Advanced Threat Protection against the latest Data Stealers and Ransomware Techniques
Protection solutions for consumer Windows PCs or corporate user workstations require the best protection against the latest attack techniques. The lab at AV-TEST examined a total of 25 security products under Windows 11 in terms of how well they detect and fend off the new attack technique "Inline Execute Assembly" used by data stealers and ransomware. The Advanced Threat Protection test provides a clear insight into those products that capably protect against the latest threats – and those that don't.
You don't have to be a security specialist to know that the cyber threat has massively increased over the past few years. Attacks on Windows systems, subsequent data theft or data encryption and blackmail for release of the data are unfortunately a common fact of life. That's why it is important that security products for consumer users or corporate users always be up-to-date with technology and able not only to detect but also to truly thwart the most insidious attacks. The Advanced Threat Protection test is designed to do just that with 25 security products under Windows 11. The lab carried out the evaluation in March and April 2023 and has now published the comprehensive data.
25 protection solutions against data stealers and ransomware
Among the most commonly used weapons of attack are data stealers and ransomware. They are similar in the initial phases of attacks. As soon as it is on the system, the data stealer gathers information on important files and transmits it to the attacker. While ransomware also keeps a lookout for important files, it does so with the intention of subsequently encrypting them.
In this evaluation, the testers were looking for a particular attack technique: the "Inline Execute Assembly". In very simple terms, an otherwise innocuous Windows process is abused via the .NET runtime environment: a process is singled out, injected with malware code, and then launched. In addition, the Antimalware Scan Interface (AMSI) is circumvented using an AMSI bypass. AMSI is the scanning API provided by Microsoft that antivirus solutions rely on. Furthermore, the event tracing integrated in Windows (ETW) is disabled so that the process's activity can no longer be traced. Once all of that succeeds, the malware has free rein. A good security solution can still prevent the subsequent actions, however, such as the siphoning off or encryption of data.
In this test, the lab sent 5 samples of data stealers and 5 samples of ransomware via spearphishing e-mail to the test systems. The samples first landed on the system and became active in the next step. Already in these two steps, many products detected the danger and fended off the attack. If that is not the case, the data stealers are able to gather information on the data, which they then "exfiltrate" to a C2 server. The ransomware also collects information, but with the intention of sending a file list to the C2 server while the encryption of data is launched. The 10 scenario graphics show the attack routines. Cases 1 through 5 describe the attacks of data stealers and cases 6 through 10 the attacks of ransomware.
Yet another special feature in this test: the lab awarded points for detecting significant attack steps. For successful defensive steps, this meant up to 4 points for every data stealer and up to 3 points for ransomware. Thus, the best possible protection score in this test was 35 points.
For a more detailed explanation of the evaluation tables and the individual color codes in the traffic light system, please see also the article "Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?".
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example "T1566.001", are listed in the MITRE database for "Techniques" under "Phishing: Spearphishing Attachment". Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.
Advanced test: protection for consumer users
A total of 10 products for consumer users faced off in the Advanced Threat Protection test under Windows 11. The products involved were from AhnLab, Bitdefender, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Microworld, Norton and PC Matic.
With the exception of Microworld, all the providers of security products were able to achieve a perfect result. All the scenarios were nipped in the bud. The systems were never endangered. Each product received 35 points on its protection score for this performance.
Microworld had a problem in one data stealer scenario and one ransomware scenario, in that it detected nothing in either. Both attackers gathered or encrypted the data undisturbed. That is why Microworld had 4 points and 3 points respectively taken off, once each. This resulted in a total of 28 points for the protection score.
Each product for consumer users achieving a protection score of 75% out of the 35 points (i.e. 26.3 points) received the certificate "Advanced Certified". All products in this test received the certificate.
Advanced test: protection of corporate users
The 15 products for corporate users in the Advanced Threat Protection test for endpoints under Windows 11 came from Acronis, AhnLab, Bitdefender (with 2 versions), Check Point, Kaspersky (with 2 versions), Malwarebytes, Microsoft, Seqrite, Symantec, Trellix, VMware, WithSecure and Xcitium.
The largest group with 12 products passed the test with top scores, each receiving the full 35 points for the protection score: Acronis, AhnLab, Bitdefender Version Ultra, Check Point, Kaspersky (both versions), Malwarebytes, Microsoft, Seqrite, Symantec, WithSecure and Xcitium.
While Bitdefender Endpoint Security detected the attackers in all 10 test scenarios, it was unable to completely stop the attackers in 2 cases involving ransomware. It did execute several countermeasures, but in the end a partial encryption of individual files occurred in both cases. This led to a deduction of points. The result was 33 out of 35 possible points for the protection score.
Trellix delivered impeccable performance in 9 cases, but encountered huge problems with one of the data stealers. The product was in fact able to detect the attacker, but was powerless to do anything about it. In this case, only 0.5 out of 4 points were achieved. The test outcome was a protection score of 31.5 points.
The product having the greatest difficulties in the test was from VMware. It was able to neither detect nor stop a data stealer, allowing the attack to unfold. This resulted in a full 4 points being taken off, and in the end, a protection score of 31 points.
Each corporate user product achieving a protection score of 75% out of the 35 points (i.e. 26.3 points) received the certificate "Advanced Approved Endpoint Protection". All products received the certificate, except for Acronis. The product passed the test error-free, however AV-TEST only certifies products that achieve certification in the regular monthly tests and fulfillment of all their criteria.
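To make the scoring rule concrete, here is an added Python model (illustration only, not AV-TEST's own code) of the point scheme described in the sections above: up to 4 points per data stealer case, up to 3 per ransomware case, a maximum of 35, and a certificate threshold of 75%. The per-case results are constructed to reproduce the totals the article reports; the specific case numbers each product failed are placeholders, since the article does not name them.

```python
"""Model of the Advanced Threat Protection scoring described in the article.

Added illustration, not AV-TEST's code. Assumptions: each scenario is either
a data stealer (max 4 points) or ransomware (max 3 points); a product earns
fractional points for the defensive steps it completes; certification needs
75% of the maximum score plus a pass in the regular monthly tests.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

STEALER_MAX = 4.0
RANSOMWARE_MAX = 3.0
CERT_FRACTION = 0.75


@dataclass(frozen=True)
class Scenario:
    case: int
    kind: str  # "stealer" or "ransomware"

    @property
    def max_points(self) -> float:
        return STEALER_MAX if self.kind == "stealer" else RANSOMWARE_MAX


# Cases 1-5 are data stealers, cases 6-10 ransomware (as stated in the article).
SCENARIOS: List[Scenario] = [Scenario(i, "stealer") for i in range(1, 6)] + [
    Scenario(i, "ransomware") for i in range(6, 11)
]

MAX_SCORE = sum(s.max_points for s in SCENARIOS)  # 35.0


def protection_score(points_per_case: Dict[int, float]) -> float:
    """Sum the awarded points; a case absent from the dict counts as a full pass."""
    total = 0.0
    for s in SCENARIOS:
        awarded = points_per_case.get(s.case, s.max_points)
        if not 0.0 <= awarded <= s.max_points:
            raise ValueError(f"case {s.case}: {awarded} outside 0..{s.max_points}")
        total += awarded
    return total


def certification_threshold() -> float:
    """75% of the maximum, rounded half-up to one decimal as the article prints it."""
    exact = Decimal(str(MAX_SCORE)) * Decimal(str(CERT_FRACTION))
    return float(exact.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def certified(score: float, passed_regular_tests: bool = True) -> bool:
    """Threshold is compared unrounded; the regular monthly tests must also be passed."""
    return passed_regular_tests and score >= MAX_SCORE * CERT_FRACTION


# Constructed per-case results reproducing the totals reported in the article.
# Case numbers are placeholders: the article does not say which case failed.
SAMPLE_RESULTS: Dict[str, Dict[int, float]] = {
    "perfect": {},
    "Microworld": {1: 0.0, 6: 0.0},  # one stealer and one ransomware missed -> 28
    "Bitdefender Endpoint Security": {6: 2.0, 7: 2.0},  # partial encryption twice -> 33
    "Trellix": {1: 0.5},  # stealer detected but not stopped -> 31.5
    "VMware": {1: 0.0},  # stealer neither detected nor stopped -> 31
}


if __name__ == "__main__":
    for name, result in SAMPLE_RESULTS.items():
        score = protection_score(result)
        print(f"{name:32s} {score:5.1f} / {MAX_SCORE:.0f}  certified={certified(score)}")
```

Note that `certified()` deliberately takes a second argument for the regular monthly tests, which is the condition that kept an otherwise error-free Acronis result from receiving the certificate.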
Who’s afraid of data stealers and ransomware
The current Advanced Threat Protection test extends far beyond classic detection tests. Keeping up with the latest data stealer and ransomware samples that deploy the attack technique "Inline Execute Assembly" presents a tough challenge for many security solutions. That is why the latest result is all the more favorable: most of the products examined delivered error-free defense of the Windows systems, namely 9 out of the 10 products for consumer users and 12 of the 15 solutions for corporate users.
The remaining manufacturers with their products need to learn from their mistakes and become even better. At least there were only errors and no catastrophic failures.