Security Software against the latest Ransomware Techniques
In a comprehensive evaluation, AV-TEST analyzed security products for consumer users and corporate users. All products were required to stand up against the latest ransomware techniques. Those deployed included shrewd techniques such as polyglot files, DLL sideloading or nested password protected self-extracting archives, as they are also used by Emotet when attacking systems. A total of 25 products were put to the test and were successful in many challenges – but not in all. The present article from the Advanced Threat Protection test series sheds light on the findings in a summary evaluation.
In addition to the classic detection tests, the lab at AV-TEST examines many security products for consumer users and corporate users in a live test against ransomware and their particularly diabolical technical sophistication. In the latest study, the lab used the following attack techniques, as they are also deployed by Emotet, for example.
Polyglot file: In this technique, the attacker uses specially prepared files that work in concert. In this test, a combined LNK and ISO file was used, which makes it difficult for many security products to examine and identify these files and to prevent them from launching.
DLL sideloading: Here, attacks capitalize on very typical programming errors in standard software. A malicious DLL is copied into the application directory. The application does not notice it, and loads the DLL. The process then carries out the attackers' specified commands and, in doing so, it appears normal and innocuous.
Nested password protected self-extracting archives: This technique was also used by Emotet to prevent detection by security programs.
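The polyglot file and the nested archive are both things a defender can look for statically before anything is launched. The following Python script is an added example written for this article, not AV-TEST's test tooling: it reports a blob that satisfies more than one container signature (a shell link header at offset 0 together with an ISO 9660 volume descriptor at offset 0x8000, which is exactly what a combined LNK/ISO file looks like, because ISO 9660 leaves the first 32 KiB unused) and walks a ZIP for nested archives and encrypted members. The sample inputs are constructed in memory; the polyglot sample carries only the two signatures, not full valid LNK and ISO structures, so the checks are signature heuristics meant for triage rather than full parsers.

```python
"""Static triage for polyglot LNK/ISO blobs and nested or encrypted archives.
Added example code (hypothetical tooling, not AV-TEST's); samples are constructed."""
import io
import struct
import zipfile

# Shell link (.lnk) header: 4-byte header size 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
# ISO 9660 primary volume descriptor: type byte 0x01 then "CD001" at byte 0x8000.
# Bytes 0..0x7FFF form the unused "system area", which is where a polyglot hides
# the second format.
ISO_PVD_OFFSET = 0x8000
ISO_PVD_MAGIC = b"\x01CD001"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def identify_formats(data: bytes) -> set[str]:
    """Return every container format whose signature the blob satisfies."""
    found = set()
    if data.startswith(LNK_HEADER):
        found.add("lnk")
    if data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)] == ISO_PVD_MAGIC:
        found.add("iso")
    if data.startswith(ZIP_LOCAL_HEADER):
        found.add("zip")
    return found


def is_polyglot(data: bytes) -> bool:
    """More than one matching signature means the file can be interpreted two ways."""
    return len(identify_formats(data)) > 1


def archive_findings(data: bytes, depth: int = 0, max_depth: int = 5) -> list[str]:
    """Walk a ZIP recursively; report nested archives and encrypted members.
    Encrypted members cannot be opened without the password, so they are
    reported and skipped rather than descended into."""
    findings: list[str] = []
    if not data.startswith(ZIP_LOCAL_HEADER):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general purpose bit 0: member is encrypted
                findings.append(f"depth {depth}: encrypted member {info.filename}")
                continue
            member = zf.read(info.filename)
            if member.startswith(ZIP_LOCAL_HEADER):
                findings.append(f"depth {depth}: nested archive {info.filename}")
                if depth + 1 < max_depth:
                    findings.extend(archive_findings(member, depth + 1, max_depth))
    return findings


def build_polyglot_sample() -> bytes:
    """Constructed: a blob carrying both the LNK and the ISO 9660 signature."""
    blob = bytearray(ISO_PVD_OFFSET + 2048)
    blob[:len(LNK_HEADER)] = LNK_HEADER
    blob[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)] = ISO_PVD_MAGIC
    return bytes(blob)


def build_nested_zip_sample() -> bytes:
    """Constructed: a ZIP that contains another ZIP, which contains a text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.txt", "harmless text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_polyglot_sample()
    print("formats:", sorted(identify_formats(sample)), "polyglot:", is_polyglot(sample))
    for line in archive_findings(build_nested_zip_sample()):
        print(line)
```

In practice the two checks complement a scanner rather than replace it: a file that is both a shell link and a disc image has no legitimate reason to exist, and an archive whose members are themselves encrypted archives is worth detonating in a sandbox or blocking at the mail gateway regardless of what the innermost payload turns out to be.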
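For the DLL sideloading technique, the footprint on disk is a library that sits in the application directory without belonging there, or one whose bytes no longer match what the application shipped. The following Python check is an added example (hypothetical tooling, not AV-TEST's or any vendor's): it compares the DLLs found under an application directory against a baseline of relative names and SHA-256 hashes taken from a clean install, and reports the unexpected and the changed ones. The fixture directory and its files are constructed; they are plain bytes, not real PE images, since only names and hashes matter to the check.

```python
"""Find DLL sideloading candidates by comparing an application directory
against a hash baseline. Added example code; the fixture is constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideloading_candidates(app_dir: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the DLLs under app_dir with a baseline {relative name: sha256}.
    Names are compared case-insensitively, as the Windows loader does.
    Returns (relative path, reason) pairs for DLLs that should not be there
    or whose contents no longer match what the application shipped."""
    expected = {name.lower(): digest.lower() for name, digest in baseline.items()}
    findings: list[tuple[str, str]] = []
    dlls = sorted(p for p in app_dir.rglob("*") if p.is_file() and p.suffix.lower() == ".dll")
    for path in dlls:
        rel = path.relative_to(app_dir).as_posix().lower()
        if rel not in expected:
            findings.append((rel, "not in baseline"))
        elif sha256_of(path) != expected[rel]:
            findings.append((rel, "hash differs from baseline"))
    return findings


def build_demo() -> tuple[Path, dict[str, str]]:
    """Constructed fixture: one untouched DLL, one DLL overwritten after the
    baseline was taken, and one DLL the baseline does not know at all."""
    app_dir = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    (app_dir / "good.dll").write_bytes(b"original library bytes")
    (app_dir / "tampered.dll").write_bytes(b"original library bytes")
    baseline = {
        "good.dll": sha256_of(app_dir / "good.dll"),
        "tampered.dll": sha256_of(app_dir / "tampered.dll"),
    }
    # Events after the baseline: a shipped DLL is replaced, a new DLL appears.
    (app_dir / "tampered.dll").write_bytes(b"replacement bytes")
    (app_dir / "extra.dll").write_bytes(b"dropped next to the application")
    return app_dir, baseline


if __name__ == "__main__":
    demo_dir, demo_baseline = build_demo()
    for name, reason in find_sideloading_candidates(demo_dir, demo_baseline):
        print(f"{name}: {reason}")
```

The baseline has to come from a trusted source (a clean install or the vendor's manifest), and the check catches the copy-into-application-directory step described above; it says nothing about whether the loaded DLL is signed or where the loader would otherwise have searched, so it is one signal for an endpoint agent or an inventory job, not a stand-alone defence.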
A product evaluated in the Advanced Threat Protection test receives a special certificate as recognition, but only if it achieves a protection score of at least 75 percent of the maximum 30 points, i.e. 22.5 points. Consumer user products receive the "Advanced Certified" certificate, and corporate user products receive the "Advanced Approved Endpoint Protection" certificate.
For a more detailed explanation of the evaluation tables and the individual color codes in the traffic light system, please see also the article "Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?".
Security software for consumer users vs. ransomware
Protection of companies against ransomware
Consumer user products in the Advanced Threat Protection test
In the lab, end user packages of these manufacturers were put to the test: Avast (2 versions), AVG, Bitdefender, F-Secure, G DATA, Kaspersky, Malwarebytes, Microsoft, Microworld, Norton, PC Matic and VIPRE Security.
Avast with One Essential, AVG, Bitdefender, F-Secure, Kaspersky, Microsoft, Microworld and PC Matic detected all special attack techniques in the 10 ransomware scenarios and received the maximum 30 points for the protection score.
Other products reliably identified the intruders but were partly or totally unable to stop some of them. G DATA had problems in one test run: it detected the ransomware, but it was only partially able to block it, and individual files were encrypted: 29 points.
VIPRE Security received 28.5 out of 30 points, as it identified the attack, but was unable to do anything against the encryption.
Norton experienced a similar issue in one instance. While the ransomware was detected, the encryption of the system was not stopped: 27.5 points.
Malwarebytes Premium did manage to detect all 10 attackers, but was only able to partially block them. Thus, three malware samples were able to encrypt individual files: 27 points out of a possible 30.
Avast (Free Antivirus) had to concede defeat in one scenario: it did not detect the intruder and enabled the ransomware to completely unfold. The other 9 attacks were fended off error-free, which meant that the package received 27 points.
Company products in the Advanced Threat Protection test
In the protection of corporate users, the following solutions demonstrated error-free performance, receiving the maximum 30 points for the protection score: Avast, Bitdefender (2 versions), Check Point, Xcitium, Kaspersky (2 versions), Microsoft, WithSecure and VMware.
G DATA and Trellix did detect all attackers, but in one test run, each of the products failed to totally block the aggressor, and there was encryption of individual files. But each still achieved 29 points on its protection score.
Advanced test scenarios against sophisticated attackers
The Advanced Threat Protection test series is a challenge for any product being evaluated, as it encounters difficult and dynamic attack scenarios of the kind seen in everyday use. The routines used in this test are described by scenarios 1 to 10, illustrated in the tabs below. To enable professionals to interpret the test more effectively, the lab described each scenario using the internationally defined "Techniques" codes from MITRE ATT&CK.
The test shows that many security packages for consumer users provide perfect protection against special ransomware attacks: Avast, AVG, Bitdefender, F-Secure, Kaspersky, Microsoft, Microworld and PC Matic. However: 5 out of 13 security products had problems with the intruders. As a result, there were partial detections and individual files were encrypted.
The corporate user products demonstrated better performance: 10 of the 12 products immediately detected all attackers and fended them off completely: Avast, Bitdefender, Bitdefender Ultra, Check Point, Xcitium, Kaspersky Endpoint Security, Kaspersky Small Business Security, Microsoft, WithSecure and VMware. The other two solutions had problems, which led to partial encryption.