Modern protection without signatures – comparison test on real threats (Advanced In The Wild Malware Test)
Andy Ful wrote (post 977472):

Congrats on the 3rd place. (y)

It seems that the scenario of this particular test is as below:

1. The system is already infected.
2. The malware is trying to download/drop/execute the payload.

So, only the actions against point 2 are tested. The testing methodology INTENTIONALLY ignores the initial web-based threats and is focused on the protection against the payloads. It is an interesting approach, similar to Malware Protection testing. The difference between this test and the Malware Protection tests made by AV-Test or AV-Comparatives is that the samples are (on average) a few days old in AVLab tests and a few weeks old in AV-Test/AV-Comparatives tests. Also, the Malware Protection tests are used as a kind of reference (subsidiary) test to the Real-World tests.

Anyway, it is not generally true that Level 3 of this test represents modern protection without any signatures or shows the true effectiveness of protection against fresh/unknown malware. I think that the author had in mind only the local offline signatures. Also, the true effectiveness of protection is narrowed here only to EXE payloads (scripting methods are skipped).

Such a scenario is related to business networks, where the payloads are often applied to clean machines via lateral movement. Efficient protection requires at least some kind of Network Protection, or a behavior blocker independent of MOTW, or some Advanced Threat Protection features. The solutions that do not have such additional protection (like Defender free on defaults) should not be used in the business environment. In the case of Defender, one should use Microsoft Defender for Endpoint or another paid subscription in SMBs, or activate Defender's advanced features.