MRG Effitas – Real World Exploit Prevention – March 2015 (sponsored by Surfright)

Discussion in 'other anti-malware software' started by FleischmannTV, Apr 7, 2015.

  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I thought @Peter2150 gave a good example when he explained what happened when he tested against some crypto variants:
    It seems to me that if the various components are enabled in the AV, in this case Emsisoft, the payload is either detected by signature or behaviour analysis. It's not the exploit it is detecting, but in this scenario EIS is obviously stepping in first IF it can detect the payload.
     
    Last edited: Apr 16, 2015
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Tony

    No, you have it about right.

    Pete
     
  3. Zoltan_MRG

    Zoltan_MRG Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    31
    Thank you for reporting the version number bug; we have fixed it now.
    We already wrote how we downloaded and updated the products. The real question is not "why were we not using the latest versions" but "why is the latest version not delivered to the users". We see this problem at almost every test, across different vendors.
     
  4. Zoltan_MRG

    Zoltan_MRG Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    31
    During this test, we did not keep a log of which protection component blocked the malware. For Trend Micro, it was the URL blocking in most of the cases. For Emsisoft, I believe it was the File Guard, but this is just an impression rather than hard evidence.

    For some products, it is easy to find out which component blocked the attack; for others, it is next to impossible. And because of the different protection techniques/layers used across different products, we decided not to complicate the test further.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Well, apparently all layers were enabled in this test, yet it still failed to block a lot of payloads.

    OK, this makes sense. So if I understood correctly, you could only pass the test if you could block payloads from running at all. So of course, tools which can block memory corruption had a bigger chance of performing well, because in general AVs can't identify all malware variants, and behavior blockers might not be able to stop all malicious behavior and won't immediately terminate payloads.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I believe the important point is the following:

    It is not economically feasible or necessary for a security vendor to provide for "theoretical" malware. If they cover real world malware, that is good enough for me.
     