Talk about Antivirus and the component and behavior.

Discussion in 'Tech Discussion' started by xiazixin, Jan 13, 2020.

  1. xiazixin

    As for antivirus, there are tons of ads and tons of brands, but the big antivirus products are actually quite different, and it really depends on a person's needs.
    If you ask for a recommendation, I only use Kaspersky_lab and HR_sword, Icesword. I used to only use HR_sword and Icesword because Kaspersky is really shit on old hardware.... I'll tell you the reasons later.

    Basically there are 4 types of AV: scans, HIPS, anti-rootkit and real-time protection.

    Firstly, we have the scans.
    They basically have an online database or a local database where they store the fingerprints of malware or viruses and perform searches with it. They will identify viruses that have matching or similar fingerprints. The reason WannaCry is hard to detect in antivirus is because it's always changing; likewise, scan-based AV is weak against different variants of the same type of virus. How good a scan-based antivirus is depends on how fast it updates its database. Good scans update their database on the day or within minutes of the discovery of a new virus.

    Then we have HIPS.
    HIPS is like Android notifications: when an app wants to access your storage or your pictures, you will receive a notification prompt before the app gets it. It is useful in stopping a lot of software, preventing malicious code from accessing content that it doesn't need. Some HIPS settings in antivirus are pretty complicated if you have no idea what it is or how it works. You have basic HIPS functions in your Windows built-in firewall; you will know it if you use it. A HIPS antivirus is an addition to that, which is usually a much more complicated firewall than the built-in firewall. Those usually aim at advanced users. Some antivirus products do provide HIPS, but they are just the same as your firewall or worse than the firewall. The antivirus famous for HIPS is ESS 9, but there are still loopholes in it, and it kills tons of innocent software and tools if you don't know the settings.

    After that, anti-rootkit.
    Anti-rootkit tools are usually system diagnostics. Some Western-style scanning methods of firewalls do include a scan for malicious programs for anti-rootkit purposes. But even if there is no scan, advanced system administrators or network administrators would prefer the one without a scan included, e.g. Icesword and huorongsword (click link to download), which is root-finding and diagnostic software. Unlike classic ones, it's really difficult to look for the virus in the sea of your roots if you have tons and tons of roots. Lucky for you, scans now cover rootkits too, which is idiot-proof. It's very good for tracking botnets and zombies, which are the most common viruses nowadays.
    [Image: Kaspersky Lab performing the rootkit scan.]
    [Image: 1596 processes, that's a lot of things to take note of.]

    Real-time protection, sounds high-tech.
    This is where the high tech is going on, with all the advanced stuff like virtualization and the shit which kills older PCs. They tend to have little performance impact on modern PCs with Intel virtualization and other things like on-access scanning.
    It basically scans the directory before you access it and runs the executable files in a virtualized environment before it launches them. Too bad that different companies have different meanings or definitions of real-time protection. Some of them are trash; they are there just for marketing. A full-fledged real-time protection in my definition comes with a network. Example: KSN.
    Antivirus with good real-time protection will have many memes about it, because the performance hit is unbearable on old hardware.

    Other optimization: I have a friend who works at Symantec. He explained to me about the level of the hardware and the internal methods, and said that Microsoft and Symantec are in a good partnership and are better optimized, and how they have a different approach than other AVs on the market. And a whole bunch of logic and complicated explanation which I still don't understand.

    ------

    There are tons of things to look out for when buying antivirus: price, performance, system performance hits and marketing.
    Personally I prefer to buy one with cute girls. Preferably loli.
    Kaspersky at Comiket C92. Seriously, other weebs are selling galgames, eroge, hentai comics, and Kaspersky is selling AV. That's also the reason why I bought it lol. The marketing totally works.
    [Image: Kaspersky Lab at Comiket C92]
    which is a copy of the marketing methods from Windows/Microsoft.
    There are tons of "marketing" (2D girls) here; that's why Microsoft took 92% of desktop share. If Microsoft did lewd stuff maybe even mobile phones would become Windows. lol.
     
    Last edited: Jan 13, 2020
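Added example (my own, not from the post above and not code from Icesword, huorongsword or Kaspersky): the anti-rootkit tools mentioned in the post work by "cross-view" comparison, enumerating processes through a normal user-mode listing and again through a lower-level path, then reporting whatever the low-level view sees that the normal listing does not. The snapshots below are constructed; the pid/name pairs are placeholders. The two-round intersection is there to handle the common false positive: a process that starts or exits between the two enumerations.

```python
def find_hidden(user_view: set, kernel_view: set) -> set:
    """Processes present in the lower-level view but absent from the
    user-mode listing. Each entry is a (pid, image_name) pair."""
    return kernel_view - user_view


def cross_view_diff(rounds) -> set:
    """rounds: list of (user_view, kernel_view) snapshot pairs taken a moment
    apart. A process counts as hidden only if it is missing from the
    user-mode view in every round, so something that simply started or
    exited between two enumerations (seen in one round, gone in the next)
    is not reported as a rootkit-hidden process."""
    if not rounds:
        return set()
    hidden = find_hidden(*rounds[0])
    for user_view, kernel_view in rounds[1:]:
        hidden &= find_hidden(user_view, kernel_view)
    return hidden


# Constructed snapshots (placeholder pids and names, not from a real machine).
BASE = {(4, "System"), (812, "svchost.exe"), (1200, "explorer.exe")}

# Round 1: "installer.exe" started between the two enumerations, so it shows
# up only in the second (kernel) view; "hidden.exe" is the genuinely hidden one.
ROUND1 = (BASE,
          BASE | {(2001, "installer.exe"), (1337, "hidden.exe")})
# Round 2: installer.exe is now visible in both views; hidden.exe still is not.
ROUND2 = (BASE | {(2001, "installer.exe")},
          BASE | {(2001, "installer.exe"), (1337, "hidden.exe")})


def run_demo() -> set:
    """Return the set of processes hidden across both rounds."""
    return cross_view_diff([ROUND1, ROUND2])


if __name__ == "__main__":
    print("single round flags:", find_hidden(*ROUND1))
    print("hidden in every round:", run_demo())
```

On a real system the two views would come from different enumeration paths (the process listing API versus a lower-level walk of kernel structures); the comparison logic is the same.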
  2. Nightow1

    ... just to point out, you mean "Anti-VIRUS". Anti-viral is a medicine.
     
  3. xiazixin

    thx. Edit: I think I fixed it, there might be leaks.
     
  4. Jeebus

    It might also be worth noting the difference between heuristic and rule-based AVs. Most use a bit of both, but if you're just using a rule-based AV, some polymorphic viruses can bypass the filters.
     
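Added example (my own, not from any poster in this thread or any AV vendor) for the scan-based point in the first post and the rule-based vs. heuristic point just above: a toy rule-based scanner that matches a file hash and a byte pattern, a constructed "polymorphic" variant that re-encodes the same body with a different XOR key so neither rule matches, and a toy heuristic scanner that emulates what the decoder stub would do at run time and then scores behaviour markers in the decoded body. All payload bytes, family names and rule weights are constructed stand-ins; nothing here implements real malicious behaviour.

```python
import hashlib

# Constructed sample body: labelled bytes standing in for a binary's code.
PAYLOAD = b"ROUTINE:delete_shadow_copies;encrypt_documents;contact_c2"


# --- Rule-based (signature) side: what a scan-based AV database holds -------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical family name; both signature tables are constructed.
HASH_SIGNATURES = {sha256_hex(PAYLOAD): "Constructed.Ransom.A"}
PATTERN_SIGNATURES = {b"encrypt_documents": "Constructed.Ransom.A"}


def signature_scan(sample: bytes):
    """Return the family name if the hash or a byte pattern matches, else None."""
    name = HASH_SIGNATURES.get(sha256_hex(sample))
    if name:
        return name
    for pattern, family in PATTERN_SIGNATURES.items():
        if pattern in sample:
            return family
    return None


# --- Polymorphism: same body, different bytes on disk every time -------------
STUB_HEADER = b"STUB:xor_key="


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Constructed polymorphic variant: a one-byte key inside a decoder stub,
    followed by the body XOR-encoded with that key. Hash and pattern rules
    written for PAYLOAD no longer match the bytes on disk."""
    return STUB_HEADER + bytes([key]) + b";" + xor_bytes(PAYLOAD, key)


# --- Heuristic side: emulate the stub, then judge behaviour -------------------
BEHAVIOUR_RULES = {          # weight per behaviour marker found after decoding
    b"delete_shadow_copies": 3,
    b"encrypt_documents": 3,
    b"contact_c2": 1,
}


def emulate(sample: bytes) -> bytes:
    """Toy stand-in for sandbox execution: if the sample starts with the
    decoder stub, do what the stub would do at run time (XOR-decode the body)
    and return the decoded bytes. Anything else is returned unchanged."""
    if sample.startswith(STUB_HEADER) and len(sample) > len(STUB_HEADER) + 1:
        key = sample[len(STUB_HEADER)]
        return xor_bytes(sample[len(STUB_HEADER) + 2:], key)
    return sample


def heuristic_scan(sample: bytes, threshold: int = 3) -> tuple:
    """Score behaviour markers in the emulated body; returns (is_malicious, score)."""
    body = emulate(sample)
    score = sum(w for marker, w in BEHAVIOUR_RULES.items() if marker in body)
    return score >= threshold, score


if __name__ == "__main__":
    for label, sample in (("original", PAYLOAD), ("variant", make_variant(0x5A))):
        print(label, "signature:", signature_scan(sample),
              "heuristic:", heuristic_scan(sample))
```

The variant defeats both rules because the rules describe bytes, not behaviour; the heuristic side still catches it because it looks at what the sample does after its own decoder has run. The trade-off a real product faces is the cost of that emulation and the false positives of a weighted score, which is why the thread's point that most AVs use a bit of both holds.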
  5. xiazixin

    I thought that's HIPS? I don't know lol
     
  6. WinByDying

    Windows Defender plus an adblocker is plenty for normal Windows users.
     
  7. Jeebus

    Heuristics-based AV will do different things depending on how it's set up. In general, the AV will run the program in a sandbox to analyze its behavior before allowing it to run in userland.

    HIPS stands for Host Intrusion Prevention System. It can refer to a number of things depending on how it's set up. At the most basic level, it will deny a user application access to anything outside of the application itself unless authorized by the user (similar to UAC in Windows). Some will learn to allow access to certain protected areas over time as you use it. Some will include heuristics and sandboxing, but HIPS and heuristics aren't necessarily the same thing.
     
    Last edited: Jan 13, 2020
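Added example (my own, not from the post above and not any product's HIPS implementation) of the basic HIPS behaviour described there: default-deny for anything outside the application's own directory, a prompt to the user, and remembering the answer so the same request is not asked again. Paths, application names and the request shape are constructed; the path check collapses `..` so a request that traverses out of the app directory is treated as outside it.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    app: str        # process image name (constructed)
    app_dir: str    # directory the application "owns"
    path: str       # resource it wants to touch
    action: str     # "read", "write" or "exec"


def _within(path: str, root: str) -> bool:
    """True if path lies under root after normalisation. normpath collapses
    '..', so '/apps/game/../../startup/x' resolves to '/startup/x' and is
    correctly judged to be outside '/apps/game'."""
    p = posixpath.normpath(path)
    r = posixpath.normpath(root).rstrip("/")
    return p == r or p.startswith(r + "/")


class ToyHips:
    """Default-deny outside the app's own directory, prompt the user, and
    remember the user's answer for that (app, path, action) triple."""

    def __init__(self):
        self.learned = {}   # (app, normalised path, action) -> True/False
        self.events = []    # audit trail of every decision taken

    def decide(self, req: AccessRequest, user_answer=None) -> str:
        """Return 'allow', 'deny' or 'prompt'. Pass user_answer=True/False to
        supply the user's reply to an earlier 'prompt'; it is then learned."""
        key = (req.app, posixpath.normpath(req.path), req.action)
        if _within(req.path, req.app_dir):
            verdict = "allow"                       # own files: never prompt
        elif key in self.learned:
            verdict = "allow" if self.learned[key] else "deny"
        elif user_answer is None:
            verdict = "prompt"                      # the UI would ask here
        else:
            self.learned[key] = bool(user_answer)   # remember for next time
            verdict = "allow" if user_answer else "deny"
        self.events.append((key, verdict))
        return verdict


if __name__ == "__main__":
    hips = ToyHips()
    own = AccessRequest("game.exe", "/apps/game", "/apps/game/save.dat", "write")
    escape = AccessRequest("game.exe", "/apps/game",
                           "/apps/game/../../startup/run.bat", "write")
    print(hips.decide(own))            # allow
    print(hips.decide(escape))         # prompt
    print(hips.decide(escape, False))  # deny, and remembered
    print(hips.decide(escape))         # deny, no second prompt
```

The learned table is exactly where the thread's later complaint comes from: one wrong click on a prompt is remembered, and a user who cannot read the prompt will either break a legitimate program or wave through something that should have stayed denied.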
  8. lnv

    The thing is, back in the day you needed AV; nowadays, the built-in Microsoft one is good enough (it was crap before for a long time). The only thing one might want is Malwarebytes to handle spyware.

    If you really want a paid one, BitDefender is probably the best.

    This is a good reference to see which AV is doing best as it changes by the year:

    https://www.av-comparatives.org/comparison/
     
  9. xiazixin

    yeah, nowadays hackers are running out of things to hack, AVs are getting sophisticated.

    I think I know the meaning; all my resources and that friend of mine who works at Symantec are Chinese.
    I kind of put it in the real-time protection and HIPS zone...
     
  10. xiazixin

    I think I got that mixed up, thanks for clarifying!.... but I'm too lazy to edit this long text.... :(
    Edit: this article is a pain.....
    Edit: I'll try, but don't expect an update soon.
     
    Last edited: Jan 13, 2020
  11. Jeebus

    At the end of the day, all types of AV are just trying to prevent applications from accessing or modifying protected areas of memory, system files, and other user applications in memory or at rest. Because of this, there is a lot of overlap between the different methods. A good AV will have a combination of all the methods you mentioned, as well as some others that you didn't cover.

    It's not uncommon for a scheduled scan on a good AV to scan for rootkits, use fingerprinting, and scan running processes. Likewise, a good AV will do rule-based and heuristic scans for any new file it detects. Also, for real-time scanning, a good AV will keep tabs on running processes, unauthorized system-level access (HIPS), and much more.
     
    Last edited: Jan 13, 2020
  12. xiazixin

    But not all are newbie- or idiot-friendly lol. Some of the AVs have their issues, especially HIPS, even in default and recommended settings, and it took a very long time to find out what's wrong.

    Edit: but generally big brands would make it so that it suits the big audience, which makes it as simple and less customizable so you're less likely to mess up.
    But there are tons of good niche ones.
     
  13. Jeebus

    An average user shouldn't need to customize their AV. More than likely, if an average user is given access to advanced options, they'll just break the AV.

    For instance, Norton is a good AV for home users and for small businesses because it is simple and offers a wide range of detection techniques. Symantec, which owns Norton, is great for large businesses because you can integrate it into Active Directory and do policy-based scans and customizations. It's really only at the enterprise level that you need the flexibility and customizability afforded to domain and system administrators through AVs like Symantec.
     