
AV-Comparatives has published the results of its anti-tampering certification test, which shows whether endpoint solutions defend themselves against tampering: CrowdStrike, ESET, Kaspersky and Palo Alto Networks are among those taking part.
The test attempts to disable or modify user-space and kernel-space components of endpoint solutions in order to assess their anti-tampering properties. It evaluates whether AV/EPP/EDR components or functions can be disabled or changed through manipulation, with all tampering activities performed from Windows user space. The following products are included in the test.
- CrowdStrike Falcon Enterprise
- ESET PROTECT Entry
- Kaspersky Endpoint Security for Business
- Palo Alto Networks Cortex XDR Prevent
Manipulation: what needs to be defended against?
To be approved by AV-Comparatives as an anti-tampering protection, all tampering attempts made during the test must be prevented. Using a range of tests, tools and procedures, the testers attempt to break into the endpoint solutions and thereby measure the tamper resistance of each product. As part of the prevention assessment, they attempt to disable the most important functions by targeting the various components of the respective product.
- Test 1: The product successfully protected itself against manipulation attacks; a temporary or permanent, partial or complete deactivation of the EDR functionality was not possible.
The following components or categories have been tested against tampering attacks that could result in permanent, temporary, partial, or total loss of product functionality:
- User-space processes, including threads and handles (terminate, suspend, etc.)
- Services in user space (pause, stop, disable, uninstall, etc.)
- Registry keys (delete, remove, rename, add, etc.)
- DLLs (manipulation, modification, hijacking, etc.)
- Agent integrity (disable, change, uninstall, etc.)
- File system (manipulation, modification, etc.)
- Kernel drivers (ELAM drivers, filter drivers, minifilter drivers, etc.)
- Other components and functions (e.g. connection to update services, etc.)
All four products, CrowdStrike Falcon Enterprise, ESET PROTECT Entry, Kaspersky Endpoint Security for Business and Palo Alto Networks Cortex XDR Prevent, successfully passed the test and received the “Approved Anti-Tampering 2023” certificate from AV-Comparatives.
More at AV-Comparatives.org
About AV-Comparatives
AV-Comparatives is an independent AV test laboratory based in Innsbruck, Austria, and has been publicly testing computer security software since 2004. It is certified according to ISO 9001:2015 for the area of "Independent tests of anti-virus software". It also has EICAR certification as a "Trusted IT Security Testing Lab".