Everybody needs antivirus protection. Everybody! And I don't mean the antivirus built into Windows—it just doesn't measure up. Fortunately, you can get that protection without spending a penny. AVG AntiVirus Free (2017) looks a bit different from its previous edition, and it includes some new technologies. In our own tests and tests by the independent labs, it earned very good scores.
Last year, Avast acquired AVG, but fans of either company needn't worry, as both product lines continue their separate existence. Why would a company want to acquire such a similar competitor? Both AVG and Avast have huge followings, but globally each is strong in different areas. The combined company has a worldwide reach.
Of course, AVG only makes money if somebody purchases the for-pay security suite. There's a certain amount of upsell when you go to install the free antivirus, but it's much more laid back than, for example, Comodo. You can choose the free antivirus or start a 30-day free trial of the suite. You don't have to enter a credit card, and if you do nothing, at the end of the trial it reverts to the free antivirus. It does offer to install a plug-in for all of your browsers, and replace your home page, new tab page, and default search. However, as I'll explain below, installing AVG in the browser gets you a ton of useful security features.
Management by Zen
Like all AVG products, the antivirus includes AVG Zen, a management and launching utility that offers an overview of AVG security on all of your devices. It's similar in many ways to the component that helps you manage McAfee AntiVirus Plus and other McAfee products.
Four panels dominate Zen's main window, devoted to antivirus, PC tuneup, VPN, and Web Tuneup. Each panel contains a circle that can be fully or partially colored, depending on whether or not you've installed all possible protection in that area. If all is well, the circle glows green; if your attention is needed, it changes color.
When you install the free antivirus, you see a three-quarter circle in the antivirus panel. That becomes a full circle only if you upgrade to the paid edition. If you followed the installer's instructions regarding Web Tuneup, that panel displays a full circle. As for the VPN panel, that one remains empty unless you separately install the Hide My Ass VPN.
Likewise, you won't see anything in the PC Tuneup panel unless you install AVG PC TuneUp. You do get a one-day trial of the tuneup product along with the free antivirus; I'll discuss that below.
New User Interface
Last year's edition of the antivirus looked extremely similar to AVG Zen, with the same color scheme and the same circle-based status indicators. This year, the color scheme hasn't changed, but almost everything else has.
The main window has two main panes. The Basic protection pane includes icons for computer protection and for Web and email protection, both enabled. The Full protection pane's icons represent protection for private data, protection during online payments, and protection against hack attacks, all three disabled. To enable those, you must upgrade to AVG's non-free security suite.
In the middle, below the two panes, is a big button labeled Scan Computer. Clicking it launches a full scan, which does more than just scan for malware. It also scans for junk files, revealing browser traces, system logs, and Registry problems—but if you want to fix those you must start your short-term trial of AVG PC Tuneup.
In testing, the full scan finished in just six minutes, which led me to peruse all the scan options. I found another option called Deep Virus Scan. This scan took over an hour, quite a bit longer than last year's edition of AVG. However, because the scan flags safe files that don't need to be looked at again, a second scan goes much faster. I found that a repeat scan finished in just a few seconds.
Lab Scores High and Plentiful
It may seem counterintuitive, but in most cases antivirus makers pay for the privilege of having their products included in testing by the independent labs. They do benefit, though: a high score gives the company bragging rights, and if the score is poor, the lab lets it know what went wrong. When the antivirus doesn't bring in any income, a company might be tempted to avoid the expense of testing. Not AVG. I follow five independent testing labs that regularly release reports on their results; all five of them include AVG.
Testers at AV-Comparatives run a wide variety of tests on antivirus and other security products; I follow five of those tests closely. As long as a product meets the minimum for certification, it receives a standard rating. Those that go beyond the minimum can receive an Advanced rating, or even Advanced+. AVG participates in four of the five, and received two Advanced and two Advanced+ ratings. Note, though, that Kaspersky and Bitdefender Antivirus Free Edition both rated Advanced+ in all five tests.
AV-Test Institute reports on antivirus capabilities in three areas: protection, performance, and usability. With six points possible in each category, the maximum score is 18 points. AVG took six points for usability, meaning it didn't screw up by flagging valid programs or websites as malicious. It came close in the other two categories, with 5.5 apiece.
A total of 17 points isn't enough for AV-Test to designate AVG a Top Product; that requires 17.5 or better. Bitdefender, Quick Heal, and Trend Micro earned the necessary 17.5 points, while Kaspersky and Avira Antivirus managed a perfect 18.
AVG scored 81.05 percent in Virus Bulletin's RAP (Reactive And Proactive) test, just a hair below the current average. SE Labs tests products using real-world drive-by downloads and other Web-based attacks, assigning certification at five levels: AAA, AA, A, B, and C.
While most of the labs report a range of scores, tests by MRG-Effitas are more like pass/fail. Half of the products tested failed at least one test; 30 percent, including AVG, failed both. Since not-quite-perfect and epic failure get the same rating in this test, I give it less weight when coming up with an aggregate score.
Avast Free Antivirus, AVG, ESET, and Kaspersky are the only products in my collection that currently have results from all five labs. AVG's aggregate score is 8.7 of 10 possible points, better than many commercial products. At the top is Kaspersky, with 9.8 points, followed by Avira and Norton with 9.7.
Very Good Malware Blocking
Malicious software from the Internet must get past numerous defenses before it can infect your PC. AVG could block all access to the malware-hosting URL, or wipe out the malware payload before the download finishes—I'll discuss those layers shortly. If a file is already present on your computer, AVG assumes it must have gotten past the earlier protection layers. Even so, it checks one more time before allowing such a file to execute.
To test AVG's malware-blocking chops, I opened a folder containing my current collection of malware samples and tried to execute each one. AVG blocked almost all of them immediately, wiping them out so fast it left Windows displaying an error message that the file could not be found. It wiped out most of those that managed to launch before they could fully install.
Initially I determined that AVG detected 94 percent of the samples and scored 9.0 of 10 possible points. However, upon checking with my company contact, I learned that for full protection I should enable detection of potentially unwanted applications, sometimes called PUAs or PUPs. With that setting enabled, AVG's scores rose to 97 percent detection and 9.5 points, better than many commercial programs. I wish, however, that AVG either enabled detection of PUAs by default or, like ESET NOD32 Antivirus 10, made the user actively choose to enable or disable this protection.
Webroot and Comodo Antivirus 10 scored a perfect 10 in this test. However, when I checked Comodo against hand-modified versions of my samples, it missed quite a few.
When AVG detects a file that's completely new to the system, never before seen, it prevents that file from launching and sends it to AVG headquarters for analysis. I managed to invoke this feature using one of those hand-modified samples. AVG killed the process, triggering a Windows error message. To show it wasn't really an error, AVG attached a CyberCapture tab to the error message.
A few other files merited special scrutiny. AVG displayed a message stating, "Hang on, this file may contain something bad," and promising an evaluation within 15 seconds. All of my hand-coded testing utilities triggered this warning; all three got a clean bill of health.
Detecting my months-old samples is one thing; protecting against the very latest threats is quite another. My malicious URL test uses a feed of URLs detected within the last day or two by MRG-Effitas. An antivirus product gets equal credit if it prevents all access to the malware-hosting URL or if it eliminates the downloaded malware immediately.
I test URL after URL until I've recorded data for 100 verified malware-hosting URLs, then tally the results. AVG blocked access to more than half of the URLs and eliminated almost another quarter at the download stage, for a total of 73 percent protection. That's quite a bit better than Comodo, which lacks URL-based blocking and scores just 37 percent. However, others have done quite a bit better than AVG. Symantec Norton AntiVirus Basic holds the lead, with 98 percent protection; Avira managed 95 percent.
Trojans and other malicious programs must successfully infiltrate your computer in order to steal data. Phishing websites, by contrast, only have to trick you, the user. If you log in to a fraudulent site that's pretending to be your bank, or your email provider, you've handed over your account to a crook. Such sites get discovered and blacklisted quickly, but the crooks simply set up new ones.
The most dangerous phishing sites are those that haven't been analyzed yet, so I scour the Web for sites that have been reported as fraudulent but not yet verified. I discard any that don't pretend to be some other site, and any that don't include fields for username and password. I launch each URL in a browser protected by the program under test, and in another protected by long-time phish-killer Norton. I also launch the URL in Chrome, Firefox, and Internet Explorer, relying on the browser's built-in protection. If the URL returns an error message in any of the five browsers (and they often do), I discard it.
Because the URLs themselves are different every time, I report each product's results as the difference between its detection rate and that of the others. In last year's test, AVG lagged Norton's detection rate by 28 percentage points, which is still actually better than the majority of competing products. This time around, it lagged Norton by 70 percentage points, putting it near the bottom. My contact at the company checked with the developers and confirmed that they know about the problem and are working on speedier updates.
Even though Norton is my touchstone for this test, it doesn't beat every single competitor. Check Point ZoneAlarm Free Antivirus+ 2017 tied with Norton in its most recent test. Bitdefender, Kaspersky, and Webroot actually beat Norton by a few points.
The AVG Web TuneUp plug-in installs in all your browsers and offers several useful and important security benefits. First off, the Site Safety component warns when you visit a website that's risky or actively dangerous. You can click for more details, and click again for a full website report online. However, the full report isn't as detailed as what you get from Norton and a few others. And where Norton marks search results with red, yellow, and green icons, AVG only offers a rating once you try to visit a site.
Advertisers love to track your Web surfing, so they can show you ads they think you'll like, and avoid showing the same ad too often. But tracking by advertisers and others is a bit creepy, enough so that there's a header in the HTTP standard specifically designed to tell websites you don't want to be tracked. Alas, the header has no teeth. Your browser can send a Do Not Track header, but sites and advertisers can ignore it.
AVG's Web TuneUp includes an active Do Not Track component, one that checks each page you visit for trackers and optionally cuts off their tracking. It's disabled by default; I suggest you turn it on. A similar feature in Abine Blur uses its toolbar button to display the number of trackers on the current page and let you fine-tune its tracker blocking. AVG just blocks all trackers when this feature is turned on.
The last tune-up feature, Browser Cleaner, doesn't add a lot to your security. It tracks things like browsing history, saved Web form data, and cookies, and lets you click to delete them. But in Chrome, Firefox, and Internet Explorer, you can simply press Ctrl+Shift+Del to do the same, with finer control over what gets deleted.
As noted, you can at any time install a one-day free trial of AVG PC TuneUp. Don't do this until you have a little free time, so you can make full use of your short-term trial.
The final bonus feature is a little hard to spot. Buried in the right-click menu for files and folders, you should find a new item titled Shred using AVG. If you choose this item, AVG overwrites the file's data before deleting it, thereby foiling any attempt to recover the deleted file's data.
An Excellent Choice
With the Avast acquisition, both the outward appearance and the technology inside are changing for AVG AntiVirus Free, and that's not a bad thing. The antivirus gets very good marks from all of the independent labs that I follow, and also did quite well in my malware-blocking test. It wasn't quite as good at blocking malicious downloads, but still beat many competitors. Yes, its antiphishing performance wasn't great, but phishing protection isn't a central antivirus component. Overall, it's an excellent choice.
But don't just take my word for it. Go ahead and give the program a try; it's free, after all. While you're at it, have a look at Avast Free Antivirus and Panda Free Antivirus, our other Editors' Choice products in the free antivirus realm.
These days, you can find almost anything bundled into one antivirus or another—firewalls, spam filters, even password managers. At the other end of the spectrum are lean, mean antivirus tools that just focus on the task at hand. TrustPort Antivirus Sphere belongs to the latter group. It does boast several bonus features, but they're all aimed at that core task. Alas, it didn't fare well in my hands-on testing, and the independent labs mostly ignore it.
At $22.95 per year for one license or $29.95 for three, TrustPort is easier on the wallet than most of the non-free competition. Bitdefender, Kaspersky, Norton, Webroot SecureAnywhere AntiVirus, and more than a dozen others charge $39.95 for a single license. However, after working with the product I'm not sure it's a bargain, even at that price.
With the 2017 product line, TrustPort has added "Sphere" to each product name, and changed the user interface considerably. The small main window boasts a horizontal row of five large, square buttons against a dark gray background. A green button toggles the on-access scanner, and another configures the anti-exploit component. There are blue buttons to check for updates, display quarantined malware, and access bonus features. What you won't see is anything like the big scan button that dominates Trend Micro Antivirus+ Security, Quick Heal, and a few others.
The documentation points out that the on-access scanner should take care of any problems, but that there are several ways to launch a scan. You can scan any drive or folder by choosing from the right-click menu, or select from numerous scan possibilities by right-clicking the TrustPort icon in the notification area. A full scan of my standard clean test system took 63 minutes. That's longer than the current average of 47 minutes, but again, TrustPort encourages users to skip the on-demand scan and rely on the real-time scanner.
Labs Mostly Mum
Independent antivirus testing labs around the world put multiple products through grueling tests, all designed to identify those that are the most effective. I follow five labs that regularly report on their findings. In most cases, vendors must pay to have a product tested (and reap the reward of learning what areas need work). When a product appears in reports from multiple labs, it means the vendor considered the expense worthwhile, and the labs considered the product significant enough to merit one of their testing slots. Top antivirus utilities like Kaspersky Anti-Virus and Bitdefender get the highest marks from many labs. If my simple hands-on tests don't seem to align with the lab results, I give the labs more weight.
Alas, there are very few lab results available for TrustPort. It doesn't show up in reports from AV-Test Institute, AV-Comparatives, or SE Labs. These three offer the most information about a product's antivirus capabilities. That leaves Virus Bulletin, with its VB100 and RAP (Reactive and Proactive) tests. I stopped tracking VB100 a while ago, because a single false positive translates into failure. The RAP test skews the other direction detail-wise, offering scores measured in hundredths of a percent. TrustPort's latest RAP score of 85.34 percent is better than average, but that's all the information I have. I can't build an aggregate lab score from one small data point.
Sharp-eyed users may notice that TrustPort uses two antivirus engines, code-named Argon and Xenon. These are licensed from AVG and Bitdefender, respectively. However, the labs state very clearly that their results apply only to the actual product tested, not to any licensee. So only tests of an actual TrustPort product are relevant.
So-So Malware Removal
I installed TrustPort on a virtual machine and waited for the necessary initial update. Then I initiated my malware-blocking test by opening a folder full of malware samples. TrustPort immediately started checking them, and quarantining any it found to be malicious. However, the process proved so CPU-intensive that the system was unusable for several minutes. Admittedly, the average user doesn't just open a folder full of malware and shove the antivirus's face in it. With G Data Antivirus 2017 and some other competitors, you must respond to a popup notification for each detection. TrustPort conveniently stacks up multiple detections in a single popup.
The on-access scan eliminated 84 percent of the samples at this point. I launched each of the remaining samples, taking note of how effectively the antivirus blocked its installation. TrustPort missed a few, but managed to pull its overall detection rate up to 87 percent. Its malware-blocking score was 8.5 of 10 possible points, which isn't great, especially with no stellar lab results to offset it. Webroot, G Data, F-Secure Anti-Virus, and a couple others managed 100 percent detection. Webroot earned a perfect 10 points; G Data and F-Secure came close, with 9.8 points.
My malicious URL blocking test starts with a feed of the latest malware-hosting URLs graciously supplied by MRG-Effitas. These URLs are typically no more than a day or two old. The malware samples aren't zero-day threats by any means, but they're definitely in the wild. I launch each URL and note whether the antivirus kept the browser from reaching the URL, eliminated the malicious download, or did nothing at all. When I've got data for 100 valid malware-hosting URLs, I tally the results.
TrustPort's antivirus is at something of a disadvantage here, as the company reserves Web-based protection against malicious or fraudulent URLs for the security suite products. However, it proved quite vigilant at blocking malicious downloads. In many cases, it identified and blocked the download before I could even hit Save. That vigilance wasn't sufficient to yield a good score, however. At 70 percent protection, TrustPort is in the lower half of recently tested products. Norton is at the top, with 98 percent protection. Avira Antivirus Pro came quite close, blocking 95 percent of the malware downloads.
For most products, I would proceed to test antiphishing capabilities, comparing the product's detection rate with that of Symantec Norton AntiVirus Basic and of the built-in protection in Chrome, Firefox, and Internet Explorer. However, as noted, detection of undesirable websites isn't included in TrustPort's antivirus.
TrustPort devotes one of its five main buttons to the anti-exploit component. By default, this component runs in Silent mode, and the average user will assume that means it's offering exploit protection silently. Unfortunately, it isn't so. The default action in Silent mode is to allow all activity, meaning the anti-exploit component doesn't do anything. If you take it out of Silent mode, it pops up a notification when it detects chicanery, giving you the option to block or allow a specific action, or mark the program involved as trusted.
To evaluate this component, I turned off Silent mode and attacked the test system with about 30 exploits generated by the CORE Impact penetration tool. Not one of them triggered a notification by the anti-exploit component, though the on-access scanner tagged a dangerous payload for 20 percent of them. It turns out I just didn't understand the meaning of exploit in this context. TrustPort doesn't watch for attempts to exploit specific vulnerabilities in the operating system or popular programs. Rather, it looks for programs attempting to manipulate other programs. For example, it found my hand-written programs that launch Internet Explorer and direct it to malicious or phishing URLs to be highly suspicious.
For a further test, I attempted to install 20 old utilities, programs that work by hooking deeply into the operating system. TrustPort flagged eight of them, giving me the option to allow or deny the suspicious action. Strangely, the checkbox to remember my choice wasn't functional, so the popups just kept coming, in every case. I could end the torture by choosing to trust the program, but I found no other way.
The same menu lets you switch to the application inspector component, disabling anti-exploit. This component aims to foil zero-day and polymorphic malware by preventing malicious behaviors. It prevents modification of sensitive file system and Registry areas, active processes, Windows services, and more. When it detects suspicious activity, it asks you, the user, to decide a course of action. You can allow the program, in which case it becomes trusted, with no limits. You can run it with sandbox-like restrictions. Or you can block it, in which case TrustPort kills the process.
I switched TrustPort to use the application inspector and repeated the test with old utilities. The application inspector flagged six of them for various crimes, among them modifying a protected Registry location, using harmful access privileges, and more. Two other utilities failed to function properly, with no notice from TrustPort. While both anti-exploit and application inspector flagged eight programs, only two programs got zinged by both.
It's possible to dig deep into settings and fine-tune the way these features work, but few users will go beyond the three basic settings. The default silent anti-exploit mode does nothing. The interactive anti-exploit mode blocks activity by some valid programs, and I couldn't end its popup cycle except by trusting the program. And the application inspector also blocks valid programs, but in a different way. After experiencing all three, I'm warming to the do-nothing option.
The Extra Applications button on the main window looks tempting. What could these goodies be? Alas, the average user won't be able to make use of them. Who understands what it means to Prepare BartPE Plugin or to Prepare Windows PE CD? In fact, both options aim to let you wipe out the most persistent malware by booting into an environment where the malware has no power.
If you dare to choose the BartPE option, TrustPort prompts you to select a folder and then announces that it successfully created the plugin. You're left to research BartPE on your own, and create a BartPE bootable disk including the plugin files. If you choose instead to prepare a Windows PE CD, you'll find that you can't. Not without first downloading and installing Microsoft's Windows Automated Installation kit. This just isn't something the average user will do.
Bitdefender Antivirus Plus 2017 handles this same problem so much better. You don't have to fiddle with creating a rescue disk at all. Just choose Rescue Mode and the system reboots into a non-Windows environment where Bitdefender is king. Kaspersky automates the process of creating a rescue disk, and Avira at least lets you download its rescue disk as an ISO file. TrustPort needs to move away from the über-geeky BartPE and Windows PE solutions.
Not a Winner
With its new name and user interface, TrustPort Antivirus Sphere makes a good first impression. However, most of the antivirus testing labs ignore it, and it earned mediocre scores in our testing. The anti-exploit component takes no action by default. If you take it out of silent mode, it pops up warnings about both good and bad programs. Yes, it costs less than most competing products, but the best of those are worth paying more for.
From the many dozens of antivirus products available, we've identified five as our Editors' Choice products. They are: Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, Symantec Norton AntiVirus Basic, and Webroot SecureAnywhere Antivirus. Each has its own virtues.
PCMag may earn affiliate commissions from the shopping links included on this page.
These commissions do not affect how we test, rate or review products.
It gets excellent lab scores, and it brings along a team of related Avira products. Given that it's free, I can overlook the fact that both its on-demand scan and real-time protection proved sluggish in testing. The app's main window is largely white, with a white-on-slate menu at left and a couple of panels that offer status information and access to features. From PC Protection, you can launch a scan or an update, toggle real-time protection, or drill down for detailed configuration settings. The Internet Protection panel is a bit weak, by comparison. Web Protection, Mail Protection, and Game Mode are grayed out and disabled, because they're not available in the free edition. And the firewall item just helps you configure Windows firewall.
An Antivirus With a Posse
Many security products flip through a series of informational slides during installation, extolling the virtues of the product itself or advertising companion products. Avira takes the concept a step further. Each of its informational images both describes a companion product and offers to install that product. I'll report on the posse of companion products after covering the core antivirus features.
Many Scan Choices
Clicking the Scan System button in the PC Protection panel launches a full system scan. The scan window itself retains the oddball window caption "Luke Filewalker" that I remarked on in previous editions. I guess George Lucas doesn't mind.
A full scan of my standard clean test system took two and a quarter hours, the longest time for any current product, about three times the current average scan time. Some products speed subsequent scans by skipping files that have already been validated. For example, a repeat scan with AVG AntiVirus Free finished in just one minute. Not Avira; a second scan took just as long. Don't be fooled by the progress bar, as it runs to 100 percent multiple times during a scan.
Most antivirus products offer a full system scan and a quick scan that focuses on active malware and commonly infected locations. Many add a custom scan that lets you choose where and how the scanner should operate. Clicking System Scanner in Avira's left-hand menu brings up a dizzying array of scanning choices. Quick scan and full scan are present in the list, naturally. Other choices include scanning all local drives, examining just local hard disks, checking for active malware, and scanning the Documents folder.
Clearly these are meant for the unusually tech-savvy consumer. Most folks will do fine with the basic quick or full scan.
Very Good Lab Results
In most cases, antivirus companies must pay to be included in testing by the independent labs. A few of the labs actively help them achieve certification—if the product fails, the vendor gets a punch list of things that need fixing. ICSA Labs and West Coast Labs offer this type of certification, but Avira doesn't participate with either. More interesting to me are the tests that put a group of products through the exact same evaluation and report how well they did. With those labs, Avira did quite well. Its score of 85.07 percent in Virus Bulletin's RAP (Reactive and Proactive) test is about halfway between the current average and the current maximum.
When the experts at AV-Comparatives determine that a product does everything it should, they certify it at the Standard level. A product that goes beyond the minimum can earn Advanced certification, or even Advanced+. Avira participates in four of the five tests that I follow from this lab, and it took Advanced+ in all four. By contrast, Quick Heal AntiVirus Pro 17 took two Advanced+ certifications and one Advanced and one Standard in those same four tests.
To cover all facets of antivirus functionality, AV-Test Institute rates products on how well they protect against malware, how little they interfere with performance, and how carefully they avoid flagging valid programs or websites as malware, with 6 possible points in each area. Avira got 5.5 points in the first two categories and 6 points in the third, for a total of 17 points. Note, though, that Bitdefender Antivirus Plus 2017, Kaspersky Anti-Virus, and Trend Micro Antivirus+ Security all earned a perfect 18 points in the same test.
Earlier this year I added a pair of tests from London-based MRG-Effitas to the mix. One focuses on financial malware, while the other attempts to cover the whole range of malware types. Avira failed the financial test, but then, 70 percent of the products tested failed that one. Nearly as many failed the whole-range test, but Avira managed to pass at Level 2, like Avast, Norton, and Trend Micro. Only Kaspersky Anti-Virus earned Level 1 certification. Given that there's no reported difference between an epic fail and missed-it-by-that-much, I give less weight to this test in calculating my aggregate score.
Avira's aggregate score, 9.3 of 10 points, puts it in a tie with Bitdefender. Only Norton (9.7 points) and Kaspersky (10 points) have done better. All five of the labs I follow include Avast Free Antivirus 2016 and AVG in their testing, but their aggregate scores aren't as good as Avira's.
AVG came in with 8.7 points and Avast with 8.3.
Improved Malware Blocking
Analyzing a new set of samples for my hands-on malware blocking test is a grueling ordeal that takes me several weeks. That being the case, I refresh the sample set just once a year, in late winter when there typically aren't many new antivirus releases. That works fine when product releases come roughly a year apart. However, Avira's previous edition was the very first product tested using my current set of samples. Naturally the current version, which I tested in the middle of the cycle, did a little better.
When I opened the folder containing my malware samples, Avira started picking them off, but slowly. Every so often it popped up a notification saying that it quarantined six files, or eight, or one. It also popped up several small floating windows captioned Luke Filewalker, with nothing in them except a progress bar, followed by a similar window with the caption "System is being scanned." Overall, it seemed like a lot of fuss, considering these samples were just static files, never launched. When all the progress bars reached 100 percent and the floating windows vanished, more than 10 minutes had passed, and 68 percent of the samples were gone.
At that point, Avira wanted to reboot the system and run a full scan. However, the point of this test is malware blocking, not scanning. Most antivirus programs I've tested wipe out the samples they recognize in less than a minute, and they certainly don't require a reboot.
Next I started launching those samples that survived. Avira detected almost all of them at this point. For each detection, it launched one of those miniature Luke Filewalker windows, with the apparent aim of eliminating malware traces related to what it discovered. At one point during this test I found the system to be extremely sluggish. Checking with Task Manager, I discovered that the avscan.exe process was using 99 percent of CPU resources.
In a few cases, the antivirus popped up a window informing me that for full remediation I should run a scan using the Avira Rescue Disk. I dutifully downloaded the ISO file and booted the system from it, thereby launching Avira's Ubuntu-based scanner. But wow! A full scan with the Rescue Disk took more than 90 minutes!
To check how successfully the antivirus blocked malware installation, I run a tool that checks for the file and Registry traces associated with each sample, as well as for active malware processes. Each time the app asked for a Rescue Disk scan, I checked for traces both before and after the scan, but found next to no difference. Avira failed to prevent installation of one or more executable files for most of the samples that it detected after launch.
Like Norton, Trend Micro, Emsisoft Anti-Malware 11.0, and K7 Antivirus Plus 15, Avira detected 97 percent of the samples, either on sight or after launch. Norton and Trend Micro completely blocked every detected sample, earning 9.7 of 10 possible points overall. Avira could have had 9.7 points too, but its incomplete malware blocking dragged its score down to 8.9 points. Avast detected 100 percent of my previous malware set and earned 9.3 points.
I also test each app with a sampling of the latest malware.
For this test, I use a feed of the very latest malware-hosting URLs supplied by MRG-Effitas.
The purpose-built program I use for this test normally launches the URLs in Internet Explorer, but I had to modify it for Avira, as the Browser Safety feature in this program still only supports Chrome and Firefox.
For each valid URL, I record whether the antivirus kept the browser from connecting, wiped out the payload during or just after download, or just heedlessly allowed the download. The exact URLs differ every time, naturally, but I keep going until I have a decent sample of at least 100 data points. Last time I tested Avira, it blocked 99 percent of the samples, all of them by preventing all access by the browser.
This time around, it blocked a total of 95 percent, 93 percent at the browser level and 2 percent by killing off the download.
That's still an extremely good protection rate, but Norton's 98 percent protection is now the top score among current products.
Improved Phishing Detection, But…
That same Browser Safety extension that fends off malicious URLs also serves to keep users from being fooled by phishing sites, fraud sites that try to steal login credentials by posing as, say, PayPal, or a bank website.
These URLs don't last long, because they quickly get blacklisted.
As soon as the fraudsters have conned a few saps, they close up shop and re-open with a different URL. For testing purposes, I scrape phish-watching sites to get URLs that have been reported as fraudulent but haven't been around long enough to get blacklisted.
I launch each simultaneously in five browsers, one protected by the product under test, one by Symantec Norton AntiVirus Basic (a long-time antiphishing winner) and one apiece by the protection built into Chrome, Firefox, and Internet Explorer.
Because the URLs themselves are different every time, I report the results as the difference in detection rate between the product and the other four. Last time I tested Avira's antiphishing ability it lagged 50 percentage points behind Norton's, which is bad.
This time it was only 28 points behind, which is better, but still not great.
In addition, its detection rate edged out both Chrome and Internet Explorer, and totally slammed Firefox.
Even so, I wouldn't advise turning off your browser's built-in protection. Very few products outscore Norton in this test, and no free products do. However, Avast came in just one percentage point behind Norton. Qihoo 360 Total Security 8.6 and Sophos Home also came close. Avira Antivirus Pro technically should do better than the free edition, because in addition to the Browser Safety plugin, it has a Web Protection component. Just to see the difference, I tested the Pro edition using the same sample set as with the free edition.
The result? Web Protection caught exactly one fraud that Browser Safety didn't.
The most important thing about Web Protection is that it works in all browsers, not just Chrome and Firefox.
The Rest of the Gang
As I mentioned, when you install Avira Antivirus you can choose to also install a large collection of ancillary tools.
I'd strongly suggest installing all those that are truly free, starting with Avira Connect.
It manages all your other Avira products and serves as a launch pad to start any of them. Avira Connect also lets you review all the devices that you've associated with your Avira account online.
Clicking the Manage Device button opens the Avira dashboard online. Here you can see each device, with icons showing all the installed Avira tools. You can also dig in to view system details, or details for each installed product.
And you can even trigger an email with instructions on how to install missing products. Phantom VPN is a full-featured virtual private network with servers in 20 countries around the world.
The list of countries is seriously weighted toward North America and Europe, though it does include China and Singapore. Using it is a snap; just select the country you want and click the big green Secure my connection button.
This is a free installation of Phantom VPN, which means you can use it on just one device, with a data limit of 1GB per month. Upgrading to Pro gives you unlimited devices and unlimited bandwidth, and enables a feature that automatically activates the VPN any time you're connected to an unsecured wireless network. Avira Scout is a Chrome-based secure browser with some interesting additions. Privacy Badger blocks advertisers from tracking your Web surfing, and HTTPS Everywhere ensures the browser uses a secure HTTPS connection whenever possible—these two are projects of the Electronic Frontier Foundation.
Avira's own Browser Safety is installed, naturally, and it also aims to block trackers.
If you go shopping online, Avira can look for better deals on whatever item you've selected.
That's a feature I haven't seen in other security products. Note that Browser Safety adds some of these features to Chrome and Firefox (but not Internet Explorer).
It includes Avira Price Comparison, it automatically sends the Do Not Track header, and it actively blocks trackers.
A tiny tab at the top of the page pulls down to show the current site's rating and the number of trackers; you can click to see a full list of trackers. You can also enable Avira SafeSearch Plus, which becomes the default new tab page in the two supported browsers. Exploit attacks take advantage of unpatched security vulnerabilities.
Avira Software Updater scans your system and lists any software with missing security patches.
Clicking Download All gets all the updates; you can also download updates one by one, or remove products from being monitored. On my test system, the only thing it found was an update for Firefox.
I did notice that it downloaded a full installer for the latest version, which took a good bit longer than just updating within Firefox itself.
At present this tool doesn't do a lot. On my test system, it reported Java and Firefox as monitored, but Chrome and a ton of other apps were listed as unmonitored. All the items I've mentioned so far are free, though the free Phantom VPN is limited.
They can be downloaded for use independent of Avira Antivirus.
Avira System Speedup is a bit different. You get a free trial that's good for exactly one use.
Its basic scan seeks junk files, Registry problems, and system traces of your private activity.
Additional features include boot time optimization, power management, file encryption, secure deletion, backup, and more.
After your one-time optimization, you can explore these features and even use some of them, but Avira hopes you'll shell out $31.99 for a full license.
Accurate but Sluggish
Avira Antivirus gets better ratings from the independent labs than most free products.
It also did well in my hands-on malware blocking and malicious URL blocking tests, though both the on-demand scan and real-time protection proved sluggish.
The fact that its Browser Safety component works only in Chrome and Firefox is no problem if one of those is your default browser.
The fact that it can keep you safe, for free, means it's worth a try.
But also take a look at our Editors' Choice products in the free antivirus realm, Avast Free Antivirus, AVG AntiVirus Free, and Panda Free Antivirus.
The plus sign in the name of Trend Micro Antivirus+ Security refers to the fact that it includes spam filtering and a firewall booster component, items more commonly seen in full-scale security suites.
It earns great scores in all of our hands-on tests, though not all of the independent labs give it top ratings.
It's definitely worth your consideration. This product costs $39.95 per year for a single computer, a price that seems to be the standard these days. You pay the same for Bitdefender Antivirus Plus 2016, Webroot SecureAnywhere AntiVirus, and many other competing products. During installation, you must create or log in to your Trend Micro account online.
This account lets you manage your subscriptions and even view security reports remotely.
Immediately after installation, it prompts you to enable the Folder Shield ransomware protection component; more about that shortly.
It also installs browser extensions for Chrome, Firefox, and Internet Explorer. The main window's lively, quirky appearance hasn't changed since the previous edition.
A large, round Scan button dominates the squarish window, and icons across the top represent Device, Privacy, Data, and Family (though clicking Family just gets you an invitation to upgrade to the security suite).
The icons bounce as you mouse over them.
If that's not lively enough for you, you can change the background of the window's top half to any of eight predefined skins, or use a photo of your own, perhaps that selfie you took at the Insane Clown Posse concert.
Ransomware Protection
Malware coders are in it for the money, and distributing ransomware is a great way to rake in cash.
It's an instant payoff, not like using a Trojan to steal credit card numbers and sell them cheaply on the black market. New in the latest Trend Micro antivirus is a strong focus on ransomware protection. Most PC-based ransomware focuses on encrypting your essential documents and making you pay to get the decryption key.
The new Folder Shield component foils such attacks by preventing any unknown application from modifying documents in its protected folder.
By default, it protects the Documents folder and all of its subfolders.
If you habitually keep important documents in other folders, consider moving those folders into the Documents folder.
A similar feature in Panda's suite protects multiple folders, but that feature isn't included in Panda Antivirus Pro 2016. I tried to test this feature with a real-world ransomware sample, but the antivirus wiped it out. When I turned off antivirus protection, I found that doing so also turned off Folder Shield.
I created my own simple-minded file-encryption tool and tried to encrypt files in the Documents folder, but even that was blocked by the antivirus component due to its malware-like behavior.
Finally, I wrote a tiny text editor and tried to use it to modify protected files.
Folder Shield kicked in to warn that an unknown program was attempting to open protected files.
It works! I also found in my testing that ransomware samples got called out specifically, instead of the generic "Threat Detected" warning. Likewise, ransomware-hosting websites were identified as such. Trend Micro has also set up a ransomware hotline that even non-customers can call on for help.
The information page includes links to ransomware-removal utilities. One type defeats ransomware that simply locks the screen so you can't use the computer.
The other type decrypts files encrypted by some (but not all) older file-encrypting ransomware.
Mixed Lab Results
Most of the independent antivirus testing labs that I follow include Trend Micro's technology in their testing, and some of them rate it quite highly.
AV-Test Institute scores antivirus products on protection, performance, and usability, with that last category meaning a low rate of false positives.
A product can earn up to six points in each category, for a maximum total of 18.
Trend Micro took 5.5 for protection, 6.0 for performance, and 6.0 for usability.
Its total score of 17.5 makes it a "top product." Only Kaspersky Anti-Virus did better in the latest test, with a perfect 18 points. I follow five of the many tests performed regularly by the diligent researchers at AV-Comparatives.
A product that passes one of these tests earns Standard certification; those that go above and beyond can earn Advanced or Advanced+ certification.
Trend Micro participates in three of these five tests.
It took an Advanced rating in two malware-detection tests and Standard in a test of performance. (In a more recent private test commissioned by Trend Micro, that performance score improved.) Bitdefender and Kaspersky managed Advanced+ in all five tests. The grueling real-world antivirus testing performed by Simon Edwards Labs requires a lot of time and resources, and necessarily includes fewer products.
Trend Micro is among those few, and it earned an impressive AA certification. Norton, ESET NOD32 Antivirus 9, and a few others took this lab's top rating, AAA. Earlier this year I added MRG-Effitas to the list of labs that I follow.
I particularly look at a test specific to banking Trojans and another that's meant to cover all kinds of malware.
These tests are a bit different, as the majority of products fail the all-kinds test, and fail or receive partial credit for the banking Trojans test.
Trend Micro failed both, but due to the pass-fail nature of the test I don't give this lab's results as much weight in my aggregate rating.
Very Good Malware Blocking
Trend Micro performed significantly better in my hands-on tests than it did with some of the labs. When I opened the folder containing my current sample collection, it quickly eliminated 68 percent of them. Rather than display multiple popups reporting its discoveries, it showed the total number of samples found in a single popup, with a link to view details. Normally I launch the samples that remain after this initial onslaught, selecting three or four at a time for processing and deleting the rest.
I was surprised to discover that Trend Micro caught a number of files as I was deleting them.
I reverted the virtual machine to an earlier state and copied the surviving files to a new folder, at which point the antivirus wiped out another 26 percent, for a total of 94 percent eliminated before ever being launched.
Trend Micro's overall detection rate was 97 percent, and it scored 9.7 of 10 possible points, just as Norton did.
Tested with this same collection, Webroot SecureAnywhere AntiVirus earned a perfect 10 points. While wiping out malware files from your PC is good, keeping them from ever landing on the PC is even better.
To test the product's ability to keep users from accidentally downloading malware, I challenged it with a collection of very recent malware-hosting URLs supplied by MRG-Effitas.
For each URL, I noted whether Trend Micro blocked access to the URL, eliminated the downloaded malware, or did nothing.
I kept at it until I had recorded data for 100 malicious URLs. Trend Micro blocked 89 percent of the malware downloads, the vast majority by replacing the dangerous page in the browser with a big warning.
In a couple of cases, it specifically identified the site as hosting ransomware.
This score is quite a bit better than the current average of 69 percent.
Avira Antivirus 2016 holds the top score in this test, with 99 percent protection, and Norton managed 98 percent. As a false-positives sanity check, I install 20-odd PCMag utilities and note any reaction from the antivirus.
Folder Shield did quite reasonably warn about one utility that creates a database in the Documents folder. Otherwise, Trend Micro kept mum…except in one case.
Its heuristic analysis actively identified one of the utilities as malware, and deleted it. Looking back at the independent lab tests, I noted that Trend Micro lost points for false positives in one test by AV-Comparatives, too.
Excellent Antiphishing
Phishing URLs are actually more insidious than URLs that host malware.
These frauds masquerade as PayPal, eBay, bank sites, even online gaming sites, and try to trick you into entering your login credentials.
If you do, you're hosed.
The fraudsters can clean out your bank account, or steal your level 110 Paladin.
And as soon as they've scammed a few people, they take down the site and pop up another. To test phishing protection, I gather hundreds of reported phishing URLs, ones too new to have been analyzed and blacklisted.
I launch each one simultaneously in five browsers, one protected by the product under evaluation, one by antiphishing leader Symantec Norton AntiVirus Basic, and one each by the built-in protection in Chrome, Firefox, and Internet Explorer. Because the URLs are necessarily different for every test, I report results not as the raw detection rate but as the difference between the product's detection rate and that of Norton and the browsers.
Trend Micro lagged just two percentage points behind Norton and handily beat all three browsers.
It's right up there in the winner's circle.
Web and Social Markup
Many people these days get their news via Facebook or other social media.
Friends post links, Facebook suggests links, and you click, click, click.
But what if the link is bogus? What if your friend's social media account were taken over by a hacker? What if a clueless friend unknowingly shared a malicious site? Trend Micro has you covered.
By default, it automatically highlights links in social media: green for safe, yellow for iffy, red for dangerous, and gray for untested.
If the link isn't green, don't click it! Each link also displays a small icon. Pointing to the icon gets a popup that explains the rating, but there's no link to a detailed report online such as you get from Norton. The browser extension also rates links in popular search engines. You can optionally enable it to rate links on any webpage when you hover the mouse over a link.
Firewall Booster
Trend Micro doesn't include a firewall component as such in its security suite products, but the suites and antivirus all offer a component called Firewall Booster.
This component specifically aims to detect botnets. In the past, I've found no way to see the booster in action.
This time I got a little help from my Trend Micro contacts.
They supplied a file that the booster detects as the Nimda worm, though it's actually innocuous.
I used network tools to send the file to the test system, and, sure enough, I got a Network Threats Blocked popup. I also ran my exploits test, figuring those might also trigger a response from the Firewall Booster (even though my Trend Micro contacts said they would not).
Indeed, I got no reaction from the booster component, but the regular Web-protection system blocked access to over half of the exploits. Norton's Intrusion Prevention System blocked nearly two-thirds of these at the network level, identifying many by name.
Spam Filter
These days, most consumers get their spam filtered by the email provider.
It's gotten to the point where some vendors are considering dropping the antispam component from their security suites.
Bucking that trend, Trend Micro includes antispam in the standalone antivirus product. The spam filter integrates with Windows Mail, Windows Live Mail, and Microsoft Outlook (2003-2016).
Since all of this component's configuration takes place in the toolbar it installs, you simply can't use it with a different email client.
It filters POP3 and Exchange email, but not IMAP. The first time you launch your email client after enabling the spam filter, it offers to import your contacts into its whitelist, so their messages will never be blocked.
By default, it whitelists any address to which you send mail. You can also manually import contacts into the whitelist at a later time. The main page of this component's settings dialog features a big slider for spam filter sensitivity. Most users should leave it set to the default Medium setting.
If you wish, you can enable the Link Filter feature, which discards messages containing dangerous links. On the Blocked Languages tab, you can set the filter to discard messages written in any language you don't speak.
A Definite Plus
While Trend Micro Antivirus+ Security didn't earn top scores with all of the independent labs, it scored very well in all of my hands-on tests.
Its ransomware protection doesn't go as far as Webroot's, which claims the ability to reverse encrypting ransomware after the fact, but it should be effective.
If ransomware has you in a panic, and especially if you also need spam filtered from your email, this is an excellent choice for antivirus software. Even so, I'd suggest you consider our Editors' Choice products in this area.
As noted, Webroot SecureAnywhere Antivirus also handles ransomware, and it's the tiniest antivirus around.
Symantec Norton AntiVirus Basic, back after a two-year hiatus, is a dependable favorite. McAfee AntiVirus Plus costs a little more, but protects all of your devices, not just one.
Bitdefender Antivirus Plus and Kaspersky Anti-Virus both score top marks with the independent labs across the board.
The developers of the new generation of Windows have vigorously responded to the most significant and relevant threats that target the Windows platform by developing numerous security technologies that were previously available only in third-party solutions.
The system has become better protected, making the life of cybercriminals more difficult. Nevertheless, in some cases, the tools provided by the operating system are not sufficient – the developers have had to make compromises in a number of areas, which has negatively affected system security and makes it necessary to use third-party IT security tools. Because it is so widespread, Windows has been, and remains, the target of choice for cybercriminals of all stripes.
Each new version is researched thoroughly by thousands of blackhats in search of new moneymaking opportunities. Whitehats, for whom Windows is the main battleground in their fight against the bad guys, also explore it. Naturally, Kaspersky Lab always carries out a painstaking analysis of all changes introduced by Microsoft to the security system in order to provide its users with the best possible protection against cyberthreats. This review consists of three parts devoted to the most prominent new Windows 10 features that affect security.
These are the Microsoft Edge browser, virtualization-based security and an updated built-in anti-malware solution called Windows Defender.
All of these features have brought new capabilities to the Windows security system, but, unfortunately, they also come with some weaknesses of their own.
In this paper, we use examples to demonstrate how Windows 10 protection technologies work and how they can be complemented by third-party solutions to improve system security.
Microsoft Edge
The latest browser, Microsoft Edge, is intended to replace Internet Explorer.
It is included in Windows 10 as the default browser.
The company has worked hard to implement numerous new features, some of which are security-related. Content Security Policy was introduced to blunt cross-site scripting attacks, and HTTP Strict Transport Security to keep connections from being downgraded from HTTPS to plain HTTP.
These technologies are designed not only to lower the chances of a successful attack but, through CSP's reporting directive, also to notify the web service's owner about the attempt to carry it out. Microsoft has also come up with ways to protect Edge against exploits, which were the curse of Internet Explorer. Now, by running page content in sandboxed container processes separate from the browser's main process, exploiting vulnerabilities has been made much more difficult.
Finally, integration with SmartScreen should prevent users from visiting sites with malicious content. In addition to supporting new technologies, the security of Edge has been enhanced by retiring vulnerable old ones.
The browser no longer supports VML, BHO and ActiveX, which are used by a multitude of advertising apps and malicious browser add-ons. However, a browser’s security is determined by its ability to combat real attacks.
The majority of malicious programs designed to steal money via Internet banking work successfully with browsers such as Internet Explorer, Chrome, Firefox and Opera.
Typically these are Zeus (Zbot), the infamous Dyreza (Dyre), and the peer-to-peer bot Cridex (Dridex), all of which, despite being old, are still used by virus writers.
A typical banker implements a man-in-the-browser (MitB) attack. Most bankers pull it off by injecting their code into the browser process and intercepting the functions the browser uses for network interaction. Because those functions are implemented differently in different browsers, virus writers have to constantly modify and update their malicious software so that it works with every possible browser and version.
In November 2015, it was reported that the Dyreza Trojan had been given functionality that enabled it to attack Microsoft Edge. However, the activity of that particular botnet fell to zero soon afterwards: updates ceased to be released and the command-and-control servers were taken offline. Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine.
In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware.
[Figure: Function that identifies the browser based on the checksum of its process name]
Kronos checks the process's name, converts the string to lower case, calculates its checksum and squares it. The hash obtained in this way is checked against a table; if it is found there, the Trojan will attempt to hook the functions it needs in the browser's process. Browser process names known to the Trojan:

Process name          Checksum
iexplore.exe          0x64302d39
chrome.exe            0x05d66cc4
firefox.exe           0x39ace100
opera.exe             0x9420a4a1
microsoftedge.exe     0x9b6d5990
microsoftedgecp.exe   0x949b93d9

In order to perform the malicious operations that make money for its owners, Kronos hooks the functions that create and send HTTP requests in the Wininet library. List of wininet.dll functions hooked:

API function          Hash
HttpOpenRequestA      Y7D4D7E3T2T2A4U3
HttpQueryInfoA        C8C0U1A2G4G5Y2B5
HttpSendRequestA      Y4U1P2F2G7T2A4U3
InternetCloseHandle   A7S3H3X3D5Y7T7F7
InternetConnectA      H0S6D5Q7E8P3P6U5
InternetCrackUrlA     E6F2A3S8Y4C7D5A5
InternetOpenA         B7P8P7T4E3U2H5A5
InternetQueryOptionA  C1Y0B7E2B0P2P3T7
InternetReadFile      D6X2S6E3Q3C5B5X2
InternetSetOptionA    X3Y6Q2T7Q5Q2A5X6

Kronos hooks these functions by splicing: it overwrites the first bytes of each function with a JMP (unconditional jump) instruction to its own handler. Since the malicious code injected into the browser is loaded as shellcode rather than as a DLL, the mitigation policy enabled in the browser, which governs which DLL images may be loaded into the process, does nothing to stop it from executing.
[Figure: InternetReadFile function hook in MicrosoftEdgeCP.exe]
[Figure: Handler for the hooked function]
Successfully hooking these functions enables the Trojan to inject data into web pages. It also enables Kronos to get information about the user, the user's credentials and bank account balance, to redirect the user to phishing sites, or to add entry fields to the bank's legitimate page (enabling the malware to find out the user's answer to the secret question, credit card number, date of birth or phone number).
[Figure: Web injection on a bank's page]
Note that Kronos can only attack Edge on the 32-bit version of Windows 10.
But this is not a fundamental constraint – there are now bankers that work with the 64-bit version of Edge, as well. In the beginning of the year, a new modification of the infamous Gozi banker appeared.
Among other things, it was designed to carry out an MiTB attack against Edge under a 64-bit version of Windows 10.
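Kronos overwrites the first bytes of each hooked wininet export with a JMP; Gozi, described next, leaves the code alone and instead rewrites the importing module's IAT and wininet's export-table entries. Both leave the same kind of inconsistency between wininet.dll on disk and the copy inside the browser process, which is what a memory-forensics check looks for. The following Python is an added example, not code from the paper or from Kaspersky Lab: it checks one DLL's exports for both techniques against constructed memory and address tables (the base address, export set, prologue bytes and shellcode addresses are all assumptions), and it goes slightly beyond the text by also recognizing the push/ret and mov/jmp splice variants. A real scanner would obtain clean_exports by parsing the file on disk and everything else with ReadProcessMemory.

```python
import struct

# Constructed 32-bit layout (an assumption for this example, not taken from the
# paper): wininet.dll is mapped at this base in the browser process.
WININET_BASE = 0x74A00000
WININET_SIZE = 0x00300000


def decode_hook_target(code, addr, bits=32):
    """If the bytes at `addr` begin with a control transfer typical of an inline
    hook, return the transfer target; otherwise return None."""
    mask = (1 << bits) - 1
    if len(code) >= 5 and code[0] == 0xE9:                                  # JMP rel32 (Kronos-style splice)
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & mask
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:              # PUSH imm32; RET
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":     # MOV EAX, imm32; JMP EAX
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # MOV RAX, imm64; JMP RAX
        return struct.unpack_from("<Q", code, 2)[0]
    return None


def in_module(addr, base, size):
    return base <= addr < base + size


def scan_module(clean_exports, live_exports, iat, read, base=WININET_BASE, size=WININET_SIZE, bits=32):
    """Compare three views of one DLL and report anything that does not agree.

    clean_exports: {api: address} from the on-disk export directory, rebased to `base`.
    live_exports:  {api: address} read from the export directory in process memory.
    iat:           {api: slot value} from the importing module (the browser) in memory.
    read(addr, n): returns n bytes of process memory.
    Returns [(api, technique, target), ...] in export order."""
    findings = []
    for api, expected in clean_exports.items():
        # Gozi-style substitution of the function address in the export table
        if live_exports.get(api) != expected:
            findings.append((api, "export-table", live_exports.get(api)))
        # Gozi-style substitution of the IAT pointer in the importing module
        if api in iat and iat[api] != expected:
            findings.append((api, "iat", iat[api]))
        # Kronos-style splice at the real entry point; only transfers that leave
        # the module are flagged, since a JMP within wininet is ordinary code.
        target = decode_hook_target(read(expected, 16), expected, bits)
        if target is not None and not in_module(target, base, size):
            findings.append((api, "inline-splice", target))
    return findings


# Constructed sample: three exports, two spliced in memory, one redirected via EAT and IAT.
CLEAN_EXPORTS = {
    "HttpSendRequestA": 0x74A12340,
    "InternetReadFile": 0x74A15670,
    "InternetOpenA":    0x74A10100,
}
# Export directory as seen in memory: HttpSendRequestA now resolves into injected code.
LIVE_EXPORTS = dict(CLEAN_EXPORTS, HttpSendRequestA=0x00407000)
# The browser's IAT, where the same slot was overwritten.
BROWSER_IAT = {"HttpSendRequestA": 0x00407000, "InternetReadFile": 0x74A15670, "InternetOpenA": 0x74A10100}


def build_sample_memory():
    """Constructed process memory: the first 16 bytes of each export."""
    mem = {}
    # HttpSendRequestA keeps the usual Win32 hot-patch prologue: mov edi,edi; push ebp; mov ebp,esp
    mem[0x74A12340] = b"\x8B\xFF\x55\x8B\xEC" + b"\x90" * 11
    # InternetReadFile: JMP rel32 into unbacked shellcode memory at 0x00405000
    splice_from = 0x74A15670
    mem[splice_from] = b"\xE9" + struct.pack("<i", 0x00405000 - (splice_from + 5)) + b"\x90" * 11
    # InternetOpenA: MOV EAX, 0x00406000; JMP EAX
    mem[0x74A10100] = b"\xB8" + struct.pack("<I", 0x00406000) + b"\xFF\xE0" + b"\x90" * 9
    return mem


def make_reader(mem):
    def read(addr, n):
        return mem[addr][:n]
    return read


def run_demo():
    return scan_module(CLEAN_EXPORTS, LIVE_EXPORTS, BROWSER_IAT, make_reader(build_sample_memory()))


if __name__ == "__main__":
    for api, technique, target in run_demo():
        print(f"{api:18s} {technique:14s} -> {target:#010x}")
```

Two caveats when running this against a live process: Microsoft's own hot-patching and most AV/EDR products also splice exports, so a transfer that leaves wininet is only suspicious once its target has been resolved against the loaded-module list; the high-signal case is the one the paper describes, a target in memory that no module backs, because the Kronos handler arrives as shellcode. And because Gozi rewrites the export table in memory, the trusted reference for both the EAT and IAT comparisons has to come from the file on disk, never from the live export directory.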
The Trojan injects its code into the RuntimeBroker.exe process, launches the browser on behalf of that process and injects its code into the browser's own processes.
[Figure: Part of the function that checks process names for injection]
As in the case of Kronos, the injected code hooks the functions that create and send HTTP requests. However, instead of splicing, it substitutes pointers in the Import Address Table (IAT) of the importing module, as well as the function addresses in wininet's Export Table, so the function bodies themselves are left intact.
[Figure: Part of the function that checks process names to set the right hooks for each browser]
[Figure: HttpSendRequestW hook set by the Gozi banker in the MS Edge browser]
Note that Windows Defender successfully blocks the current versions of Kronos and Gozi. Nevertheless, new malware and adware will emerge that is capable of using Edge for its own purposes.
Virtualization-Based Security
In the corporate version of Windows 10, Microsoft has implemented a new approach to security that is based on Microsoft Hyper-V, a hardware-assisted virtualization technology. The new paradigm, called Virtualization Based Security (VBS), rests on a whitelisting mechanism that only allows applications on the trusted-application list to execute, and on isolating the most important services and data from the other components of the operating system. VBS depends on platform and CPU features, so the technology needs the following to operate:
- Windows 10 Enterprise.
- UEFI firmware v2.3.1 or later with Secure Boot support.
- A CPU with Intel VT-x or AMD-V virtualization extensions, including second-level address translation (EPT/RVI).
- Firmware that can lock security-relevant UEFI settings and update itself securely.
- TPM (optional).
Microsoft uses the Hyper-V hypervisor as its virtualization platform.
The less code a hypervisor contains, the fewer attack vectors against it exist.
In this aspect, the compactness of Hyper-V is very beneficial for security. Unlike previous Windows versions, the hypervisor is no longer started as a kernel-mode driver; it is launched by the boot loader during the UEFI boot phase, before the Windows kernel, at an early stage of the computer's startup.
[Figure: Hyper-V initialization procedure]
In VBS, with the hypervisor active, each virtual CPU is assigned a Virtual Trust Level (VTL) attribute.
Two attributes are currently used: VTL 1 (“Secure World”) and VTL 0 (“Normal World”).
VTL 1 is more privileged than VTL 0. Secure Kernel Mode or SKM (Ring 0, VTL 1) includes a minimal kernel (SK), a Code Integrity (CI) module and an encryption module.
Isolated User Mode or IUM (Ring 3, VTL 1) includes several isolated services called Trustlets that are isolated not only from the external world but also from each other.
In “Normal World” (VTL 0) mode, the traditional kernel, kernel-mode drivers, processes and services work according to the former rules.

Figure: Diagram describing the two worlds

When the hypervisor is active, physical RAM pages and their attributes are only controlled by the secure isolated kernel (SK).
It can manipulate page attributes, blocking or allowing reading, writing or executing code on specific pages.
This makes it possible to prevent execution of untrusted code, malicious modification of trusted application code, as well as to make leaking protected data more difficult. In this architecture, the only component that controls the execution of any code in the system is the secure isolated Code Integrity (CI) module.
The kernel from “Normal World” cannot set the attributes of kernel-mode physical pages.

Credential Guard

Credential Guard is one of the main functional blocks of VBS.
It isolates secrets in such a way as to ensure that only trusted code has access to them.
This helps to withstand direct memory access (DMA) attacks, as well as pass-the-hash and pass-the-ticket attacks.

Figure: System Information. Credential Guard and HVCI

We have tested the technology, attempting to get secret data using direct memory access. We used the Mimikatz and Inception hacker tools for this. Nothing worked. These hacker tools were powerless against Credential Guard.

Figure: DMA attack using the Inception tool

Device Guard

The Device Guard technology that is part of VBS is the successor of Microsoft AppLocker.
It controls the launching and execution of all code: executable files and dynamic libraries, kernel-mode drivers and scripts (e.g., PowerShell).
This is based on a code integrity policy created by the system administrator that defines which software is regarded as trusted. The main difficulty in using Device Guard is in creating a proper policy, which can be difficult even for experienced system administrators.
Ideally, the procedure is as follows:
1. Enable the necessary Windows 10 VBS mechanisms on a test computer.
2. Prepare a master image of Windows OS.
3. Install all the necessary software.
4. Create a code integrity policy based on certain rules and leave it in audit mode for some time. During this time, software can be added or changed.
5. Watch the event log for CI events.
6. Perform any necessary policy adjustments, such as signing any software that is not signed.
7. Consolidate the original policy with the version created while the policy was in audit mode.
8. Disable audit mode in the code integrity policy, replacing it with enforced mode.
9. Distribute the prepared policy to end users.

A code integrity policy defines the conditions for executing code both in user mode (User Mode Code Integrity or UMCI) and in kernel mode (Kernel Mode Code Integrity or KMCI).
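Steps 4 through 9 of the procedure above map onto the ConfigCI cmdlets that ship with Windows 10 Enterprise. The PowerShell below is an added example, not code from the article or from Microsoft; it walks the audit-then-enforce workflow once on a prepared master image. The working directory, file names and the signer certificate path are placeholders, and the event ID, rule-option numbers and deployment path are the documented ones for Windows 10 Device Guard.

```powershell
# Added example (not the article's own code): Device Guard code integrity
# policy workflow with the ConfigCI cmdlets. Run elevated on the master image.
$work    = 'C:\CIPolicy'                       # placeholder working directory
$initial = Join-Path $work 'Initial.xml'
$audited = Join-Path $work 'FromAudit.xml'
$merged  = Join-Path $work 'Merged.xml'
$binary  = Join-Path $work 'SIPolicy.p7b'
$signer  = Join-Path $work 'PolicySigner.cer'  # placeholder: public cert of your policy-signing key
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 4: scan the installed software and generate the initial policy.
# -Level PcaCertificate trusts by issuing CA; -Fallback Hash pins files that
# are not signed by their hash; -UserPEs includes user-mode binaries (UMCI),
# not only drivers (KMCI).
New-CIPolicy -FilePath $initial -Level PcaCertificate -Fallback Hash -UserPEs -ScanPath 'C:\'

# Rule option 3 = "Enabled:Audit Mode": violations are logged, not blocked.
Set-RuleOption -FilePath $initial -Option 3
ConvertFrom-CIPolicy -XmlFilePath $initial -BinaryFilePath $binary
# Copy $binary to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b on the test
# machine and reboot; then use (and add/update) software normally for a while.

# Step 5: watch the CI log. Event 3076 = "would have been blocked" (audit mode);
# 3077 = actually blocked (enforced mode). The message names the file.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -MaxEvents 50 |
    Select-Object TimeCreated, Message

# Step 6 is manual: sign the unsigned software the events point at, or accept
# the per-file hash rules that -Fallback Hash generates for it.

# Step 7: build a policy from what the audit log recorded and merge it with
# the initial one.
New-CIPolicy -FilePath $audited -Audit -Level PcaCertificate -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths $initial, $audited -OutputFilePath $merged

# Step 8: leave audit mode (delete option 3). To require that any replacement
# policy carry our signature, add an update signer rule and delete option 6
# ("Enabled:Unsigned System Integrity Policy").
Set-RuleOption -FilePath $merged -Option 3 -Delete
Set-RuleOption -FilePath $merged -Option 6 -Delete
Add-SignerRule -FilePath $merged -CertificatePath $signer -Kernel -User -Update
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary
# Sign $binary with signtool.exe using the private key behind $signer before
# distributing it (step 9): once option 6 is gone, an unsigned policy is rejected.
```

Keep the private key of the signing certificate offline and backed up: as the article notes below, losing it means no further policy can be installed on machines that already enforce the signed one, and that lock-out is by design.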
Secure loading of the Windows kernel itself is provided by the Secure Boot technology.
The integrity policy needs to be maintained and updated based on the software requirements in place at a specific organization. In addition to the integrity policy, there are other restrictions on executing code.
A physical memory page gets the “executable” attribute only if the certificate is validated.
Additionally, a kernel-mode page cannot have “writable” and “executable” attributes at the same time (the W^X restriction), which prevents most exploits and hooks from working in kernel mode.
In the event of an attempt to modify the contents of a kernel mode page that has “readable” and “executable” attributes, this will lead to an exception.
If it is not handled, Windows will stop and display a BSOD. As a result, it is impossible to execute unsigned drivers, applications, dynamic libraries, UEFI modules and some script types when the hypervisor and all the security options, such as Secure Boot, TPM, IOMMU, and SLAT are active.
Depending on settings, code that is signed but not trusted can also be blocked from being executed. To protect the policy from unauthorized changes or substitution, Microsoft suggests that it should be signed using a certificate generated by the administrator.
To remove a policy or change settings, another policy signed with the same certificate is required.
If an attempt is made to remove a policy or ‘plant’ an unsigned policy, the operating system will not start.

Still, Device Guard is not perfect.
Increased protection comes at a price – in the form of performance degradation.
This is unavoidable due to the presence of a hypervisor.
The convoluted process of creating, configuring and maintaining a code integrity policy can be considered a weakness of the technology.
The options used by the policy are scattered across the operating system and cannot be managed through a single control panel.
As a result, it is easy to make a mistake, leading to weaker protection. Since Secure Boot plays a key role in this technology, the level of protection very much depends on the quality of UEFI code, which is developed by a third party over which Microsoft has no control. Finally, the absence of protection against exploits in user mode is disappointing.

Testing VBS

If malicious code makes its way onto a computer with VBS by taking advantage of a vulnerability, it will have to elevate its privileges to kernel mode to be able to attack the hypervisor, the “Secure World” or UEFI. We tried to do this using a signed and trusted kernel mode driver. Kernel mode penetration testing results:

Test                                   Result
W+X PE section .INIT                   + (by design)
W^X PE section .INIT                   + (as is)
W+X PE section                         + (no start)
Allocate MEM, execute                  + (BSOD)
R PE section, write, execute           + (BSOD)
Allocate NP/P MEM, hack PTE manually   + (BSOD)
R+X section, remove WP in CR0          + (BSOD)
Stack code execution                   + (BSOD)
Allocate MEM, hack MDL manually        + (BSOD)

None of the attack methods that we tried was successful.
Attacks based on changing Control Registers (CR0-CR8, EFER etc.) and Model-Specific Registers (MSR) did not work either – they all invariably ended in a Privileged Instruction exception (0xC0000096). We also carried out some tests in user mode, trying to circumvent a code integrity policy in enforced mode.
The objective was to execute an unsigned application or load an unsigned dynamic library into a trusted process. We were unable to do this directly, but we found a curious error in the Windows 10 preview release (10154). The error lies in the fact that, although Device Guard checks whether an application, driver or library is signed, it does not verify that the signature is valid for the application signed with it.
This makes it possible to extract a valid signature from any trusted application and insert it into any untrusted application – after this the system will consider the application to be trusted.
So, by inserting a signature from another application, we were able to execute an untrusted application and to load an untrusted dynamic library. We immediately reported the error to Microsoft and it was fixed within a few days. Windows 10 RTM (10240) does not include that error.

We also discovered a denial-of-service error that makes it possible to crash the system and cause a BSOD for the hypervisor from user space with just one assembler instruction. A fix for this error was included in Windows 10 TH2 (10586).

Figure: The hypervisor’s BSOD

Overall, Microsoft has done a great job in developing new security mechanisms. However, as in previous versions, there are still opportunities for attacks via the firmware.
Another problem is that the system administrator needs to be highly qualified to configure protection properly.
In the event of faulty configuration or loss of the private certificate, all protection becomes useless.
In addition, there is no protection against user-mode vulnerabilities.
It is also important to keep in mind that VBS is only available to users of the corporate Windows 10 version. We have notified Microsoft of all the vulnerabilities discovered during testing.

Built-in Anti-Malware Protection in Windows

Let’s have a look at the Windows component that protects the system against malware in real time.
It is enabled by default and, for users who do not install third-party anti-malware solutions, it is the main Windows IT security tool. The principal purpose of built-in protection is to prevent the installation and execution of malware.
It scans files and active processes in real time, identifying those that are malicious by checking them against a regularly updated signature database.
In most cases, this protection is sufficient. However, if you are an active Internet user and often perform critically important operations on your computer – such as managing your bank accounts via online banking – you need multi-tier protection.
Even the best anti-malware solution can miss new, as yet unknown malware.
In this case, only additional layers of protection can save the day by preventing a Trojan from carrying out malicious activity in the system. We did some research and found a few real-life examples demonstrating that built-in protection may not be sufficient.

Keystroke Interception

Some banker Trojans intercept data entered on the keyboard to steal the user’s online banking credentials.
Examples of such malware include Qadars, Zbot and Cridex. Many anti-malware solutions, including Kaspersky Internet Security, have a component that detects and blocks attempts by programs to intercept the sequence of keypresses.
In some cases, this can be enough to prevent criminals from making money at the victim’s expense, even if they have managed to infect the computer. We tested the response of built-in protection to keystroke logging with the help of a test application that uses the GetAsyncKeyState WinAPI function (this method is similar to the one used in the latest MRG testing). We were able to intercept the user’s login and password for a PayPal account with Windows Defender enabled.

Figure: Logging the user credentials while entering a PayPal account

Unauthorized Web Camera Access

In the next test, we tried to gain unauthorized access to the web camera.
This functionality has been increasingly used in Trojans and other hacker tools in the past years.
The fact that a surveillance module using the web camera is included in the AdWind Trojan is a telling example of the popularity of this functionality among cybercriminals. Monitoring victims using their own web cameras can provide a wealth of information about them, which can later be used to make money illegally – for example, by blackmailing a victim with intimate videos. Some anti-malware solutions can control application access to the camera.
In real life, there are practically no situations in which a legitimate application could need to use the camera without notifying the user, which is why providing such notifications is a convenient and widely accepted practice.
The user can decide in each specific case whether the application really needs to use the camera or whether this is suspicious activity that should be blocked. Our test application used a publicly available library called OpenCV (which is what the Rover Trojan does, to give one example).
A simple Python script captured video from the web camera and displayed it in a separate window.
This means that an application was able to intercept video from the web camera on a Windows 10 machine with protection enabled, without the user being notified of this in any way.

Figure: Capturing the screen with a script

Control of Drive-By Downloads

Another problem that is among the most serious issues faced by Windows users is the numerous exploits that can be used to infect the system via vulnerabilities in various applications. We tested the built-in protection with one of the latest exploits for the CVE-2016-1019 vulnerability in Adobe Flash Player. The exploit’s file is an SWF object compressed using the ZLIB algorithm.

Figure: The flash exploit

In this form, the file is recognized by Windows Defender and quarantined.

Figure: Successful detection of a packed exploit

However, if the file is decompressed into the original SWF, the security system will miss it. Moreover, a compressed file that was detected on the hard drive is downloaded from websites in drive-by attacks and successfully executed from the browser’s context. If a vulnerable version of Adobe Flash Player is installed in the system, an infection can occur, because Windows Defender does not include a drive-by download control component.

Figure: Successful download of a Flash exploit that was previously detected on the hard drive

In addition, we want to mention that Microsoft Windows has an embedded component, SmartScreen, which can successfully stop drive-by attacks using reputation-based analysis. In some cases, however, especially in targeted attacks, heuristic content analysis is needed to detect the exploitation process. We used this test case, which the SmartScreen component does not cover, to show that if threat actors combine a Flash exploit with techniques that bypass Edge’s security mechanisms, the user could be infected.
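The gap just described (the zlib-compressed exploit is caught, its decompressed twin is not) is what happens when a detector matches the container bytes rather than the content. The PowerShell below is an added example, not code from the article: it unwraps a zlib-compressed SWF ("CWS" signature) into the plain "FWS" form so that one content pattern matches whichever form arrives, and demonstrates this on a constructed sample. The sample body, the marker string and the helper names are invented for the demo; the file is not an exploit, just a syntactically plausible SWF header with filler bytes.

```powershell
# Added example (not from the article): normalize SWF containers before
# pattern matching. SWF layout: 3-byte signature ("FWS" plain, "CWS" zlib,
# "ZWS" LZMA), 1 version byte, 4-byte LE uncompressed total length, body.
# In a CWS file only the body (offset 8 onward) is zlib-compressed.

function ConvertTo-UncompressedSwf {
    param([byte[]]$Swf)
    if ($Swf.Length -lt 8) { throw 'Too short to be an SWF' }
    $sig = [System.Text.Encoding]::ASCII.GetString($Swf, 0, 3)
    if ($sig -eq 'FWS') { return ,$Swf }                       # already plain
    if ($sig -eq 'ZWS') { throw 'LZMA (ZWS) container not handled in this demo' }
    if ($sig -ne 'CWS') { throw 'Not an SWF container' }
    $expectedLen = [BitConverter]::ToUInt32($Swf, 4)
    # Skip the 8-byte header and the 2-byte zlib CMF/FLG header: DeflateStream
    # consumes raw deflate data and stops before the Adler-32 trailer.
    $inStream = New-Object System.IO.MemoryStream(,$Swf)
    $null = $inStream.Seek(10, [System.IO.SeekOrigin]::Begin)
    $inflate = New-Object System.IO.Compression.DeflateStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $outStream = New-Object System.IO.MemoryStream
    $inflate.CopyTo($outStream); $inflate.Dispose()
    $body = $outStream.ToArray()
    if (8 + $body.Length -ne $expectedLen) { throw "Length mismatch: header says $expectedLen, got $(8 + $body.Length)" }
    $plain = New-Object byte[] $expectedLen
    [Array]::Copy($Swf, 0, $plain, 0, 8)
    $plain[0] = [byte][char]'F'                                # CWS -> FWS
    [Array]::Copy($body, 0, $plain, 8, $body.Length)
    return ,$plain
}

# Demo-only helper: wrap a plain SWF into a CWS container (zlib = 2-byte
# header + raw deflate + big-endian Adler-32 of the uncompressed body).
function ConvertTo-CompressedSwf {
    param([byte[]]$Swf)
    $body = [byte[]]$Swf[8..($Swf.Length - 1)]
    $ms = New-Object System.IO.MemoryStream
    $deflate = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $deflate.Write($body, 0, $body.Length); $deflate.Dispose()
    $a = 1; $b = 0
    foreach ($byte in $body) { $a = ($a + $byte) % 65521; $b = ($b + $a) % 65521 }
    $adler = [BitConverter]::GetBytes([uint32]($b * 65536 + $a)); [Array]::Reverse($adler)
    $out = [System.Text.Encoding]::ASCII.GetBytes('CWS') + $Swf[3] + $Swf[4..7] + [byte[]](0x78, 0x9C) + $ms.ToArray() + $adler
    return ,[byte[]]$out
}

# Naive byte-pattern search (stand-in for a content signature).
function Find-BytePattern {
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $i }
    }
    return -1
}

# Constructed sample: FWS header, version 10, filler body, and a marker that
# plays the role of the content a signature would look for.
$marker   = [System.Text.Encoding]::ASCII.GetBytes('CONSTRUCTED-MARKER')
$body     = [byte[]](0x78,0x00,0x05,0x5F,0x00,0x00,0x0F,0xA0,0x00,0x00,0x0C,0x01,0x00) + $marker
$plainSwf = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('FWS') + [byte]10 + [BitConverter]::GetBytes([uint32](8 + $body.Length)) + $body)
$cws      = ConvertTo-CompressedSwf $plainSwf

[ordered]@{
    'plain FWS, raw scan'        = (Find-BytePattern $plainSwf $marker) -ge 0   # True
    'compressed CWS, raw scan'   = (Find-BytePattern $cws $marker) -ge 0        # False: deflate output is not byte-aligned
    'compressed CWS, normalized' = (Find-BytePattern (ConvertTo-UncompressedSwf $cws) $marker) -ge 0   # True
}
```

The practical lesson is the one the test above illustrates from the other direction: a signature must be applied to a canonical form of the object (here the plain FWS body), and ideally to the stream the browser actually hands to the plug-in, otherwise a trivial repack or unpack changes the verdict without changing the behaviour.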
To date, we have not registered the use of such bypass techniques.

Conclusion

Today, a multi-tier approach is required to provide reliable protection for user systems, combining standard detection methods (signature-based analysis, behavioral analysis, etc.) with additional modules designed to detect attack techniques commonly used by cybercriminals. As our brief review has demonstrated, in some cases the IT security technologies built into Windows 10 are not sufficient for full-scale protection against malicious attacks.
As in previous Windows versions, all possible attack vectors should be blocked using dedicated Internet Security class security solutions.