Antivirus protection test against exploits

An exploit, i.e. malware that takes advantage of a programming error in the system or in an installed application, is not the most common kind of malware. It has an advantage over common macro viruses or malicious JavaScript scripts because it is used to execute code with the privileges of the logged-in user. Exploits are also harder to detect, because in most cases such attacks are delivered through vulnerabilities in the browser or in installed extensions. In addition, they can remain hidden for a long time, as happened during the infection of the Polish Financial Supervision Authority's servers (it took 5 months to detect the threat).

The exploit-protection test carried out here verified how security products cope with popular exploitation techniques.

35 different simulations were developed, including:

1. A purpose-written application was used to test the system's DEP (Data Execution Prevention) function, found in modern operating systems. The purpose of this protection is to prevent code from being executed from the data segment, which helps defend against exploits that rely on buffer overflows. DEP works in two modes: hardware mode, in which the processor marks memory pages as non-executable, and software mode, which gives limited protection and is used when the processor cannot mark memory pages as non-executable. The first version of DEP appeared in Windows XP Service Pack 2.

2. A purpose-written application was also used to test the ASLR functionality. The ASLR mechanism was first used in Windows Vista. Address Space Layout Randomization (ASLR) protects against (read: hampers) buffer-overflow attacks carried out by an exploit. In a nutshell, this mechanism randomizes the addresses at which an application's memory (stack, heap and loaded modules) is placed, so that none of the essential system components (including exe, dll and sys files) can be easily located by the malicious code of a foreign application. Exploitation is harder when the malicious code "does not know" where in memory a legitimate application resides at a given moment.

3. This scenario checked protection against the "process hollowing" technique, used by some malicious programs to replace the code of a legitimate application with malicious instructions.
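To make the first two scenarios concrete, here is an added example (not the tool used by the testers, nor anything from the page's products) of how a defender can verify that DEP/NX and ASLR are actually enforced on a host. It is written for Linux with CPython 3 on x86-64 (the Windows tool in the test would use VirtualAlloc instead of mmap, but the idea is identical): the DEP probe writes a harmless single `ret` instruction into a read/write page and, in a forked child, tries to call it; if NX is enforced the child dies with SIGSEGV. The ASLR probe starts fresh interpreters and compares where libc's `malloc` lands in each; differing addresses mean the layout is randomized. The function names and the `ret` opcode constant are this example's own assumptions.

```python
import ctypes
import mmap
import os
import subprocess
import sys

# Constructed sample "code": a bare x86-64 `ret` (0xC3). If the page were
# executable this would simply return; under DEP/NX the call faults instead.
# Assumption: x86-64. On another architecture the byte is meaningless, but an
# NX fault still happens before it is ever decoded.
RET_X86_64 = b"\xc3"


def probe_nx() -> str:
    """Return "enforced" if calling into a read/write-only page is blocked
    (DEP/NX active), or "not enforced" if the call returned normally.

    The call is made in a forked child so the parent survives a SIGSEGV.
    """
    page = mmap.mmap(-1, mmap.PAGESIZE, prot=mmap.PROT_READ | mmap.PROT_WRITE)
    page.write(RET_X86_64)
    # Address of the page; the temporary ctypes view is released immediately,
    # so the mmap can still be closed afterwards.
    addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
    fn = ctypes.CFUNCTYPE(None)(addr)

    pid = os.fork()
    if pid == 0:
        fn()            # faults here when NX is enforced
        os._exit(0)     # only reached if the data page was executable
    _, status = os.waitpid(pid, 0)
    page.close()
    return "enforced" if os.WIFSIGNALED(status) else "not enforced"


def probe_aslr(runs: int = 3) -> bool:
    """Spawn `runs` fresh interpreters, read libc's malloc address from each,
    and return True if the addresses differ (module bases are randomized)."""
    snippet = (
        "import ctypes; "
        "print(ctypes.cast(ctypes.CDLL(None).malloc, ctypes.c_void_p).value)"
    )
    seen = set()
    for _ in range(runs):
        out = subprocess.check_output([sys.executable, "-c", snippet], text=True)
        seen.add(out.strip())
    return len(seen) > 1


def mitigation_report() -> dict:
    """Collect both probes into one dict a monitoring job could record."""
    return {"dep_nx": probe_nx(), "aslr": probe_aslr()}


if __name__ == "__main__":
    for name, value in mitigation_report().items():
        print(f"{name}: {value}")
```

A "not enforced" DEP result or an ASLR result of False on a production host is worth an alert on its own: either mitigation being absent makes the buffer-overflow scenarios described above far easier, regardless of which endpoint product is installed.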

The test used publicly available tools such as DoublePulsar, Mimikatz, ShellterPro, Backdoor Factory and others, which were used to reproduce 35 techniques of injecting DLL libraries and executing custom malicious code. Most of these tools are available on GitHub, free of charge for every tester and criminal alike. How they are used depends primarily on the moral backbone of the person sitting on the other side of the monitor.

Tested systems:

  • Microsoft Windows 7 Professional x64 (6.1.7601 Service Pack 1).
  • Microsoft Windows 10 Pro (10.0.16299 Fall Creators Update).

Tested security products:

  • McAfee Endpoint Security with Threat Protection
  • Symantec Endpoint Protection
  • Trend Micro Smart Protection for Endpoints
  • CrowdStrike Falcon Prevent
  • Sophos Intercept X
  • SentinelOne Endpoint Protection
  • Microsoft Windows 10 Professional with Windows Defender installed (Fall Creators Update)
  • Microsoft Windows 10 Professional with Windows Defender installed and Exploit Guard enabled (Fall Creators Update)
  • Product A (by agreement with the vendor, the product's name was not disclosed)

The following results do not reflect the overall effectiveness of products, but rather the effectiveness of protection against exploits.

Figure: Exploit protection test (summary of results)

The summary uses the following colour code:

  • Green means a positive result: the product stopped the exploit or recognized the attack before the malicious code ran. In addition, some techniques or tools did not work on Windows 10 (because it is better hardened than Windows 7); such cases were counted in favour of the security product.
  • Yellow means the attack technique was recognized and blocked before the malicious code ran, but with a caveat (e.g. in some cases PowerShell was used, which some security products flag as carrying elevated risk).
  • Gray marks situations where the testers found that the product did not stop the threat, while the manufacturer maintained that the product had been configured incorrectly.
  • Red means a negative result.

Detailed results divided into 35 types of attacks and exploitation techniques:

Figure: Exploit protection test (detailed results)

We are not surprised that Sophos obtained the best result in the test it sponsored. No, no - we are not accusing MRG Effitas of manipulating the results. The second explanation is more likely: Sophos felt so confident in its defence against exploits that it paid for such a test to prove to competitors and potential customers that it is simply better in this category. The most striking finding, however, is that Microsoft's native system protections proved worse at securing the Windows environment than software created by third parties.
