AV-TEST Self-Protection report (April '17)

Parsh

A new report from AV-TEST on the self-protection of a large number of security products, both consumer and endpoint protection suites, is out!
The test examined how well they deploy protection technologies such as ASLR and DEP, as usual.

A short introduction to ASLR and DEP for readers who are not familiar with these terms:
Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures.
Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. When combined, it becomes exceedingly difficult to exploit vulnerabilities in applications using shellcode or return-oriented programming (ROP) techniques.


Here are the highlights:
Consumer Security
[Image: consumer self-protection overall evaluation table] [Image: consumer individual values table] [Image: consumer signed-files table]
Endpoint (Corporate) Security
[Image: endpoint (B2B) self-protection overall evaluation table] [Image: endpoint individual values table] [Image: endpoint signed-files table]

You can find more details on their report page.
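Whether a given Windows executable or DLL opts in to ASLR and DEP is recorded in two flags of its PE header, DYNAMIC_BASE and NX_COMPAT, which is what a per-file check of "deploying ASLR and DEP" comes down to. The following is an added example, not AV-TEST's test tool and not any vendor's code: a C program that parses the PE headers and reports those two flags, plus HIGH_ENTROPY_VA and whether relocations were stripped. Flag values and header offsets are taken from the PE/COFF specification; the `sample_*` images are constructed in memory for this example and are not real product binaries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values from the PE/COFF specification. */
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040  /* ASLR opt-in */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT       0x0100  /* DEP opt-in */
#define IMAGE_FILE_RELOCS_STRIPPED               0x0001
#define IMG_SIZE 0x200                                   /* size of the constructed samples */

struct pe_mitigations {
    int is_pe32plus;  /* 1 = 64-bit image (PE32+), 0 = 32-bit (PE32) */
    int aslr;         /* DYNAMIC_BASE: the loader may rebase the image */
    int high_entropy; /* HIGH_ENTROPY_VA: 64-bit ASLR over the full address range */
    int dep;          /* NX_COMPAT: image opted in to DEP */
    int relocatable;  /* relocation table kept, so rebasing can actually happen */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* Parse the headers of a PE image held in memory. Returns 0 and fills *out,
   or -1 if buf is not a well-formed PE file. */
int pe_read_mitigations(const uint8_t *buf, size_t len, struct pe_mitigations *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;           /* "MZ" */
    uint32_t pe_off = rd32(buf + 0x3C);                          /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 2) return -1;
    if (rd32(buf + pe_off) != 0x00004550) return -1;             /* "PE\0\0" */
    const uint8_t *coff = buf + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);                         /* SizeOfOptionalHeader */
    uint16_t file_flags = rd16(coff + 18);                       /* Characteristics */
    const uint8_t *opt = coff + 20;
    /* DllCharacteristics is at +70 in both the PE32 and the PE32+ optional header. */
    if (opt_size < 72 || (size_t)(opt - buf) + opt_size > len) return -1;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;
    uint16_t dllchar = rd16(opt + 70);
    out->is_pe32plus  = (magic == 0x20B);
    out->aslr         = !!(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    out->high_entropy = !!(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA);
    out->dep          = !!(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    out->relocatable  = !(file_flags & IMAGE_FILE_RELOCS_STRIPPED);
    return 0;
}

/* Constructed sample image (not a real binary): "MZ" stub, "PE\0\0", COFF and
   optional header carrying the requested magic and flags, everything else zero. */
static void build_image(uint8_t *buf, uint16_t magic, uint16_t file_flags, uint16_t dllchar)
{
    memset(buf, 0, IMG_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                          /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *coff = buf + 0x84;
    wr16(coff + 0, magic == 0x20B ? 0x8664 : 0x14C); /* Machine: x64 or i386 */
    wr16(coff + 16, magic == 0x20B ? 240 : 224);     /* SizeOfOptionalHeader */
    wr16(coff + 18, file_flags);
    wr16(coff + 20, magic);                          /* optional header Magic */
    wr16(coff + 20 + 70, dllchar);                   /* DllCharacteristics */
}

/* Constructed samples: a hardened 64-bit image with ASLR, high-entropy ASLR and
   DEP, and a legacy 32-bit image with no opt-ins and relocations stripped
   (which not even a system-wide "force ASLR" policy could move). */
int sample_hardened_x64(struct pe_mitigations *out)
{
    uint8_t img[IMG_SIZE];
    build_image(img, 0x20B, 0x0022, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA |
                IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    return pe_read_mitigations(img, sizeof img, out);
}
int sample_legacy_x86(struct pe_mitigations *out)
{
    uint8_t img[IMG_SIZE];
    build_image(img, 0x10B, 0x0102 | IMAGE_FILE_RELOCS_STRIPPED, 0);
    return pe_read_mitigations(img, sizeof img, out);
}

int main(int argc, char **argv)
{
    static uint8_t buf[65536];   /* only the headers are needed; 64 KiB is plenty */
    struct pe_mitigations m;
    for (int i = 1; i < argc; i++) {
        FILE *fp = fopen(argv[i], "rb");
        size_t n = fp ? fread(buf, 1, sizeof buf, fp) : 0;
        if (fp) fclose(fp);
        if (pe_read_mitigations(buf, n, &m) != 0) { printf("%s: not readable as a PE file\n", argv[i]); continue; }
        printf("%s: %s ASLR=%s%s DEP=%s relocations=%s\n", argv[i], m.is_pe32plus ? "PE32+" : "PE32",
               m.aslr ? "yes" : "no", m.high_entropy ? " (high entropy)" : "",
               m.dep ? "yes" : "no", m.relocatable ? "present" : "stripped");
    }
    return 0;
}
```

Run it over a product's install directory (`./pecheck *.exe *.dll`) to reproduce the per-file view behind such a table. Two caveats when reading the output: DYNAMIC_BASE only buys anything if the relocation table was kept (the `relocatable` field), and on 64-bit Windows HIGH_ENTROPY_VA is what lets the loader randomise over the full address range rather than the low 4 GiB. The flags state what the image asked for, not what the running process actually got, since system-wide mitigation policy can still override them.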
 

Game Of Thrones

Well, I think some modules in apps don't need these protection mechanisms, but it's good to have them fully in AVs. The point is, these mechanisms just make it harder to penetrate the AV itself but don't make it impossible, as I saw a sample that disables Norton or Webroot and ESET (especially ESET and Webroot are really bad at self-defense).
 

Xsjx


Hmm, the "Malware forums" favorite doesn't have 100%.
 

Winter Soldier

If we consider the buffer overflow, then we know how important AV self-protection is.
Simply put, a buffer overflow allows you to run arbitrary code on the machine running the vulnerable software (in this case an antivirus).
The logic is always to point EIP(*) to a piece of string entered by the attacker (for example using an exploit).
So an attacker can enter executable code before or after the value that will overwrite EIP, and set the value to the address from which to begin executing it.

(*) EIP
It is simply a pointer to the next instruction, i.e. what the CPU has to execute immediately after the current instruction.
EIP can be exploited to run malicious code inserted by exploiting code bugs.
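The hijack described in the post above, as an added example that is not from the post and not from any real product: a C model of one x86 stack frame (local buffer, saved EBP, saved EIP) showing the unbounded copy that lets attacker bytes land on the saved return address, next to the bounded copy that refuses oversized input. The frame is modelled as a struct so the overwrite is deterministic and does not crash the program; the original EBP/EIP values and the 0xDEADBEEF target are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one x86 stack frame in the order the compiler lays it out: the
   local buffer at the lowest address, then the saved frame pointer, then the
   saved return address, which is what EIP is loaded from at `ret`. Using a
   struct keeps the overflow deterministic and crash-free for illustration;
   a real overflow keeps writing past the frame into the caller's stack. */
struct frame {
    char     buf[16];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* The bug: copies len bytes into buf with no check against sizeof buf, so
   bytes 16..19 land on saved_ebp and bytes 20..23 on saved_eip. The writes go
   through the frame's raw bytes (clamped to the frame only so that the model
   itself stays well-defined C). */
void vulnerable_copy(struct frame *f, const uint8_t *input, size_t len)
{
    uint8_t *raw = (uint8_t *)f;
    size_t start = offsetof(struct frame, buf);
    for (size_t i = 0; i < len && start + i < sizeof *f; i++)
        raw[start + i] = input[i];
}

/* The fix: check the length against the buffer before copying, leaving room
   for the terminator. Oversized input is rejected instead of written. */
int safe_copy(struct frame *f, const uint8_t *input, size_t len)
{
    if (len >= sizeof f->buf) return -1;
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

/* The classic payload: filler up to the saved return address, then the
   address the attacker wants EIP to take, in native (x86 little-endian)
   byte order. Returns the payload length, or 0 if out is too small. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t target)
{
    size_t pad = offsetof(struct frame, saved_eip) - offsetof(struct frame, buf); /* 20 */
    if (cap < pad + sizeof target) return 0;
    memset(out, 'A', pad);
    memcpy(out + pad, &target, sizeof target);
    return pad + sizeof target;
}

/* Constructed "legitimate" frame contents before the copy (not real addresses). */
#define ORIG_EBP 0xBFFFF000u
#define ORIG_EIP 0x08048456u

/* Runs the payload through the vulnerable copy and returns what EIP would be
   loaded from afterwards: the attacker's target. */
uint32_t eip_after_vulnerable_copy(uint32_t target)
{
    struct frame f = { "", ORIG_EBP, ORIG_EIP };
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, target);
    vulnerable_copy(&f, payload, n);
    return f.saved_eip;
}

/* Same payload through the bounded copy: it is rejected (*rc == -1) and the
   saved return address is still ORIG_EIP. */
uint32_t eip_after_safe_copy(uint32_t target, int *rc)
{
    struct frame f = { "", ORIG_EBP, ORIG_EIP };
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, target);
    *rc = safe_copy(&f, payload, n);
    return f.saved_eip;
}

int main(void)
{
    int rc;
    uint32_t after_safe = eip_after_safe_copy(0xDEADBEEFu, &rc);
    printf("saved EIP before the copy:   0x%08X\n", (unsigned)ORIG_EIP);
    printf("after vulnerable_copy:       0x%08X\n", (unsigned)eip_after_vulnerable_copy(0xDEADBEEFu));
    printf("after safe_copy (rc=%d):     0x%08X\n", rc, (unsigned)after_safe);
    return 0;
}
```

What the two mitigations from the report change in this picture: with DEP the stack page holding `buf` is not executable, so shellcode placed "before or after" the EIP value cannot run from there, which is what pushes attackers towards ROP; with ASLR the address written over `saved_eip` is not known in advance, so a fixed target like the one here points somewhere else on the next run. Modern compilers additionally place a stack canary between `buf` and `saved_ebp` and check it before `ret`; the model leaves that out to keep the layout readable.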
 

Parsh

these mechanisms just make it harder to penetrate the AV itself but don't make it impossible, as I saw a sample that disables Norton or Webroot and ESET (especially ESET and Webroot are really bad at self-defense)
The difficulty surely increases and these attack vectors are given very slim scope. That's it. It won't be 100% like you said, and there will be some loopholes in AVs that curious hackers will find at different times, with different updates or old unpatched versions installed.

Hmm, the "Malware forums" favorite doesn't have 100%.
You mean Comodo?
If you see their rating for Comodo against malware, it's got just 3/5 points. You know why... though this self-protection is a different and less arguable thing.

Are those protections needed for AV GUI processes too?
AVs I've used (Comodo, Kaspersky, Avast) do protect their GUI process (not the app), primarily because this process enables you to control the state and config of your AV. So yes, all of them must be!
 

Xsjx

The difficulty surely increases and these attack vectors are given very slim scope. That's it. It won't be 100% like you said, and there will be some loopholes in AVs that curious hackers will find at different times, with different updates or old unpatched versions installed.


You mean Comodo?
If you see their rating for Comodo against malware, it's got just 3/5 points. You know why... though this self-protection is a different and less arguable thing.


AVs I've used (Comodo, Kaspersky, Avast) do protect their GUI process (not the app), primarily because this process enables you to control the state and config of your AV. So yes, all of them must be!
I mean EmsiSOFT :p
 

Parsh

I mean EmsiSOFT :p
Oh okay :)
Well, considering their team and their method of working, they'll have to improve in this field. They've already made nice improvements in features, usability and BB. Let the product mature completely, and with time even other drawbacks should be covered.
 

spaceoctopus

Thanks for sharing! :)
 

DJ Panda

Kinda disappointed about the results for Avast. Oh well, take it with a grain of salt. With tweaking, Avast's protection is almost unbeatable. :p
 

Parsh

Kinda disappointed about the results for Avast.. Oh well, take it with a grain of salt. With tweaking Avast's protection is almost unbeatable. :p
While that's agreeable, the reports are indicative of their 'self' protection, which you can't tweak except for the 'enable self-protection' toggle...
 

Parsh

No self, you can kill Avast processes, so no protection.
Not Process Explorer, but in an attack from a hacker.
You saying 'you can kill Avast processes' + 'so no protection' contrasts with what you said just now!
How can Avast have NO protection? It's like saying that any amateur hacker can get past its defense mechanism.
It does have the self-protection module and ASLR and DEP implemented, though apparently to a slightly lesser extent compared to the top rankers.
 

Xsjx

You saying 'you can kill Avast processes' + 'so no protection' contrasts with what you said just now!
How can Avast have NO protection? It's like saying that any amateur hacker can get past its defense mechanism.
It does have the self-protection module and ASLR and DEP implemented, though apparently to a slightly lesser extent compared to the top rankers.
I mean, if you kill Avast it doesn't offer any protection anymore...
So you can get every setting you want; if Avast is killed, it does nothing anymore.
 

DJ Panda

?

No self, you can kill Avast processes, so no protection.

I have Avast set to require a password to do anything in it. I also run a standard user account, so I doubt anything will happen anytime soon. Just practice smart habits and you're safe... Believe me, when I had the rare trouble with Avast I would try to shut it down. It doesn't work...

Like the other users said, provide proof before you make some of these statements.
 
