I'm starting to like AV-TEST a bit more, finally they are giving quite a lot of information about how testing was done. It seems like most AV's didn't have any difficulties to block these ransomware attacks: https://www.av-test.org/en/news/9-s...ed-threat-protection-test-against-ransomware/
Good stuff. It seems if these tests are accurate, there is gap between the reported incidents of successful ransomware attacks and the preventive power of the AVs. Of course, these may not be enterprise editions, but unless many users and IT departments are totally incompetent, what the hell is going on?
Hello @Rasheed187 For those who may have forgotten, Malwarebytes Anti-Ransomware (MBARW) Beta 10 ("Perpetual") v0.9.19.73 - CU 1.1.443 remains free and it was updated just a few weeks ago. MBARW will install/run as long as MB3/4 free is not installed. The fully functional ARW module is already baked into Malwarebytes for Windows (MB4) Premium. Announcement/download: https://forums.malwarebytes.com/forum/172-anti-ransomware-beta/ and https://www.malwarebytes.com/solutions/ransomware-protection Malwarebytes Blog: https://blog.malwarebytes.com/malwa...ducing-the-malwarebytes-anti-ransomware-beta/ Wilders: https://www.wilderssecurity.com/threads/malwarebytes-anti-ransomware-beta.383333/ HTH
I'm not sure if this is one of those tests that you have to pay to participate in. It looks like everyone passes. I don't know if that is because of the test or if most mainstream products will get the job done. In any case I am far from worried about the products you named. I don't think anyone cares anymore. Discussions of these tests used to go on for 50 pages. Now they rarely get 50 responses.
Also, no Avast/AVG, McAfee. The way these special tests by AV labs work is AV concerns that are clients can opt out of being shown in published report.
I thought the low number of AV's tested was related to it being expensive to test a lot of them. But if they test a low number, why not well known names instead of copy/paste rebranded stuff like Total AV.(I thought PC Matic was pretty bad as well but apparently they detected all samples.) As for me, I know what is good and what isn't, have read enough AV tests in the past. Some real world tests and special tests like exploit tests are still somewhat interesting. I wish some promising newcomers like SecureAPlus and WiseVector would be tested to see how they compare.
Exactly. A test like this isn't going to make me switch products. Previous tests, personal experience. Sometimes these are entertaining but not so much these days as they all score similarly. You have to run what you like more than worry about test results.
I for one have issues with this test. Referring to Microsoft Defender, all ransomware samples were detected upon initial access; the only tested product to do so. I am interpreting the "initial access" detection being any attempt to access files under MD's Controlled Folders protection. The problem is the first two tests involved Excel attachments containing a malicious macro. This also implies that no app exclusions had been set up for Controlled Folders. I would assume that Excel; given that MS Office was installed, would be an app allowed access to Controlled Folders?
I believe that initial access is initial access to file in mail, before file could be opened or launched and not initial access to protected files.
No, I don't think WD monitors the file system for suspicious file activity as is done by HMPA, Malwarebytes and AppCheck. WD is simply trying to identify suspicious behavior via the cloud. Yes, weird that they chose to test less known brands like PC Matic and Protected.Net, they should have included Avast, ESET and Kaspersky.
Yes good question, I also wonder about this. I do know that a lot of succesful attacks on companies are via zero days in corporate software like Citrix and MS Exchange, but you would think it shouldn't matter for AV's, they should still be able to protect. So my guess is that hackers may be capable of succesfully disabling AV software. However, this stuff should be spotted by EDR systems like MS Defender ATP, so it remains shady.
As much as I wanted to agree and leave it at that... the more I think about it the more I have to assume that it has happened. If these security products are any bit effective you have to wonder if they are being disabled by some crooked IT guy with a Bitcoin account then runs this stuff from the inside, then profits. How would you track it? Maybe they were paid off by someone else and given a cut of the take? I don't know that any of these products could do anything about that situation. Maybe there are also physical security issues that can't be addressed with software.
I forgot to respond to this. But you never get to hear about how these attacks took place and what defense systems they were using, this would clear things up quite a bit. Sometimes I wonder if big IT security companies perhaps forbid their customers to publish this information? Because it might make them look bad when they couldn't prevent such an attack.
No question- cover-up is the name of the game in today's context. Saving "face" is what they are all about. Essentially, they likely censor any explanation of what really happened or might have happened. That is why we never can find a clear explanation as to what IT was doing or not doing to foil the attacks.
Yes exactly, it's seems way too shady. Why not give full disclosure so that it can also help other companies?
