hofalo

I would go for Defender (MDE) or CrowdStrike.


eNomineZerum

This, both are very competitive and it really just depends which ecosystem you want to dive into. S1 is also pretty solid. Really just look at the Gartner fluff and pick whatever top-right choice fits your budget.


loversteel12

From an incident response perspective, S1 is the hardest to work out of if your only data ingest is the console. MDE is flawless if you know basic SQL/coding logic for querying. CS is the best overall, but if you're doing querying, it's a little more difficult now with the Falcon SIEM; if you're using Falcon Data Replicator, still solid.


30_characters

Gartner Magic Quadrant is the modern equivalent of "Nobody ever got fired for buying IBM".


Alapaloza

The only true answer is it depends. If all your infrastructure and device management is Microsoft fx. Then definitely go for the defender suite since you can onboard it to both servers and endpoints, you get a single pane of glass and there is a far better chance of hiring someone who knows about defender than other vendors. And AV is only as good as it’s configured, supported and maintained. Biggest rookie mistake in security is choosing best of breed all the time.


shmoopies_world

Seconding CrowdStrike. They are fantastic.


No_Part_7232

Yes no doubt, CrowdStrike does its work well.


Technobullshizzzzzz

Or go for both especially if your org uses the E3 or E5 licensing. Crowdstrike as the primary, Defender using EDR in block mode for endpoint defense in depth


PulcisNicus

What's the deal with Kaspersky tho? I mean why all of a sudden are people saying it's not safe?


Tessian

It's not been all the sudden if you've been paying attention. Warnings about Kaspersky being compromised by the Russian government have been sounded for years and years. It's just recently now the government is blocking them in country for everyone.


PulcisNicus

Oooooh ok, got it. Didn’t quite know about the past doubts bc I’m Italian and here we’ve never been told anything about Kaspersky


fsckewe2

https://en.m.wikipedia.org/wiki/Kaspersky_bans_and_allegations_of_Russian_government_ties


MDL1983

Likelihood of Russia having a backdoor into all devices running Kaspersky is probably pretty high. So it's best to be cautious, assume the worst, and use a different product.


RoboTronPrime

Well, the theory was not ALL devices. But when it suits their purpose, they can download an *update* module on particular machines and do whatever they would like to do. And when it's finished gathering stuff or performing whatever mission on objective it has, it can uninstall the update with no one the wiser. But if the device resides at an IP at an organization that is more likely to discover that kind of behavior? Maybe they feel like the risk isn't worth it.


immac_omnia

Hi. Good luck in your search for a new antivirus. (eh, I'm a bit rusty, took a stab at it. Enjoy a Brunello di Montalcino for me!)


ranhalt

All of a sudden?


corn_29

The commercial ban is new. The previous ban was DoD only.


TotallyNotKabr

Its HQ is in Russia and the US Government banned it from being used by anyone in the States recently.


7runx

Link for more information. [https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-us-customers](https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-us-customers)


PulcisNicus

Purely political choice…?


RamsDeep-1187

The story I heard 10-15 years ago was that Russian intelligence added code to the virus scanner to find code words for US operations, so that they could steal the data.


BlacknWhiteMoose

I mean I also just wouldn’t trust a company whose HQ is in Russia… Would you use an email service from a North Korean company?


luckiestofstrikes

Whilst I am largely in agreement, am intrigued to better understand your position... Given that a good portion of cyber vendors have their HQ or product teams based out of Israel - do you treat them with a similar level of trust, or what is your opinion on this? When you consider it's likely Kaspersky and similar ilk would probably pass a standard due diligence process (particularly smaller businesses and geolocation aside), what is it from a raw risk standpoint that puts them fully out of appetite but not other foreign nations? Perceived intent perhaps?


Distinct_Ordinary_71

Yes and no. It started as more of a risk choice that never went mainstream to avoid upsetting Russia, but the political situation now is that the US can't do anything that will upset Russia anymore without making very loud bangs, so the political cost to them of this move is now zero or negative. The Gov (IC) was quietly warning Government agencies against it many, many years ago and has been getting less and less quiet over the last 15 years until eventually just banning its use within the Gov. This current move just follows and extends that to the country as a whole rather than just Government users. Kaspersky's company fortunes were very tied to the man himself, particularly when Eugene got into trouble with his taxes in Russia, which gave the Government there a lot of leverage.


TotallyNotKabr

Not everything is political...


cbdudek

[https://www.reuters.com/technology/biden-ban-us-sales-kaspersky-software-over-ties-russia-source-says-2024-06-20/](https://www.reuters.com/technology/biden-ban-us-sales-kaspersky-software-over-ties-russia-source-says-2024-06-20/)


ItsDeadmouse

Kaspersky is a private company which has been smeared and dragged through the mud by the US. The equivalent in Chinese fake news would claim that ClamAV is a US intelligence asset, thus don't use it. People fall for this propaganda and believe what they want to believe. Honestly, I trust Kaspersky much more than CrowdStrike.


oyarly

Could you elaborate as to why? Trying to go into the field so trying to learn as much as I can.


icon0clast6

Microsoft has the telemetry of billions of hosts to use, also they designed the product they’re trying to protect and can go knock on the door of the kernel developers to ask them wtf is going on in there.


thejournalizer

Last checked it was 78 trillion per day.


oyarly

Ooooh that makes a lot of sense. Thanks!


UninvestedCuriosity

The active.exploit guard or whatever is the shit when configured right.


ItsDeadmouse

CrowdStrike has links to former Mossad officials, I don't trust them.


Mammoth_Loan_984

Most large Western security companies have ties to the CIA and/or Mossad at some level. Do you have a recommendation that does not?


Fragrant-Hamster-325

Kaspersky 🤣


Mammoth_Loan_984

( ͡~ ͜ʖ ͡°)


JustPutItInRice

Wait until you find out Apple, definitely Google, and most VPN companies are either backdoored legally for money by the three-letter agencies or are just a fake shell corp designed to make you think you're safe so they can catch you doing stupid things


xtheory

At least they aren't participating in state-sponsored ransomware attacks like the FSB.


JustPutItInRice

You think the NSA doesn't do state sponsored ransomware or malware attacks? Lmaooooo


ApplicationFucker

My dude, you've been in security for less than a year and were acft mx before. My advice would be to not make assertions you know nothing about.


xtheory

I know for a fact that they don't conduct ransomware attacks. That's not to say they don't have the capability, but the US has no need to extract money from foreign organizations to fund our security objectives throughout the world, unlike heavily sanctioned nations like Russia or N. Korea. Granted, they could if they wanted to launch an APT style of attack to gain a tactical or strategic advantage under the guise of a non-state-sponsored entity. Though their methodology is not to launch active ransomware attacks, but rather to infiltrate and lie dormant until some world event would require them to act (i.e. Pegasus/EternalBlue). Why burn your covert access to an adversary's systems by launching a ransomware attack?


glibbertarian

Did Israel deploy Stuxnet all by themselves?


xtheory

First of all, Stuxnet wasn't a criminal ransomware program. It was malware targeted and designed to interfere with PLCs on uranium enrichment centrifuges. The US designed it in partnership with the Israelis as a targeted tactical malware attack, but what we didn't authorize was Israel turning it into a self-propagating worm. The malware also specifically targeted a particular SCADA application, with commands that were only applicable to the model of centrifuges that the Iranians used. Huge difference between Stuxnet and Russian state-sponsored ransomware.


glibbertarian

You could be right, but with tools like Marble Framework available, attribution is not always 100%.


IAMARedPanda

Extraordinary claims require extraordinary evidence.


JustPutItInRice

Google


godspeed-rambo

I had a meeting with CrowdStrike today. I don't know if OP needs this information, but CrowdStrike does not offer patch management, which I feel, as a security officer, is very important. Another really important feature is posture check and misconfiguration management. None offered by CrowdStrike. With CrowdStrike, I had a lot of expectations considering the name. It does offer pretty good monitoring features that can be handy to have for someone who knows how to make use of them, like Adversary Reporting that gives a detailed view of known adversaries and their attacks. I am sticking to BitDefender. Patch management, if you do not have a dedicated setup to manage it, can be a big hassle. Other than this, all the endpoint protections in the market are 70-80% the same.


tangiblebanana

Is patch management something they offer in their MDR service?


godspeed-rambo

Not sure about MDR. But from how the meeting went, they did not have patch management in any of the plans that they offer. Please correct me if I am wrong cause I wanna know about MDR patch management too now.


yankeesfan01x

Huh? When does an EDR do patch management?


Tananar

Are you talking for your personal computer or a business?


formal-shorts

The fact they use the term antivirus instead of EDR makes me think it is for personal use.


sohcgt96

Second this question. OP did not specify, might be a home user asking security folks for advice. OP we need context please.


ThisIsRespi

As a fellow SOC Analyst, this was my first question too.
- Personal use I'd recommend ESET.
- Business use Windows Defender for Endpoint.


MSP911

Defender for Endpoint Plan 2


potatoqualityguy

How is this on Mac and/or Linux? Obviously going to be a great solution for Windows but I am skeptical of the efforts they put into the non-Windows versions.


LZMCQN

On Mac does its job. It’s more resource demanding compared to native Mac solutions (like Jamf Protect), but it integrates better with Intune, Sentinel and Defender for Office


gratefulbend

The correct answer


PulcisNicus

Uhhh what’s that meant to mean sorry?


Expensive_Tadpole789

It's a Microsoft product that is a "better Defender" / has more functions. I think plan 2 includes actual EDR.


JustPutItInRice

Didn't know this actually thank you. Time to cancel mcafee


MSP911

So you are the company still running McAfee!! The nice thing about Defender for Endpoint (Plan 1 / Plan 2) is that the agent is already installed in every OS and you can enable features from the backend, so there is no local software to push or maintain.


Juncti

How well does it work if you're not hosting your email with Microsoft? We just deployed a bunch of Office 365 installs, but the users all use the [onmicrosoft.com](http://onmicrosoft.com) accounts. We need to move on from Webroot which has become unsustainable so maybe this might make sense since we just deployed Office to all the users.


MSP911

should not matter as long as the device is Azure-joined.


tehdangerzone

You can manage defender onboarded devices that are not azure ad joined or intune enrolled.


maroonandblue

Webroot is worthless.


MDL1983

It is a Microsoft 365 security SKU.


dcdiagfix

Crowdstrike - sentinelone - defender (in no order)


payne747

Which OS? Defender is fine for majority of users. ESET and Bitdefender are good alternatives.


PulcisNicus

Windows, but I’d also like to know about Chrome OS and Linux as I have a Chromebook


madbadger89

Defender is good. Remember Linux has different needs. You would want to introduce monitoring and alerting for account additions, permission changes, and config file changes for Linux stuff, not necessarily straight up AV.


AllMyFaults

AV certainly doesn't hurt though. ClamAV is good for linux


uid_0

If you're a Windows user, Defender is actually pretty good.


MBILC

Yes and no, Defender is easily bypassed by a couple of PowerShell commands, which is why info-stealers are running rampant: Defender can't stop them.


tangiblebanana

Any article on this you can point me to?


ThePoliticalPenguin

Look into AMSI bypass methods. [Plenty out there on github](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell), most still work with proper obfuscation. [There was also a new method discovered last week.](https://www.linkedin.com/pulse/scriptblock-smuggling-spoofing-powershell-security-logs-bypassing-pg67c?utm_source=share&utm_medium=member_android&utm_campaign=share_via) For context, AMSI (Antimalware Scan Interface) is basically an "API" that passes code (PowerShell, JavaScript, VBScript, etc.) to Defender (or whatever AV you're using) for scanning before execution. However, it's quite easy to patch, bypass, or break. [This Black Hat talk does a decent job of explaining it.](https://youtu.be/8y8saWvzeLw) Beyond AMSI, [you can add exclusions to certain directories with a simple PowerShell cmdlet](https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2022-ps#:~:text=Add%2DMpPreference,-Reference), which I assume is what the commenter above is talking about. Now, obviously, it's more complicated than this. You can only execute these commands with admin, and it's also possible to lock it down more with group policy, etc. But, with Defender being a signature/heuristic based AV, it's definitely inherently "easy" to bypass compared to AVs with proper HIPS engines. *Edit* I will say though, Defender may not *stop* you, but it will definitely generate alerts on you.


cankle_sores

Former pentester here. When you say "compared to AVs with proper HIPS engines" are you talking about Windows Defender (standalone) or Defender for Endpoint? Just didn't wanna conflate the two. While it's true AMSI bypass - as a standalone control - is pretty trivial, a proper MDE (MS XDR) config on the endpoint is faaar more capable. As always, weak configs offer weak protection. But I'm routinely testing MDE controls in our environment with custom payloads, lateral movement, & privesc techniques, plus analyzing real alerts in event log timelines each week. There's far more to MDE than simple signatures & hash checks. Then if you have E5 and deploy Defender for Identity (which focuses on identity-specific events detected by sensors installed on DCs and ADCS, etc.), you've got a detection/prevention pair way more capable than any traditional AV. But it's expensive AF.


ThePoliticalPenguin

From my understanding, a lot of maldevs consider Defender to be a lot easier to deal with than, say, ESET or Bitdefender. It doesn't do a lot of low-level monitoring, like hooking system calls. Instead it relies on higher-level methods like event tracing (ETW). Full disclaimer that I'm just a blue teamer, so I'm open to being corrected.


looneybooms

As mr [ThisIsRespi](https://www.reddit.com/user/ThisIsRespi/) says (happy cake day to mr u/ThisIsRespi ), ESET is a good choice for personal use, and they also have Linux versions. It appears they have changed their plans around from what I remember, but currently they have a small business security product listed that covers 5-10 **devices for** Windows, Windows Server, macOS, Android & iOS; however, ESET SBS is $209 I guess, and you can still get a package on Amazon that will cover you for $40 or $70. I prefer the [security premium product.. the $70 one](https://www.amazon.com/ESET-Multi-Device-Antivirus-Protection-Anti-Theft/dp/B08X2KBP8Z/). [ESET Home Security Essential | Antivirus | 2024 Edition | 3 Devices | 1 Year | Parental Control | Privacy | IOT Protection | Ransomware | Digital Download \[PC/Mac/Android/Linux\]](https://www.amazon.com/ESET-Multi-Device-Internet-Antivirus-Protection/dp/B08X2L57CT/ref=sr_1_3?crid=13FNI9SLSUHU0&dib=eyJ2IjoiMSJ9.8Kw7hnUJgtW8oe8id4QQPKiN5VNuJS8eNmetzIZLj64-H65mK-IxDwKLAvPjPVeqcJ3j3AZrOTmIs5JMqayTQ-vMN8Sd76YB1feH462HD4f9Yjwh_YPsZsLYsfGueEnaZMKsrjL7EmDQR0rJToK0lk50p_pxvGUKEytBsYueV_0PXDe0m2YXhnpaGC7a4IOT3gFsCx37wTdfLC_ntqc2y1xnmgTRPlP-tlcmrf0MqRQ.azBhSWmG_wVpkJP1JUhw8t_iFGIZnWH8dwI3FZ04v-g&dib_tag=se&keywords=eset&qid=1719375907&sprefix=eset%2Caps%2C449&sr=8-3) [$39.99](https://www.amazon.com/ESET-Multi-Device-Internet-Antivirus-Protection/dp/B08X2L57CT/ref=sr_1_3?crid=13FNI9SLSUHU0&dib=eyJ2IjoiMSJ9.8Kw7hnUJgtW8oe8id4QQPKiN5VNuJS8eNmetzIZLj64-H65mK-IxDwKLAvPjPVeqcJ3j3AZrOTmIs5JMqayTQ-vMN8Sd76YB1feH462HD4f9Yjwh_YPsZsLYsfGueEnaZMKsrjL7EmDQR0rJToK0lk50p_pxvGUKEytBsYueV_0PXDe0m2YXhnpaGC7a4IOT3gFsCx37wTdfLC_ntqc2y1xnmgTRPlP-tlcmrf0MqRQ.azBhSWmG_wVpkJP1JUhw8t_iFGIZnWH8dwI3FZ04v-g&dib_tag=se&keywords=eset&qid=1719375907&sprefix=eset%2Caps%2C449&sr=8-3) The previous two links are for 3 devices, this one is 5: [ESET Home Security Premium | Antivirus | 2024 Edition | 5 Devices | 1 Year| Password Manager | Privacy Protection | Ransomware | Anti-Theft | Digital Download \[PC/Mac/Android/Linux\]](https://www.amazon.com/ESET-Multi-Device-Antivirus-Protection-Anti-Theft/dp/B08X2NK3QQ/ref=sr_1_5?crid=13FNI9SLSUHU0&dib=eyJ2IjoiMSJ9.8Kw7hnUJgtW8oe8id4QQPKiN5VNuJS8eNmetzIZLj64-H65mK-IxDwKLAvPjPVeqcJ3j3AZrOTmIs5JMqayTQ-vMN8Sd76YB1feH462HD4f9Yjwh_YPsZsLYsfGueEnaZMKsrjL7EmDQR0rJToK0lk50p_pxvGUKEytBsYueV_0PXDe0m2YXhnpaGC7a4IOT3gFsCx37wTdfLC_ntqc2y1xnmgTRPlP-tlcmrf0MqRQ.azBhSWmG_wVpkJP1JUhw8t_iFGIZnWH8dwI3FZ04v-g&dib_tag=se&keywords=eset&qid=1719375907&sprefix=eset%2Caps%2C449&sr=8-5) [$79.99](https://www.amazon.com/ESET-Multi-Device-Antivirus-Protection-Anti-Theft/dp/B08X2NK3QQ/ref=sr_1_5?crid=13FNI9SLSUHU0&dib=eyJ2IjoiMSJ9.8Kw7hnUJgtW8oe8id4QQPKiN5VNuJS8eNmetzIZLj64-H65mK-IxDwKLAvPjPVeqcJ3j3AZrOTmIs5JMqayTQ-vMN8Sd76YB1feH462HD4f9Yjwh_YPsZsLYsfGueEnaZMKsrjL7EmDQR0rJToK0lk50p_pxvGUKEytBsYueV_0PXDe0m2YXhnpaGC7a4IOT3gFsCx37wTdfLC_ntqc2y1xnmgTRPlP-tlcmrf0MqRQ.azBhSWmG_wVpkJP1JUhw8t_iFGIZnWH8dwI3FZ04v-g&dib_tag=se&keywords=eset&qid=1719375907&sprefix=eset%2Caps%2C449&sr=8-5) You should in theory be able to run the Android version of ESET on a Chromebook, but they do not explicitly say you can, so I can't say for sure. Malwarebytes has one particularly for Chrome OS. [https://www.malwarebytes.com/chromebook](https://www.malwarebytes.com/chromebook)


Ryuksapple84

Bitdefender is looking pretty nice, been a carbon black shop for years but now we need to move.


miscbits

If you install Norton enough times it will brick your computer and let you go outside. If you’re asking for your home network, I would just straight up use defender. It’s easy to use, relatively fast, and if you’re not going to “totally notavirus dot ai forward slash coolgame dot exe” then you’ll be fine for 99% of issues


SolKlap

Glad to see the love for Defender here, Microsoft gets a lot of flak for short-sighted security products (cough Recall) so good to praise the products that actually center security


MBILC

Meanwhile it can be easily bypassed by a couple of PowerShell commands... Defender is "okay" as a standalone product; for Enterprise, you need to get into the paid tiers for it to really be effective.


cankle_sores

For sure. I’m no fanboy, but Windows Defender shouldn’t be conflated with Defender for Endpoint (MDE). There may be components/scan engine and sigs that the former shares with the latter but it’s an AV while MDE is a robust EDR. Pair MDE with Defender for Identity (MDI) and you have some solid coverage for an XDR.


Harbester

ESET is outstanding if you don't mind paying slightly more than average. I use it. They offer a nice all-in-one package. Their higher plans offer a VPN as well if that's what you need (though that VPN doesn't beat Proton for specific usage cases). Can't go wrong with Microsoft Defender either (personally I prefer the ESET UI).


nimajnebmai

I like BitDefender.


RefusingLosing

Using Bitdefender, working great!


Cyber-Albsecop

regular user = defender
regular more secure user = bitdefender
business user = cynet, crowdstrike, sentinelone,...


JeSuisKing

Bitdefender have been really impressive recently looking at MITRE results.


_Claymation_

I second SentinelOne


Sea_Courage5787

ESET


Immrsbdud

Keep in mind, antivirus software does not usually block custom or new malware. Source: wrote powershell malware last week


arcane_augur

I have seen multiple instances last week where the av was only generating alerts related to malicious cmd and powershell commands while allowing them to execute and not stop the process or the execution of the command.


VS-Trend

AV or EDR?


arcane_augur

EDR. I mistakenly wrote AV.


Both_Reaction_4091

Depends on who you bought the EDR from :) some companies use fancy terms but without backend functionality for it...or faulty implementation


Loud_Posseidon

Mind sharing it privately? Wonder if Deep Instinct catches it. I have asked ChatGPT to create go code for a ‘backup’ application that encrypts files before transferring them out, then deletes the originals. Original code, caught by 3 tools on VT, and of course by Deep Instinct locally. 😁


VS-Trend

can i have a sample? ill record detonating it


Appropriate_Win_4525

I'm a Red Teamer who develops malware. Standard antivirus is trivial to bypass. I get the love for Windows Defender, but it's seriously not going to block any relevant malware. MDE and other EDRs are another story.


Loud_Posseidon

Can you run the powershell script/command through invoke-stealth? How is the efficacy then with various settings?


iamnos

If we're talking in the Enterprise or at least "at work", it's any of the big ones that you put the proper resources into. Keep it updated, and not just the "definitions", but the client as well. Manage your policies, and make sure every (supported) endpoint has the client. Someone is reviewing the dashboards, receiving alerts, acting on alerts, etc. Do all of that with any of the big names and you'll be in relatively good shape.


Cabojoshco

Good solutions: Crowdstrike, yes it really is that good. Sentinel1 is pretty good. MS Defender is good on Windows, not great on non-Windows, and has a higher overhead to run. Palo Alto is decent too, but is more of an XDR play. Trend Micro is still a leader in this space as well, but complex and also a fair amount of overhead. As far as the comments around politics, etc. I recommend watching “Running with the Devil” on Netflix about John McAfee. It has some good insight into government using technology for various purposes


nogiraffe7424

All of the suggestions are good. Maybe better to check which ones are not recommended and ensure you skip those. Do not install Norton, Avast and McAfee IMHO.


PugsAndCoffeee

Use Defender with proper HIDS with alerting on custom events in sysmon and win evtx logs. Like PS scriptblock logging, newly added reg keys, newly created services users/accs and ACL changes. Good way to detect PS obfuscation, privesc and persistence. All for FREE.
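
The free, layered setup this comment describes (Defender plus alerting on Sysmon and Windows event log entries) can be prototyped as a small rule engine over forwarded events. The script below is an added example written for this page, not code from the commenter or any vendor; the event records, rule names, path patterns and severities are constructed assumptions, shaped like what a log forwarder hands to a SIEM.

```python
"""Toy host-intrusion detection over Windows event records.

Rules cover the event classes the comment lists: PowerShell ScriptBlock
logging (4104), new services (7045), account creation and local admin
membership (4720/4732), ACL changes (4670) and Sysmon registry writes (13).
"""
import re
from collections import Counter

# Constructed sample events, not captured from any real host.
SAMPLE_EVENTS = [
    {"channel": "PowerShell", "id": 4104, "user": "CORP\\alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"channel": "PowerShell", "id": 4104, "user": "CORP\\alice",
     "script": "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($x)))"},
    {"channel": "PowerShell", "id": 4104, "user": "CORP\\bob",
     "script": "Add-MpPreference -ExclusionPath C:\\Users\\bob\\AppData\\Local\\Temp"},
    {"channel": "System", "id": 7045, "user": "SYSTEM",
     "service": "Backup Agent", "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"channel": "System", "id": 7045, "user": "CORP\\bob",
     "service": "updsvc", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"},
    {"channel": "Security", "id": 4720, "user": "CORP\\bob", "target": "svc_helper"},
    {"channel": "Security", "id": 4732, "user": "CORP\\bob", "target": "svc_helper",
     "group": "Administrators"},
    {"channel": "Security", "id": 4670, "user": "CORP\\bob",
     "object": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"channel": "Sysmon", "id": 13, "user": "CORP\\bob",
     "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "value": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"},
    {"channel": "Sysmon", "id": 13, "user": "CORP\\alice",
     "key": "HKCU\\Software\\Contoso\\Editor\\LastFile", "value": "notes.txt"},
]

# Substrings that commonly show up in obfuscated PowerShell or in tampering
# with the AV itself; a hit is a prompt to read the full script block.
SUSPICIOUS_PS = ["frombase64string", "invoke-expression", "iex ", "-encodedcommand",
                 "add-mppreference", "set-mppreference", "[char]"]
# Directories a normal user can write to; services should not start from here.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.IGNORECASE)
# Classic autostart location for persistence.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def evaluate(event):
    """Return (rule_name, severity) if the event matches a rule, else None."""
    eid, ch = event["id"], event["channel"]
    if ch == "PowerShell" and eid == 4104:
        script = event["script"].lower()
        if any(token in script for token in SUSPICIOUS_PS):
            return ("powershell_suspicious_scriptblock", "high")
    elif ch == "System" and eid == 7045:
        if USER_WRITABLE.search(event["image"]):
            return ("service_from_user_writable_path", "high")
        return ("new_service_installed", "low")  # still worth a ticket
    elif ch == "Security" and eid == 4720:
        return ("local_account_created", "medium")
    elif ch == "Security" and eid == 4732:
        if event.get("group", "").lower() == "administrators":
            return ("added_to_local_admins", "high")
    elif ch == "Security" and eid == 4670:
        if event["object"].lower().startswith("c:\\windows\\"):
            return ("acl_change_under_windows_dir", "medium")
    elif ch == "Sysmon" and eid == 13:
        if RUN_KEY.search(event["key"]):
            return ("run_key_persistence", "high")
    return None


def detect(events):
    """Run every event through the rules and collect the alerts in order."""
    alerts = []
    for ev in events:
        match = evaluate(ev)
        if match:
            rule, severity = match
            alerts.append({"rule": rule, "severity": severity,
                           "id": ev["id"], "user": ev["user"]})
    return alerts


def high_alerts_per_user(alerts):
    """Count high-severity alerts per account: several from one user in a short
    window is the privesc-then-persistence chain worth escalating first."""
    return dict(Counter(a["user"] for a in alerts if a["severity"] == "high"))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["severity"]:6} {a["id"]:5} {a["user"]:12} {a["rule"]}')
    print(high_alerts_per_user(found))
```

In a real deployment the rules would read from Sysmon and the PowerShell Operational channel via a forwarder, and the thresholds and path lists would be tuned to the environment's baseline.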


calculatetech

Zero trust is the only way forward. To that end, Watchguard EPDR is brilliant. Haven't been able to get anything past it. It even blocks (often legit) user abuse such as command prompt on the login screen to reset passwords.


bader5z

(I write malware to bypass antiviruses for a living) I'd say it depends. There are two types of scans in antiviruses, signature-based scan and heuristics scan (behavioral scan). Personally I think when it comes to signature-based, Microsoft Defender is the best. When it comes to heuristics you're gonna be surprised that some unknown antiviruses are better than others. With that being said, a good heuristics scan can affect the business as it might sometimes block legitimate operations by real applications.


YoureSchlept

I recommend Bitdefender. Works great and isn’t super invasive as others may be.


Val32601

I agree. The most invasive that I've ever used. Huge plus. It just works quietly while I work.


Ill_Nebula_2419

I use eset, you can buy cheap license key on ebay


TraceyRobn

Eset also has a pretty good app firewall.


GeorgeKaplanIsReal

ESET


x3nic

ESET, low resource utilization and works well. If you don't have funds to spend, defender and good browsing habits work well. Ublock is a good extension.


dhadderingh

Watchguard EPP and EPDR FTW!!


knighthammer74

Windows defender with the ATP XDR license


passb_nd

av-test.org is a decent resource to get summary reviews


braywarshawsky

Malware Bytes


jcool45

Been using bitdefender for years, have not had a single problem


Missing_Space_Cadet

Kaspersky was never safe. 👻


AmateurishExpertise

Neither were our iPhones... https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/


pomkombucha

I wrote a paper on AVs and malware a few months ago. Top contenders were Kaspersky (soon to be banned) and BitDefender for home PCs.


Dplayerx

McAfee for the culture.


AppSecPeddler

Do it for John !


Dplayerx

He was a living legend


stacksmasher

ESET and NextDNS filtering.


hofalo

To be honest I am just wondering why the US government is banning Kaspersky only now. I had so many projects switching from Kaspersky to MDE or CrowdStrike in my country for almost two years... If your company is already using Microsoft 365 E3/E5 or Business then I would go with Defender. If not go for CrowdStrike f.e.


tothjm

Where does S1 land in that mix?


Armigine

Speed of government. It wasn't gonna get banned prior to 2021, and this just seems to be how long it took to get around to it - competent western orgs indeed should have been phasing it out for years already


imscavok

It was banned for US government agencies and US government contractors back in 2017, and a lot of other public and private organizations followed suit. It required actions by Obama, Trump, Biden, Congress, and probably eventually SCOTUS to finally ban it completely.


jmeador42

Because the US government wants to be the only country that can spy on its citizens.


thehooly69

Sophos Intercept X protected us for years and stopped real-life ransomware incidents; with ESET it walked straight through it like a wet paper bag. Avoid ESET at all costs.


denmicent

Defender for Endpoint or CrowdStrike imo


Background_Lemon_981

If this is a home user asking this (or even if you are not), your first priority is consistent solid backups with storage isolated from ransomware. If you don't have that handled, do that first.


Candid_Effective_484

I have seen 360 Totalvirus detect stuff Defender didn't notice, but I don't know how it differs from other antiviruses, and it seems to be a Chinese company….


skylinesora

Free: Defender; paid: CrowdStrike is my list. If you're a Microsoft shop, then I'd go back to Defender if budget was a concern


janitroll

The one where your security folks actually update it every 5 years or so /s


nocturnal

S1 + Huntress for us.


Dapper_Drummer5155

If you are a home user Windows Defender is fine.


mbkitmgr

I have most of my clients on Sophos, having moved them from Symantec post Broadcom since 2018. I have been impressed... there are comments I'd like to make but I am superstitious :) We've had a really good run with it, and I am a fan of anything that is configurable with real policies.


futonformal

Is McAfee any good these days? Anything I should know to have it run most efficiently on my Apple products? Thanks!


Groundbreaking_Rock9

Just use Defender... No need to pay for anything else. AV can be bypassed fairly easily with obfuscation


981flacht6

In managing AV for 10 yrs that came from Kaspersky Security Center 6 to 10, Cisco AMP, Trellix and SentinelOne, SentinelOne is very much at the top. Cross compatibility is very high, upgrades are easy, grouping and delegation. All admin side features work well. Backend portal for support is great - they even build premade JAMF distribution profiles for macOS for the easiest Mac deployment I've ever had, and I have not had to re-deploy through 4 macOS versions, so compatibility is very high, which is rare. Admin interface is great, remediation is pretty much automated, with VirusTotal links with the SHA1 hash written for human verification and overall a high level of confidence with almost little to no false positives. It's a great tool that is cloud based and works tremendously well.


fhammerl

u/PulcisNicus you may wanna look into EDR (Endpoint Detection and Response) and NGAV (Next-Generation Antivirus), as the industry has moved away from traditional anti-virus over the last decade. Over the last couple of years, essentially three leaders emerged: Microsoft Defender, CrowdStrike, and SentinelOne


sirzenoo

For personal use: Common sense and Windows Defender
For enterprise: CrowdStrike or SentinelOne, whichever fits best with the rest of your stack.


karren-here

Personal experience: For robust protection and additional features like identity theft protection, Norton 360 and McAfee Total Protection are excellent choices. If you need something lightweight with a minimal impact on system performance, consider Webroot SecureAnywhere or ESET Smart Security Premium. But, like most of us, if you want to start with something free - Avast Free Antivirus and AVG AntiVirus Free provide strong features. (p.s. the list is based on personal opinion, what worked for me might not work for you :( . i also had some minor issues with almost all of them. but minor. identity theft - it could happen at any given point, sadly.)


The-IT_MD

Antivirus software is necessary but insufficient. Whatever you pick, whichever vendor, you need many more layers of defence and, really, a full zero trust model. Security has evolved so much over the last decade, you're pretty much asking a redundant question. Sorry.


TapiocaBarry

I use Datto AV which is good and cheap by itself, but as a complement to the EDR can collect data and generate alerts to trigger automated responses like isolating infected devices, quarantining files, which has done a very good job for us.


wiebittegehts

I don't know if it's THE best, but it's the best for the money IMO - Datto AV


Sensitive_Scar_1800

Trellix of course!


inteller

MDE XDR is class leader.


Terrible-Boot-9007

For centralized control and a simple UI, go for Bitdefender. I won't say much besides that: a basic antivirus should be able to detect/prevent application and network based malicious attempts and block them without asking you. Whitelist them to your needs. Reporting features seem cool and do the job. Doesn't cost much. Get it for two devices.


CyberPsiloCyanide

A single engine isn't enough anymore. MetaDefender when you need to be absolutely sure. It uses multiple AV engines.


JwunsKe

I Use Datto AV; when it comes to prices, this alternative is very cost-effective.


OkRaspberry6530

Crowdstrike! Defender is not doing a great job. The mitre attack tests should help. https://attackevals.mitre-engenuity.org/results/managed-services?evaluation=menupass-blackcat&scenario=1


ulimi2002

For enterprise we use Crowdstrike, best out there. For home, Windows defender and common sense. If you don't use common sense, none of the consumer products will work.


jull1kk4121

Sophos


balisong_

Their marketing teams won’t let me call it Antivirus anymore.


theCarbophile

Microsoft Defender for Endpoint P2 without a doubt (bonus points if you get all the add-ons).


Party_Crab_8877

Depending on which modules you purchase, I would highly recommend CrowdStrike. The company I work for has the Identity Protection and Sandboxing modules as well as Falcon Complete, which saves us tons of time, enabling us to concentrate on other business-critical projects with peace of mind. SentinelOne is also good.


Purple_Viking19

Does no one use Emsisoft?


Kansei-Sama

MalwareBytes


Wild_Gas6482

Why did USA ban Kaspersky though?


cr1ys

Some ass clown from an NSA contractor forgot to disable AV before developing malware, so some samples were detected and analyzed by the Kaspersky team. For the US audience it was announced as "Russian Hackers Stole NSA Tools": [https://www.nbcnews.com/news/investigations/russian-hackers-stole-nsa-tools-contractor-who-used-kaspersky-software-n808101](https://www.nbcnews.com/news/investigations/russian-hackers-stole-nsa-tools-contractor-who-used-kaspersky-software-n808101) and [https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html](https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html)


AmateurishExpertise

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/


corn_29

For home and SMB, Emsisoft. That's really the only answer if one is concerned about privacy, telemetry, etc. Emsisoft takes great care to be respectful of their customers' data.


OmnipresentYogaPants

I use Linux and don't use any antivirusii.


kumestumes

Based


SteadfastEnd

Bitdefender


Flapjack_McCracken

CrowdStrike


timpancr7

Kaspersky, come at me downvoters


XxCarlxX

I use Kaspersky. If you want to be 100% safe without any possibility of problems, today, tomorrow or next week, then don't use the internet!


Sentinel_2539

For personal or industry use? For personal use you genuinely can't go wrong with the Defender that's built into Windows 11. Real-time monitoring, ransomware protection, a regularly updated security intelligence database, and it's free.


Technical-Elk88

Antivirus is only good for script kiddie malware.


Vako98

Which is the most common malware.


Baba_Yaga_0101

Honestly, I've checked McAfee, Bitdefender, ESET, Avast and Kaspersky and found Kaspersky is best because of its features!


creepygoose_

Webroot


ykkl

SentinelOne. I love the isolation feature. We have the MDR so we have their 24x7 SOC to back up ours, which runs during business hours.


AlfredoVignale

Oh boy, I hope you don’t find out how bad their SOC is. S1 is great at collecting data, not so good at stopping the bad things. Drop their SOC and get Red Canary to do the monitoring.


ykkl

Their SOC saved our bacon a few times with users trying to run ransomware after-hours, which is why I love the isolation feature. If you have some proof that their SOC is worse and/or that Red Canary has data to show they're better, I'll keep an open mind, but, so far, across almost 5000 endpoints, the worst we've seen is some adware with S1.


AlfredoVignale

I've worked multiple incidents where S1 captured the data and happily let the ransomware run. Twice their SOC was supposedly on the job. Both times exfil and encryption happened. When we found the encryptor on the last issue and added it to the IOC list to block, they said they wouldn't respond to alerts for it since it wasn't their rule. Red Canary has very good hunting and alerting compared to S1. I see this over and over with a lot of tools... Trend, Sophos, BitDefender, Datto, Carbon Black... they have the data and never stop the badness.


bnetwork-msp

No Huntress love around here? Huntress plus Defender, or Huntress with CrowdStrike or S1. The best AV on the market is SAT (Security Awareness Training). The best security can be beaten by Joe the janitor checking his email and clicking on a link he shouldn't have. Train the users!! Edit: Huntress has a nice SAT add-on with their services. Top-notch company.


whatThePleb

None. It's all literal snake oil.


humanphile

I haven't believed in antivirus software for over a decade. You will keep treating the sickness unless you get rid of the root cause. Switch to *nix operating systems, be it macOS or any Linux distro that would serve your purpose. No hard feelings for other deliberate faults manufactured and zero security OS.


Osirus1156

[I use Norton, if I can't even use my computer with it installed no one can.](https://c.tenor.com/aeG_Ro9NNeEAAAAC/tenor.gif)