After completing extensive tests, AV-TEST today publishes its first test report on endpoint protection platforms (EPP) and Endpoint Detection & Response products (EDR). The focus was on the detection and defense of APT attacks that use ransomware.
Security leaks such as the recently discovered Microsoft Exchange vulnerability highlight the dangers that threaten companies, authorities and critical infrastructure worldwide. Only a few days after the mass hack by Hafnium became known, DearCry, the first ransomware to exploit the Exchange vulnerability, was already in circulation.
9 endpoint solutions put to the test
The advanced EPP & EDR tests developed by the experts at the AV-TEST Institute follow dedicated attack scenarios based on the MITRE ATT&CK matrix. A total of 9 security solutions were put to the test in the laboratories of the IT security institute.
The following 6 EPP (Endpoint Protection Platform) products were tested:
- AhnLab V3 Endpoint Security
- Avast Premium Security
- Avira Antivirus Security
- Bitdefender Endpoint Security Tools
- G DATA Security Client
- McAfee Endpoint Security
All products receive the “Approved Endpoint Protection” certificate for Windows.
The following 3 EDR (Endpoint Detection & Response) solutions were tested:
- Bitdefender Endpoint Security Tools
- McAfee agent
- VMware Carbon Black Cloud
All products receive the “Approved Endpoint Detection & Response” certificate for Windows.
Three-stage test setup
The detection and defense performance of the tested EPP and EDR solutions is verified in a three-stage structure.
1. In the "attack simulation", the testers check how well EPP solutions can detect and stop APT attacks that use different ransomware samples, and how well EDR solutions detect and report these attacks.
2. In the "sanity check" (false-positive check), the tested EPP solutions must prove whether they can differentiate between normal user behavior and the attack patterns they detect, or whether they incorrectly block normal behavior. It is checked whether the system is restricted in its usability; the testers examine both the user view and the admin view according to the following scheme.
3. In the "noise check", it is checked which normal actions (techniques) that can also be misused by attackers can still be carried out, and whether they are logged by the EDR solutions. Above all, the techniques used within the tested attacks are exercised here (e.g. unpacking an archive with the help of the GUI).
More at AV-TEST.org
About AV-TEST
AV-TEST GmbH is an independent provider of services in the field of IT security and anti-virus research, with a focus on the identification and analysis of the latest malware and its use in comprehensive comparative tests. The currency of the test data enables the quick-response analysis of new malware, the early detection of virus trends, and the investigation and certification of IT security solutions. The results of the AV-TEST Institute represent an exclusive information base and serve manufacturers for product optimization, specialist magazines for the publication of results, and end customers for orientation in product selection.
The company AV-TEST has been operating in Magdeburg since 2004 and employs more than 30 people with profound specialist and practical experience. The laboratories are equipped with 300 client and server systems in which more than 2,500 terabytes of self-collected test data on harmful and harmless information are stored and processed. Further information can be found at https://www.av-test.org.