AVLab - "Protection test against drive-by download attacks" (April 2017)

Discussion in 'other anti-virus software' started by ichito, Jun 20, 2017.

  1. guest

    guest Guest

    The difference between Zemana and SecureAPlus indicates that Zemana is most probably no longer using third-party engines in their "cloud" and is only based on their own tech. This explains why they are scoring poorly in every single test lately.
     
  2. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    CCAV includes an option to block incoming and outgoing from sandboxed apps. Like you, I feel more comfortable with Cruel CIS. I would love to see Meghan test CFW and CCAV using the same nasties.
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Well, if you test samples from the Polish malware pool, of course that could make a Polish vendor score better. But who are we to say this test is biased? Maybe it really was the best product.
     
  4. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yes, and that option was introduced in v1.11, while AVlab tested v1.10.

    If you look at page 20 they wrote:
    The exception to this rule is also Comodo software, which has implemented a local sandbox mechanism and unknown-file scanning in the cloud, both ensuring that running unknown applications and scripts (.ps1, wscript.exe, .vba, .cmd, .bat, cmd.exe, .pl, .pdf, powershell.exe and others) won't access a network, so they won't do any serious damage to the system.

    I agree, CIS (or even CFW) is superior to CCAV and much more tunable.

    But CCAV does have some great advantages:
    • it doesn't require kernel-level drivers, so it's less likely that it will break your OS
    • it is really simple and lightweight, it can be used out of the box with the highest security level
    • it receives regular updates that bring new interesting features without messing it up
    Yeah, this would really be great :)
    Let's poke @cruelsister :p
     
  5. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    Well, I do not believe in...coincidences...;)
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  8. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    31
    Location:
    Poland
    Hello everybody. As the owner of AVLab I have to tell you that Fabian's opinion explains nothing. In my opinion, if I wanted to hack somebody, I would use custom tools and custom malware for the attack and post-exploitation. So what, that we should (in Fabian's opinion) use real live malware? But in fact you need to perform several steps:

    1. You have to prepare the malicious software.
    2. A C&C server is also necessary.
    3. And most important - the malware has to communicate with the C&C server.

    Malware that is found in the wild will not allow us to examine all aspects described in the test. We would have to have access to the hacker's console. That is impossible! Therefore, to carry out a real attack, you need your own tools, malware and command-and-control server.

    If we did as Fabian would like, then other vendors would complain to us that the test did not count because the malware did not communicate with the hacker's server, so it could not do any harm to the Windows system.

    This is my opinion and I have a feeling that you think the same.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Well, it explained why Emsisoft didn't participate in this test. Since that was my question, it explained it all to me.
     
  10. guest

    guest Guest

    Totally agree
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hi Adrian...it's nice to see you here :thumb:
    +1 to your comment.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see. I just read that Emsisoft doesn't believe in these artificial tests. But I think these tests are very useful, they often expose weaknesses in certain protection tools.
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Yes...they are like "pentests" of security apps.
     
  14. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    31
    Location:
    Poland
    Moreover, I think that Fabian wants to tell us that the situation where testers create new malware to check antivirus protection is maybe not ethical? For example: if I have malicious software captured by a honeypot or a malicious attachment (real live malware), and this malware is detected by most antiviruses, that is good for all vendors? Right? Of course :)

    But if I use some packers for executable compression, this malicious software would not be detected, or the result would be much different -> example test: https://avlab.pl/wiekszosc-mobilnych-antywirusow-jest-po-prostu-kiepska-test-57-aplikacji I described a similar test in November 2016, in which packers were used to change the checksum of mobile malware (original report: http://www.iswatlab.eu/wp-content/uploads/2015/09/mobile_antimalware_evaluation.pdf). In fact, this is a new collection of malware created by testers - and maybe some vendors may not agree with this.

    Nevertheless, I think that this is a normal and typical situation to copy the behaviour of cybercriminals and malware authors. They really use this kind of tools, so why can't we, since we share the results with vendors and help to improve the security of their software.

    What's more, one of the vendors accused us in a previous test (on ransomware protection: https://avlab.pl/wielki-test-oprogramowania-dla-domu-i-dla-firm-do-ochrony-przed-krypto-ransomware) that we should use only malware that has been tested by another source :) Of course, a source that the manufacturer has access to. This is another nonsense.

    We cannot make it easy for antivirus vendors. Have you ever wondered why most anti-viruses in AV-Comparatives tests have about 99-100% detection? Is this the real effectiveness of some anti-virus? I do not think so. You probably don't either.
     
    Last edited: Jun 24, 2017
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Last edited: Jun 24, 2017
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @adrian_sc , how about creating an English language ver. of your web site?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also as far as I am concerned, this type of testing is very relevant in light of the recent UK university incidents where ransomware was delivered via exploit and drive-by download upon access to a web site with a malicious advertisement. Reports to date state this was a 0-day.
     
  18. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    31
    Location:
    Poland
    I do not know. Translating each article is an additional cost. But we are working on a COLOSSUS project where we will run tests automatically (something like AV-C). This unique script is based on the programming languages Python and NodeJS, and so far tests are performed on virtual machines. The COLOSSUS project is planned to be in English. In a month or two we will have a beta version. I attached the algorithm, also in a beta version :) Some things may change.

    Right. The same incidents happened in Poland. More than 1000 websites have been infected (for example: government websites, universities, and, this is very interesting, one forum website belonging to an antivirus vendor) and redirected visitors to a malicious landing page (with the RIG-V Exploit Kit: https://avlab.pl/rig-exploit-kit-w-...e-strony-uczestnicza-w-atakach-drive-download Google Translate should be a very useful tool).
     


  19. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Yes, if they are done right. The problem is: People rarely get it right. Diagnostic UIs, so people watch what happens, are a classic (see the HeiligDefense test tool) or they miss certain steps like MRG did with assuming that no AV would block hidden browser add-on installation in one of their artificial tests and just assumed that their key logger addon would just magically appear on a system. Bottom line is, for these reviews you would have to create test cases that are so close to actual malware, that they may very well be indistinguishable from malware for all intents or purposes. Depending on where you are living and where your company is located, that may actually be illegal. It certainly is in Germany.

    I don't mind that at all, as long as you use those tools on actual malware, check that the malware is still functional and those tests are done not only on-demand but while they attempt to infect a real system as well.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below is a recent Eset detection. It appears the malware folks are now using cookies on HTTPS web sites for their drive-by attacks. Also, you don't need a vulnerability to get nailed by a drive-by download. I have had two of these attempts in recent months and my system is fully patched:

    Eset_Cookie.png
     
    Last edited: Jun 25, 2017
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @adrian_sc

    When you tested Windows Defender, was Win 10 native SmartScreen enabled? I assume it was, since it's a Win 10 native protection and enabled by default. Also, based on my testing, it offers zip protection against browser-based exploits, drive-by downloads, etc.

    -EDIT- Also would love to see a drive-by test of Windows Defender using either IE11 or Edge with SmartScreen enabled in those browsers. This would resolve whether SmartScreen is an effective mitigation against exploits and drive-by downloads as claimed.
     
    Last edited: Jun 25, 2017
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @adrian_sc - One last question.

    Do you believe ad blockers are an effective mitigation against browser-based malware drive-by downloads that trigger upon web page display? Is it possible for the drive-by download to execute prior to ad blocker execution, especially if browser plug-in/add-on based?
     
  23. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    31
    Location:
    Poland
    Sorry itman, but it was disabled to keep the rules fair for all security software, but of course that is a good suggestion for future tests. We'll take that into consideration.

    Yes, this is possible. Blocking scripts may effectively protect against drive-by downloads. Unfortunately, the websites that are added to exceptions can also be infected, and then you cannot defend against a malicious script.

    With blocking plugins - it is possible. Malicious redirects are very often triggered by infected ad campaigns. By blocking ads you have basic protection. It turns out that blocking ads is not only for faster page loading, but also for greater security and privacy.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thanks for the reply. I also do hope you will perform a special test of Windows Defender with native SmartScreen enabled. Also using IE11 or Edge w/SmartScreen enabled.

    One of the current "never ending" discussions here on Wilders by the Windows Defender fans is that any AV lab test result of it is bogus since SmartScreen is always disabled. I really would like that discussion ended with an AV lab test that verifies browser-based SmartScreen effectiveness against web-delivered malware; primarily malicious script, drive-by download, and exploit blocking. If it can be shown that SmartScreen is not effective against any of these, then the fact that AV labs routinely disable SmartScreen in their testing is, in reality, a moot point. Additionally, the testing needs to be performed against unknown malicious web sites, real or simulated, since SmartScreen's primary detection method is web site URL/IP address blacklisting.
     
    Last edited: Jun 26, 2017
  25. adrian_sc

    adrian_sc Registered Member

    Joined:
    Jun 24, 2017
    Posts:
    31
    Location:
    Poland
    I think that SmartScreen is a good line of defense and therefore is disabled when testing security products other than Windows Defender - malicious software couldn't be executed (if a digital signature does not exist? [as I think...]), so it is not possible to check the actual protection of the security product. That is why SS is mostly disabled. Most malware would be stopped, but you should also be aware of fake detections (false positives).

    Also, the combination of SS and Windows Defender is a good proposition and very rational. However, in tests where viruses are tested automatically, it cannot be clearly and easily checked whether the threat has been stopped by SS or by WD.
     
    Last edited: Jun 26, 2017