Protection effectiveness of EDR solutions against Internet threats

22 April 2024

We dedicate this edition to EDR (Endpoint Detection and Response) solutions and take the opportunity to recap some terminology. The primary purpose of EDR is to help security teams make better decisions when handling incidents reported from employees' devices. EDR makes incident management much easier: for example, issues can be routed to designated malware and network-traffic analysts, intrusion traces can be searched for in real time, and irregularities in the security posture of each endpoint can be pointed out. In general, solutions equipped with EDR modules let businesses avoid unnecessary expenses, because a single product is cheaper to implement, manage, configure, integrate, and maintain on a yearly basis than several separate solutions from different developers. For antimalware software with an EDR or XDR module, a holistic approach to security works better in practice than a fragmented set of IT products.

In March 2024, during the Advanced In-The-Wild Malware Test, we acquired well over 400 unique URLs pointing to malware samples. As a reminder, the samples are obtained from real online sources: messengers, websites, and honeypots. Each sample is then carefully checked to confirm that it is actually harmful. That way we do not waste time testing "junk samples", and we use the remaining set to assess protection against threats from a variety of Internet sources.

Our tests comply with the guidelines of the Anti-Malware Testing Standards Organization. Details about the test are available at this website as well as in our methodology.

In March 2024, we tested the following solutions for business and government institutions:

  • Emsisoft Enterprise Security + EDR
  • Microsoft Defender for Business + EDR
  • ThreatDown Endpoint Protection + EDR
  • Xcitium ZeroThreat Advanced + EDR

And solutions for home users:

  • Avast Free Antivirus
  • Bitdefender Total Protection
  • Comodo Internet Security Pro
  • Eset Smart Security Premium
  • F-Secure Total
  • Panda Dome
  • McAfee Total Protection
  • Malwarebytes Premium
  • Webroot Antivirus

March 2024 Test Summary

New to the test was Microsoft Defender for Business with the EDR module, which, as it later turned out, received the EXCELLENT certificate from the AVLab Cybersecurity Foundation because it met the required minimum of 99% total protection across the PRE-Launch and POST-Launch levels. Also new to the test was Bitdefender Total Protection, a product designed for individuals and microbusinesses, which was certified for its effectiveness as well.

In total, we tested over a dozen solutions. Almost all of them neutralized 100% of the in-the-wild threats. If you would like to learn more, visit the results webpage, where we break down the blocking of threats by the stage at which it happened. We also calculate the average time needed to completely neutralize a threat (the life cycle of the malware in the system).

The most important technical data is fully transparent and available on the RECENT RESULTS webpage together with the results. We also publish the so-called threat landscape, which is based on data from the March 2024 test.

The average response time across all developers was about 33 seconds. The following solutions coped best with blocking and flawless removal of threats:

  • F-Secure (0.559 seconds on average)
  • McAfee (1.167 seconds on average)
  • Avast (10 seconds on average)
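To make the scoring described above concrete, here is an added example (not AVLab's own tooling) that applies the two measures the summary mentions to a per-sample result set: total protection, counted as the share of samples blocked at either the PRE-Launch or the POST-Launch level, checked against the 99% certificate minimum, and the average time to fully neutralize a threat. The record format, the field names, the product labels "A" and "B" and the sample URLs are constructed for illustration and are not test data from the page.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Minimum total protection (percent) for the EXCELLENT certificate, as stated on the page.
CERT_THRESHOLD = 99.0

# Stage at which a sample was stopped; "missed" means the threat ran unhindered.
STAGES = ("pre-launch", "post-launch", "missed")


@dataclass(frozen=True)
class SampleResult:
    """Outcome of one malicious URL against one product (constructed record format)."""
    url: str
    stage: str                  # one of STAGES
    seconds: Optional[float]    # time until the threat was fully neutralized, None if missed


def summarize(results: List[SampleResult]) -> Dict[str, object]:
    """Per-stage counts, total protection in percent and mean time to neutralize."""
    if not results:
        raise ValueError("no samples to score")
    counts = {stage: 0 for stage in STAGES}
    for r in results:
        if r.stage not in counts:
            raise ValueError(f"unknown stage label: {r.stage!r}")
        if r.stage == "missed" and r.seconds is not None:
            raise ValueError(f"missed sample {r.url} cannot have a response time")
        counts[r.stage] += 1
    blocked = counts["pre-launch"] + counts["post-launch"]
    times = [r.seconds for r in results if r.seconds is not None]
    return {
        "samples": len(results),
        "pre_launch": counts["pre-launch"],
        "post_launch": counts["post-launch"],
        "missed": counts["missed"],
        "total_protection": 100.0 * blocked / len(results),
        "avg_seconds": mean(times) if times else None,
    }


def certified(summary: Dict[str, object]) -> bool:
    """True when total protection meets the page's 99% minimum."""
    return summary["total_protection"] >= CERT_THRESHOLD


# Constructed test data: five URLs against a hypothetical product "A" (all blocked),
# and a 400-URL run against a hypothetical product "B" with a single miss.
PRODUCT_A = [
    SampleResult("http://sample-1.example.invalid/payload", "pre-launch", 0.5),
    SampleResult("http://sample-2.example.invalid/payload", "pre-launch", 0.6),
    SampleResult("http://sample-3.example.invalid/payload", "pre-launch", 0.7),
    SampleResult("http://sample-4.example.invalid/payload", "pre-launch", 0.8),
    SampleResult("http://sample-5.example.invalid/payload", "post-launch", 10.0),
]
PRODUCT_B = [
    SampleResult(f"http://sample-{i}.example.invalid/payload", "pre-launch", 1.0)
    for i in range(1, 400)
] + [SampleResult("http://sample-400.example.invalid/payload", "missed", None)]

if __name__ == "__main__":
    for name, run in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        s = summarize(run)
        print(name, s, "certified" if certified(s) else "not certified")
```

Product "B" illustrates why the sample count matters: one miss in a 400-sample run still leaves 99.75% total protection, above the certificate threshold, whereas the same single miss in a handful of samples would fail it. The average time deliberately excludes missed samples, since there is no neutralization to time.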

Not all developers were able to detect and block every in-the-wild threat sample. In this edition, a confirmed negative result was recorded for Eset Smart Security Premium, as well as for Bitdefender Total Security and Panda Dome Advanced.

Although we do not use PUP/PUA samples in the test, in home and small-office environments it is always worth enabling such detection, and we use these settings ourselves. In a business environment, given the many security features available, it is worth enabling all available modules: rollback, isolation of devices with detected incidents, protection of MS Office documents, and so on.

In the "Advanced In-The-Wild Malware Test" series we use the default settings of the products under test. Presets are good, but not always the best. Therefore, for the sake of full transparency, we list the settings we enabled for better protection or because the developer requires them.

In addition to the changes below, we always configure each solution in two ways: first, we install its dedicated extension for the Firefox browser, which we use in our tests (if such an extension is available); second, we set the software to automatically block, remove, and repair incidents.

The configuration of the software is as follows:

  • Avast Free Antivirus: default settings + automatic repair of PUP + browser protection.
  • Bitdefender Total Security: default settings + crypto miners detection + browser protection.
  • Eset Smart Security Premium: default settings + browser protection, plus:
    • LiveGrid enabled.
    • PUA detection enabled.
    • LiveGuard set to "kill process and clean".
    • Protection and detection at the "balanced" level.
  • F-Secure Total: default settings + browser protection.
  • Comodo Internet Security Pro: default settings.
  • Emsisoft Enterprise Security: default settings + automatic repair of PUP + EDR + Rollback + browser protection.
  • Malwarebytes Premium: default settings + browser protection.
  • McAfee Total Protection: default settings + browser protection.
  • Microsoft Defender for Business: default settings + EDR.
  • ThreatDown Endpoint Protection: default settings + EDR + browser protection.
  • Webroot Antivirus: default settings + browser protection.
  • Xcitium ZeroThreat Advanced: predefined policy -> Windows Secure Profile 8.1 + EDR.