APT groups use many different attack tactics. AV-TEST attacked endpoint protection products for companies in 10 currently used scenarios built on the techniques ".NET Reflective Assembly loading", ".NET Dynamic P/Invoke" and "AMSI bypass". Only half of the products examined withstood 100 percent of the attacks.
The Advanced Threat Protection tests are narrowly scoped, but they repeatedly pit protection software against the latest techniques used by APT groups. One of them is ".NET Reflective Assembly loading", a technique used in its basic form in attacks that rely on Cobalt Strike and in campaigns by the Cuba and Lazarus groups. The techniques ".NET Dynamic P/Invoke" and "AMSI bypass" are likewise popular in current ransomware attacks.
If such an attack succeeds, the systems are encrypted and the extortion by the APT groups begins. That only fails to happen if the protection products for private users and companies recognize the attack technique in use, stop the attack and remove the ransomware.
Advanced test: solutions for companies
Products from AhnLab, Bitdefender (2 versions), Check Point, G DATA, Kaspersky (2 versions), Microsoft, Sangfor, Symantec, Trellix, VMware, WithSecure and Xcitium faced the extended test of endpoint security solutions for companies.
Each product must recognize the attack technique and fend off the ransomware in all 10 scenarios. The laboratory awards 3 points for each complete defense, so a flawless run yields 30 points. The products from Bitdefender (Endpoint and Ultra versions), Check Point, G DATA, Kaspersky (Endpoint and Small Office Security versions) and Xcitium detected every attack and blocked the ransomware in every scenario. For this performance, these products receive the full 30 points for the protection score.
Detected, yes; stopped only partially
Symantec and Microsoft also recognize all 10 attack scenarios, but they have a problem in one case each: they detect the attack and the ransomware, and both even initiate further countermeasures. The response nevertheless comes too late to be complete: under Symantec the ransomware still encrypts individual files, and under Microsoft it encrypts the entire system. Detection alone therefore does not earn full points; what counts is whether the payload is stopped before it can do damage. This gives Symantec 29 points and Microsoft 28.5 points for the protection score.
After that, the field weakens: AhnLab, Sangfor and WithSecure all share the same problem. In one scenario each, they recognize neither the attack technique nor the ransomware, the system is encrypted, and each product loses the full 3 points for that case, leaving 27 points each for the protection score. The remaining endpoint solutions from Trellix and VMware reach only 24 and 22.5 points respectively.
More at AV-TEST.org
About AV-TEST
AV-TEST GmbH is an independent provider of services in the field of IT security and anti-virus research, with a focus on identifying and analyzing the latest malware and using it in comprehensive comparative tests. Because the test data is always up to date, the institute can analyze new malware quickly, detect malware trends early, and investigate and certify IT security solutions. The results of the AV-TEST Institute form an exclusive information base that serves manufacturers for product optimization, specialist magazines for publishing results, and end customers for orientation when selecting products.
AV-TEST has been operating in Magdeburg since 2004 and employs more than 30 people with in-depth specialist and practical experience. Its laboratories are equipped with 300 client and server systems, on which more than 2,500 terabytes of self-collected test data, both malicious and benign samples, are stored and processed. Further information can be found at https://www.av-test.org.