MRG Effitas Q2 and Sophos

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
This is fairly old news, a month ago MRG Effitas included Sophos Intercept X in their tests


Sophos did pretty well , I found the fileless section interesting in that report and also the financial malware section as its BB seemed to do very well there, while Defender did poorly ( on default settings though ).

If I recall, excluding cooperation with the Sophos firewall device which is not used in the tests anyhow, SHP is meant to be fully equivalent to Intercept X.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
About Windows Defender, at first I thought the same too but someone pointed me out that the Fileless test is the only test which is done in Window 7. So the thing is, Windows 7 doesn't even have Windows Defender. How did they test then? Did they test Microsoft Security Essential instead? If so then that's not a fair test at all.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,720
About Windows Defender, at first I thought the same too but someone pointed me out that the Fileless test is the only test which is done in Window 7. So the thing is, Windows 7 doesn't even have Windows Defender. How did they test then? Did they test Microsoft Security Essential instead? If so then that's not a fair test at all.
That's a very good question. I think if it was in Window 10 the results may look a bit different.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
About Windows Defender, at first I thought the same too but someone pointed me out that the Fileless test is the only test which is done in Window 7. So the thing is, Windows 7 doesn't even have Windows Defender. How did they test then? Did they test Microsoft Security Essential instead? If so then that's not a fair test at all.

Good spot !

I looked at their exploit protection https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG_Exploit_Protection.pdf and there they say where they use W10 vs W7 in detail.

if the exploit test is to be taken seriously (no clue if this is or is-not the case), it looks like Sophos is the only suite with good exploit protection, probably due to HMP.A .
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Good spot !

I looked at their exploit protection https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG_Exploit_Protection.pdf and there they say where they use W10 vs W7 in detail.

if the exploit test is to be taken seriously (no clue if this is or is-not the case), it looks like Sophos is the only suite with good exploit protection, probably due to HMP.A .
In the methodology section they said they used Windows 7 virtual machine. For test case 1 & 6 they wrote about the os being Windows 7 but other samples they haven't written anything about the os. But at the bottom they wrote Windows 10/7. So, it's very confusing.
Anyway, yes Sophos did an impressive job here. Everything were blocked by their exploit protection, no signatures were needed. Same for Bitdefender.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
About Windows Defender, at first I thought the same too but someone pointed me out that the Fileless test is the only test which is done in Window 7. So the thing is, Windows 7 doesn't even have Windows Defender. How did they test then? Did they test Microsoft Security Essential instead? If so then that's not a fair test at all.

So true and there is no AMSI support in Windows 7, a feature that is a game changer against fileless malware.

 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
So true and there is no AMSI support in Windows 7, a feature that is a game changer against fileless malware.


AMSI is a good point, I’m not sure if SHP supports AMSI, last year it didn’t
 
  • Like
Reactions: oldschool

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
The article below is quite older (2017), when most vendors didn't yet support AMSI,


HMP.A did well with powershell malware, still, it's 2019 now and I'd like to see SHP support AMSI to be able to take the product seriously.

Overall though I'd say participating in reviews is a positive step as are the good results, as next steps I'd like to see it participate in the German and Austrian testing as well and add AMSI support too, this product has potential but it needs to implement a long roadmap before it can be a serious contender
 
  • Like
Reactions: oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top