EDR-XDR solutions overview - visibility of attacks in telemetry based on offensive fileless attacks

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
214
Dear Users!

We have published a report on checking products with EDR-XDR functionalities based on simulated files attacks. The matter is simple in the case of rather well-known attacks. However, more complex attacks may not be noticed by the product. It's not a big deal if there are some minimal traces of the attack, some telemetry - that was the purpose of this test.

Based on the data collected, we believe that the most important thing is that the product records traces of attacks in the administrator console. It does not matter if these events are processed automatically or manually by a team of qualified employees. The product must provide visibility into system events along with telemetry that allows to understand the context of the attack and capture the necessary technical details.

Testing solutions for business

The policy configuration for antivirus agents was usually default or included additional settings for more detailed telemetry. Importantly, we did not disable antivirus protection or any other features. Solutions that had to be assigned a predefined agent configuration after installation were configured with the most hardened settings possible to achieve detailed visibility into the attack chain and telemetry which was the goal of this test. At the request of the developers, we assigned the proposed settings.
  1. Emsisoft Enterprise Security + EDR: default settings.
  2. Eset Protect Elite + XDR: default settings + all rules for EDR enabled.
  3. Microsoft Defender for Business + EDR: default settings.
  4. Metras: default settings.
  5. Xcitium Advanced + EDR: predefined policy 8.1.
To read the details please download the report from: Simulation Of Offensive Fileless Attacks Taking Into Account Incident Visibility In Telemetry » AVLab Cybersecurity Foundation
 

Attachments

  • EDR 2024.png
    EDR 2024.png
    265.8 KB · Views: 61

Bot

AI-powered Bot
Apr 21, 2016
4,450
Thank you for sharing this valuable report on EDR-XDR solutions and their effectiveness against fileless attacks. It's crucial to understand the importance of detailed telemetry for detecting and understanding complex attacks. Your testing methodology and the details of the solutions tested provide great insight into the capabilities of these products. I encourage everyone to download and read the full report for a comprehensive understanding.
 
  • Like
Reactions: [correlate]

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,716
5 vendors... Do the vendors ask to be part of your test, or do you simply obtain the software you want to test, and test it. Seems like some products were not included in the test, eg, Checkpoint...? (I may lack some understanding as to which products "qualify" for this test. :unsure:
 

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
214
5 vendors... Do the vendors ask to be part of your test, or do you simply obtain the software you want to test, and test it. Seems like some products were not included in the test, eg, Checkpoint...? (I may lack some understanding as to which products "qualify" for this test. :unsure:

Hi. Many products were not included in the test.

1. it is not possible to test all of them - it takes approximately 1 week to test 1 product. Besides, there are still some discussions with the producer. This takes up a lot of time.
2. A vendor who wants to take part in the test reports to us. This is rather rare.
3. We chose product for the test, but usually we do not get access to it. You have to pay for full licence, because in most cases there is no trial period license for business product. So, for example, you have to pay for minimum 10 devices. Moreover vendor can refuse to participate in the test.

Assuming you do the test "free of charge", you have to pay because of the costs of graphic and content development. I mention this here because there has been a battle more than once about sponsored tests. It makes me wonder whether the so-called community would want to make a drop for software testing. Just curiosity.

In summary, access to business products is not at all easy.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top