AV-TEST: Advanced Threat Protection Test against Ransomware

Discussion in 'other anti-virus software' started by Rasheed187, Jan 9, 2022.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
  2. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,210
    Location:
    SinCity (aka Las Vegas)
    Good stuff. It seems that if these tests are accurate, there is a gap between the reported incidents of successful ransomware attacks and the preventive power of the AVs. Of course, these may not be enterprise editions, but unless many users and IT departments are totally incompetent, what the hell is going on?
     
  3. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,257
    Location:
    North of the 38th parallel.
    Hello @Rasheed187

    For those who may have forgotten, Malwarebytes Anti-Ransomware (MBARW) Beta 10 ("Perpetual") v0.9.19.73 - CU 1.1.443 remains free and it was updated just a few weeks ago. MBARW will install/run as long as MB3/4 free is not installed.

    The fully functional ARW module is already baked into Malwarebytes for Windows (MB4) Premium.

    Announcement/download: https://forums.malwarebytes.com/forum/172-anti-ransomware-beta/ and https://www.malwarebytes.com/solutions/ransomware-protection
    Malwarebytes Blog: https://blog.malwarebytes.com/malwa...ducing-the-malwarebytes-anti-ransomware-beta/
    Wilders: https://www.wilderssecurity.com/threads/malwarebytes-anti-ransomware-beta.383333/

    HTH
     
    Last edited: Jan 10, 2022
  4. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,210
    Location:
    SinCity (aka Las Vegas)
    Windows Defender is functionally doing the same thing.
     
  5. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,173
    No ESET or Kaspersky here huh?
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,150
    Location:
    USA
    I'm not sure if this is one of those tests that you have to pay to participate in. It looks like everyone passes. I don't know if that is because of the test or if most mainstream products will get the job done. In any case I am far from worried about the products you named. I don't think anyone cares anymore. Discussions of these tests used to go on for 50 pages. Now they rarely get 50 responses.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    Also, no Avast/AVG, McAfee.

    The way these special tests by AV labs work is that AV concerns that are clients can opt out of being shown in the published report.
     
  8. entropism

    entropism Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    481
    Well, this forum is near dead as it is.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,705
    Location:
    Outer space
    I thought the low number of AVs tested was related to it being expensive to test a lot of them. But if they test a low number, why not well-known names instead of copy/paste rebranded stuff like Total AV? (I thought PC Matic was pretty bad as well, but apparently they detected all samples.)

    As for me, I know what is good and what isn't, have read enough AV tests in the past. Some real world tests and special tests like exploit tests are still somewhat interesting. I wish some promising newcomers like SecureAPlus and WiseVector would be tested to see how they compare.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,150
    Location:
    USA
    Exactly. A test like this isn't going to make me switch products; previous tests and personal experience do. Sometimes these are entertaining, but not so much these days, as they all score similarly. You have to run what you like more than worry about test results.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    I for one have issues with this test.

    Referring to Microsoft Defender: all ransomware samples were detected upon initial access, the only tested product to do so. I am interpreting the "initial access" detection as being any attempt to access files under MD's Controlled Folders protection. The problem is that the first two tests involved Excel attachments containing a malicious macro. This also implies that no app exclusions had been set up for Controlled Folders. I would assume that Excel, given that MS Office was installed, would be an app allowed access to Controlled Folders?
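    To check the point itman raises, whether Excel is on the Controlled Folder Access allowed-app list, here is an added PowerShell snippet (not from the thread, and not Microsoft's own code) that reports the CFA mode, the protected folders and allowed apps, flags any Office executables among the allowed apps, and lists recent CFA block/audit events (IDs 1123 and 1124 in the Defender operational log). It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated session; the Office binary names it looks for are my assumption.

```powershell
# Added example: inspect Defender Controlled Folder Access (CFA) configuration
# and recent CFA events. Assumes an elevated PowerShell session on Windows 10/11.
$pref = Get-MpPreference

# Values of EnableControlledFolderAccess as documented for Set-MpPreference:
# 0 = Disabled, 1 = Enabled (block), 2 = Audit mode. Other values are newer
# disk-modification-only variants; they are reported raw here.
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$mode  = [int]$pref.EnableControlledFolderAccess
$label = if ($modes.ContainsKey($mode)) { $modes[$mode] } else { "Other ($mode)" }
Write-Host "Controlled Folder Access mode : $label"

Write-Host "`nProtected folders (in addition to the built-in defaults):"
$pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }

Write-Host "`nApps allowed through CFA:"
$allowed = @($pref.ControlledFolderAccessAllowedApplications)
if ($allowed.Count -eq 0) { "  (none configured)" } else { $allowed | ForEach-Object { "  $_" } }

# Assumption: these are the Office binaries a macro-based ransomware sample
# would typically run under. If any is on the allowed list, CFA will not
# stop a malicious macro in that app from writing to protected folders.
$officeBins = 'EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$officeAllowed = $allowed | Where-Object {
    $officeBins -contains (Split-Path $_ -Leaf).ToUpper()
}
if ($officeAllowed) {
    Write-Host "`nWARNING: Office apps are on the CFA allow list:"
    $officeAllowed | ForEach-Object { "  $_" }
} else {
    Write-Host "`nNo Office apps are on the CFA allow list."
}

# Recent CFA decisions: 1123 = blocked, 1124 = audited (audit mode only).
Write-Host "`nRecent Controlled Folder Access events:"
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

    If no 1123/1124 events appear while CFA is in Block mode, Defender did not block anything through CFA, which helps separate a CFA block from a cloud/behaviour detection when reading a report like the one discussed here.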
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,642
    Location:
    Slovenia, EU
    I believe that initial access is initial access to the file in mail, before the file could be opened or launched, and not initial access to protected files.

    [attached screenshot]

  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    No, I don't think WD monitors the file system for suspicious file activity as is done by HMPA, Malwarebytes and AppCheck. WD is simply trying to identify suspicious behavior via the cloud.

    Yes, weird that they chose to test less known brands like PC Matic and Protected.Net, they should have included Avast, ESET and Kaspersky.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Yes, good question, I also wonder about this. I do know that a lot of successful attacks on companies are via zero-days in corporate software like Citrix and MS Exchange, but you would think it shouldn't matter for AVs; they should still be able to protect. So my guess is that hackers may be capable of successfully disabling AV software. However, this stuff should be spotted by EDR systems like MS Defender ATP, so it remains shady.
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,150
    Location:
    USA
    We probably also have to consider that some of these might be inside jobs... :isay:
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    LOL, let's hope not.
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,150
    Location:
    USA
    As much as I wanted to agree and leave it at that... the more I think about it, the more I have to assume that it has happened. If these security products are at all effective, you have to wonder if they are being disabled by some crooked IT guy with a Bitcoin account who then runs this stuff from the inside and profits. How would you track it? Maybe they were paid off by someone else and given a cut of the take? I don't know that any of these products could do anything about that situation. Maybe there are also physical security issues that can't be addressed with software.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    I forgot to respond to this. But you never get to hear about how these attacks took place and what defense systems they were using; this would clear things up quite a bit. Sometimes I wonder if big IT security companies perhaps forbid their customers from publishing this information, because it might make them look bad when they couldn't prevent such an attack.
     
  19. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,210
    Location:
    SinCity (aka Las Vegas)
    No question, cover-up is the name of the game in today's context. Saving "face" is what they are all about. Essentially, they likely censor any explanation of what really happened or might have happened. That is why we never can find a clear explanation as to what IT was doing or not doing to foil the attacks.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Yes, exactly, it seems way too shady. Why not give full disclosure so that it can also help other companies?
     