Anti-Tampering Certification Test
AV-Comparatives has published the results of the Anti-Tampering Certification Test on its website, complete with detailed information about the methodology and criteria used in the evaluation. Each year, AV-Comparatives offers a focus test, allowing vendors to apply for certification. This year, the emphasis was on “Defense Evasion” (Anti-Tampering). Both vendors and customers are encouraged to review the results and use them to make informed decisions regarding cybersecurity solutions.
https://www.av-comparatives.org/news/anti-tampering-certification-test/
After compromising a system within the targeted network, attackers often must contend with endpoint security products such as traditional antivirus or next-generation antivirus and endpoint detection and response (EDR) products. EDR products can be particularly problematic for tactics, techniques, and procedures (TTPs) such as credential dumping and lateral movement. Even if an attacker has already gained privileged user access (e.g., local admin), most endpoint security products can still pose significant challenges. As a result, attackers will attempt to disable or modify tools and remove key capabilities from endpoint security products to permanently avoid the risk of prevention or detection.
The AV-Comparatives Anti-Tampering Certification Test plays a vital role in the fight against tampering, ensuring that products can be trusted by consumers and are not compromised by malicious software. This certification also allows vendors to differentiate themselves by demonstrating that their products are tamper-proof to the extent tested.
This evaluation includes techniques to disable or modify user space and/or kernel space components of a product by attempting to tamper with, disable, or modify processes, threads, services, DLLs, agents, file systems, kernel drivers, and other components such as update services.
Methodology
In this test, we focus on evaluating whether it is possible to disable or modify AV/EPP/EDR components or capabilities through tampering. By penetrating the product, we attempt to disable or modify its components. All tampering activities were performed in the Windows user space as a high integrity or system integrity privileged user. We didn’t attempt to gain write access to the Windows kernel, but we did attempt to tamper with components in the kernel while remaining in user space (e.g., file system). We didn’t perform any tampering activities in an unprivileged user context (low or medium integrity) as we were interested in evaluating anti-tampering properties, not finding exploits. If it were possible to disable key functionality from an AV/EPP/EDR as an unprivileged user, this would be considered an exploit.
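The following PowerShell script is an added example and is not part of AV-Comparatives' test harness or any vendor's product. It takes the defender's side of the methodology above: it checks the tamper-sensitive components the test targets (user-space services, a kernel driver and its on-disk file) and correlates Service Control Manager events that record the kind of state changes a tampering attempt leaves behind. Every component name in it is a hypothetical placeholder; substitute the service and driver names your vendor documents, and run it from an elevated prompt.

```powershell
# Added example (not AV-Comparatives' or any vendor's code): a defender-side
# self-check of an endpoint agent's tamper-sensitive components. Run elevated.
# All component names below are HYPOTHETICAL placeholders.
$Watched = @{
    Services      = @('ExampleEdrAgent', 'ExampleEdrUpdater')  # placeholder user-space services
    Drivers       = @('ExampleEdrFilter')                       # placeholder kernel driver
    LookbackHours = 24
}

function Get-ServiceTamperState {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue
        # A protection service should exist, be running and be set to auto-start;
        # anything else is a tamper indicator until a change record explains it.
        [pscustomobject]@{
            Component  = $n
            Kind       = 'Service'
            Present    = [bool]$svc
            State      = if ($svc) { $svc.State } else { 'Missing' }
            StartMode  = if ($svc) { $svc.StartMode } else { 'n/a' }
            FileOnDisk = 'n/a'
            Suspicious = -not ($svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
        }
    }
}

function Get-DriverTamperState {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$n'" -ErrorAction SilentlyContinue
        # Tampering "via the file system" typically removes or renames the .sys
        # file so the driver fails on next boot, so the on-disk file is checked too.
        $onDisk = if ($drv) { Test-Path -LiteralPath $drv.PathName } else { $false }
        [pscustomobject]@{
            Component  = $n
            Kind       = 'Driver'
            Present    = [bool]$drv
            State      = if ($drv) { $drv.State } else { 'Missing' }
            StartMode  = if ($drv) { $drv.StartMode } else { 'n/a' }
            FileOnDisk = $onDisk
            Suspicious = -not ($drv -and $drv.State -eq 'Running' -and $onDisk)
        }
    }
}

# Service Control Manager records the state changes tampering would cause:
# 7036 = service entered a new state (e.g. stopped), 7040 = start type changed
# (e.g. auto -> disabled), 7045 = a new service was installed.
function Get-RecentScmEvents {
    param([string[]]$ServiceNames, [int]$Hours)
    # 7036/7040 messages refer to the service by DISPLAY name, so match on both.
    $patterns = foreach ($n in $ServiceNames) {
        $n
        (Get-CimInstance Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue).DisplayName
    }
    $patterns = $patterns | Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    if (-not $patterns) { return }
    $rx = $patterns -join '|'
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040, 7045
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $rx } |
        Select-Object TimeCreated, Id, Message
}

$report = @(Get-ServiceTamperState -Names $Watched.Services) +
          @(Get-DriverTamperState  -Names $Watched.Drivers)
$report | Format-Table Component, Kind, Present, State, StartMode, FileOnDisk, Suspicious -AutoSize

$events = Get-RecentScmEvents -ServiceNames $Watched.Services -Hours $Watched.LookbackHours
if ($events) { $events | Format-Table -Wrap -AutoSize }
else { "No SCM state-change events for watched services in the last $($Watched.LookbackHours)h." }

# A non-zero exit code lets a scheduled task or monitoring agent alert on the result.
if ($report.Suspicious -contains $true) { exit 1 } else { exit 0 }
```

The script only observes state; it does not attempt to restore anything, because a product that genuinely resists tampering should be doing that itself, and a silent self-heal would hide exactly the signal an investigator needs. It is also deliberately run from the same high-integrity context the test describes: a check that an attacker with local admin can simply stop is still useful as a detective control when its results are shipped off-host.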
Certified Products
AV-Comparatives’ Anti-Tampering Certification Test is an independent test that certifies products against tampering, which is a critical component of security. The results of this certification are published on our website and are available to the public. Certification reports are only published for vendors that have achieved certification.
Out of several products tested, only four passed the evaluation successfully:
- CrowdStrike Falcon Enterprise
- ESET PROTECT Entry
- Kaspersky Endpoint Security for Business
- Palo Alto Networks Cortex XDR Prevent
Non-certified vendors received feedback describing how their products were successfully tampered with, so that they can improve them. AV-Comparatives works closely with non-certified vendors to address the issues identified during testing.