Parsh

Level 24
Verified
Trusted
Malware Hunter
A new report from AV-TEST on the self-protection of a large number of security products, both Consumer and Endpoint protection suites, is out!
The test examined how well they deploy protection technologies such as ASLR and DEP, as usual.

A short introduction to ASLR and DEP for readers who are not familiar with these terms:
Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures.
Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. When the two are combined, it becomes exceedingly difficult to exploit vulnerabilities in applications using shellcode or return-oriented programming (ROP) techniques.


Here are the highlights:
Consumer Security
[Images: consumer self-protection tables (overall evaluation, individual values, signed files)]
Endpoint (Corporate) Security
[Images: endpoint (B2B) self-protection tables (overall evaluation, individual values, signed files)]

You can find more details on their report page.
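What a test like this looks at is whether a product's executables and drivers are actually built with these mitigations switched on. As an added illustration (example code, not from the post or from AV-TEST), the C routine below reads that information from a Windows PE header: DEP via IMAGE_DLLCHARACTERISTICS_NX_COMPAT, ASLR via IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (plus HIGH_ENTROPY_VA for 64-bit images), Control Flow Guard, and one check worth having that the tables do not show: whether the image still carries relocations, because a DYNAMIC_BASE flag on an image marked IMAGE_FILE_RELOCS_STRIPPED cannot be moved by the loader and so gives no randomisation. The flag values and header offsets come from the PE/COFF specification; the sample images are constructed by build_minimal_pe and contain only headers, so they are not loadable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020
#define DLLCHAR_DYNAMIC_BASE    0x0040
#define DLLCHAR_NX_COMPAT       0x0100
#define DLLCHAR_GUARD_CF        0x4000
/* IMAGE_FILE_RELOCS_STRIPPED from the COFF file header Characteristics */
#define FILE_RELOCS_STRIPPED    0x0001

/* Result bits returned by classify_image() */
#define MIT_DEP             1   /* NX_COMPAT: image opts into DEP */
#define MIT_ASLR_FLAG       2   /* DYNAMIC_BASE is set */
#define MIT_ASLR_EFFECTIVE  4   /* DYNAMIC_BASE set AND relocations still present */
#define MIT_HIGH_ENTROPY    8   /* 64-bit image with HIGH_ENTROPY_VA */
#define MIT_CFG            16   /* Control Flow Guard */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }

/* Walk DOS header -> PE signature -> COFF header -> optional header and
 * return a MIT_* bitmask, or -1 if the bytes are not a well-formed PE header. */
int classify_image(const uint8_t *data, size_t len)
{
    if (len < 0x40 || data[0] != 'M' || data[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(data + 0x3C);
    if ((size_t)e_lfanew + 24 > len) return -1;            /* signature + COFF header must fit */
    if (memcmp(data + e_lfanew, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = data + e_lfanew + 4;
    uint16_t opt_size = rd16(coff + 16);                    /* SizeOfOptionalHeader */
    uint16_t file_chars = rd16(coff + 18);                  /* Characteristics */
    const uint8_t *opt = coff + 20;
    if (opt_size < 72 || (size_t)(opt - data) + opt_size > len) return -1;
    uint16_t magic = rd16(opt);                             /* 0x10B = PE32, 0x20B = PE32+ */
    if (magic != 0x10B && magic != 0x20B) return -1;
    uint16_t dllchars = rd16(opt + 70);                     /* DllCharacteristics, same offset in both */

    int mask = 0;
    if (dllchars & DLLCHAR_NX_COMPAT) mask |= MIT_DEP;
    if (dllchars & DLLCHAR_DYNAMIC_BASE) {
        mask |= MIT_ASLR_FLAG;
        /* Caveat: without a relocation table the loader cannot move the image,
         * so DYNAMIC_BASE alone does not give randomisation. */
        if (!(file_chars & FILE_RELOCS_STRIPPED)) mask |= MIT_ASLR_EFFECTIVE;
    }
    if (magic == 0x20B && (dllchars & DLLCHAR_HIGH_ENTROPY_VA)) mask |= MIT_HIGH_ENTROPY;
    if (dllchars & DLLCHAR_GUARD_CF) mask |= MIT_CFG;
    return mask;
}

/* Constructed header-only image (not loadable) so the parser can be exercised offline.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_minimal_pe(uint8_t *buf, size_t cap, uint16_t dllchars, uint16_t file_chars, int pe32plus)
{
    uint16_t opt_size = pe32plus ? 240 : 224;
    size_t total = 0x40 + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                        /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, pe32plus ? 0x8664 : 0x014C);              /* Machine */
    wr16(coff + 16, opt_size);                               /* SizeOfOptionalHeader */
    wr16(coff + 18, file_chars);                             /* Characteristics */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, pe32plus ? 0x20B : 0x10B);                 /* Magic */
    wr16(opt + 70, dllchars);                                /* DllCharacteristics */
    return total;
}

/* Build a sample with the given flags and classify it (-1 on a malformed sample). */
int classify_sample(uint16_t dllchars, uint16_t file_chars, int pe32plus)
{
    uint8_t img[512];
    size_t n = build_minimal_pe(img, sizeof img, dllchars, file_chars, pe32plus);
    return n ? classify_image(img, n) : -1;
}

int main(void)
{
    int m = classify_sample(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_HIGH_ENTROPY_VA, 0, 1);
    printf("DEP=%d ASLR=%d effective=%d high-entropy=%d CFG=%d\n",
           !!(m & MIT_DEP), !!(m & MIT_ASLR_FLAG), !!(m & MIT_ASLR_EFFECTIVE),
           !!(m & MIT_HIGH_ENTROPY), !!(m & MIT_CFG));
    return 0;
}
```

To run it against a real file, read the file into a buffer and pass it to classify_image; only the headers are inspected, so the whole image is not needed. Note that a header flag is an opt-in, not a guarantee: the operating system's own policy (for example mandatory ASLR, or DEP forced for all processes) can override what the image asks for.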

Game Of Thrones

Level 5
Verified
Well, I think some modules in apps don't need these protection mechanisms, but it's good to have them fully in AVs. The point is, these mechanisms just make it harder to penetrate the AV itself but don't make it impossible, as I saw a sample that disables Norton or Webroot and ESET (especially ESET and Webroot are really bad at self-defense).
Reactions: spaceoctopus

Xsjx

Level 13
Hmm, the "malware forums" favorite doesn't have 100%.

Winter Soldier

Level 25
If we consider buffer overflows, then we know why the AVs' self-protection is so important.
Simply put, a buffer overflow allows you to run arbitrary code on the machine running the vulnerable software (in this case an antivirus).
The logic is always to point EIP (*) to a piece of string entered by the attacker (for example using an exploit).
So an attacker can enter executable code before or after the value that will overwrite EIP, and set that value to the address from which to begin executing it.

(*) EIP
It is simply a pointer to the next instruction, i.e. what the CPU has to execute immediately after the current instruction.
EIP can be exploited to run malicious code inserted by exploiting code bugs.
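As an added example of the defect class this post describes (example code, not from the post), the C fragment below puts the unchecked copy that makes an EIP overwrite possible beside its bounded replacement. With the unchecked version, an input of NAME_MAX or more bytes runs past the stack buffer into the saved frame pointer and return address; DEP and ASLR only make that harder to turn into code execution, they do not remove the bug. The unchecked version is kept for contrast only; the usage call and the checks exercise the bounded one, which refuses any input that does not fit together with its terminator. NAME_MAX and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer, the scenario described above */

/* Vulnerable pattern (for contrast only; never call it on untrusted input).
 * strcpy copies until the NUL terminator, so nothing stops an input of
 * NAME_MAX or more bytes from overwriting what lies above `name` on the
 * stack, including the saved return address that EIP is loaded from. */
int copy_name_unchecked(const char *input, char *out)
{
    char name[NAME_MAX];
    strcpy(name, input);
    strcpy(out, name);
    return (int)strlen(name);
}

/* Length scan that never reads beyond `max` bytes of `s`. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: bound every read and write and refuse input that does
 * not fit together with its terminator. Returns the copied length, or -1. */
int copy_name_checked(const char *input, char *out, size_t out_cap)
{
    char name[NAME_MAX];
    size_t n = bounded_len(input, NAME_MAX);
    if (n >= NAME_MAX)            /* no room for the NUL: reject, don't truncate silently */
        return -1;
    if (out_cap < n + 1)          /* destination must also hold the terminator */
        return -1;
    memcpy(name, input, n + 1);
    memcpy(out, name, n + 1);
    return (int)n;
}

int main(void)
{
    char out[32];
    const char *ok  = "Avast";                       /* constructed sample input */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";    /* 24 bytes: would overflow the unchecked copy */
    printf("checked(\"%s\") = %d\n", ok, copy_name_checked(ok, out, sizeof out));
    printf("checked(24 x 'A') = %d (rejected)\n", copy_name_checked(bad, out, sizeof out));
    return 0;
}
```

The rejected-rather-than-truncated choice matters: silently cutting the input to fit avoids the overflow but can let a later consumer act on a name that differs from what was supplied, so returning an error and logging it is the better default for a security product.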

Parsh

Level 24
Verified
Trusted
Malware Hunter
These mechanisms just make it harder to penetrate the AV itself but don't make it impossible, as I saw a sample that disables Norton or Webroot and ESET (especially ESET and Webroot are really bad at self-defense)
The difficulty surely increases, and these attack vectors are given very slim scope. That's it. It won't be 100%, like you said, and there will be some loopholes in AVs that curious hackers will find at different times, with different updates or old unpatched versions installed.

Hmm, the "malware forums" favorite doesn't have 100%.
Ya mean Comodo?
If you see their rating for Comodo against malware, it's got just 3/5 points. You know why... though this self-protection is a different and less arguable thing.

Are those protections needed for AV GUI processes too?
AVs I've used (Comodo, Kasp, Avast) do protect their GUI process (not the app) primarily because this process enables you to control the state and config of your AV. So yes, all of them must be!

Xsjx

Level 13
The difficulty surely increases, and these attack vectors are given very slim scope. That's it. It won't be 100%, like you said, and there will be some loopholes in AVs that curious hackers will find at different times, with different updates or old unpatched versions installed.


Ya mean Comodo?
If you see their rating for Comodo against malware, it's got just 3/5 points. You know why... though this self-protection is a different and less arguable thing.


AVs I've used (Comodo, Kasp, Avast) do protect their GUI process (not the app) primarily because this process enables you to control the state and config of your AV. So yes, all of them must be!
I mean EmsiSOFT :p

Parsh

Level 24
Verified
Trusted
Malware Hunter
I mean EmsiSOFT :p
Oh okay :)
Well, considering their team and their method of working, they'll have to improve in this field. They've already made nice improvements in features, usability and BB. Let the product mature completely and with time, even other drawbacks should be covered.

spaceoctopus

Level 15
Verified
Content Creator
Thanx for sharing! :)
Reactions: Parsh

DJ Panda

Level 29
Verified
Kinda disappointed about the results for Avast... Oh well, take it with a grain of salt. With tweaking, Avast's protection is almost unbeatable. :p
Reactions: spaceoctopus

Parsh

Level 24
Verified
Trusted
Malware Hunter
Kinda disappointed about the results for Avast... Oh well, take it with a grain of salt. With tweaking, Avast's protection is almost unbeatable. :p
While that's agreeable, the reports are indicative of their 'self' protection that you can't tweak except for the 'enable self-protection' toggle...
Reactions: Sunshine-boy

Parsh

Level 24
Verified
Trusted
Malware Hunter
No self-protection; you can kill Avast processes, so no protection.
Not Process Explorer, but in an attack from a hacker.
Your saying 'you can kill Avast protection' + 'so no protection' contrasts with what you said just now!
How can Avast have NO protection? It's like saying that any amateur hacker can get past its defense mechanism.
It does have the self-protection module and ASLR and DEP implemented, though apparently to a somewhat lesser extent compared to the rankers.

Xsjx

Level 13
Your saying 'you can kill Avast protection' + 'so no protection' contrasts with what you said just now!
How can Avast have NO protection? It's like saying that any amateur hacker can get past its defense mechanism.
It does have the self-protection module and ASLR and DEP implemented, though apparently to a somewhat lesser extent compared to the rankers.
I mean, if you kill Avast it doesn't offer any protection anymore...
So you can get every setting you want; if Avast is killed, it does nothing anymore.

DJ Panda

Level 29
Verified
?

No self-protection; you can kill Avast processes, so no protection.
I have Avast set to require a password to do anything on it. I also run a Standard User account, so I doubt anything will happen anytime soon. Just practice smart habits and you're safe... Believe me, when I had the rare trouble with Avast I would try to shut it down. Doesn't work...

Like the other users said, provide proof before you make some of these statements..