Antivirus protection test against drive-by download attacks

19 June 2017

Attacks that exploit software vulnerabilities are difficult to detect. Detection becomes even harder when attackers gain control over a computer through completely undetectable vulnerabilities, known as FUD (Fully Undetectable) or 0-day vulnerabilities, which are known only to a very small group of people, mostly in cyber-criminal circles but also among hardware and software vendors. Incidents of this type are particularly dangerous, especially when the victim has to deal with an APT (Advanced Persistent Threat), that is, an advanced, prolonged attack. Social engineering, which is almost always involved, combined with an effective watering hole tactic puts users in a losing position.

One way to execute malicious code on a victim's device is to deliver malicious software, for example via e-mail. This is not an ideal method, but sooner or later a well-prepared attack will convince a user to open the attachment. It must, however, be preceded by reconnaissance of the software the victim uses, or it must rely on an application that is used by many people in the targeted region.

AVLab experts focused on another scenario, one that is more difficult to carry out but at the same time very effective. They checked whether, by exploiting vulnerabilities in Firefox, an attacker is able to gain remote access to the infected computer and view the contents of drives and folders, steal files, capture screenshots, download additional malicious files using the PowerShell interpreter, and change security settings, for example those of Microsoft Office, by manipulating registry key values.

Security software that includes a firewall and an IPS (Intrusion Prevention System) module can scan incoming and outgoing traffic, and is therefore in a privileged position compared with products that provide only basic antivirus protection. For this reason, separate recommendations were awarded to solutions that have a firewall and to products that do not have such a mechanism.

We encourage readers to read the entire report. Its introduction describes drive-by download attacks and explains how they are carried out. The next part presents the detailed methodology and the main assumptions of the study. The report closes with an interpretation of the results, information from the testing process (among other things, on AVLab's cooperation with manufacturers to improve security) and the necessary guidelines that must be followed.

The test shows one more relationship, namely between the effectiveness of antivirus software with basic protection and that of security suites, which are often paid and offer so-called comprehensive protection. In both cases, it turns out that most antivirus software is completely unsuitable for protecting computers against the range of drive-by download attacks used in the test. Fortunately, there are exceptions to this rule: the antivirus products that received the "BEST +++" certificate.

The test was very difficult for all manufacturers. Computers protected by antivirus software were subjected to real-world attacks using techniques that cyber criminals use every day. Only six suppliers of security applications were able to stop all attempts to circumvent protection.

  • Arcabit (Poland): Arcabit Internet Security, Arcabit Endpoint Security
  • Bitdefender (Romania): Bitdefender Total Security multi-device 2017, Bitdefender GravityZone
  • Eset (Slovakia): Eset Smart Security 10, ESET Endpoint Security
  • Kaspersky Lab (Russia): Kaspersky Total Security 2017, Kaspersky Endpoint for Windows 10, Kaspersky Small Office Security
  • Quick Heal (India): Quick Heal Total Security 17.00, Seqrite Endpoint Security 7.2
  • SecureAge Technology (Singapore): SecureAPlus
  • Symantec (USA): Norton Security 2017
 

Download full report in English or Polish.
