February 14, 2024 | Text: Markus Selinger | Antivirus for Windows

More Protection Against Encryption and Data Theft

Most attacks on consumer users or corporate users involve data stealers or ransomware. That is why it is of utmost importance whether the latest security programs and solutions on the market can detect the most recent threats and their attack techniques. The experts from AV-TEST examined 25 security products in the latest Advanced Threat Protection test. In the 10 real-life attack scenarios, the process hollowing technique plays a special role: standard Windows processes are used to disguise the malware. While many protection products see through this attack technique, some of them lost valuable points because the attacker was successful.

Advanced Threat Protection test – 25 products for Windows in the ATP test defending against data stealers and ransomware

The AV-TEST laboratory conducted its current test on 25 security products for consumer users and companies. The products were evaluated in 10 real-life scenarios to see how well they fend off the attacks with their existing protection techniques. If the classic detection of malware fails, advanced protection functions can still stop the attack from running its course. The lab precisely tracked these steps and evaluated the 10 attacks, with every step spelled out in a results graph.

ATP: 25 products in an advanced test

The following manufacturers of products for consumer users participated in this special test series of Advanced Threat Protection tests in December 2023: AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, Microsoft, Microworld, Norton and PC Matic.

The following product manufacturers were in the line-up of solutions for corporate users: AhnLab, Avast, Bitdefender (with 2 versions), Check Point, Kaspersky (with 2 versions), Microsoft, Rapid7, Seqrite, Symantec, Trellix and VMware.

In the test with 10 real-life attack scenarios, some of the products earned the full 30 points for their protection score. There were a few missteps here and there, however, and due to insufficient detection the malware was able to unleash its destructive payload.

The attack by a malware sample can be compared to a military action: the attacker attempts to overwhelm the defense in order to capture a precious commodity. Various strategies are often deployed during such attacks. One of them involves using a disguise, i.e. an obfuscation technique, to get past the guard posts. Technically speaking, this type of process injection is referred to as "process hollowing": a known process is hollowed out, and the malware is injected into what is otherwise a trusted and seemingly innocuous process. The malware uses this method to sneak past the technical watchdogs.

ATP test: security packages for consumer users

In the Advanced Threat Protection test under Windows against ransomware and data stealers, only two products had difficulties – the rest passed with flying colors.

ATP test: endpoint solutions for corporate users

Solutions for corporate users in particular have to ensure perfect protection at the endpoint. In this December 2023 test, only Microsoft failed to detect the attacker in one instance – all other products performed flawlessly.


Attack techniques and scenarios

In these 10 scenarios, a spearphishing e-mail is sent out which activates PowerShell via a batch file or script; this in turn launches additional tools and injects the malware into the trustworthy "RegAsm.exe". This internal Windows application is actually the assembly registration tool. The app is started and hollowed out in order to then inject and launch the information-theft or ransomware code. The task of the protection software: the attacker should already be stopped upon arriving in the system or when being launched. If detection fails during the initial steps ("Initial Access" or "Execution"), EDR tools and other mechanisms ought to detect the attack and intercept it in later steps.

The graphs show the results of each individual attack step. If the initial fields are already "green", the attack was stopped. The color "yellow" indicates problems, and "orange" signals that the defense was unsuccessful – the ransomware or the data stealer was able to go about its business unhindered.

Data stealers and ransomware first gather information on the existing data. The stealers then exfiltrate this data to a C2 server. Ransomware sometimes sends data as well, but generally only a file list. Next, the encryption and renaming of the files begins. Once this stage is complete, a text file is displayed on the desktop, informing the user about the attack and demanding a ransom.
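To show how the chain described above looks from the defender's side, here is an added example that is not part of the AV-TEST article: a small Python check over constructed process-creation events that flags a RegAsm.exe start whose parent is a script host and maps its ancestry to the ATT&CK stages of the scenario. The event format, the process names and the sample events are assumptions made for this example.

```python
# Constructed telemetry (not from the report): one event per line, pid,ppid,image,cmdline
SAMPLE_EVENTS = """\
100,1,explorer.exe,explorer.exe
200,100,outlook.exe,outlook.exe
300,200,cmd.exe,cmd.exe /c invoice.bat
400,300,powershell.exe,powershell.exe -w hidden -f stage.ps1
500,400,RegAsm.exe,RegAsm.exe
600,100,RegAsm.exe,RegAsm.exe /codebase mylib.dll
"""

# Stages of the chain the article describes; a mail client in the ancestry completes it
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
STAGES = [
    (MAIL_CLIENTS, "T1566.001 Spearphishing Attachment"),
    (SCRIPT_HOSTS, "T1059 Command and Scripting Interpreter"),
    ({"regasm.exe"}, "T1055.012 Process Hollowing candidate (RegAsm.exe)"),
]

def parse_events(text):
    """Return {pid: (ppid, image)} from the CSV-like event lines."""
    procs = {}
    for line in text.strip().splitlines():
        pid, ppid, image, _cmdline = line.split(",", 3)
        procs[int(pid)] = (int(ppid), image.lower())
    return procs

def ancestry(procs, pid):
    """Yield process images from pid up to the root (cycle-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image = procs[pid]
        yield image
        pid = ppid

def matched_stages(procs, pid):
    """Return the ATT&CK stage labels found anywhere in pid's ancestry."""
    images = list(ancestry(procs, pid))
    return [label for names, label in STAGES if any(i in names for i in images)]

def suspicious_regasm(procs):
    """Return {pid: stages} for RegAsm.exe starts with a script-host parent;
    build scripts may launch RegAsm.exe too, so a hit is a lead to review."""
    hits = {}
    for pid, (ppid, image) in procs.items():
        parent_image = procs.get(ppid, (0, ""))[1]
        if image == "regasm.exe" and parent_image in SCRIPT_HOSTS:
            hits[pid] = matched_stages(procs, pid)
    return hits
```

The legitimate RegAsm.exe start under explorer.exe (pid 600) is not reported, while pid 500 matches all three stages of the scenario.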

You can find a more detailed explanation of the evaluation charts and the individual color codes in the traffic light system in the article “Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?”.

The 10 test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database for “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.


Consumer user products in the ATP test

As many consumer users are also faced with the threat of ransomware and data stealers, the lab tested the products from these manufacturers in the ATP test: AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, Microsoft, Microworld, Norton and PC Matic.

9 out of the 12 manufacturers achieved perfect results and were awarded the maximum total of 30 points as their protection score, namely AhnLab, Avast, AVG, Bitdefender, F-Secure, Kaspersky, McAfee, Norton and PC Matic.

Microworld failed in one instance: while it did recognize the ransomware attack and count the attempts (10 detected attacks), it then quarantined the wrong file: it nabbed the disguise "RegAsm.exe", but the actual malware was already at work. In the end, it earned 27.5 points on its protection score.

Microsoft and Avira had greater difficulties: Microsoft did not detect the attack of a data stealer, and Avira even failed to spot two attacks – one ransomware and one data stealer. That is why important points were deducted from the protection score. Microsoft achieved 27 points, whereas Avira received only 24 points.

Each product for consumer users achieving a protection score of at least 75% out of the 30 points (i.e. 22.5 points) in the test received the certificate "Advanced Certified". All products overcame this hurdle in the December 2023 test and received recognition.

Corporate user products in the ATP test

Among the protection solutions for companies, the following manufacturers competed in the test: AhnLab, Avast, Bitdefender (with 2 versions), Check Point, Kaspersky (with 2 versions), Microsoft, Rapid7, Seqrite, Symantec, Trellix and VMware.

Nearly all solutions were able to garner the full 30 points for their protection score, as they identified and thwarted the attackers in the 10 scenarios. Only Microsoft did not detect the attack of a data stealer in one instance, and all the data was exfiltrated. Thus, the table lists only 9 detected attacks and 27 points for the protection score.

Each corporate user product achieving a protection score of at least 75% out of the 30 points (i.e. 22.5 points) received the certificate "Advanced Approved Endpoint Protection". All the manufacturers achieved this goal in the December 2023 test.

No need to fear encryption and data thieves

The current Advanced Threat Protection test under Windows 10 took place in November and December 2023. It shows that many products for consumer users, as well as for corporate users, offer excellent protection. This is also supported by the tables and the listings of the protection scores. But not all products achieved the top score of 30 points.

Nearly all the security packages for consumer users were able to achieve the maximum total of protection points available. Only Avira had problems with attackers twice with its product for consumer users.

By contrast, Microsoft failed in both user groups with its Defender Antivirus for Consumer and for Enterprise: a data stealer was not detected, plain and simple, each time. Here, the specialists from Redmond urgently need to make improvements.

Consumer Users 12/2023

V3 Internet Security
Free Antivirus
Internet Security
Internet Security for Windows
Internet Security
Standard
Premium
Total Protection
Defender Antivirus (Consumer)
eScan Internet Security Suite
Norton 360
Application Allowlisting

Corporate Solutions 12/2023

V3 Endpoint Security
Ultimate Business Security
Endpoint Security
Endpoint Security (Ultra)
Endpoint Security
Endpoint Security
Small Office Security
Defender Antivirus (Enterprise)
Rapid7
Endpoint Security
