Thursday, December 21, 2017

AV products do work, folks.

I see a lot of criticism of anti-virus products... they can't keep up... they miss nation-state malware... people need magical new solutions... etc. Yesterday, I tested the day's ransomware against ten products that I had readily to hand, namely, Webroot, Sophos, Avast, Symantec, Windows Defender, Panda, Avira, MalwareBytes, FProt, and Eset.

I try to do what I call Real World testing. I install products with their default options, just like an average user might. I don't specifically update the signature databases. If they update, fine. If they don't, oh well. I only use the malware of the day, rather than stuff that is a few days old (and probably extinct). I execute the malware, just as the attackers would like their victim to do, and see who detects it.

Simple, really.

Yesterday's ransomware was spread via an email with a .vbs attached. The pitch in the email is to get you to open the attachment, which runs the VBScript, which then reaches out to a website, downloads the ransomware, and executes it.

In my testing, I simulated that by executing the vbs, and ... wait for it... nine out of the ten products nailed it, either with a generic sig, or by blocking access to the website!
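The chain above (mail client opens the attachment, the script host runs the .vbs, the script fetches a payload, the payload runs) is also visible in endpoint telemetry without any signature for the script or the ransomware. The following is an added example, not code from the post or from any of the products tested: it reconstructs that chain from a simplified, Sysmon-like stream of process-creation and network-connection events. The event shape, the process and parent names, and the `SAMPLE_EVENTS` telemetry are all constructed for illustration; 203.0.113.10 is a documentation address, not a real download site.

```python
# Added example (not from the blog post): reconstruct the mail -> .vbs -> download
# -> execute chain from endpoint telemetry, so the pattern is caught even when no
# signature matches the script or the payload. The event model is a simplified,
# Sysmon-like shape assumed for illustration; SAMPLE_EVENTS are constructed.
import ntpath
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                  # Windows script hosts
LAUNCHERS = {"outlook.exe", "thunderbird.exe", "explorer.exe"}  # mail client or shell
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")           # what the hosts run


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str           # full path of the acting process
    ppid: int = 0        # parent pid (process events only)
    cmdline: str = ""    # command line (process events only)
    dest: str = ""       # "host:port" (network events only)


@dataclass
class Finding:
    script_pid: int
    script_cmdline: str
    parent_image: str
    downloads: List[str]   # destinations the script host connected to
    children: List[str]    # images the script host launched

    @property
    def stage(self) -> str:
        """How far the chain got; the full chain is the ransomware case."""
        if self.downloads and self.children:
            return "download-and-execute"
        if self.downloads:
            return "download-only"
        if self.children:
            return "execute-only"
        return "script-launched"


def _base(path: str) -> str:
    # ntpath parses backslash paths correctly even on a non-Windows analysis host
    return ntpath.basename(path).lower()


def find_chains(events: List[Event]) -> List[Finding]:
    """One Finding per script host that a mail client or the shell spawned with a
    script file on its command line, with whatever that host did next attached."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    findings: List[Finding] = []
    for e in events:
        if e.kind != "process" or _base(e.image) not in SCRIPT_HOSTS:
            continue
        if not any(ext in e.cmdline.lower() for ext in SCRIPT_EXTS):
            continue
        parent = procs.get(e.ppid)
        if parent is None or _base(parent.image) not in LAUNCHERS:
            continue                      # e.g. an admin running cscript from cmd.exe
        downloads = [n.dest for n in events if n.kind == "network" and n.pid == e.pid]
        children = [c.image for c in events
                    if c.kind == "process" and c.ppid == e.pid]
        findings.append(Finding(e.pid, e.cmdline, parent.image, downloads, children))
    return findings


# Constructed telemetry: one malicious chain and one benign script-host run.
# 203.0.113.10 is a TEST-NET-3 documentation address, not a real download site.
SAMPLE_EVENTS = [
    Event("process", 400, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", 100),
    Event("process", 520, r"C:\Windows\System32\wscript.exe", 400,
          r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\invoice.vbs"'),
    Event("network", 520, r"C:\Windows\System32\wscript.exe", dest="203.0.113.10:80"),
    Event("process", 610, r"C:\Users\u\AppData\Roaming\svc_upd.exe", 520,
          r'"C:\Users\u\AppData\Roaming\svc_upd.exe"'),
    # benign: an administrator running an inventory script from a console
    Event("process", 700, r"C:\Windows\System32\cmd.exe", 100),
    Event("process", 710, r"C:\Windows\System32\cscript.exe", 700,
          r"cscript.exe C:\scripts\inventory.vbs"),
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f.stage, f.script_pid, f.parent_image, f.downloads, f.children)
```

Run on the constructed events, this flags only the wscript.exe spawned by OUTLOOK.EXE, with stage `download-and-execute`; the cscript.exe run from cmd.exe is ignored because its parent is not a mail client or the shell. The `stage` distinction matters in practice: a `download-only` hit is where a web or DNS block has already done its job, which is one of the two ways the products above stopped the sample, while `download-and-execute` means the payload ran and the host needs isolating.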

This is a Good Thing (tm), and well done guys and gals.

Of course, this still doesn't answer the vexatious question of what happens when they don't have a sig, but, in the fullness of time, we will find out. I can't do this every day, but I will try to add more products to the mix, and see what happens.

Stay tuned, and keep safe.