Under Scrutiny: Endpoint Security Solutions

Jun 21, 2017

Evaluation, in the endpoint security domain, has been undergoing rapid changes these past few years. In endpoint security solutions, evaluation has two main differentiators: detection rate and false positives. In most of the cases, the measurement of the detection rate test relies mostly on known malware that can be easily retrieved from public or private repositories.

Endpoint security solutions are progressively improving the accuracy of their detection rates, mainly on known malware, based on a wide range of capabilities: blacklists of hashes, signatures, heuristics, machine learning-based models and nowadays, also with deep learning-based models that scan files (statically) or look at the behavior of the processes or the machine (dynamically).

Having those capabilities in place raises, of course, the option that endpoint security solutions will perform well on such datasets from the wild; it is enough to sign them all and consequently, reach 100% detection.

Two points are important: the first is that the new malware, which can be signed easily and rapidly, was actually unknown prior to the publication. Therefore, if an endpoint security solution fails on this malware, it fails both on known and unknown. Surprisingly, during tests, we see that some of the most common solutions are failing easily on new threats.

The second point is that next-generation endpoint security solutions are targeted to detect unknown malware, which other non-next-generation solutions, might fail detection. Therefore, the test case should be different when testing next-generation solutions by using real unknown malware where there is a smaller chance for them to be signed by any means.

The main methods for delivering new malware variants are very varied, starting from hash modifications, packing with known packers or by FUD, encryption, polymorphism, metamorphism, or by rewriting some of the malware code.

Read more about the main methods for delivering new malware variants, and how we recommend to evaluate endpoint security solutions in our new white paper.

New Call-to-action