We carried out three security tests in March and April 2020, and we now publish a list of popular antivirus products for securing workstations and home computers. The test covers 12 specialized solutions for individual users and 9 products for medium and large businesses.
The studies were a response to the threat trends observed in the first quarter of 2020: cybercriminals continue to extort money through attacks involving file-encrypting malware. In addition, they hide malicious code in Office documents. Encrypting files with ransomware has become more dangerous because, during the global paralysis of social life, hospitals and universities are attacked and the results of researchers' work are irretrievably lost.
For micro-entrepreneurs and individual users:
- ARCABIT Internet Security
- AVIRA Antivirus Pro
- AVIRA Prime
- COMODO Internet Security
- EMSISOFT Anti-Malware
- MICROSOFT Windows Defender Antivirus
- MKS_VIR Internet Security
- SECUREAPLUS Pro
- SOPHOS Home Premium
- TREND MICRO Maximum Security
- WEBROOT Antivirus
- ZONEALARM Extreme Security
For larger companies:
- BITDEFENDER GravityZone Elite
- CHECK POINT Endpoint Security
- COMODO Advanced Endpoint Protection
- EMSISOFT Business Security
- ESET Endpoint Protection Advanced Cloud
- F-SECURE Protection Service for Business
- G DATA Endpoint Protection Business
- KASPERSKY Endpoint Security Cloud
- WEBROOT Endpoint Protection
Main objectives of the test
To verify the effectiveness of popular applications that protect personal computers and workstations against the most common threats and cyberattacks seen since the beginning of 2020.
In the last quarter, cybercriminals understood that in order to avoid detection by traditional security tools, they need to combine popular types of malware with modern attack techniques. According to reports from global IT companies, fileless attacks will be a very common phenomenon in the coming quarters. The use of this kind of evasion increased by several hundred percent, as Trend Micro observed in late December 2019. Automated tools for finding vulnerabilities in applications, programmed by hackers, are now more technically capable than before. They are also harder to observe because they require no user interaction to execute malicious code.
Destroying the work of universities, public hospitals and private clinics that are working together to contain disease is an acute problem. It is hard to understand what primitive motives drive criminals and why they turn against science and healthcare. The actions of online criminals have negative consequences for the economy, as we have observed in recent weeks. Major news services reported incidents in which healthcare and educational institutions were forced to pay a ransom to recover data encrypted in a cyberattack.
Cyberthreat trends in 2020 underline the need to invest in solutions that give users detailed reporting of significant changes to systems and networks. Developers and providers of IT solutions should take responsibility for the solutions they deliver to companies and end users. On the other hand, enterprises must understand the risk, start protecting themselves proactively against attacks, and also mitigate the effects of potential attacks. Most organizations cannot afford even basic network security, let alone maintaining 24-hour security monitoring teams. Companies should consider collaborating with an experienced provider of security services who will help them protect IT systems against modern cyberattacks.
Malicious Office documents
Macros can easily be combined with social engineering techniques in phishing campaigns. Document circulation in enterprises is normal, and the Office suite installed by default forces us to protect IT systems against infection attempts.
An organization that loses access to its data can have not only a serious P.R. problem but also a financial one, due to penalties imposed under the so-called RODO (the Polish name for the GDPR). Attacks involving ransomware samples are still popular. Hackers focus mainly on medium and large organizations, without excluding public institutions. And now they are no longer just trying to extort a ransom in exchange for data decryption: criminal activity has become more menacing because of the growing trade in the contents of stolen files on forums on the Tor network.
Fileless techniques for infecting IT systems
Modern operating systems already include built-in tools that criminals use, so they do not need to install malicious software. A PowerShell script is easy to obfuscate and therefore cannot be detected by older security tools. Administrators commonly use PowerShell to automate certain activities, and the running of system processes such as PowerShell or Windows Management Instrumentation is not unusual in a corporate environment.
Methodology and other information
Tools to simulate attacks and malware samples
The test was carried out in three successive stages, each using a certain number of malware samples. For the sake of transparency, we publish the checksums of the first five samples qualified for each stage. We do not provide complete information about all samples because each product's fiche is limited by the maximum number of characters that fit on one page of the document.
All samples were checked for harmfulness before being launched on machines with the solutions installed. We had to make sure that we analyzed cases with working viruses able to infect Windows 10. We used so-called in-the-wild samples, meaning threats that are spreading on the Internet.
To run the test, we used:
(1) 65 malicious Office documents (Word and Excel).
(2) 28 ransomware samples.
(3) 2 simulated fileless attacks.
In the first and second scenarios, we wanted to check whether the tested security software could deal with selected threats found on the Internet. Malicious files were delivered one by one through the Chrome or Edge browsers to machines with the solutions installed. We then observed the reaction of the protection products after launching each virus.
There is no shortage of easily accessible tools on the Internet that are used by red-teaming specialists. Cybercriminals use the same or modified applications, which is why in the third scenario, simulating fileless attacks, we used the Metasploit software and the Unicorn tool, both available on GitHub.
- The first part of the attack consisted of delivering a file with the .BAT extension to the victim's system and observing the response to a command executed in PowerShell. A process established a connection to the attacker's server. If this succeeded, we then tried to steal test files located in the user's folders, to check whether this could be done without alerting the tested product.
- The second type of attack consisted of delivering a file with the .HTA extension to the victim's system through a malicious website. The interpreter for these files is the MSHTA.exe application, which executes the script commands of Microsoft HTML Application files. They have the .HTA extension and run outside a browser. Interestingly, the use of the MSHTA interpreter is not limited to files with this extension.
Tool for collecting logs
The whole test was carried out manually, which is why we were able to observe each product's reaction to a threat in real time. In some cases there was no clear response to the malware, which resulted from the default configuration. Sometimes an unknown sample is not explicitly blocked: it may be monitored by a product without a warning message being displayed. Detailed logs were helpful at this stage.
To collect logs we used Sysmon, the most advanced application of this kind from Microsoft. It is used to track changes in the Windows system. It is ideal as a comprehensive tool for dynamic analysis of malware because it records in real time, among other things:
- Creation of a new process.
- Termination of a process.
- Network connections.
- Various file events.
- Loading of a driver or DLL.
- Access to process memory by another process.
- Registry access: creating, modifying and removing keys.
- WMI events.
- Attempts to interfere with the Sysmon process.
We recommend using the XML configuration file, with rules for tracking events in Windows, prepared by Mark Russinovich from Microsoft and Thomas Garnier from Google.
Sysmon is a tool known to cybercriminal groups, so it is recommended to harden its settings from the moment of installation. A modified installation prevents (to some extent) the Sysmon processes from being detected by malware that might stop the system services responsible for gathering information about suspicious activity.
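As an added example (not part of the original report or of Sysmon itself), the following Python triage runs detection rules over constructed Sysmon Event ID 1 (process creation) records modelled on the two fileless scenarios above: a .BAT file that launches PowerShell, and an .HTA file handed to mshta.exe. The field names follow Sysmon's process-creation event; the sample records, rule names and flag list are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 (process create) records, reduced to the
# fields the rules need; these are sample data, not logs from the test.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd /c "C:\Users\victim\Downloads\invoice.bat"',
     "CommandLine": "powershell -nop -w hidden -ep bypass -enc QQBCAEMA"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentCommandLine": "chrome.exe",
     "CommandLine": r'mshta.exe "C:\Users\victim\Downloads\update.hta"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "iexplore.exe"}
# PowerShell switches that hide the window, skip the profile, bypass the
# execution policy or carry a base64 payload (abbreviated forms included).
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(?<!\S)-(?:nop\w*|w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b|"
    r"e(?:xecution)?p(?:olicy)?\s+bypass)")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules one Sysmon record matches."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd, parent_cmd = event["CommandLine"], event["ParentCommandLine"]
    hits: List[str] = []
    # .HTA scenario: mshta.exe spawned by a browser or handed an .hta file.
    if image == "mshta.exe" and (parent in BROWSERS or ".hta" in cmd.lower()):
        hits.append("mshta_script_host")
    if image in ("powershell.exe", "pwsh.exe"):
        flags = SUSPICIOUS_PS_FLAGS.findall(cmd)
        if len(flags) >= 2:  # a single flag is common in legitimate admin use
            hits.append("powershell_obfuscated_launch")
        # .BAT scenario: cmd.exe running a batch file that stages PowerShell.
        if parent == "cmd.exe" and ".bat" in parent_cmd.lower() and flags:
            hits.append("batch_to_powershell_stager")
    return hits

def triage_all(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Pair each record's image name with its hits, dropping clean records."""
    return [(basename(e["Image"]), h) for e in events if (h := triage(e))]
```

Calling `triage_all(SAMPLE_EVENTS)` flags the first two records and leaves the `-File` backup script alone, which is the kind of distinction the "no clear response" cases above required the logs for.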
Versions of the applications tested
We updated signature databases every day before the test whenever a developer had made new files available in an official release. Accordingly, we always checked the effectiveness of protection on the latest versions of the antivirus software. Developers can obtain detailed information by contacting us.
Every machine with Windows 10 Pro and a security application installed was configured in the same way. Google Chrome was the default browser. All updates from Windows Update were paused during the test. The Windows system had been updated to the latest version several days before the test.
Reports sent to developers
Prior to issuing this report, we reported all results to the developers we managed to contact. Not everyone responded on time. Developers who took up the challenge but did not achieve the maximum protection results are marked with corresponding information on the product's card.
The results of the three security tests
The results are available separately for each solution tested. To download detailed information, please click on the logo. The table below lists the tested products in alphabetical order: