AVLab - "Protection test against drive-by download attacks" (April 2017)

"In recent months, viruses that were infecting personal computers and employee
workstations through drive‐by download attacks have been playing a major role in
global threats. These techniques are commonly used in exploit kits, tools that make it
easy to automatically search for vulnerabilities (mostly installed in browsers and plug‐
ins). They optimize and adapt exploits to an operating system version and an
architecture, and an installed browser.

(...)
In this unique test, we wanted to check if comprehensive security applications
protect against attacks which use software vulnerabili⵼es. If it was necessary, we
enabled protection against exploits, as well as website scanners. All other options
were set to default."
https://avlab.pl/sites/default/files/68files/avlab_drive_by_download_test_en.pdf

 

Kaspersky and Bitdefender at the top, as in all other tests.

Webroot. Windows Defender.

 

After the ransomware test another very interesting one by AVlab. Unfortunately, most of the av solutions lack adequate protection against scripts in a powershell interpreter, which is a real pity because nowadays it is one of the most used vector for infection.

 

Nice review indeed.
About Comodo (which I use), they said "Software provider Comodo quickly implemented appropriate security rules for scripts and applications run by a PowerShell interpreter"

I know that in CCAV they added an option to block incoming and outgoing internet connections of sandboxed apps. I wonder if that's what AVlab mentioned

 

Disable powershell. Doing so eliminates an attack vector that uses the PS shell - which is what most powershell attacks do. However, powershell can be still be launched from a custom executable or *.dll. Those attacks are generated using pen-testing frameworks such as Powershell Empire.

 

AVLab (Poland) : "Protection test against drive-by download attacks"

and the winner is......... Arcabit (Poland).

 

All the free AV's tanked

 

Too bad that Emsisoft was not tested...

 

"Emsisoft has not agreed to the tests and therefore is not included in the results."
https://avlab.pl/test-antywirusowej-ochrony-przed-atakami-drive-download#comment-1811

 

Thnx for explanation.

 

Curious given Emsisoft IS's excellent results in their Ransomware Test**. Was Emsisoft afraid of something about this particular test and if so was it the validity/integrity of the testing method or something about Emsisoft IS/AM that caused the concern?

**
https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf

 

ESET [Business and Individual User] , Norton, and Quick Heal [Individual User] also in this test.

 

Out of coincidence...

 

Was about to post the same.

 

@anon
@ArchiveX
Hmmm...I should probably say something...OK...MkS_Vir (created in 1987) was from Poland and SpyShelter is from Poland too and Polish programmers - girls and boys...are on the top of the world ranking.
Look at that
http://nearshore-it.eu/firma/news/408-polish-female-programmers-some-of-the-best-in-the-world
https://neoteric.eu/why-poland-is-one-of-the-best-places-to-outsource-software-development
https://blog.hackerrank.com/which-country-would-win-in-the-programming-olympics/
http://www.businessinsider.com/which-countries-have-the-best-computer-programmers-2016-8?IR=T
http://www.web.gov.pl/eng/news/671_4509.html

 

All these home products received the highest rating:

Arcabit Internet Security
Bitdefender Total Security Multi-Device 2017
Eset Smart Security 10
Kaspersky Total Security 2017
Norton Security 2017
Quick Heal Total Security 17.00

 

All paid products

 

MBAE or Hmp.a would have stopped the attack?

 

These are top solutions that score well in almost all tests, almost all the time, so no surprises here.

 

Well said

 

It's obvious that they are so good. That's why ArcaBit uses a 3rd party engine (Bitdefender).

Futher to the AVLab tests, is Arkabit so good on the rest AV Testing Labs?

 

Didn't read the report yet, but what's your take on it, did they test everything in the correct way, did everything make sense?

 

Actually, I like this lab's creativity when it comes to testing. For example when they tested AV products in their last on-line banking comparative, no one passed all the tests. The awarding in that test was to the products that scored highest.

 

If you set up the firewall sandbox according to Cruelsister1's settings, the incoming and outgoing sandboxed connections are blocked. I haven't looked at the latest CCAV. Kind of like CCAV, but my comfort zone is Comodo Firewall. It works.