Nothing new from the 2nd quarter test besides the use of reflective i.e. memory based dll injection in the Simulator test. Unless a vendor received 100% in all tests, they weren't certified. I really don't understand why vendors participate in this test.
I cannot comment on "bias", but of course there have to be business relations with at least some of the tested companies.
As you might know I got my avitar from MRG I would rather see an in the wild section with common intrusion techniques used by prevailing exploitkits (since top 20 of exploits kits are source of 99% percent of the intrusions). This still leaves unknown zero-day protection capabilities open and unanswered. IMO it is silly to call something real life whensynthetic tests use a browser which is not the most used browser. The argument it is to difficult to craft a Chrome test is just prooving my devils's advocate theory (look, but don't touch, touch but don't taste, taste but don;t swallow). Devil's advocate theory projected to white hat testers and insiders (understanding basics of programming): a) understands an exploit he/she thinks he/she can replicate an exploit b) can replicate an exploit in a synthetic test, he/she thinks can use an exploit in a real life situation c) can use a vulnability in a non-patched real life situation can craft an exploit in a future situation Bottem line: show me the money, disclose a new Chrome exploit Regards Kees
@FleischmannTV Oh, sure. Like, say, Emsisoft... @Windows_Security Ah, yes.. those alleged (by MRG) "straw man" arguments were so faux pas.
As far as I am aware of, vendors ask and therefore pay to participate in the tests. For example, Emsisoft used to be tested and then parted ways with MRG a while back.
They used to participate in both the 360 and Online Banking tests. Below are the links: https://www.mrg-effitas.com/wp-content/uploads/2012/06/360-Q2-2014.pdf https://www.mrg-effitas.com/wp-cont...urity-Assessment-Project-Q3-2013-Q1-20141.pdf
