International. The independent testing company AV-Test ran 11 endpoint protection platform products through 113 different attacks to determine the extent to which they actually protect users. The tests comprised three scenarios: protection of users' files against prevalent ransomware, protection against remote encryption, and protection against proof-of-concept ransomware.
The first test scenario simulated the most typical ransomware attack, the one in which the victim runs malware on their computer and it tries to reach the local files. A positive result assumes that the threat has been neutralized (i.e., all malware files were deleted, execution processes were stopped, and attempts to take control of the system were thwarted) and all user files have been made accessible and unencrypted.
In the second scenario, the protected computer stored files that were accessible throughout the local network, and the attack came from another computer connected to that same network (the other computer did not have a security solution, which allowed the attackers to run the malware, encrypt its local files and then look for information accessible on neighboring hosts).
On the protected computer, the security solution observed a system process manipulating local files but could not see the execution of the malware, so it could neither check the reputation of the malicious process or the file that had started it, nor even scan that file. The result is that of the 11 solutions analyzed, only three offered any kind of protection against this type of attack, and only Kaspersky Endpoint Security Cloud handled the situation perfectly. What's more, while the Sophos product was triggered in 93% of cases, it provided complete file protection in only 7% of them.
The third scenario shows how products deal with malware they have never seen before and that therefore cannot be present in malware databases. Since security mechanisms can identify a still-unknown threat only by means of proactive technologies that react to malware behavior, the researchers created 14 new ransomware samples using methods and technologies that cybercriminals rarely use, together with never-before-seen encryption techniques. As in the first scenario, success was determined by detection and blocking, which also includes maintaining the integrity of all files on the victim's computer and completely removing all traces of the threat from it.
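The remote-encryption scenario and the unknown-sample scenario share one defensive idea: when the executable cannot be scanned or reputation-checked (it runs on another host, or it has never been seen), the endpoint has to reason from what is being written to disk. The block below is an added illustration of that behaviour-based approach; it is not code from AV-Test or from any of the tested vendors. It assumes a simple event stream of file writes with a process name, a path and the written bytes, uses "System" as a placeholder label for the local server-side process that performs writes on behalf of a remote client, and uses illustrative thresholds; every event is constructed sample data. A process that rewrites several distinct files with ciphertext-like (high-entropy) content inside a short window is flagged, while routine document saves and a single archive save are not.

```python
"""Behaviour-based detection of bulk encryption on a file share.

Added illustration, not code from AV-Test or any tested vendor. It models the
defender's view in the remote-encryption scenario: the protected host only
observes a local server-side process (labelled "System" here as a placeholder)
rewriting files on a share, so it cannot score the remote executable's
reputation and must reason from the writes themselves. The same logic needs
no signature, so it also applies to never-before-seen samples. All events
below are constructed sample data.
"""
import math
import random
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted/compressed data approaches 8.0
BURST_FILES = 5           # distinct files rewritten by one process inside the window
WINDOW_SECONDS = 10.0     # illustrative window, not a vendor setting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class BurstEncryptionDetector:
    """Alerts when one process writes high-entropy content to many distinct
    files within a short window. A single high-entropy write (a user saving a
    zip or a photo) is not enough on its own, which keeps false positives down."""

    def __init__(self, window=WINDOW_SECONDS, burst=BURST_FILES,
                 threshold=ENTROPY_THRESHOLD):
        self.window = window
        self.burst = burst
        self.threshold = threshold
        self._recent = defaultdict(deque)   # process name -> deque of (ts, path)
        self.alerts = []

    def feed(self, event):
        """Consume one write event {ts, proc, path, data}; return an alert or None."""
        if shannon_entropy(event["data"]) < self.threshold:
            return None                      # plaintext-looking write, ignore
        q = self._recent[event["proc"]]
        q.append((event["ts"], event["path"]))
        while q and event["ts"] - q[0][0] > self.window:
            q.popleft()                      # drop writes that fell out of the window
        touched = {path for _, path in q}
        if len(touched) < self.burst:
            return None
        alert = {"ts": event["ts"], "proc": event["proc"], "files": sorted(touched)}
        self.alerts.append(alert)
        q.clear()                            # start a fresh window after alerting
        return alert


def _random_bytes(seed, n=4096):
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_events():
    """Constructed event stream: routine document saves, one archive save, then
    a burst of high-entropy rewrites on the share coming from the server process."""
    text = b"Quarterly figures, draft. " * 160
    events = [
        {"ts": 0.0, "proc": "WINWORD.EXE", "path": r"C:\Shares\Finance\q1.docx", "data": text},
        {"ts": 1.5, "proc": "WINWORD.EXE", "path": r"C:\Shares\Finance\q2.docx", "data": text},
        {"ts": 2.0, "proc": "explorer.exe", "path": r"C:\Shares\Finance\backup.zip",
         "data": _random_bytes(1)},           # legitimate single high-entropy write
    ]
    for i in range(5):
        events.append({"ts": 20.0 + i, "proc": "System",   # placeholder server process
                       "path": rf"C:\Shares\Finance\report{i}.xlsx.locked",
                       "data": _random_bytes(100 + i)})
    return events


def run_detection(events=None):
    """Feed the events through the detector and return the alerts raised."""
    det = BurstEncryptionDetector()
    for ev in (events if events is not None else build_sample_events()):
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for a in run_detection():
        print(f"t={a['ts']:.1f}s  {a['proc']} rewrote {len(a['files'])} files with "
              f"ciphertext-like content, e.g. {a['files'][0]}")
```

On the constructed stream the detector stays quiet for the document saves and the single archive save and raises one alert when the fifth high-entropy rewrite from the server process lands inside the window. A real product would add more signals (renames to unknown extensions, canary files, the rate of writes) and would need to decide what to do once it fires, since by then some files on the share have already been overwritten; that is the gap between "triggered" and "complete file protection" that the Sophos figures above illustrate.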
The results were mixed: some products (ESET and Webroot) were unable to detect this tailor-made malware at all, while others performed better (WatchGuard 86%, Trend Micro 64%, McAfee and Microsoft 50%). The only solution that demonstrated 100% performance was Kaspersky Endpoint Security Cloud.