MRG Effitas Comparative Efficiency Assessment of Enterprise Security Suites against In-the-wild Rans

Discussion in 'other anti-virus software' started by itman, Jun 5, 2017.

  1. itman

    http://media.kaspersky.com/pdf/201704-MRG-Ransomware-Test.pdf
     
  2. Rasheed187

    Thanks for posting, I still have to read the full report, but this is going to be interesting. Seems like Sophos Intercept X didn't perform as well as expected.
     
  3. itman

    Also for folks that want an effective free stand-alone anti-ransomware solution, Kaspersky's scored 100%; same as their full Enterprise solution.
     
  4. thanhtai2009

    Honestly, I don't trust any of these sponsored tests - that's all.
     
  5. xxJackxx

    I don't expect that the sponsorship affects the results. That said, you aren't going to sponsor a test you aren't going to do well in.
     
  6. itman

    There is a testing note in the report in regard to Intercept X. It protected files "commonly" targeted by ransomware, but other file extensions were encrypted, e.g. .txt, .exe, etc. Sage ransomware targets Python extensions, i.e. .py, which Intercept X allowed to be encrypted.
     
  7. Rasheed187

    Yes, on second thought, results weren't THAT bad. But as usual I have to comment on the fact that MRG never explains how all of those malware/ransomware samples were stopped, was it via signature or behavior blocking? This is interesting to me.
     
  8. itman

    Actually, they did explain it in Section 5 of the report. Stated there was whether the product detected by behavior, with some files being encrypted prior to detection. It is also noted in the footing section of the detection results chart.

    Of note was that Kaspersky was configured to run with max. protection settings, whereas Eset ran with their default settings.
     
    Last edited: Jun 6, 2017
  9. Rasheed187

    Yes, but it doesn't answer my question. For example, Kaspersky and Eset both had a 100% detection rate, but they don't tell how they managed to block all of the samples. They might as well have blocked them all via signature.

    We all know how many ransomware variants there are, and how easy it is to bypass signature detection. So you must also offer behavior-based detection to catch new variants. So it would be cool to know just how good the behavior-based detection of all of these products is. It would be cool if they could do this same test with tools like RansomOff, RansomFree and Appcheck.
     
  10. itman

    I believe it would be accurate to state that most AV products use a combination of signature, heuristic, and cloud rep analysis to determine if an unknown executable is attempting ransomware-like activities. All these products are geared to blocking any program, script, etc. activity rather than detecting ransomware post-execution phase. This ensures that any secondary payload malware is blocked from installing.
     