In the test with real attack scenarios, 26 protection solutions for private users and companies demonstrate their performance in the AV-TEST laboratory. In the series of Advanced Threat Protection tests, the lab examines how well the products protect against ransomware.
Every step of the malware attack is logged and evaluated, right through to encryption. Many solutions deliver what they promise: they offer protection against ransomware. But not all solutions deliver brilliant performance.
Ransomware - the plague of the 21st century
Ransomware is arguably the plague of the 21st century. Media reports of partially or completely successful attacks just keep coming. The Sophos study “The State of Ransomware 2022” shows that this impression is not mistaken. One of the first takeaways from the study is “Ransomware attacks are more prevalent – 66% of organizations surveyed were hit by ransomware in 2021, up from 37% in 2020.”
26 products in the Advanced Threat Protection test
The Advanced Threat Protection tests provide important insight for manufacturers and users as to how securely a product protects against ransomware in real scenarios. 14 enterprise security solutions and 12 end-user products took part in the test. The manufacturers of the end-user products are: Avast, AVG, Bitdefender, F-Secure, G DATA, K7 Computing, Kaspersky, Microsoft, Microworld, NortonLifeLock, PC Matic and VIPRE Security.
The solutions for companies include products from these manufacturers: Acronis, Avast, Bitdefender (two versions), Comodo, F-Secure, G DATA, Kaspersky (two versions), Microsoft, Seqrite, Symantec, Trellix and VMware.
All products must hold their own against ransomware in 10 real-world scenarios on Windows 10. For example, the attacks use archives with hidden malware, PowerPoint files with scripts or HTML files with dangerous content. The 10 graphics for the "test scenarios" list the type of attack and each step in it. The lab even gives the definitions as MITRE ATT&CK technique codes. For those interested, the lab also explains the exact technical steps of an Advanced Threat Protection test in the previously published article “New defenses: EPPs and EDRs in the test against APT and ransomware attacks”.
Companies: Live attack test with ransomware
The lab tests 14 enterprise network protection solutions in 10 defined real-world ransomware scenarios. The primary attack vector is an email with a malicious attachment. The attachment always contains malicious content, for example Office files with scripts that then carry out further steps, for example via PowerShell.
In the test, all products without exception detect the attack in the first steps (initial access or execution). However, only 10 of the 14 products detected and completely blocked the attack. The end result is 10 company products with the full 40 points. Symantec follows with 39.5 points, Seqrite and VMware with 39 points each and Trellix with 36.5 points.
Home users: Live attack test with ransomware
In the test, 12 end-user products face examination by the experts in the laboratory. All products have to hold their own in the 10 scenarios with different attack paths. In all attacks, the user receives an email with an attachment. The attachment is dangerous in all cases: for example infected PowerPoint files, scripts or packed archives with malware. The test shows that all products detect the attack as soon as the first steps are taken (initial access or execution). 11 of the 12 protection packages also stop any further execution of the attack at this point and thus receive the full rating of 40 points. Only K7 Computing has a problem: the attack is detected, but later in scenario No. 6 the attacker manages to create a file. Even though this file is harmless, it costs a deduction of 0.5 points.
About AV-TEST
AV-TEST GmbH is an independent provider of services in the field of IT security and anti-virus research with a focus on the identification and analysis of the latest malware and its use in comprehensive comparative tests. The fact that the test data is up-to-date enables the quick-response analysis of new malware, the early detection of virus trends, and the investigation and certification of IT security solutions. The results of the AV-TEST Institute represent an exclusive information base and serve manufacturers for product optimization, specialist magazines for the publication of results and end customers for orientation in product selection.
The company AV-TEST has been operating in Magdeburg since 2004 and employs more than 30 people with profound specialist and practical experience. The laboratories are equipped with 300 client and server systems in which more than 2,500 terabytes of self-collected test data of harmful and harmless information are stored and processed. Further information can be found at https://www.av-test.org.