AVLab.pl Advanced In-The-Wild Malware Test results for March 2025

Disclaimer
1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

That is my opinion too.
The rollback as well is poorly documented, there is no official documentation that explains it. Of course we can dive into the patents and find out even the mathematical formulas behind the clustering but that’s not the point.

My question is, if untrusted process cuteGirl.exe spawns PowerShell and through that destroys or exfiltrates data, would the actions of the not-monitored and trusted PowerShell be undone?
My question is, if untrusted process cuteGirl.exe spawns PowerShell and through that destroys or exfiltrates data, would the actions of the not-monitored and trusted PowerShell be undone?

Probably not, but adding CMD, PowerShell, MSHTA (and maybe some more LOLBins) to monitored processes can improve the detection.
Anyway, Webroot can be easily tweaked to block unknown executables, which works as a slightly more comprehensive brother of Windows SmartScreen.
Fileless attacks are not so common at home, but they can also be mainly covered by blocking CMD, PowerShell, MSHTA, etc. (the simplest and fastest method is via Windows Exploit Protection "Disable Win32k system calls"). Webroot mentioned this alternative in the documentation:

If one likes Webroot, the above setup at home is probably as good as tweaked top AVs. Of course, similar improvements can also be done with other solutions by tweaking the settings (which is slightly more convenient).
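As an added example (not from the thread or from Webroot's documentation), the Exploit Protection setting mentioned above can be audited, applied and reverted from an elevated PowerShell prompt with the built-in Get-ProcessMitigation / Set-ProcessMitigation cmdlets. The list of executables and the helper function names are chosen for this example; it assumes the mitigation name DisableWin32kSystemCalls corresponds to the "Disable Win32k system calls" switch shown in the Windows Security app.

```powershell
# Example only, not the poster's or Webroot's code. Requires an elevated
# PowerShell session on Windows 10/11 with the ProcessMitigations module.
# Assumption: the mitigation name DisableWin32kSystemCalls corresponds to the
# "Disable Win32k system calls" setting in the Windows Security UI.

# Executables the post suggests blocking (list constructed for this example).
$Lolbins = @('cmd.exe', 'powershell.exe', 'mshta.exe')

function Get-Win32kBlockState {
    # Report whether the Win32k system-call mitigation is set for each executable.
    param([string[]]$Names)
    foreach ($n in $Names) {
        $m = Get-ProcessMitigation -Name $n -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process                   = $n
            Win32kSystemCallsDisabled = if ($m) { $m.SystemCall.DisableWin32kSystemCalls } else { 'NOTSET' }
        }
    }
}

function Enable-Win32kBlock {
    # Apply the mitigation. Every future launch of the executable is affected,
    # including legitimate administrative use, so keep the revert function handy.
    param([string[]]$Names)
    foreach ($n in $Names) {
        Set-ProcessMitigation -Name $n -Enable DisableWin32kSystemCalls
    }
}

function Disable-Win32kBlock {
    # Revert the mitigation for the given executables.
    param([string[]]$Names)
    foreach ($n in $Names) {
        Set-ProcessMitigation -Name $n -Disable DisableWin32kSystemCalls
    }
}

# Usage: check the current state, apply, then confirm the change.
Get-Win32kBlockState -Names $Lolbins | Format-Table -AutoSize
Enable-Win32kBlock   -Names $Lolbins
Get-Win32kBlockState -Names $Lolbins | Format-Table -AutoSize
# To undo: Disable-Win32kBlock -Names $Lolbins
```

Check the "before" output first: if an executable already shows ON, something else (a policy or another security product) is managing the setting and the change should be coordinated with that rather than applied over it. Applying the mitigation per executable name covers any copy of that file on the system, so verify that scheduled tasks or management tooling at home do not depend on the same interpreters before rolling it out.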
Dear Community!

We have published the Advanced In-The-Wild Malware Test results for the month of March 2025 on our site. Among the additions is information on the malware families used (RATs, ransomware, stealers, etc.), and we have also added a breakdown of Enterprise and Home/Small Office products.

Details are available on the Recent Results webpage: Recent Results » AVLab Cybersecurity Foundation

And article: Advanced In-The-Wild Malware Test Results For March 2025 » AVLab Cybersecurity Foundation

If you have any wishes about what to include in the test in May, let us know in the comments.

We are also finishing work on the annual review of EDR-XDR solutions and publication is planned for May too.
Hello, Adrian!
Is there any reason for not including Kaspersky on the tests? I would like to see it to compare with other solutions! Last AV Comparatives, it got good results.
Hello, Adrian!
Is there any reason for not including Kaspersky on the tests? I would like to see it to compare with other solutions! Last AV Comparatives, it got good results.
Hi.

As I have explained many times before, we are not obliged to test every software if we do not receive compensation for the hardware resources and work involved due to sanctions imposed by Poland on Russia and, more generally, on Kaspersky worldwide.

The problem with Kaspersky at the moment is that the licence we bought in another country does not work in the place where we have our test server, although it is the same version.

I think Kaspersky may appear in our test this year.

An additional problem with Kaspersky is that their extended logs, which must be enabled to provide additional visibility into system information and malware behavior, often contain as much as 1-2GB for each malware sample!!!

We have to copy this data, which is done automatically, of course, but it slows down testing and means we can only use a smaller number of samples per month.

Now imagine 700 malware samples x 1-2GB each, how much space that takes up.