Test: Anti Malware Solutions in comparison
After the last article on the subject of antivirus (or rather: anti-malware) has dealt with the field of consumer solutions, we are now talking business.
As opposed to the private sector, we are dealing with a completely different category of threats in the business sector:
- Not only wide-spread attacks but also advanced, targeted attacks and APTs (Advanced Persistent Threats) must be countered
- Time-consuming tactics such as social engineering are much more commonly used in the business area
- Even a single successful attack can cause devastating damage
- Complex network structures, often including hundreds or thousands of workstations, are hard to survey. Thus attacks (and successful attacks) are often only discovered after weeks – if at all
- The costs of stand-stills in production, data loss or unintentional “knowledge transfer” are immense, as is the image damage
- As a result, there is an opportunity to make a lot of money. The existence of insurances against cyber attacks shows that companies (unfortunately often too late) are willing to spend a lot of money. This naturally attracts criminals.
It seems pretty obvious that the money is better spent on protective measures than on paying a cyber-extortionist – or a dubious insurance. However, attacked companies often find themselves in the situation that paying the criminals (for example, in the case of a ransomware attack) is cheaper than suffering the serious consequences when several production sites are paralyzed for a few days.
But what about the next blackmailer? And the one after that?
In order not to become a cash cow for cybercriminals, intelligent defence systems are required that can thwart an attack before it starts causing any damage.
Endpoint Defence is essential
In the year of 2017 the entry point for successful attacks – no matter how sneaky and sophisticated they may be – is basically still a compromised computer or endpoint. From here the attackers attempt to work their way through the network to reach critical systems.
Endpoint security solutions must constantly adapt to new threats in today’s world. What appears to be a game-changer is the inclusion of artificial intelligence (AI) to better detect potentially harmful software.
The goal of our investigation was to draw a comparison between the new generation of endpoint security solutions and traditional AV products that have been on the market for quite some time.
The question is: Is the detection rate of traditional antivirus products still sufficient or do the new solutions offer a significant advantage in the fight against current malware?
CylanceProtect version 1400
CylanceProtect takes a whole new approach to combating malware and exploits. As the identification of malware is almost exclusively based on artificial intelligence, machine learning techniques are used to recognize whether a file is good or malicious. The AI detects malware by examining binaries and dlls without having to execute them (pre-execution and predictive). In addition to the AI, Cylance uses additional protection modules such as Script Control to protect against VBA scripts or Excel macros, which are frequently used for example during ransomware attacks.
SOPHOS Endpoint Protection 2017 with Intercept X
Intercept X extends the SOPHOS anti-virus protection for enhanced threat- and exploit detection. Unauthorized encryption (such as Ransomware) is prevented by a separate module of Intercept X (CryptoGuard). Intercept X is intended to detect zero-day malware through these extensions, prevent them in advance and thus complement the classic AV approach by means of signature databases.
Palo Alto Networks Traps version 3.4.3
Traps is mainly specialized in exploits, but also provides appropriate protection against malware. Traps uses the “WildFire” cloud developed by Palo Alto Networks. Executables are uploaded to WildFire, where they are analyzed and evaluated using sandbox techniques among other methods. WildFire then returns a corresponding verdict as to whether the executables are good or bad.
Symantec Endpoint Protection 14
Symantec’s professional solution provides many new and improved detection features in addition to its signature database. For example, behavioral analysis, machine learning, and static analysis for detecting malware are included.
Kaspersky Endpoint Security for Business Advanced 2017
Kaspersky Endpoint Security for Business provides protection for the PC, Mac and mobile devices. The protection modules are similar to Symantec EP 14. An anti-virus scanner with a signature database is integrated and additionally there is a heuristic analysis of files. Modules such as a password manager, protection for mobile devices, a firewall and program control are integrated as well.
Test setup and methodology
A total of 559 malware samples, packed with a packer (mpress.exe), were used in the test. Packing is used to mutate the malware samples so that they have new signatures and their hash values are therefore “unknown”. As a rule of thumb, the file size of a mutated sample is smaller than that of the original. However, mutated malware samples can still execute their malicious code. Ordinary anti-virus systems should no longer be able to detect the malware using their signature database. The malware samples were then executed. The key criterion for testing the endpoint security solutions was the detection rate.
- All endpoint security solutions were tested under the same conditions for 30 days in the first quarter of 2017
- Internet Connection was provided on the test machines in order for the malware samples to use their full potential, e.g. by downloading other malicious files, and for the endpoint security solutions to show their best results (e.g., through cloud connectivity).
- Only mutated samples with new unknown hash values were used.
- The latest zero-day malware (approx. 150 samples) and ransomware (approx. 70 samples) were used for the test. The remaining malware samples were no older than 30 days.
- The signature databases (if any) of Endpoint Security Solutions were fully updated.
- If the endpoint security solution had a scan function (true for all tested solutions except Traps), the malware samples were scanned before execution.
- Finally, the malware samples were executed and the detection rate was determined.
The malware samples were obtained from various well-known sources. The following were used:
http://dasmalwerk.eu, http://malc0de.com/database/, http://testmyav.com
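The two checks that the methodology above relies on, verifying that a mutated sample really has an unknown hash before it is admitted to the test set, and computing the pre-execution and overall detection rates per product from the scan-then-execute verdicts, as an added example. This is not the test tooling used by iT-CUBE SYSTEMS; the sample bytes, the XOR "mutation" standing in for the packer, the product names and the verdicts are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for sample files. The bytes are arbitrary text and carry
# no payload; only their hashes matter for the "unknown hash" check.
ORIGINAL_SAMPLES = {
    "sample-001": b"ORIGINAL sample one (constructed bytes)",
    "sample-002": b"ORIGINAL sample two (constructed bytes)",
    "sample-003": b"ORIGINAL sample three (constructed bytes)",
}

# In the article the mutated build is the packer's output. Here a trivial byte
# XOR stands in for that step (assumption, not the packer's behaviour).
MUTATED_SAMPLES = {
    name: bytes(b ^ 0x5A for b in data) for name, data in ORIGINAL_SAMPLES.items()
}
# Constructed failure case: sample-003 was left unchanged, so its hash is still known.
MUTATED_SAMPLES["sample-003"] = ORIGINAL_SAMPLES["sample-003"]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a sample, the identifier signature databases key on."""
    return hashlib.sha256(data).hexdigest()


def select_unknown_samples(candidates: dict, known_hashes: set) -> dict:
    """Admit only candidates whose hash is absent from the known-hash set.

    The methodology requires "only mutated samples with new unknown hash values";
    any candidate that still matches a known hash would measure the signature
    database instead of the product's heuristics, so it is dropped.
    """
    return {
        name: data
        for name, data in candidates.items()
        if sha256_hex(data) not in known_hashes
    }


@dataclass(frozen=True)
class Verdict:
    sample: str
    product: str
    detected_on_scan: bool  # flagged by the on-demand scan before execution
    detected_on_run: bool   # flagged once the sample was actually executed


# Constructed verdicts for two hypothetical products over five samples.
# A product without a scan function (as Traps in the test) would simply
# record detected_on_scan=False for every sample.
VERDICTS = [
    Verdict("s1", "nextgen-A", True, False),
    Verdict("s2", "nextgen-A", True, False),
    Verdict("s3", "nextgen-A", True, False),
    Verdict("s4", "nextgen-A", True, False),
    Verdict("s5", "nextgen-A", False, True),
    Verdict("s1", "legacy-B", True, False),
    Verdict("s2", "legacy-B", False, True),
    Verdict("s3", "legacy-B", False, True),
    Verdict("s4", "legacy-B", False, False),
    Verdict("s5", "legacy-B", False, False),
]


def detection_rates(verdicts: list, product: str) -> dict:
    """Per-product rates as the article reports them: pre-execution and overall.

    A sample counts as detected overall if it was caught at either stage; it
    counts as detected pre-execution only if the scan caught it before it ran.
    """
    rows = [v for v in verdicts if v.product == product]
    if not rows:
        raise ValueError(f"no verdicts recorded for {product!r}")
    n = len(rows)
    pre = sum(1 for v in rows if v.detected_on_scan)
    overall = sum(1 for v in rows if v.detected_on_scan or v.detected_on_run)
    return {
        "samples": n,
        "pre_execution_pct": round(100 * pre / n, 1),
        "overall_pct": round(100 * overall / n, 1),
    }


if __name__ == "__main__":
    known = {sha256_hex(d) for d in ORIGINAL_SAMPLES.values()}
    admitted = select_unknown_samples(MUTATED_SAMPLES, known)
    print("admitted to test set:", sorted(admitted))
    for product in ("nextgen-A", "legacy-B"):
        print(product, detection_rates(VERDICTS, product))
```

The known-hash set should contain every hash a tester can obtain for the unpacked originals, not just the ones shown here; a mutated file that collides with any of them is not measuring what the test claims to measure.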
Next-gen solutions offer superior detection rates
The result of this study is that the new generation offers a clear advantage over conventional endpoint security solutions in terms of detection rate and performance.
CylanceProtect, Palo Alto Networks Traps and SOPHOS Endpoint Protection with Intercept X achieve detection rates of more than 95%. The conventional solutions fall far short of this rate: even under ideal conditions, their detection remains at around 75% at most.
Particularly noteworthy is the use of artificial intelligence (AI) by CylanceProtect. Cylance was the only tested product to detect more than 80% of the malware samples before they were even executed. As a result, most malware does not get the slightest chance to do any harm at all.
Another advantage of the new solutions is that they require much fewer updates than conventional antivirus software, or even continue working without any. The benefits are clear: the next-generation solutions can also be rolled out without stress in complex network structures and do not require permanent online access to update themselves. (More details on the test results in the free Whitepaper)
Another critical area was tested: the solutions’ impact on system performance.
The next-generation solutions proved to be a significant improvement in this aspect as well. In the idle state, the processor load of all tested products was about 2-3%. However, when malware was running, utilization rose to 100%, especially with the conventional solutions. The corresponding workstation was therefore virtually unusable for an extended period of time.
This is not the case with computers equipped with CylanceProtect or Traps. Malware was handled quietly in the background, using less than 10% of processing capacity.
In terms of memory consumption, the two solutions are also ahead: they only require 50 MB of memory or less. Kaspersky consumes up to 800 MB in comparison.
“Next-Generation Antivirus” is not just a catchy PR buzzword. The solutions behind it really deliver.
This is reflected not only in the much better detection rate of the new solutions.
System-related advantages such as the significantly reduced maintenance effort due to the elimination of annoying signature updates and the significantly lower resource consumption make administration easier. Another advantage is that particular workstations, which are bound to have no Internet connection for extended periods of time, are still well protected. This is not guaranteed with a signature-based approach.
Anyone who is thinking about upgrading their antivirus solution today should seriously consider switching to the new generation.
By the way, you can find the detailed test results as a whitepaper on the iT-CUBE SYSTEMS page for free download.
Image: ©iT-CUBE SYSTEMS AG 2017