March 09, 2022 | Antivirus for Windows
  • Share:

Defending against Ransomware: 28 Protection Solutions Put to the Test under Windows 10

The fight against ransomware is a two-front battle waged both on home PCs and corporate workstations. How well does security software protect against these diabolical encryption attackers? In the current November test, 15 Internet security suites for consumer users and 13 solutions for corporate users showed how well they stacked up in ten realistic scenarios against an attack via e-mail, script, macro or ransomware. The Advanced Threat Protection test proves that detection of the attacker alone is not always sufficient. That is why the lab clearly spells out in the test results all the steps, from the time the attack is launched until it is fended off – or until encryption occurs.

28 programs in the advanced attack test

Security software for Windows in the test against ransomware

zoom

In its series of so-called Advanced Threat Protection tests, the lab at AV-TEST put 15 well-known Internet security suites for consumer users and 13 solutions for corporate users to the test under Windows 10. In ten defined scenarios, the testers explain step-by-step how the attacks unfold and what happens in between. The evaluation clearly shows that detection of malware alone does not always protect against the consequence of partial or complete encryption.

15 well-known protection packages for consumer users from the manufacturers Avast, AVG, Bitdefender, BullGuard, F-Secure, G DATA, Kaspersky, Malwarebytes, Microsoft, Microworld, Norton, PC Matic, Protected.net, Quick Heal and VIPRE Security were put to the test.

For corporate users, 13 endpoint solutions underwent a test regimen. The products involved were from Avast, Bitdefender (two versions), Comodo, F-Secure, G DATA, Kaspersky, Malwarebytes, Microsoft, Seqrite, Sophos, Symantec and VMware.

The overview tables of the 15 and 13 tested protection solutions respectively show the summarized evaluation of the 10 attacks and the maximum achievable score of 36 points in this November test. It should be noted that the maximum point score in Advanced Threat Protection differs from test to test. It is always dependent on the type of scenario and the number of steps evaluated in each phase, for which points are awarded accordingly.

28 protection packages put to the test: ransomware can also be fended off

In the classic tests involving malware prevention, there is always only the result "attacker identified" or "attacker not identified". In the Advanced Threat Protection tests, detection is only the first step recorded in the overall test regimen. All of the steps registered in the lab are later spelled out in the evaluation charts, which are modeled after a MITRE ATT&CK matrix graphic. That sounds complicated – but it's not. The chart clearly shows all the steps of an attack scenario and how the protection software reacts. If an assault is completely thwarted under one of the first two steps "Initial Access" or "Execution", the attack is considered successfully prevented, and a product receives the maximum points toward its protection score (3 to 4). As an easier overview, the field in the chart is then highlighted in green. If a field remains orange, the corresponding test item is considered unsuccessful (no detection). If there is an orange field at the end of the chart, the attack is considered undetected, whereas a yellow field indicates only partial detection of the attack. In terms of ransomware, this means that some, but not all, of the files were encrypted (some files encrypted). If the last field is highlighted in orange, everything was encrypted (files encrypted).

In the current November test, the products subjected to 10 attacks could achieve a possible 36 points for a maximum protection score. Those achieving lower scores experienced problems in one or more scenarios.

Software for consumer users against ransomware

The Advanced Threat Protection test in November subjected several protection packages to grueling trials against ransomware attacks

zoom ico
Solutions for corporate users against ransomware

10 of the 13 tested endpoint solutions under Windows 10 delivered perfect prevention results in the Advanced Threat Protection test against ransomware attacks.

zoom ico

1

Software for consumer users against ransomware

2

Solutions for corporate users against ransomware

For consumer users: the November result of the Advanced Threat Protection tests

In the Advanced Threat Protection test of the 15 Internet security solutions, 9 of the 15 packages demonstrated that they effectively protected against ransomware in actual conditions. The following products achieved the maximum protection score of 36 points in all 10 attack scenarios: Bitdefender Internet Security, F-Secure SAFE, G Data Total Security, Kaspersky Internet Security, Microsoft Defender, Microworld eScan Internet Security Suite, PC Matic, Quick Heal Total Security and VIPRE AdvancedSecurity.

While Malwarebytes Premium did identify all threats, it experienced the problem in two instances so that in the end, encryption did occur. This added up to a total protection score of 34 points instead of 36.

The packages BullGuard Internet Security, Norton 360 and Protected.net Total AV followed with 33 out of 36 points, each detecting 9 attackers. All three packages missed detection of one attacker from one scenario, and accordingly, all the files were encrypted by the ransomware.

In the final field were the protection packages from Avast and AVG, each scoring 30 out of 36 points and with 8 out of 10 attackers identified. In two cases, there was no positive detection, thus everything was encrypted.

Because all products in the test achieved at least 75 percent of the protection score in the test, they received the certificate "Advanced Certified".

For corporate users: the November result of the Advanced Threat Protection tests

The Advanced Threat Protection test of endpoint solutions for companies yielded even better results. In this case, even 10 out of the 13 tested business products achieved the maximum protection score of 36 points through seamless detection of all 10 attackers. It involved the solutions Bitdefender Endpoint Security, Bitdefender Endpoint Security (Ultra), Comodo Client Security, F-Secure Elements Endpoint Protection, G DATA Endpoint Protection Business, Kaspersky Endpoint Security, Microsoft Defender Antivirus, Seqrite Endpoint Security, Sophos Intercept X Advanced and VMware Carbon Black Cloud.

In two instances, Malwarebytes Endpoint Protection was able to identify the attacker, but could not stop it. As a consequence, encryption occurred at the end of both attacks. The protection score was 34 out of 36 points despite 10 out of 10 detections.

Avast Business Antivirus Pro Plus and Symantec Endpoint Security Complete detected 8 out of 10 attackers. The two that made it through undetected carried out an encryption. That is why in both cases, no points were awarded towards the protection score and the overall rating remained 30 out of a possible 36 points.

In order to earn the certificate "Advanced Approved Endpoint Protection", a product had to achieve at least 75 percent of the protection score points in the test. In this test, it meant scoring a minimum of 27 points. All test participants of the corporate products thus received this certificate.

Test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual subsections, e.g. "T1038", are listed in the MITRE database for "Technics" under 1038 "File and Directory Discovery". Each test step is thus defined among the experts and can be logically understood.

01
zoom ico
02
zoom ico
03
zoom ico
04
zoom ico
05
zoom ico
06
zoom ico
07
zoom ico
08
zoom ico
09
zoom ico
10
zoom ico

1

01

2

02

3

03

4

04

5

05

6

06

7

07

8

08

9

09

10

10

Advanced Threat Protection tests provide a more rounded view

The evaluation of the attack diagrams quickly indicates that previously mentioned "pure" detection of attacker by a protection program is not always sufficient. After all, even a system partially encrypted by ransomware is dangerous. But as the test shows, there are many products on the market that also demonstrate, as seen by these very realistic hands-on tests, how well they can fend off attackers and, above all, ransomware.

The current article shows primarily the results of the Advanced Threat Protection test in November. The article APT: Strategic Attacks Require Strategic Tests, already published, also offers additional technical background and explanations.

 

Test results for consumer users: Avast, AVG, Bitdefender

Avast 1/2
zoom ico
Avast 2/2
zoom ico
AVG 1/2
zoom ico
AVG 2/2
zoom ico
Bitdefender 1/2
zoom ico
Bitdefender 2/2
zoom ico

1

Avast 1/2

2

Avast 2/2

3

AVG 1/2

4

AVG 2/2

5

Bitdefender 1/2

6

Bitdefender 2/2

Test results for consumer users: BullGuard, F-Secure, G DATA

BullGuard 1/2
zoom ico
BullGuard 2/2
zoom ico
F-Secure 1/2
zoom ico
F-Secure 2/2
zoom ico
G DATA 1/2
zoom ico
G DATA 2/2
zoom ico

1

BullGuard 1/2

2

BullGuard 2/2

3

F-Secure 1/2

4

F-Secure 2/2

5

G DATA 1/2

6

G DATA 2/2

Test results for consumer users: Kaspersky, Malwarebytes, Microsoft

Kaspersky 1/2
zoom ico
Kaspersky 2/2
zoom ico
Malwarebytes 1/2
zoom ico
Malwarebytes 2/2
zoom ico
Microsoft 1/2
zoom ico
Microsoft 2/2
zoom ico

1

Kaspersky 1/2

2

Kaspersky 2/2

3

Malwarebytes 1/2

4

Malwarebytes 2/2

5

Microsoft 1/2

6

Microsoft 2/2

Test results for consumer users: Microworld, Norton, PC Matic

Microworld 1/2
zoom ico
Microworld 2/2
zoom ico
Norton 1/2
zoom ico
Norton 2/2
zoom ico
PC Matic 1/2
zoom ico
PC Matic 2/2
zoom ico

1

Microworld 1/2

2

Microworld 2/2

3

Norton 1/2

4

Norton 2/2

5

PC Matic 1/2

6

PC Matic 2/2

Test results for consumer users: Protected.net, Quick Heal, VIPRE Security

Protected.net 1/2
zoom ico
Protected.net 2/2
zoom ico
Quick Heal 1/2
zoom ico
Quick Heal 2/2
zoom ico
VIPRE Security 1/2
zoom ico
VIPRE Security 2/2
zoom ico

1

Protected.net 1/2

2

Protected.net 2/2

3

Quick Heal 1/2

4

Quick Heal 2/2

5

VIPRE Security 1/2

6

VIPRE Security 2/2

Test results for corporate users: Avast, Bitdefender, Bitdefender (Ultra)

Avast 1/2
zoom ico
Avast 2/2
zoom ico
Bitdefender 1/2
zoom ico
Bitdefender 2/2
zoom ico
Bitdefender (Ultra) 1/2
zoom ico
Bitdefender (Ultra) 2/2
zoom ico

1

Avast 1/2

2

Avast 2/2

3

Bitdefender 1/2

4

Bitdefender 2/2

5

Bitdefender (Ultra) 1/2

6

Bitdefender (Ultra) 2/2

Test results for corporate users: Comodo, F-Secure, G DATA

Comodo 1/2
zoom ico
Comodo 2/2
zoom ico
F-Secure 1/2
zoom ico
F-Secure 2/2
zoom ico
G DATA 1/2
zoom ico
G DATA 2/2
zoom ico

1

Comodo 1/2

2

Comodo 2/2

3

F-Secure 1/2

4

F-Secure 2/2

5

G DATA 1/2

6

G DATA 2/2

Test results for corporate users: Kaspersky, Malwarebytes, Microsoft

Kaspersky 1/2
zoom ico
Kaspersky 2/2
zoom ico
Malwarebytes 1/2
zoom ico
Malwarebytes 2/2
zoom ico
Microsoft 1/2
zoom ico
Microsoft 2/2
zoom ico

1

Kaspersky 1/2

2

Kaspersky 2/2

3

Malwarebytes 1/2

4

Malwarebytes 2/2

5

Microsoft 1/2

6

Microsoft 2/2

Test results for corporate users: Seqrite, Sophos

Seqrite 1/2
zoom ico
Seqrite 2/2
zoom ico
Sophos 1/2
zoom ico
Sophos 2/2
zoom ico

1

Seqrite 1/2

2

Seqrite 2/2

3

Sophos 1/2

4

Sophos 2/2

Test results for corporate users: Symantec, VMware

Symantec 1/2
zoom ico
Symantec 2/2
zoom ico
VMware 1/2
zoom ico
VMware 2/2
zoom ico

1

Symantec 1/2

2

Symantec 2/2

3

VMware 1/2

4

VMware 2/2

Social Media

We want to stay in touch with you! Now there is an easy way to receive regular updates on the latest news and test releases.