More Protection Against Encryption and Data Theft
Most of the attacks on consumer users or corporate users are carried out with data stealers or ransomware. That is why it matters so much whether the latest security programs and solutions on the market are able to detect the most recent threats and their attack techniques. The experts from AV-TEST examined 25 security products in the latest Advanced Threat Protection test. In the 10 real-life attack scenarios, the process hollowing technique plays a special role: standard Windows processes are used to disguise the malware. While many protection products can see through this attack technique, some of them lost valuable points because the attacker was successful.
The AV-TEST laboratory conducted its current test on 25 security products for consumer users and companies. In this, evaluations were made in 10 real-life scenarios to see how well products are able to fend off the attacks with existing protection techniques. And if the classic detection of malware should fail, advanced protection functions can still stop the course of the attack. The lab precisely tracked these steps and evaluated the 10 attacks with all segments spelled out in a results graph.
ATP: 25 products in an advanced test
The following manufacturers of products for consumer users participated in this special test series of Advanced Threat Protection tests in December 2023: AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, Microsoft, Microworld, Norton and PC Matic.
The following product manufacturers were in the line-up of solutions for corporate users: AhnLab, Avast, Bitdefender (with 2 versions), Check Point, Kaspersky (with 2 versions), Microsoft, Rapid7, Seqrite, Symantec, Trellix and VMware.
In the test with 10 real-life attack scenarios, some of the products earned the full 30 points for their protection score. There were a few missteps here and there, however, and due to insufficient detection the malware was able to unleash its destructive payload.
The attack by a malware sample can be compared to a military action: the attacker attempts to overwhelm the defense in order to capture a precious commodity if successful. Various strategies are often deployed during such attacks. One of them involves using a disguise, i.e. an obfuscation technique, to get by the guard posts. Technically speaking, this type of process injection is referred to as "process hollowing". A known process is hollowed out, and a malware sample is injected in what is otherwise a trusted and seemingly innocuous process. The malware uses this method to sneak by the technical watchdogs.
Attack techniques and scenarios
In these 10 scenarios, the attack begins with a spearphishing e-mail whose batch file or script launches PowerShell, which in turn starts additional tools and injects the malware into the trustworthy "RegAsm.exe". This internal Windows application is actually the assembly registration tool. The app is started and hollowed out, in order to then inject and launch the information theft or ransomware code. The task of protection software: the attacker should already be stopped upon arriving in the system or when being launched. In case of non-detection during the initial steps ("Initial Access" or "Execution"), EDR tools and other mechanisms ought to detect the attack and intercept it in later steps.
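The chain described above (mail attachment, batch file or script, PowerShell, then RegAsm.exe as the hollowed host) is exactly the kind of process lineage an EDR can flag before the payload runs. The following added example, which is not code from the article or from any of the tested products, checks constructed process-creation events for that lineage and for a RegAsm.exe start that lacks the assembly path a genuine registration would pass; the event fields, the "no argument" heuristic and the sample process names are assumptions for illustration.

```python
# Added example (not the AV-TEST article's code): flag the described chain
# mail -> batch/script -> PowerShell -> RegAsm.exe in process-creation events.
# Event shape and sample events are constructed, not a real Sysmon export.
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # constructed shape

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
HOLLOWING_HOSTS = {"regasm.exe"}  # trusted host abused in the test scenarios

def lineage(events, pid):
    """Walk parent links upward from pid; returns image names, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def suspicious_host_launches(events):
    """(pid, reason) for each RegAsm.exe start that matches the described
    chain or lacks the assembly path a genuine registration passes."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image not in HOLLOWING_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        if parent and parent.image in SCRIPT_HOSTS:
            findings.append((e.pid, f"{e.image} spawned by script host {parent.image}"))
        elif any(img in MAIL_CLIENTS for img in lineage(events, e.pid)):
            findings.append((e.pid, f"{e.image} descends from a mail client"))
        elif len(e.cmdline.split()) <= 1:  # heuristic (assumption): no assembly argument
            findings.append((e.pid, f"{e.image} started without an assembly argument"))
    return findings

# Constructed sample: one attack chain as described, one benign registration.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe", "outlook.exe"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c invoice.bat"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -File stage.ps1"),
    ProcEvent(500, 400, "regasm.exe", "regasm.exe"),  # hollowed host
    ProcEvent(600, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(700, 600, "regasm.exe", "regasm.exe C:\\build\\MyLib.dll"),  # benign
]
```

Running `suspicious_host_launches(SAMPLE)` reports only the RegAsm.exe instance spawned by PowerShell; the developer-tool registration with an assembly path passes untouched.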
The graphs show the results of each individual attack step. If the initial fields are already "green", the attack was stopped. The color "yellow" indicates problems, and "orange" signals that the defense was unsuccessful – the ransomware or the data stealer was able to go about its business unhindered.
Data stealers and ransomware gather information on existing data. The stealers exfiltrate this data afterwards to a C2 server. Ransomware also sends data sometimes, but generally only a file list. Next, the data encryption and renaming of data begins. Once this stage is complete, a text file is displayed on the desktop, informing the user about the attack and demanding ransom.
You can find a more detailed explanation of the evaluation charts and the individual color codes in the traffic light system in the article “Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?”.
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database for “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.
Consumer user products in the ATP test
As many consumer users are also faced with the threat of ransomware and data stealers, the lab tested the products from these manufacturers in the ATP test: AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, Microsoft, Microworld, Norton and PC Matic.
9 out of the 12 manufacturers achieved perfect results and were awarded the maximum total of 30 points as their protection score, namely AhnLab, Avast, AVG, Bitdefender, F-Secure, Kaspersky, McAfee, Norton and PC Matic.
Microworld failed in one instance: while it did recognize the ransomware attack and count it (10 detected attacks), it then quarantined the wrong file. It nabbed the disguise "RegAsm.exe", but the actual malware was already at work. In the end, it earned 27.5 points on its protection score.
Microsoft and Avira had greater difficulties: Microsoft did not detect the attack of a data stealer, and Avira even failed to spot two attacks – one ransomware and one data stealer. That is why important points were taken off the protection score. Microsoft achieved 27 points, whereas Avira received only 24 points.
Each product for consumer users achieving a protection score of at least 75% out of the 30 points (i.e. 22.5 points) in the test received the certificate "Advanced Certified". All products overcame this hurdle in the December 2023 test and received recognition.
Corporate user products in the ATP test
Among the protection solutions for companies, the following manufacturers competed in the test: AhnLab, Avast, Bitdefender (with 2 versions), Check Point, Kaspersky (with 2 versions), Microsoft, Rapid7, Seqrite, Symantec, Trellix and VMware.
Nearly all solutions were able to garner the full 30 points for their protection score, as they identified and thwarted the attackers in the 10 scenarios. Only Microsoft did not detect the attack of a data stealer in one instance, and all the data was exfiltrated. Thus, the table lists only 9 detected attacks and 27 points for the protection score.
Each corporate user product achieving a protection score of at least 75% out of the 30 points (i.e. 22.5 points) received the certificate "Advanced Approved Endpoint Protection". All the manufacturers achieved this goal in the December 2023 test.
No need to fear encryption and data thieves
The current Advanced Threat Protection test under Windows 10 took place in November and December 2023. It shows that many products for consumer users, as well as for corporate users, offer excellent protection. This is also supported by the tables and the listings of the protection scores. But not all products achieved the top score of 30 points.
Nearly all the security packages for consumer users were able to achieve the maximum total of protection points available. Only Avira had problems with attackers twice with its product for consumer users.
By contrast, Microsoft failed in both user groups with its Defender Antivirus for Consumer and for Enterprise: a data stealer was not detected, plain and simple, each time. Here, the specialists from Redmond urgently need to make improvements.