Anti-Malware Test

Real-World Test of Selected Products

What are we testing?


Webroot - heavily reliant on cloud and behavioural analysis, the software uses hash-based protection and pre-execution heuristics (dynamic analysis). It also makes use of behavioural monitoring, journalling and rollback. The Webroot browser extension provides real-time phishing protection by inspecting a page's wording and overall structure for signs of phishing.


ZoneAlarm - the product makes use of dynamic emulation, inspecting files with 60+ AI engines in real time. It offers standard antivirus, reputation-based antivirus, CDR (Content Disarm and Reconstruction) and real-time phishing protection.


ESET - a well-known package. It offers standard antivirus, behavioural monitoring, HIPS and anti-phishing protection. The top-tier version includes cloud emulation.


Trend Micro - the software relies heavily on signatures, with machine learning run only on files of low prevalence.

4 Products

Various threats

Tolerance: 1 fraudulent site

Section 1: known & unknown phishing links.

These links will test the products' ability to block already-known and pre-analysed phishing pages. In some cases, products may rely on real-time analysis: for example, ZoneAlarm and Webroot both use real-time inspection. Evidence suggests that ESET creates definitions/heuristics as part of the AV scanner that can potentially detect unknown phishing pages.

Section 2: known & unknown malware links.

These links will test the products' ability to detect malware in a realistic scenario. Many products control false positives by screening downloads more aggressively while scanning local files more moderately, so downloading the files from the web exercises a product's full potential.

| Malware Name | Type | Link | Behaviour | Sandbox Report |
|---|---|---|---|---|
| Vidar/StealC | Infostealer | http://147.45.44.104/yuop/66bb989993888_crypted.exe#1 | Injects into RegAsm.exe | https://app.any.run/tasks/3dfbb89f-8768-44a6-bcba-2567d2f8b870 |
| Phorpiex | Infostealer | http://185.215.113.66/newtpp.exe | Abuses svchost and rundll | https://app.any.run/tasks/731c7e4c-8ed6-42b9-b9cc-4c9791b1c92d |
| Lumma | Infostealer | http://147.45.44.131/files/L.exe | Injects into RegAsm and svchost.exe | https://app.any.run/tasks/87fd6b77-f487-45d2-befa-cc555e80023e/ |
| Discord grabber | Infostealer | https://1drv.ms/u/c/32a149dac3ce5a59/EY65PdQ4DAhFlCYqOiZFXVYBlSO_218ksBLhazsWpoqIqg?e=xUbNlp | Reads credentials; saves them in C:\Users\admin\AppData\Local\Temp\Discord\DiscordFiles.zip | https://app.any.run/tasks/d2d4e52b-0c81-431b-af21-9658f3e9bf70/ |
| Ryuk | Ransomware | https://1drv.ms/u/c/32a149dac3ce5a59/EWiPuWR7ihpOi0N7Nd6t3fUBjfRJ02oNa4KVLhvrhGOjNQ?e=mm97Ib | Typical | https://app.any.run/tasks/3fe7dabf-f049-418e-9156-2249b671c4f2 |
| | Ransomware | https://1drv.ms/u/c/32a149dac3ce5a59/ET8L3fc3Ec9Kio9B3LOPWJ8Bc3RBPFxAF32l6ol3hCpUwQ?e=SSVgdi | Typical | https://app.any.run/tasks/8976b977-f230-4943-a965-5130fd975013/# |
| Stop/DJVu | Ransomware | https://1drv.ms/u/c/32a149dac3ce5a59/AT8L3fc3Ec9Kio9B3LOPWJ8?e=tW26F6 | Typical | https://app.any.run/tasks/a55506ae-3832-4b8e-b26f-331cc55685a3/# |
| Netwalker | Ransomware | https://1drv.ms/u/c/32a149dac3ce5a59/AUWehrKzj_NLhSoBtwzo0SM?e=cE084z | Typical | https://app.any.run/tasks/e1119668-302b-4f89-a72e-5d33787def97 |
| Remcos | RAT | https://1drv.ms/u/c/32a149dac3ce5a59/EenNkMdyyyhCtJeApUrBbs8B9bvNcDaT55a_pIzu1BmPIQ?e=CrNAmW | Allows remote access; the attacker must be actively watching the machine to log in | https://www.joesandbox.com/analysis/1491471/0/html |