MRG Effitas Real World Enterprise Security Exploit Prevention Test March 2015

Discussion in 'other anti-malware software' started by FleischmannTV, Apr 24, 2015.

  1. Finally, was that so difficult to admit? :thumb:
     
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Claim 1:
    https://blog.malwarebytes.org/wp-content/uploads/2015/03/ExploitKitsHoneyView-2.png
    I will not make the effort to calculate a percentage; I do not know how old your AVG LinkScanner DB is.

    Claim 2:
    it can be assumed that most exploits used by EKs are in the top 20.

    Claim 3:
    I don't know whether you can just say that AVs can detect 60/75% of the exploitation attempts purely by looking at the exploit code. This seems pretty strange to me due to the many layers of obfuscation. I assume that in most cases detection happens due to more general detection rules.

    ~Image removed~
     
    Last edited by a moderator: May 2, 2015
  3. @ropchain more or less agree with you

    Ad 1. The post says 2013.

    Ad 2. On second thought that indeed makes sense; thinking logically, those posts which disclose research are an open-door research finding.

    Ad 3. But even with generic rule detection, that would still imply that general AVs have some means of protection.
     
  4. Zoltan_MRG

    Zoltan_MRG Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    31
    Based on the number of fallacies, I won't answer in this thread anymore unless there is a real, constructive question to us. Our lack of a future answer does not mean we agree with what is written here, or that we have run out of arguments (argument from silence).

    This is a fallacy "experts" call "ad hominem, poisoning the well". You try to discredit me. This is not fair.
    I have 8 years of first-hand experience with ~30 enterprises in Europe about what enterprise patch levels look like. What is your experience, how many enterprises have you seen? Anyway, I never said that "IT administrators look like incompetent people", and I don't agree with the words you just put in my mouth. Bad patch levels are more likely to be the result of:
    1: lack of resources (not enough people to do the patching)
    2: lack of priority (it is not urgent now)
    3: lack of tools (some software is hard to detect, e.g. portable Firefox)
    4: compatibility issues (e.g. core business application only runs on Java6)

    Fallacy: "straw-man"
    Again, I never said it is the same. I really "like" your argument technique, as I see a pattern now. You interpret my words totally differently from how I wrote them, and after that make them look bad. As I already wrote in another thread, 10 years ago antivirus and antispyware were different products, but it was really bad for the industry, as people were not protected by a single product. AVs, Internet Security Suites and Endpoint Protection products should include anti-exploit protection; otherwise, it is doomed to fail - this is my opinion. Now anti-exploit is commonly a complementary protection, but in 5 years it will be in the core of all AV protection. This is my prediction.

    Fallacy: "straw-man"
    I never wrote Avast does not have an enterprise solution. We were talking about prevalence, and the OPSWAT report. The report does not support your statement that Avast is prevalent at enterprises.

    As I already wrote multiple times, this whole attack has nothing to do with vulnerabilities fixed in 2011. The whole attack works on fully patched Windows with Firefox 29.0 (released on April 29, 2014), and the whole attack can be converted to a two-staged remote attack, where no executable is used locally to calculate the offsets.

    There are so many errors in this argument.
    1: You don't accept our expertise that we know what we do, but you expect me to accept your expertise. This is not fair.
    2: "60-75% of the exploits used in exploit kits are over two years old". This is a rather old statistic, which has changed since the rapid emergence of Flash vulnerabilities. Also, even if an exploit is 2 years old, if the obfuscation is new and good, an updated AV won't trigger an alert. Which means AVs can't protect against "at least 60 to 75 percent of the exploits".
    3: Microsoft did not stop over half of the exploits. It stopped the downloaded malware. Have a look at page 23.
    4: I'm glad you are reminding me that "real life risk = exposure risk x no-protection risk". At enterprise level (with 20 000 or 200 000 users), a 95% protection level or less is a huge problem, and it is not a success. It is a fail.
    5: And last but not least I hope the screenshot you made in the https://www.wilderssecurity.com/threads/anti-exploit-testing.368806/ thread had nothing to do with the test you have done, as testing with Blackhole exploit kit in October 2014 seems at least one year outdated.

    Fallacy: "Cherry-picking"
    I wrote a detailed explanation on behavior blocking, and all you can say is this? Looks like you are running out of arguments. Behavior blocking cannot be considered a success. It's like doctors trying to save the patient's life after the heart has stopped, when it was a routine operation. Even if they save the life of the patient, this is not the way to do the operation.
     
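    The point made in Zoltan_MRG's item 2 above (an old exploit behind new obfuscation slips past an updated signature scanner) and in ropchain's Claim 3 earlier in the thread (detection has to come from more general rules because of the many obfuscation layers) can be shown in a few lines. The following is an added example, written for this page and not code from MRG Effitas or from anyone posting in the thread. The sample "landing page" fragment, the single toy signature, and the XOR-plus-base64 decoder stub are all constructed for the demonstration and stand in for whatever a real kit and a real AV engine would use.

```python
import base64
import re

# Constructed sample of the kind of fragment a static signature might key on in an
# exploit-kit landing page: a classic heap-spray NOP-sled string. Not real exploit code.
CLEAR_SAMPLE = ("var sc = unescape('%u9090%u9090%uCCCC'); var nops = ''; "
                "while (nops.length < 0x1000) nops += sc;")

# Toy signature database: patterns a purely static scanner applies to the raw bytes.
SIGNATURES = {
    "heap-spray-unescape": re.compile(r"unescape\('%u9090%u9090"),
}


def static_scan(content):
    """Return the names of signatures that match the content as-is."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(content))


def obfuscate(payload, key):
    """Wrap a payload in a fresh obfuscation layer (XOR + base64) behind a small
    JavaScript decoder stub. An attacker can regenerate this per campaign; only the
    stub and an opaque blob are visible to the static scanner."""
    if not 0 < key < 256:
        raise ValueError("key must be a single non-zero byte")
    xored = bytes(b ^ key for b in payload.encode("utf-8"))
    blob = base64.b64encode(xored).decode("ascii")
    return ("var k={k};var d=atob('{b}');var s='';"
            "for(var i=0;i<d.length;i++)s+=String.fromCharCode(d.charCodeAt(i)^k);"
            "eval(s);").format(k=key, b=blob)


# Recognises the (constructed) decoder stub so the scanner can emulate it.
STUB_RX = re.compile(r"var k=(\d+);var d=atob\('([A-Za-z0-9+/=]+)'\)")


def peel_layer(content):
    """Emulate what the decoder stub would do at runtime and return the inner
    payload; return the input unchanged if no stub is recognised."""
    m = STUB_RX.search(content)
    if not m:
        return content
    key = int(m.group(1))
    data = base64.b64decode(m.group(2))
    return bytes(b ^ key for b in data).decode("utf-8", errors="replace")


def scan_with_emulation(content, max_layers=8):
    """Static scan, then repeatedly peel obfuscation layers and rescan the result.
    max_layers bounds the work so a hostile page cannot make the scanner spin."""
    hits = set(static_scan(content))
    current = content
    for _ in range(max_layers):
        inner = peel_layer(current)
        if inner == current:
            break
        current = inner
        hits.update(static_scan(current))
    return sorted(hits)


if __name__ == "__main__":
    wrapped = obfuscate(obfuscate(CLEAR_SAMPLE, 0x41), 0x17)
    print("static only:   ", static_scan(wrapped))           # []
    print("with emulation:", scan_with_emulation(wrapped))   # ['heap-spray-unescape']
```

    The signature fires on the clear sample and on nothing else: one new wrapping layer, which costs the attacker a single line of stub code, is enough to make a two-year-old fragment invisible to the static scan. Only the emulation pass, which looks through the layers and so amounts to a more generic rule than a byte pattern, recovers the detection; and it has to be bounded, because an unbounded unpacking loop is itself a denial-of-service vector against the scanner.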
  5. @Zoltan_MRG Poisoning the well, cherry-picking, strawman, are you serious? Do you have so much trouble answering the arguments and facts that you have to start name-calling? Do you realize that in your pompous answers you also offend this forum? When I am a strawman, the audience are the members of this forum!

     
    Last edited by a moderator: May 3, 2015
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    https://www.wilderssecurity.com/threads/free-web-administered-avast-for-business.373006/
     
  7. Ad 1. I said that my findings were in line with the research findings of AV companies; I neither asked nor expected you to accept this.

    Ad 2. So explain this to experts of Sophos and Symantec. They were the sources of this information (published end 2014 and beginning 2015)

    Ad 3. Whatever, you said that AVs were useless; even Microsoft stopped over 50%, your own research contradicts your statement.

    Ad 4. Note that I am not tweaking or changing your words, your exact quote: "At enterprise level, a 95% protection level or less is a huge problem, and it is not a success. It is a fail". So now you are telling us that your sponsor's anti-exploit feature (Kaspersky Endpoint Security AEP) is a huge problem with an 89.3% protection rate? Does your marketing manager know about the bad publicity you are implying over the products of your sponsor in social media?

    Ad 5. I was using a database of 2013, as the thread explains! So using an exploit kit of over a year old in October 2014 is valid. I also confirmed this in my answer to Ropchain in this thread. Your ability to miss or ignore that fact twice tells enough IMO.
     
    Last edited by a moderator: May 3, 2015
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    This has got to stop.

    So many users with hidden agendas, desperately trying to discredit, derail and put up smokescreens.

    The threads relating to the last two MRG reports (the SurfRight and Kaspersky reports) are a prime example of why I have, for years and years, been telling people to stay away from these so-called "security forums" if they feel the need to ask for advice.
    These forums are not the place for Average Joe to learn or get helped.

    I've been around the block a few hundred times and have a pretty good understanding of who's hiding behind each username and what vendors they have relations with behind the scenes.
    That makes the ulterior motives in most posts easy to spot.

    Average Joe just passing through, doesn't have that luxury.

    It was sickening to witness how all the little spin-doctors rushed to the keyboards when their precious AV vendor didn't do well in the exploit prevention test.
    Desperate smokescreens tried to lull Average Joe into believing that URL-blocking and behavior blocking would save his day, while hoping he would get lost in the technical terms.

    And now we see similar attempts carried over to this thread.

    There's a handful of developers that do really good work and make excellent tools to keep users safe, but they drown in the myriad posts from those trying to discredit at all costs.
     
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    @Zoltan_MRG

    Thank you for taking the time to repeatedly and comprehensively explain your position to us.
     
  10. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Could you give a few examples?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL, I'm also not sure why some people seem to have major issues with the latest MRG tests. Of course, they are probably not perfect, but I haven't seen any major flaws either. If anything, the tests seem to be getting better and more transparent.

    Yes, I really appreciate this. :thumb:
     