Test: Can endpoint solutions be manipulated?

AV-Comparatives has published the results of its “Anti-Tampering Certification Test”, which shows whether endpoint solutions from CrowdStrike, ESET, Kaspersky and Palo Alto Networks defend themselves against tampering.

The test attempts to disable or modify user-space and kernel-space components of endpoint solutions in order to assess their anti-tampering properties. It evaluates whether AV/EPP/EDR components or functions can be disabled or changed through manipulation, with all tampering activities carried out from Windows user space. The following products are included in the test.

  • CrowdStrike Falcon Enterprise
  • ESET PROTECT Entry
  • Kaspersky Endpoint Security for Business
  • Palo Alto Networks Cortex XDR Prevent

Manipulation: what needs to be defended against?

To be approved by AV-Comparatives as anti-tampering protection, all tampering attempts made during the test must be prevented. Using a variety of tests, tools and procedures, the testers try to subvert the endpoint solutions and thereby measure the tamper resistance of each product. The attempts aim to disable the most important prevention functions by affecting the various components of the respective product.

  • Test 1: Manipulation attacks that could lead to a temporary or permanent, partial or complete deactivation of the EDR functionality were not possible; the product was successfully protected.

The following components or categories have been tested against tampering attacks that could result in permanent, temporary, partial, or total loss of product functionality:

  • User-space processes, including threads and handles (terminate, suspend, etc.)
  • Services in user space (pause, stop, disable, uninstall, etc.)
  • Registry keys (delete, remove, rename, add, etc.)
  • DLLs (manipulation, modification, hijacking, etc.)
  • Agent integrity (disable, change, uninstall, etc.)
  • File system (manipulation, modification, etc.)
  • Kernel drivers (ELAM drivers, filter drivers, minifilter drivers, etc.)
  • Other components and functions (e.g. connection to update services, etc.)

All 4 products, CrowdStrike Falcon Enterprise, ESET PROTECT Entry, Kaspersky Endpoint Security for Business and Palo Alto Networks Cortex XDR Prevent, successfully passed the test and received the “Approved Anti-Tampering 2023” certificate from AV-Comparatives.

More at AV-Comparatives.org


About AV-Comparatives

AV-Comparatives is an independent AV test laboratory based in Innsbruck, Austria, and has been publicly testing computer security software since 2004. It is certified according to ISO 9001:2015 for the area of "Independent tests of anti-virus software". It also has EICAR certification as a "Trusted IT Security Testing Lab".
