!
Let’s put it this way, as I don’t know what it says:
In brief, Huorong Internet Security is small, light, powerful, with some limitations I could live with, but I can’t accept a detection rate that’s lower than COMODO’s!
Next stop, COMODO Antivirus, whose version 12 was just out of beta as I was testing Huorong!
Despite the bugs reported in the beta stage, I found CAV 188.8.131.5210 (CAV, not CIS, which means it lacks the firewall, but not the HIPS) perfectly stable, well-behaved and unobtrusive (again, no firewall), even with the HIPS active! (This was tested under Win7 though; that planetary crap called Win10 might behave differently.)
The good thing about CAV 12 compared to CAV 11 was that the sandboxing configuration got better, similar to what I had in CCAV 2.0 beta. But the best thing was what it offered me in comparison to CCAV (beyond the improved malware detection): unknown binaries weren’t automatically uploaded to Valkyrie! (Well, they still accumulated in a fucking list, and I had to manually “trust” each of them, but that wasn’t a show-stopper of any kind.)
CAV 12 now has a quite large signature DB (it expands to about 435 MB), and it tends to be as prone to false positives as Avast and AVG, which is not great, but not critically bad either.
To make it short: Comodo AV 12 is now a very usable free product, at least on Win7, and to my surprise I now recommend it over CCAV 2.0 Beta (or non-beta, should it reach that level). The only nasty thing is that uninstalling it leaves too many traces (files, Registry keys).
One week later, CAV 12 still performed quite well, but there was an offer I couldn’t turn down: ComputerBILD 8/2019 offered, for only 4.50 € (the price of the CD edition; no need to pay more for the DVD), a 1-yr license for Bitdefender Internet Security 2019!
Yes, I know that there are countless reports of Bitdefender’s UI taking 600 MB of RAM, if not more. But on my system, it typically takes less than 60 MB, and never more than 200 MB during a scan. Most of the time the UI is not active, and bdagent.exe only takes 4…6 MB. I don’t know what “Windows 10 Guinea Pig Edition” some people are running, but my Win7 system is just fine with Bitdefender IS 2019!
These licenses come as 6+6 months, meaning that 10 days prior to the expiration of the first 6-mo period, another 6-mo activation needs to be made. Apart from that, the pleasant surprise is that adding this license preserved whatever was left of the 30-day trial license!
The reason I never liked Bitdefender was that it didn’t ask before doing whatever it thought appropriate with whatever it thought it was malware, even if told to ask first; things are now simpler: it just won’t ask, so the safe choice is to select the quarantining or the blocking:
Restoring from quarantine automatically whitelists, which is great:
Even with the “unresolved” files added as exceptions, this idiot still cries “You’re infected!” after a system scan; BTW, scanning 9.4 M files took 3h43 on an SSD! (And the password-protected count is wrong: only 51 files are password-protected archives; the other 1481 files are installers–most of which are stored by Windows under WinSXS and cannot be deleted–that could not be unpacked for analysis, but whose fault is that?)
This annoyance aside, I very much appreciate its Safe Files feature: I had to whitelist Firefox and Notepad3 to even save files to a location listed under Protected Folders!
Programs that can change several files in a short time might need to be added as exceptions to Ransomware Remediation (which, strangely, is disabled by default):
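Both Safe Files and Ransomware Remediation rest on the same observation: ransomware touches many user files in a very short time, so a process that does that is suspect, and a legitimate bulk tool (a photo renamer, a backup job, a batch editor) looks identical to the heuristic, which is exactly why it has to be added as an exception. The Python below is an added, simplified illustration of that sliding-window heuristic, not Bitdefender’s logic; the events, process names, window length and threshold are all constructed, and on a real system the events would come from a file-system minifilter or an audit log.

```python
from collections import defaultdict, deque

# Constructed file-system events: (timestamp in seconds, process, action, path).
EVENTS = []
# 40 renames in 4 s: the pattern Ransomware Remediation is meant to catch.
EVENTS += [(100.0 + i * 0.1, "ransom.exe", "rename",
            f"C:\\Users\\me\\Documents\\doc{i}.docx.locked") for i in range(40)]
# A legitimate photo renamer doing 30 renames in 3 s: indistinguishable by rate.
EVENTS += [(100.0 + i * 0.1, "bulk_renamer.exe", "rename",
            f"D:\\Photos\\IMG_{i:04d}.jpg") for i in range(30)]
# A single save from an editor: never enough to trip the threshold.
EVENTS += [(105.0, "notepad3.exe", "modify", "C:\\Users\\me\\Documents\\notes.txt")]
# A backup job writing 15 chunks over 28 s: many files, but never 20 in 10 s.
EVENTS += [(100.0 + i * 2.0, "backup.exe", "modify",
            f"E:\\backup\\chunk{i}.bin") for i in range(15)]

WATCHED_ACTIONS = {"modify", "rename", "delete"}


def burst_offenders(events, window=10.0, threshold=20, exceptions=frozenset()):
    """Return {process: peak count} for processes that changed at least
    `threshold` files within any `window` seconds, skipping excepted ones."""
    per_proc = defaultdict(list)
    for ts, proc, action, path in sorted(events):
        if action in WATCHED_ACTIONS:
            per_proc[proc].append(ts)

    flagged = {}
    for proc, stamps in per_proc.items():
        if proc.lower() in exceptions:
            continue  # the user-maintained exception list
        recent = deque()
        peak = 0
        for ts in stamps:
            recent.append(ts)
            # Drop events that fell out of the sliding window.
            while recent and recent[0] < ts - window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[proc] = peak
    return flagged


if __name__ == "__main__":
    print("no exceptions:  ", burst_offenders(EVENTS))
    print("with exception: ", burst_offenders(EVENTS, exceptions=frozenset({"bulk_renamer.exe"})))
```

Run as-is, the renamer is flagged right beside the ransomware sample; only the exception list separates them. That is the trade-off behind the screenshot above: the heuristic cannot know intent, so anything that legitimately rewrites many files in a burst must be excepted by hand.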
Time will tell whether I’ll stick to Bitdefender IS until the end of the license or not.
UPDATE–The first glitch in Bitdefender 2019!
As I was deleting a local file from within CoreFTP, “Safe Files” popped up and informed me that “This application attempted to change or delete files from [a protected folder] and was blocked.” Well, unfortunately it was not blocked! Incidentally, CoreFTP deleted the file to the Recycle Bin, but it could just as well have deleted it for good. It’s also irrelevant that this was a voluntary deletion–how could I trust Bitdefender to intercept a 0-day ransomware once it proved it sometimes cannot?
Only then did I notice that, despite the laudatory reviews everywhere, the most recent AV-TEST (Jan.-Feb. 2019) downgraded Bitdefender’s protection level from a perfect 6 to 5.5, simply because in February, the 0-day protection was only 98.8%:
0-day malware… that’s exactly what Safe Files and Ransomware Remediation were supposed to help with! And I just experienced such a failure (thankfully, not from malware).
Apparently, after quite some time of perfect scores, Bitdefender lost 0.5 points everywhere:
To my surprise, Comodo (which once was credited by some reviewers with as low as 38% signature-based detections) has had a perfect protection score of 6 for more than a year now:
That’s simply unbelievable. And yet, everyone is praising Bitdefender. OK, Bitdefender has fewer false positives, and very reassuring protection modules… except that I’m not trusting them anymore!
I guess I’ll try to squeeze some more value from the 4.50 € I paid for the license (the magazine also included a 1-yr LanguageTool Premium license, really a 59 € value, but originally I purchased it for Bitdefender). Or maybe not.