AV-TEST Security vs. Ransomware: 34 Solutions in the Advanced Threat Protection Test

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Gandalf_The_Grey (Thread author)
Consumer users: 12 products are error-free
In this test, a total of 17 products each faced off against 10 realistic attack scenarios with ransomware. 12 of the security packages were very successful. They detected the ransomware immediately and did not allow any further actions. For this they received the maximum 40 points of the protection score: AhnLab, Avast, AVG, Avira, F-Secure, Kaspersky, McAfee, Microsoft, NortonLifeLock, PC Matic, Protected.net and VIPRE Security.

This was followed by Bitdefender and K7 Computing with 39 out of 40 points. Both incurred a partial detection in one scenario. With Bitdefender, a small number of various files were encrypted. With K7 Computing, the encryption was indeed stopped, but the malware remained on the PC and continued to be a threat. Trend Micro had the same problem – but a total of three times. This resulted in only 37 points.

Malwarebytes committed two partial detections, whereby in one instance, some files were encrypted. In the second case, in addition to the encryption of some files, a registry key was set and the background image was modified. As all actions that could not be prevented resulted in points being taken off, there were only 36.5 points in total.

The security package from G DATA did not detect any attacker in two scenarios, and as a result, the ransomware executed. G DATA lost the four points twice and managed to land at 32 points.

Corporate users: many solutions work error-free
The solutions for corporate users evaluated in the test largely revealed excellent results. 12 of the 17 products tested achieved the full 40 points of the protection score.

Bitdefender followed with its two solutions at 39 points, as there was one partial detection each.

Seqrite had a few problems in three cases and received 37 points. There was one partial detection, for example, where individual files were encrypted. In the other cases, the ransomware was indeed detected and blocked, but it remained on the system. That is an additional risk.

Trend Micro had this difficulty a total of three times. The risk does still remain, but at least nothing was encrypted. There were also 37 points awarded to Trend Micro.

The corporate user solution from G DATA experienced the problem in two scenarios that it did not detect the attackers, and the ransomware deployed. This cost a full 8 points and in the end, the product still reached 32 points.
Ransomware fended off – with or without service
While many of the leading products are able to finish in flying colors in the traditional detection test, in the Advanced Threat Protection test from AV-TEST they also have to show their performance after detection or non-detection of the ransomware. Especially when it comes to the topic of ransomware, this is enormously important, because if ransomware makes its way through and is allowed to fully deploy, then the system is encrypted and the rest of the network is in grave danger.

The security packages for consumer users showed a positive result in the test. 12 of the 17 packages achieved the full 40 points. In the mix were the freeware Avast Free Antivirus and Microsoft Defender. Those seeking a reliable security package with a wider range of features will find it in the paid products from AhnLab, AVG, Avira, F-Secure, Kaspersky, McAfee, NortonLifeLock, PC Matic, Protected.net or VIPRE Security.

The result for corporate solutions was also equally compelling. Here 12 out of 17 products reached the full 40 points: AhnLab, Avast, Comodo, Kaspersky (with 2 versions), Malwarebytes, Microsoft, Sangfor Technologies, Symantec (Broadcom), Trellix, VMware and WithSecure (formerly F-Secure Business). Corporate users will thus find a broad range of solutions bearing the certificate “Advanced Approved Endpoint Protection” to protect their network and their endpoints.
 

Andy Ful
This test uses well-known techniques. But in real life, attackers use some new techniques each year. The protection against new techniques is rather poor for most AVs (like in the Magniber example).

In targeted attacks, many reputation-based protections can fail when the malware is signed by the EV certificate.

Sandboxing-based protection can also be bypassed in several ways. For example, Avast CyberCapture can be bypassed by using a legal executable which is vulnerable to DLL hijacking. Other AVs can be fooled by using some LOLBins to run DLLs or load DLLs in an unusual way, etc.
The monitoring in the sandbox can be fooled by using execution delays, anti-sandbox checks, or multistage attacks with unique encryption keys (not available in the sandbox).

The increase in ransomware attacks proves that anti-ransomware protection is generally insufficient to protect government (central and local), organizations, institutions, businesses, healthcare, financial services, ... :(

The situation can be better when the protection layers are managed by a qualified IT team. But in reality, most of the attacked targets try to save money and do not have such a team.
 
ForgottenSeer 95367

The situation can be better when the protection layers are managed by a qualified IT team. But in reality, most of the attacked targets try to save money and do not have such a team.
This is the reality almost everywhere. Save money, cut corners, do not hire qualified staff, do not train employees. It is the primary reason for most of the IT security problems.
 

Andy Ful
There are some interesting articles noted on Wilderssecurity:

The last article (posted today) is mostly related to the attacks on small businesses. Here are the most popular initial attack vectors:

What these attacks have in common

There are a few similarities among these attacks that it is important to recognize:
  • These attacks were not single-day or single-week events. They were carried out over multiple months.
  • VPN is constantly targeted. Why? Because it leads to your infrastructure and assets.
  • Credentials are either stolen through phishing attacks or purchased on the dark web.
  • Your email credential links with Microsoft 365 are designed for convenience, but they also mean that SSO leads to many potential routes into your infrastructure.
By overlaying the three case studies on top of the MITRE ATT&CK framework, you can see the resources and tools the attackers have. Any combination of these tools and methods could introduce challenges in defending your organization, and there are hundreds of possible combinations.
 

Jan Willy
I wonder what would happen if the security software trusts no signed certificates?
I believe that NVT OSArmor will block it by means of the following rule:

1661344712787.png
 

EASTER
This test uses well-known techniques. But in real life, attackers use some new techniques each year. The protection against new techniques is rather poor for most AVs (like in the Magniber example).

In targeted attacks, many reputation-based protections can fail when the malware is signed by the EV certificate.

Sandboxing-based protection can also be bypassed in several ways. For example, Avast CyberCapture can be bypassed by using a legal executable which is vulnerable to DLL hijacking. Other AVs can be fooled by using some LOLBins to run DLLs or load DLLs in an unusual way, etc.
The monitoring in the sandbox can be fooled by using execution delays, anti-sandbox checks, or multistage attacks with unique encryption keys (not available in the sandbox).

The increase in ransomware attacks proves that anti-ransomware protection is generally insufficient to protect government (central and local), organizations, institutions, businesses, healthcare, financial services, ... :(

The situation can be better when the protection layers are managed by a qualified IT team. But in reality, most of the attacked targets try to save money and do not have such a team.
Exactly, and a good point made @Andy Ful - reasonable deduction. Now that ransomware has plenty of miles of good results on its side, it can easily produce an almost countless variety of alternative techniques. There are without a doubt novel and more innovative, NOT well-known methods they will experiment with, and those are the ones that plow right through typical AVs despite their best efforts.
 
Jun 22, 2020
99
I think Bitdefender and Kaspersky have the same level of protection, depending on the test. For example, in this test Kaspersky is better, but in AV-Comparatives Bitdefender has a better result. I feel that the protection of these two cannot be compared, since, as I mentioned before, in some tests like this Kaspersky is superior and in others Bitdefender; therefore it is very difficult to know which is superior.
Greetings to all.
 

Shadowra
Not even in my dreams would I look at this rag that calls itself an "Anti-Ransomware test" 😑

I take the example of G DATA, which also has DeepRay, Beast and other modules... what makes me laugh is that we have no information about the activated defenses... because if a malware is going to try to infect the system, it will automatically go into Beast and get stopped...
Same with F-Secure and DeepGuard.
 
ForgottenSeer 95367

There are some interesting articles noted on Wilderssecurity:

The last article (posted today) is mostly related to the attacks on small businesses. Here are the most popular initial attack vectors:
  • These attacks were not single-day or single-week events. They were carried out over multiple months.
  • VPN is constantly targeted. Why? Because it leads to your infrastructure and assets.
  • Credentials are either stolen through phishing attacks or purchased on the dark web.
  • Your email credential links with Microsoft 365 are designed for convenience, but they also mean that SSO leads to many potential routes into your infrastructure.
Targeting:
  • VPN
  • SSO
  1. Phishing attacks for the above are shrewd and crafty.
  2. Both of the above, once cracked, provide "Keys to the Kingdom."
  3. These forward attacks are not mitigated by security software.
  4. Really an enterprise attack, but still can be a problem for home users that use VPN and SSO to access systems.
 

wat0114
I am talking about signed ones.

Then a custom rule should work with OSArmor. For example:

Code:
[%PROCESS%: C:\Users\*] [%SIGNER%: *] [%PARENTSIGNER%: *] [%RULENAME%: Block all Signed Processes in Userspace]

I attempted to install a digitally signed executable as both Administrator and H_C's "Install by smartscreen" option from my Downloads folder and this rule blocked it.

OSA Block rule.png

EDIT

Of course the rule could be customized to block signed processes anywhere else, including system-wide, but such a highly restrictive rule for signed processes will lead to problems.
 
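To make the rule discussed in the last two posts (Jan Willy's question about not trusting signed binaries, and wat0114's userspace rule and its "system-wide" caveat) concrete, here is an added example: a small Python evaluator for rules written in the `[%FIELD%: pattern]` syntax quoted above. It is not OSArmor's code and not from either poster; it assumes that every bracketed field is an AND condition, that `*` is a glob wildcard, that paths compare case-insensitively, and that a pattern on `SIGNER` or `PARENTSIGNER` only matches a process that actually carries a signature (an unsigned binary has an empty signer here), which is the behaviour the post describes for "Block all Signed Processes in Userspace". Whether real OSArmor treats `*` on a signer field exactly that way is not stated in the thread. The process events are constructed sample data.

```python
import fnmatch
import re
from dataclasses import dataclass

# One bracketed token: [%KEY%: pattern]
RULE_TOKEN = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")

# Fields whose pattern is only meaningful for signed binaries (assumption).
SIGNER_FIELDS = ("SIGNER", "PARENTSIGNER")


@dataclass(frozen=True)
class ProcessEvent:
    process: str        # full path of the launched executable
    signer: str         # subject of the Authenticode signer, "" when unsigned
    parent_signer: str  # signer of the parent process, "" when unsigned


def parse_rule(text):
    """Turn '[%PROCESS%: ...] [%SIGNER%: ...] ...' into a dict of FIELD -> pattern."""
    rule = {key.upper(): pattern.strip() for key, pattern in RULE_TOKEN.findall(text)}
    if not rule:
        raise ValueError("no [%FIELD%: pattern] tokens found")
    rule.setdefault("RULENAME", "<unnamed rule>")
    return rule


def rule_matches(rule, event):
    """All non-RULENAME fields must match; signer fields never match unsigned binaries."""
    values = {
        "PROCESS": event.process,
        "SIGNER": event.signer,
        "PARENTSIGNER": event.parent_signer,
    }
    for field, pattern in rule.items():
        if field == "RULENAME":
            continue
        if field not in values:
            raise ValueError(f"unsupported field {field}")
        value = values[field]
        if field in SIGNER_FIELDS and value == "":
            return False  # pattern on a signer field cannot match an unsigned binary
        # Case-insensitive glob match; '*' spans directory separators as well
        if not fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def evaluate(rules, events):
    """Return (process, decision, matching rule name) for each event; first hit wins."""
    decisions = []
    for ev in events:
        hit = next((r["RULENAME"] for r in rules if rule_matches(r, ev)), None)
        decisions.append((ev.process, "BLOCK" if hit else "ALLOW", hit))
    return decisions


# The rule from the post above, and the system-wide variant its EDIT warns about.
USERSPACE_RULE = parse_rule(
    r"[%PROCESS%: C:\Users\*] [%SIGNER%: *] [%PARENTSIGNER%: *] "
    r"[%RULENAME%: Block all Signed Processes in Userspace]"
)
SYSTEMWIDE_RULE = parse_rule(
    r"[%PROCESS%: *] [%SIGNER%: *] [%PARENTSIGNER%: *] "
    r"[%RULENAME%: Block all Signed Processes anywhere]"
)

# Constructed sample events (signer names are placeholders, not real certificates).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\setup.exe", "Example Vendor Ltd", "Microsoft Windows"),
    ProcessEvent(r"C:\Users\alice\Downloads\tool.exe", "", "Microsoft Windows"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", "Microsoft Windows"),
]


if __name__ == "__main__":
    for label, rule in (("userspace rule", USERSPACE_RULE), ("system-wide rule", SYSTEMWIDE_RULE)):
        print(f"== {label}: {rule['RULENAME']}")
        for process, decision, name in evaluate([rule], SAMPLE_EVENTS):
            print(f"{decision:5}  {process}  {'(' + name + ')' if name else ''}")
```

Running it shows the point of both posts: the userspace rule blocks the signed installer launched from Downloads, leaves the unsigned one to other rules, and does not touch `svchost.exe`; the system-wide variant additionally blocks the signed Windows binary, which is exactly why wat0114 warns that widening the rule "will lead to problems".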
