- Apr 24, 2016
In a test involving real attack scenarios, 26 protection solutions for consumer users and corporate users demonstrate their performance. In the series of Advanced Threat Protection tests, the lab investigates how successfully the products protect against ransomware. Each step of the malware attack is logged and evaluated, right through to an encryption. Many solutions do exactly what they promise: offer protection against ransomware. But not all solutions pass the test with flying colors.
The Advanced Threat Protection tests provide vendors and users with substantial findings as to how securely a product can protect against ransomware in real-life scenarios. 12 products for consumer users and 14 protection solutions for business users are subjected to the current test. The manufacturers of the products for consumer users are: Avast, AVG, Bitdefender, F-Secure, G DATA, K7 Computing, Kaspersky, Microsoft, Microworld, NortonLifeLock, PC Matic and VIPRE Security.
The solutions tested for business users are products from the following vendors: Acronis, Avast, Bitdefender (two versions), Comodo, F-Secure, G DATA, Kaspersky (two versions), Microsoft, Seqrite, Symantec, Trellix and VMware.
All the products have to successfully defend against ransomware in 10 real-life scenarios under Windows 10. The test involves threats such as archives containing hidden malware, PowerPoint files with scripts or HTML files with malicious content. The 10 charts on the “test scenarios” list the type of attack and each step taken to fend it off. The lab even specifies the definitions in MITRE ATT&CK technique codes. Anyone interested in finding out more about the specific technical steps involved in an Advanced Threat Protection test can refer to the published article New Lines of Defense: EPPs and EDRs Put to the Test Against APT and Ransomware Attacks for more detailed information.
Consumer users: live attack test with ransomware
In the current test, 12 consumer products from the following vendors are being subjected to the tests performed by the experts in the lab: Avast, AVG, Bitdefender, F-Secure, G DATA, K7 Computing, Kaspersky, Microsoft, Microworld, NortonLifeLock, PC Matic and VIPRE Security.
Each of the products has to prove its worth in the 10 scenarios with various modes of attack. All of the attacks involve the user receiving an e-mail with an attachment. This attachment is dangerous in each of the scenarios, for example infected PowerPoint files, scripts or packed archives containing malware. The test shows that all of the products already detect the attackers in the first steps (initial access or execution). 11 of the 12 protection packages also block any further execution of the attack at this stage and therefore receive the full total of 40 points. Only K7 Computing has a problem: although it detects the attack, it nonetheless allows the attacker to create a file further down the line in scenario number 6. Although this file is harmless, 0.5 points are deducted from the overall score.
The end result of the test for home user products reveals that 11 products receive the full score of 40 points, while K7 Computing is awarded 39.5 points. Given that all of the products tested achieve at least 75 percent (30 points) of the maximum of 40 points, they all receive the “Advanced Certified” certificate.
Corporate users: live attack test with ransomware
The lab is testing 14 protection solutions for company networks in 10 real-life scenarios. Products from the following vendors are being put to the test: Acronis, Avast, Bitdefender (two versions), Comodo, F-Secure, G DATA, Kaspersky (two versions), Microsoft, Seqrite, Symantec, Trellix and VMware.
This test also involves the 10 defined scenarios. The primary mode of attack is an e-mail with an infected attachment. The attachment is always malicious, for example in the form of Office files with scripts, which then execute further steps via tools such as PowerShell.
In the test, all of the products already detect the attackers in the first steps (initial access or execution). Only 10 of the 14 products, however, are able to detect the attacks and fully block them. The four products from Symantec, Seqrite, VMware and Trellix allow the attack to progress further.
The Symantec and Seqrite solutions fail to prevent the encryption of individual files in further steps, as does VMware, which additionally allows the background file of the desktop to be changed. It usually contains a reference to the attack by the ransomware group.
Trellix has the same problem as VMware – but the background image of the desktop is not changed once, but seven times. Although the file itself is harmless, points are deducted in each individual case.
In the final result, 10 products for corporate users achieve the full total of 40 points. These are followed by Symantec with 39.5 points, Seqrite and VMware with 39 points each and finally Trellix with 36.5 points.
All of the business products are awarded the “Advanced Approved Endpoint Protection” certificate because they achieve 75 percent (30 points) of the maximum protection score of 40 points.