October 25, 2023 | Text: Markus Selinger | Antivirus for Windows
  • Share:

33 Protection Products: Strong Defense against Ransomware and Data Stealers

The list of companies, universities, colleges or facilities such as hospitals and public administrations subject to attack is growing longer and longer. Classic protection products or corporate solutions must harness all their protective techniques to fend off cyberattacks. How well they can do so in 10 real-life attack scenarios is demonstrated by the Advanced Threat Protection test. In the latest test, the protection solutions are required to defend the Windows systems against data stealers and ransomware. In this, the attackers rely on the "DNS TXT Record” techniques, utilize malware programmed in Rust and encrypted connections per HTTPS.

33 products in the ATP test – here is how the products defended against data stealers and ransomware in the Advanced Threat Protection test
33 products in the ATP test –

here is how the products defended against data stealers and ransomware in the Advanced Threat Protection test

zoom

Law enforcement agencies such as Interpol, FBI and national police departments work very well together and have scored some successes. APT groups, such as HIVE, Emotet or QBot were indeed broken up, but their malware and their code remains in circulation. This inspires additional groups to make modifications and to develop new malware. As an additional variant, the cyber attackers use further techniques for the assault.

In the latest test, involving 10 real-life attack scenarios, the lab at AV-TEST examined 5 ransomware attacks and 5 attacks with data stealers. In the process, the attackers partly used the "DNS TXT Record" technique or relied on encrypted connections via HTTPS. Some of the malware samples were written in the relative new programming language, Rust. The advantage for attackers: Rust is very fast and allows many operations to be run in parallel. The greatest advantage, however, is that malware authored in Rust can evade the statistical analysis of many malware detection systems. That is why the latest test with its dynamic detection and defense is so important.

Attack techniques and Rust programming

The harnessed technique, "DNS TXT Record" can be briefly summarized as follows: With the tool DNS Lookup, Windows offers the opportunity to query the text information of a domain. Attackers take advantage of this scenario. They attack and then query a DNS TXT record per PowerShell. This does not contain any information, however, but rather an additional command line that is transferred and executed. This circumvented route seeks to elude detection by protection software.

The second technique is the use of HTTPS. The "Hypertext Transfer Protocol Secure" protects a connection not only against eavesdropping but also against manipulation. Attackers use this secure direct line so that the protection software cannot analyze the content. It is actually no problem, however, that protection systems open these connections, analyze them and then pass them on. This function only has to be used. But attackers rely on the protection function not be used. An analysis of Watchguard at the end of 2022 indicated that over 80 percent of the registered attacks occurred encrypted per HTTPS.

In July and August 2023, in 10 real-life scenarios, the lab at AV-TEST examined the security capabilities of 16 protection packages for consumer users and of 17 endpoint solutions for corporate users under Windows 10 Professional.

ATP test: security software for consumer users

Caught in the act: All 16 protection packages for consumer users under Windows were able to catch and fend off attacking malware, consisting of ransomware and data stealers, in the test scenarios

zoom ico
ATP test: security software for corporate users

In the Advanced Threat Protection test, staged in July-August, 16 endpoint products for corporate users performed flawlessly and thus received the maximum 35 points on the protection score

zoom ico

1

ATP test: security software for consumer users

2

ATP test: security software for corporate users

Techniques of data stealers and ransomware

In detecting and defending against malware, all the protection products combine various dynamic techniques, such as EDR – Endpoint Detection & Response. The "scenario" illustrations from 1 to 10 below indicate how all 10 attacks unfolded, along with the individual defensive steps.

The sequence of an attack in the Advanced Threat Protection test usually follows this pattern: a spearphishing e-mail, containing a malware attachment, ends up in a Windows system. This is where the protection systems detect the attacker immediately or as soon as it starts running. In the results chart, this is confirmed with the green field under "Initial Access“ or under "Execution". If that is the case, then the attack is already thwarted.

If this does not occur, the attackers go to work: The data stealers gather information on existing data and "exfiltrate" them to a C2 server afterwards. The ransomware also does collect information, but generally only sends a file list of all drives to the C2 server. Then, the data encryption and renaming of data begins. After encryption, a text file is displayed on the desktop, informing the user about the attack and demanding ransom.

For each detected and marked attack step, the lab awarded points. For data stealers, this meant up to 4 points, and for ransomware up to 3 points. The highest value in the protection score was thus 20 points for data stealers, plus a maximum of 15 points for ransomware. This means that in total, the lab awarded up to 35 points.

In order to find a more detailed explanation of the evaluation tables and the individual color codes in the traffic light system please see also the article ”Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?“.

The 10 test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example "T1566.001", are listed in the MITRE database for "Techniques" under "Phishing: Spearphishing Attachment". Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.

01
zoom ico
02
zoom ico
03
zoom ico
04
zoom ico
05
zoom ico
06
zoom ico
07
zoom ico
08
zoom ico
09
zoom ico
10
zoom ico

1

01

2

02

3

03

4

04

5

05

6

06

7

07

8

08

9

09

10

10

ATP test of products for consumer users

A total of 16 security products for consumer users faced off in the Advanced Threat Protection (ATP) test under Windows 2023. Included in the test were products from the following manufacturers: AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Microworld, Norton, Panda, PC Matic, Protected.net and Trend Micro.

All products flawlessly fended off the attackers in the 10 scenarios. The deployed techniques "DNS TXT Record" or encrypted connections were of little benefit to the attackers, nor was the use of the Rust programming language for the malware. Thus, each product received the full 35 points on its protection score for this performance.

All products for consumer users received the certificate "Advanced Certified", as they achieved a protection score of 75% out of the 35 points (i.e. 26.3 points).

ATP test for corporate user solutions

The 17 protection products examined in the Advanced Threat Protection test for Windows endpoints for corporate users came from the following manufacturers: Acronis, AhnLab, Avast, Bitdefender (with two versions), Check Point, Kaspersky (with two versions), Malwarebytes, Seqrite, Sophos, Symantec, Trellix, Trend Micro, VMware, WithSecure and Xcitium.

In the area of corporate users, 16 out of 17 products evaluated delivered flawless performance. In none of the 10 scenarios were the ransomware and the data stealers able to penetrate the systems and unleash their destructive payload. For this, the 16 products received the full 35 points for the protection score.

Only Trellix had difficulties in one scenario and was not able to block the attacker completely. In the end, encryption occurred in individual files, and the solution had one point taken off as a result.

For this performance, the solutions also earned the certificate "Advanced Approved Endpoint Protection". The only exceptions here are Acronis and Panda. The products passed the test error-free, however AV-TEST only certifies products that achieve certification in the regular monthly tests and fulfillment of all their criteria.

Error-free defensive performance of nearly all products

The latest Advanced Threat Protection test from July and August is really something special. 32 out of 33 evaluated products for consumer users and corporate users completed the test error-free and received the maximum 35 points.

In the 10 test scenarios, the attackers deployed the latest techniques, such as DNS TXT Record, encrypted connections or even the Rust programming language. But the protection programs know all these variants and respond accordingly in the detection and defense. All in all: nearly exemplary performance!

Consumer Users 08/2023

V3 Internet Security
Free Antivirus
Internet Security
Security
Internet Security
Standard
Premium
Total Protection
Defender Antivirus (Consumer)
eScan Internet Security Suite
Norton 360
Application Allowlisting
Total AV
Internet Security

Corporate Solutions 08/2023

Cyber Protect
V3 Endpoint Security
Ultimate Business Security
Endpoint Security
Endpoint Security (Ultra)
Endpoint Security
Endpoint Security
Small Office Security
Endpoint Protection
Endpoint Security
Intercept X Advanced
Endpoint Security Complete
Endpoint Security
Apex One
Carbon Black Cloud
Elements Endpoint Protection
Client Security

Social Media

We want to stay in touch with you! Now there is an easy way to receive regular updates on the latest news and test releases.