Next Generation Antivirus (NGAV)
We spent a great deal of time in late 2017 reviewing NGAV products on the market. All of the testing was done using demo environments, directly from the vendor. Namely: Cylance, SentinelOne, Barkly, and BitDefender. The research was conducted to keep updated on the underlying technologies powering NGAV. As you might expect, a good deal of time was spent running Malware, and tampering with the AV processes themselves. We tested the features and functionality of the cloud consoles and any notable impacts on system performance. It is highly recommended that you perform your own testing, and using other resources than what the vendor provides, in terms of malware samples.
*** Update 8/5/2017 – Check out our review of Panda Adaptive Defense 360.
Highlights of the testing, and outcomes
BitDefender – Best all around Endpoint platform with NGAV functionality. The GravityZone product has HyperDetect (Pre-execution protection), Sandbox Analysis based on Exploits, Ransomware, and Grayware. Full Disk Encryption (FDE) as well. Best feature set for managing endpoints. Performance on machines is not impacted by scans or processes. Very hard to tamper within memory, or by attacking it’s program files. Web Filtering is effective, and often they were the only vendor on Virustotal blocking phishing pages. Overall stability is great, and configuration ability on the console is very good for putting machines in containers and controlling active modules. Be on the lookout for BitDefender rolling out EDR, Hyperdetect, Sandboxing, and other new competitive features.
Unable to recommend products based on testing 7/2017
Barkly is heavily marketed in searches for NGAV on Google. The console is basic, very v1.0, as well as the product. A new entrant, sees themselves as a complement to existing AV, not a full endpoint replacement. No web protection, device control, or any of the traditional endpoint features found in cloud products.
The product we had the most feedback on was missing key features, and controls. Barkly, based on features, and a bit of manual testing on live machines. There are no policies, or settings for aggressiveness of the engine, IDS or other features of the product. It runs on a single setting for all users, no configurable containers.
Product bypass mode needs to completely turn down the engine, and/or processes – Bypass mode in Barkly seemed to leave protections up, at least to some extent. We had bypassed all of them, but continued to see a performance issue on the machines, and/or blocking being activated. Bypass should mean completely off, otherwise, it’s not useful for troubleshooting purposes.
Protect the AVs files from being altered, or tampered with by unauthorized 3rd party applications. When killing the some NGAV’s processes in memory from Task Manager or from another process, it succeeds and never restarts. Found that when I do kill the process, my machine nearly locks up while Node.js and brpe.exe ramp up the CPU from a low percentage to as high as they can consume, it even skips my Spotify into a trance-like remix, after about 1-2 minutes my computer is usable again. BitDefender AV, for example, will not let me stop a service, and if I try to kill it in memory or Task Manager, nothing happens where the program has a watchdog + active memory suppression to halt the request and protect itself. This goes beyond a watchdog, which if it takes too long, you can slip in a malicious execution before it restarts a process.
Level of reporting for incidents, not good for IR. What was the exact command-line? I need to know what triggered the cmd.exe process, like if it was a system process, browser, or maybe our RMM tool that we use for maintenance. If fsutil was used, what parameters were passed to it? I have no idea what parameters were sent to cmd.exe, so how can I determine if it’s malicious?
Exclusions in Barkly have to occur, before being ignored and there needs to be a way to do it upfront, globally, and perhaps by isolating users into an assignable policy. Having the app blocked, then the ability to add it is somewhat backward from the common approach. In the Barkly product, we had to see an alert first, then we could exclude it. There was no way to do it ahead of time. Also, if there was a detection for cmd.exe with the command line, the app would completely exclude cmd.exe, but not the process that triggered it, etc. It was worrisome for things like PowerShell.exe.
Notification silent mode – Control of notifications to end-users, endpoint Issues. System tray bar is large, and on the cusp of advertising. We like to receive the alerts, and triage them, then decide if it’s a true positive for IR capability. BitDefender lets you fine-tune alerts, and completely turn them off. Barkly had posted a banner by the clock that was ~5 inches wide, ~3inches tall, with a big bear (from its logo) alerting the user it took action. No way to turn it down.
Remote uninstall capability from the dashboard , especially since bypass mode seems to keep its monitoring capability. It would be ideal if turning off protection, fully turned it down from working in memory. There will always be a small chance (in my mind) that it could continue impacting the performance of an endpoint. In this case, I like the ability to trigger an uninstall remotely, instead of manually removing it by taking over the user’s screen.
Uninstall password for protection of removal from local admins/malicious software. I don’t want users to accidentally, or intentionally remove the software. I was able to use scripts to simply uninstall some products, which seemed a bit trivial for defeating them. There should be at a minimum ability to restrict it to non-silent installs only or place a password/code for removal.
Barkly NGAV bluescreened my machine uninstalling it from Windows 10. I wasn’t able to remove it using appwiz.cpl, had to do it manually with Revo Uninstaller. I submitted all of the relevant data with the crash but never heard back about how to remove the software, or if it was fixed.
Didn’t test fully, or wasn’t offered a workable cloud/model:
Cylance never responded to inquiries on the website for both a customer and MSP program. I finally spoke with them about 8 months after filling out the website for more information.
SentinelOne has a large minimum deal size, and I could only get access via a Channel Partner CARVIR. They don’t have a multi-tenant cloud console, and so all of the installs are done blindly, sorted by the channel partner. They ask you to let them know when you’ll be deploying, and they’ll put your customers in containers. No console, you have to have them configure all of the policies for you.