Overview of techniques and attacks in Windows 11

WHEN USING INTERNET BANKING

Test of security solutions in blocking attacks on Internet banking

We have used the Caldera Framework tool to simulate a hacker’s activity. This software allows to connect to an infected device through reverse shell using TCP, UDP, HTTP. In case of blocking one of attack vectors, we have switched to the next protocol until it was successful. If an attack was still blocked, we considered the test passed. In addition, we have used the Python programming language to develop malicious software.

Placing a malicious file in the victim’s system is an important aspect of testing. In this test scenario, there is no need to have the Python environment installed on a victim’s device because malware was previously compiled into a single executable file (EXE) using the PyInstaller tool. We haven’t been using packers because they are easy to identify by developers of security software.
Testing labs often use protocols (HTTP and HTTPS) to place malware in the system because it is the most common attack vector in the real-life situations. We wanted to avoid a file being uploaded to the system by a browser because developers have mastered techniques of blocking 0-day files. FTP and SFTP are less popular vectors, and the main purpose of the test was to check the operation of modules to block attacks on Internet banking (regardless of the initial protocol of cyberattack).
All security suites have been installed on default settings unless the annotation in the table below states otherwise. For example, if protection against keyloggers was turned off by default, we activated this feature before starting the test.
Malicious software was intentionally downloaded to the system using FTP, rather not popular in spreading threats. The purpose of tested protection solutions was to detect and stop an attack at any stage: before running, after running, or after establishing connection to a hacker’s server.
By running malware or other dangerous scripts, we always try to force a protection solution to save logs as well as to display warning notifications. We do it because we want a threat to be clearly blocked or removed.

If a threat was not blocked on default settings, we experimented with other settings of a security suite. It is important that an attack triggers antivirus warnings.

Dostarczenie szkodliwego pliku do systemu ofiary to ważny aspekt testowania. W tym scenariuszu nie było potrzeby, aby na urządzeniu ofiary znajdowało się środowisko Python, ponieważ złośliwe oprogramowanie zostało wcześniej skompilowane do jednego pliku wykonywalnego EXE przy użyciu narzędzia PyInstaller. Nie używaliśmy packerów, ponieważ są one łatwe do zidentyfikowania przez producentów oprogramowania ochronnego.

Laboratoria testujące często korzystają z protokołu HTTP i HTTPS, aby dostarczyć malware do systemu, ponieważ jest to najczęstszy wektor ataku w świecie rzeczywistym. Chcieliśmy uniknąć sytuacji, kiedy plik trafia do systemu przez przeglądarkę, ponieważ producenci w dobrym stopniu opanowali techniki blokowania plików zero-day. Mniej popularnym wektorem jest FTP i SFTP, a dodatkowo głównym celem badania było przetestowanie działania modułów do odpierania ataków na bankowość internetową niezależnie od początkowego protokołu zainicjowania cyberataku.

Wszystkie pakiety bezpieczeństwa były zainstalowane na ustawieniach domyślnych, chyba że adnotacja poniżej w tabelce stanowi inaczej. Jeżeli np. ochrona przed keyloggerami była domyślnie wyłączona, to aktywowaliśmy funkcję przed rozpoczęciem testu.

Złośliwe oprogramowanie celowo było pobierane do systemu protokołem FTP, raczej niezbyt popularnym w rozprzestrzenianiu zagrożeń. Zadaniem testowanych rozwiązań ochronnych było wykryć i zatrzymać atak na dowolnym etapie: przed uruchomieniem, po uruchomieniu lub nawiązaniu połączenia z serwerem hakera.

Uruchamiając złośliwe oprogramowanie lub inne niebezpieczne skrypty, zawsze postępujemy tak, aby zmusić rozwiązanie ochronne do zapisywania logów, jak również wyświetlania komunikatów ostrzegawczych. Postępujemy w taki sposób, ponieważ chcemy, aby zagrożenie zostało wyraźnie zablokowane albo usunięte.

Jeśli zagrożenie nie było zablokowane na ustawieniach domyślnych, to eksperymentowaliśmy z innymi ustawieniami pakietu ochronnego. Ważne jest jest, aby atak zainicjował wyświetlenie ostrzeżenia antywirusowego.

We have awarded the quality certificate for security software that seamlessly has managed to detect and block all threats and cyberattacks.
Results of the Internet banking protection test
Click on the developer’s logo to quickly scroll to the table.

COMODO Advanced Endpoint Protection

12.9.0.8649 - Configuration "Windows - Security Level 3 Profile v.6.42" with "Custom Firewall Rules as Allow for Web Browsers in Virtual Desktop" has been applied.

Clipboard capture: part 1

Clipboard capture: part 1 The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Comodo does not allow unknown applications to run. It automatically sends them to sandbox which is a safe area.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

Clipboard capture: part 2 The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Comodo does not allow unknown applications to run. It automatically sends them to a sandbox which is a safe area.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

Clipboard swap The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Comodo detects an untrusted file that connects to a hacker’s server. The HIPS module prevents a file from running and tags it as unrecognized (limited access to the system).

Protocol HTTP

The threat has been stopped before.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Comodo does not allow unknown applications to run. It automatically sends them to a sandbox which is a safe area.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

Comodo does not allow unknown applications to run. It automatically sends them to a sandbox which is a safe area.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 2

Screen capture: part 2 The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protokół FTP

Comodo detects an untrusted file that connects to a hacker’s server. The HIPS module prevents a file from running, and tags it as unrecognized (limited access to the system).

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Comodo detects an untrusted file that connects to a hacker’s server. The HIPS module prevents a file from running and tags it as unrecognized (limited access to the system).

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Comodo detects an untrusted file that connects to a hacker’s server. The HIPS module prevents a file from running and tags it as unrecognized (limited access to the system).

Protocol HTTP

The threat has been stopped before.

Banking protection from COMODO

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
After activating a virtual environment, a user can run, for example, suspicious attachments without worrying about security, and check their harmfulness. Technology protects devices against keyloggers, trojans, worms, screenloggers, and also isolates processes, preventing malicious code from being injected into a browser in a virtual environment. The HIPS module monitors the system and an application activity. The so-called sandbox automatically protects against 0-day threats that antivirus engine cannot detect with signatures and file scanning in the cloud. Comodo is a powerful tool to protect the system against 0-day malware and cyberattacks.

ESET Smart Security

15.0.18.0

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Connection with a hacker’s server cannot be established because Eset detects unsafe outgoing connection.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

Clipboard capture: part 2 The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Connection with a hacker’s server cannot be established because Eset detects unsafe outgoing connection.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Malicious software could change the content of the system clipboard, regardless of the enabled banking mode.

Protokół HTTP

Malware has been blocked in a browser.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Keylogger has been neutralized before running.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

The test has been passed, but it was required to enable the interactive mode for a firewall to manually block sending screenshot to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Connection with a hacker’s server cannot be established because Eset detects unsafe outgoing connection.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Connection with a hacker’s server cannot be established because Eset detects unsafe outgoing connection.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Connection with a hacker’s server cannot be established because Eset detects unsafe outgoing connection.

Protocol HTTP

The threat has been stopped before.

Banking protection from ESET

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
During the test, the firewall module provided an important value by detecting malicious connections. A useful feature is the Internet banking protection which protects the system WinAPI against keyloggers. An isolated browser is immune to most network attacks. Unfortunately, no technology was sufficiently effective to prevent a clipboard hijacking attack when using Internet banking.

F-SECURE Total

18.1

Clipboard capture: part 1

Clipboard capture: part 1 The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

The F-Secure banking mode prevents the system clipboard from being sent to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Connection to a hacker’s server cannot be established because the system is protected by the banking mode.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number

Protocol FTP

Connection to a hacker’s server cannot be established because the system is protected by the banking mode.

Protocol HTTP

The threat has been stopped before.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

F-Secure does not allow keystrokes to be sent during an active banking session.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

The upload of a screenshot to a hacker’s server has been blocked by the F-Secure banking mode.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Connection to a hacker’s server cannot be established because the system is protected by the banking mode.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Connection to a hacker’s server cannot be established because the system is protected by the banking mode.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Connection to a hacker’s server cannot be established because the system is protected by the banking mode.

Protocol HTTP

The threat has been stopped before.

Banking protection from F-SECURE

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
During an active banking mode, all other Internet connections are temporarily disabled. F-Secure secures a device quickly and automatically, but a user has a full control of everything. Banking protection from F-Secure prevents connections, so no malicious software can reach a hacker’s server.

G DATA Total Security

25.5.11.316

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

It was impossible to capture the system clipboard from area protected by G Data.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Connection to a hacker’s server could not be established because a threat has been blocked by G Data.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Malicious software could change the content of the system clipboard, regardless of enabled firewall mode and antivirus settings.

Protocol HTTP

There is no improvement in protection against threats spread by a browser.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Protection against keyloggers was effective. This has prevented keystrokes to be captured.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

Screenshot has been sent to a hacker’s server despite the use of the interactive mode (malicious applications has gained access to SFTP).

Protocol HTTP

There is no improvement in protection against threats spread by a browser.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Connection to a hacker’s server could not be established because a threat has been detected by G Data.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Connection to a hacker’s server could not be established because a threat has been detected by G Data.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Connection to a hacker’s server could not be established because a threat has been detected by G Data.

Protocol HTTP

The threat has been stopped before.

Banking protection from G DATA

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
G Data is a comprehensive software suite that protects against attacks and Internet threats. The most important components are a firewall and antivirus protection covering most protocols, including the DeepRay technology. Complexity of protection is based on supporting all protocols through which a user communicates with the Internet. Unfortunately, in two scenarios, that was not what we expected from the suite of the German developer, so we point out areas for improvement.

KASPERSKY Total Security

21.3.10.391

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

It was impossible to capture the clipboard when the Safe Money mode is active.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Connection with a hacker’s server through malware cannot be established. Malicious application is controlled by the antivirus modules of Kaspersky.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Malicious software could change the content of the system clipboard when the banking mode was enabled, regardless of protection settings.

Protocol HTTP

Malware has been blocked in a browser.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Kaspersky Secure Browser has effectively been protecting against keylogger activity.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

We have not found application settings that would effectively prevent screenshots from being sent during Internet banking via SFTP.

Protocol HTTP

Malware has been blocked in a browser.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Connection with a hacker’s server through malware cannot be established. Malicious application is controlled by the antivirus modules of Kaspersky.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Connection with a hacker’s server through malware cannot be established. Malicious application is controlled by the antivirus modules of Kaspersky.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Connection with a hacker’s server through malware cannot be established. Malicious application is controlled by the antivirus modules of Kaspersky.

Protocol HTTP

The threat has been stopped before.

Banking protection from KASPERSKY

Description of unique components of banking protection to allow a better understanding how technology protects users during an active online session.
The Safe Money module plays an important role in securing online sessions. It suggests opening a secure browser which is resistant to injecting malicious DLLs, or even reading sensitive information entered a browser from RAM. Theoretically speaking, an attacker or malicious software cannot swap the content of the system clipboard. Unfortunately, we have succeeded. In this area, developer should apply better security for less popular protocols.

MICROSOFT Defender

Configuration had all security features enabled, among others: Windows Firewall, SmartScreen, PUA blocking. For HTTP, the test was done on the EDGE browser, instead of Chrome.

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

An untrusted application has accessed to the network despite all security features enabled

Protocol HTTP

The threat has been blocked by Microsoft Defender SmartScreen.

Clipboard capture: part 2

The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Windows Firewall has displayed a warning to an untrusted application which allowed to block a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Untrusted application has accessed to the network despite all security features enabled.

Protocol HTTP

The threat has been blocked by Microsoft Defender SmartScreen.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Microsoft Defender has not blocked a keylogger – it was possible to send keystrokes to a hacker’s server.

Protocol HTTP

The threat has been blocked by Microsoft Defender SmartScreen.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

A screenshot has been successfully sent to a hacker’s server.

Protocol HTTP

The threat has been blocked by Microsoft Defender SmartScreen.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Windows Firewall has displayed a warning to an untrusted application which allowed to block a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Windows Firewall has displayed a warning to an untrusted application which allowed to block a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Windows Firewall has displayed a warning to an untrusted application which allowed to block a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Banking protection from MICROSOFT

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
Microsoft Defender works best with the SmartScreen system feature that analyzes files downloaded from the Internet, and applications from Microsoft Store for their source of origin, checksums, and patterns found on black list of files. All this information is provided to the antivirus in the form of signatures. The SmartScreen technology, although it effectively protects against suspicious files and warns if a file does not have a digital signature, it is not effective enough if malicious software enters the system different way than a browser, for example, through a pendrive, exchange protocol, or email client. Developer should improve blocking unknown threats besides a browser.

MKS_VIR internet security

2021.11.04

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

mks_vir detects running applications and closes them when Secure Browser is launched.

Protocol HTTP

The threat has been stopped before.

Banking protection from MKS_VIR

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
The mks_vir Safe Browser provides a high level of security when using Internet resources, especially banking and payment operations as well as those requiring sensitive data. Safe Browser works closely with other modules of the mks_vir suite, and continuously monitors the system security level, not allowing for sensitive data to end up in the wrong hands. Developer has applied protection based on “white lists” of processes which means that running processes are checked before Safe Browser is launched. The decision as to which process should be closed and which should be kept, depends on user preferences.

NortonLifeLock 360 Standard

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Malicious application is stopped by the Download Insight module. It is not possible to run a threat.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Clipboard capture: part 2

Clipboard capture: part 2 The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Firewall in automatic mode displays a warning that an untrusted process attempts to access the Internet.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Malicious application is stopped by the Download Insight module. It is not possible to run a threat.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Malicious application is stopped by the Download Insight module. It is not possible to run a threat.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

Malicious application is stopped by the Download Insight module. It is not possible to run a threat.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Firewall in automatic mode displays a warning that an untrusted process attempts to access the Internet.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Firewall in automatic mode displays a warning that an untrusted process attempts to access the Internet.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Firewall in automatic mode displays a warning that an untrusted process attempts to access the Internet.

Protocol HTTP

Zagrożenie zostało zatrzymane już wcześniej.

Banking protection from NortonLifeLock

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
During the test, protection against 0-day files was properly reacting to banking threats. This security is based on file reputation, so unknown files and scripts are blocked by NortonLifeLock. Undervalued firewall is a useful module that is marginalized in some security suites. It turns out that with a firewall with the IPS module based on attack signatures it is possible to block hacker attacks and detect the unauthorized network traffic, both ingoing and outgoing.

SOPHOS Home

3.5.0

Clipboard capture: part 1

The test whether malicious software written in Python can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

With Sophos technology, it was impossible to capture the clipboard from the protected process of a browser.

Protocol HTTP

The threat has been stopped before.

Clipboard capture: part 2

The test whether malicious software from the Caldera framework can capture the content of the system clipboard and send information to a hacker’s server.

Protocol FTP

Running unknown 0-day file has been blocked. It was not possible to establish a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Clipboard swap

The test checks whether malicious software can modify the content of the system clipboard, for example, copy bank account number.

Protocol FTP

Unfortunately, the system clipboard has been successfully swapped.

Protocol HTTP

Malware has been blocked in a browser.

Keylogging

The test checks whether malicious software can record keystrokes when logging into a bank account and send information to the attacker’s Gmail account.

Protocol FTP

Even though, a keylogger has been running in the background when using Internet banking, the anti-keylogger technology from Sophos encrypts keystrokes in a browser. It is not possible to capture them even by malware.

Protocol HTTP

The threat has been stopped before.

Screen capture: part 1

The test checks whether malicious software written in Python can take screenshots when using Internet banking.

Protocol FTP

Unfortunately, a threat has successfully taken a screenshot and sent it to a hacker’s server.

Protocol HTTP

Malware has been blocked in a browser.

Screen capture: part 2

The test checks whether malicious software from the Caldera framework can take screenshots when using Internet banking.

Protocol FTP

Running unknown 0-day file has been blocked. It was not possible to establish a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Hidden desktop

The test checks whether malicious software can establish a remote connection to a hacker’s server during an active banking session.

Protocol FTP

Running unknown 0-day file has been blocked. It was not possible to establish a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Password theft

The test checks whether malicious software can isolate sensitive information, such as credit card numbers, passwords, logins, or bank account numbers.

Protocol FTP

Running unknown 0-day file has been blocked. It was not possible to establish a connection to a hacker’s server.

Protocol HTTP

The threat has been stopped before.

Banking protection from SOPHOS

Description of unique components of banking protection in order to allow a better understanding how technology protects users during an active online session.
Sophos Home offers high-level protection against threats. In practice, the anti-keylogging technology has proven to work properly because we were not able to capture keystrokes. The low-reputation file warning technology plays an extremely important role in protecting against new threats, although a file extension does not matter. It turned out, however, that the protocol for delivering files to the system is relevant, so Sophos Home in two cases had problem detecting malicious software. This area needs to be improved by the developer.

CONTACT US!

Please write to us if you have additional questions about the test, or you would like us to test other security software in the next edition of Internet banking security.

Report a mistake or suggestion

If you notice a mistake or have a suggestion of editing contect, you can report it using the form below.
* All fields are required.

Tests