Panda Antivirus Adaptive Defense 360
We recently tested Panda Antivirus Adaptive Defense as a continuation of a previous review of NGAV products. Does Panda live up to its claims? Is it the future of Antivirus? It has its ups and downs, but overall I think the issues we experienced can be fixed. It’s headed in the right direction, and overall the interface is designed well for a modern protection platform.
Panda’s current version is 7.x and the product is Adaptive Defense 360. From the marketing on the website, you get the feeling that it’s not your average ‘Panda’ but that it’s next-generation, sexy, and ready to eradicate even the most virulent samples.
During the test, I exchanged 178 emails with the vendor over a period of fewer than 90 days. I’ve learned a great deal through direct experience of its stability and effectiveness. It’s been my experience that you’d better test the heck out of these products. Not only with detection but the basic administration features as well. There can be bugs lurking that may not impact you on the security side but potentially impair your ability to control and manage endpoints. I went ahead and dug in using my basic Dell models and hoped for the best. Keep in mind that the things I don’t ‘like’ are bugs that can be resolved – not necessarily fatal issues. Here’s my evaluation…
*** Update 8/13 – Panda is aware of this blog and actively working to fix any of the issues I found. They’ve allocated folks from Product Management, Engineering and other teams to help improve response.
A few things to note:
1. My blog recommends products on occasion but has nothing for sale
2. Bugs like to come out when I’m around, so be careful if I sign up for a demo
3. I don’t drink the kool-aid so I look forward to lifting the marketing curtain
Machines Tested:
Dell Latitude E6440, E5470, E5480
Dell XPS 8390 (Desktop)
Dell Inspiron (7000 Series)
Windows 7 and Windows 10
Things we liked:
- Support is light speed and much more responsive than BitDefender. We received prompt responses and consistent service from all of the techs. They responded appropriately to our concerns. Many times it was just a matter of reproducing the issues and gathering the right data. Panda can trigger a ‘PSINFO’ tool to gather support data without you having to send any technical information to support. In comparison, I’ve waited days and days for BitDefender support to reply. Even when they do, it’s not with any urgency. If you call, there is typically no way to speak to anyone live at BitDefender until they call you back. Panda was easy to reach by phone and often called me when I was available before the afternoon.
- Panda recently implemented anti-tampering. I’ve been advocating for this across a number of products. In Barkly, I could simply stop any of the AV processes, execute malcode and start them again. Panda protected its services even in the services.msc snap-in.
- The EDR function traced the source of execution back to a file on many virus samples we tested. We’d get an alert within 0-15 minutes that showed which process executed a particular piece of code and where it connected to. Very useful, and it’s focused on the context of that execution. I liked this better than the fancy tree in other EDR products. It’s better to be able to alert on this in an e-mail format without needing to access the console.
- Deployment tools were adequate in that there were no major issues with installing, uninstalling or deploying the files. Minimal interruption or notices to the machine when pushing it down with a script. Removal from the console happens in under 15 minutes on most machines.
- Panda’s support is phenomenal despite the many bugs we hit on the particular platform we had available to test. They responded quickly. During our support case they offered access to an early release version of Panda AD360 8.x as a way to get past known issues on v7.
Issues we worked with support on:
- Crashing/Bluescreens – Panda caused many bug checks on my machines with the driver NNSPRV.SYS, and by many I mean over a dozen on multiple machines. The key for some was that they were running a slightly older version of the Intel PROSet wireless drivers, but I cannot fully confirm that’s the cause. The crashes continued until we were put on an early release of version 8.0 that seemed to alleviate them. At the time, though, this was not a general release. Every dump had references to Panda drivers in it when the crashes occurred, and they happened often.
- Performance Issues/Hangups – Machine slowdowns on several boxes that included severe delays opening applications. This happened several more times in the last few months, with the most recent being on my own machine while I was using it. I captured video of this and called in to offer an impacted machine to Panda. They were unavailable to gather any data and did not recommend any steps to take on the machine at that time. I had to remove the product and could not wait until ‘tomorrow’ to find out what I needed to do. That issue is still not identified or resolved. The burden was on me to prove that this is an issue even though I’ve captured live video of it happening multiple times. Panda was using 10,000 handles on PSANHOST.EXE when the issue occurred. Chrome tabs were completely hung and simple applications like Notepad.exe took more than a minute to open. The issue was immediately resolved by removing the AV – which, by the way, was so hung up that the removal took about 30 minutes. After the removal, we could immediately surf the web and open up applications.
- Service instability – Panda services were crashing randomly on versions 7.x-8.x. We detected this in our monitoring of its services, and the issue impacts the latest version. Support requested that we manually gather data using a dump tool so they could assess the issue. The main service controlling Panda crashes with ‘The Panda Endpoint Administration Agent service terminated unexpectedly’ on these machines. There is no fix or explanation for this issue, and it’s separate from the ones shown above. We don’t know why the service keeps crashing or what to do next. Even if we did, we believe that this ‘broken agent’ issue leads to decreased security for those endpoints when they aren’t able to update or communicate properly. A lot of time is being spent manually reinstalling agents to fix this issue.
- Upgrade Issues – Panda also failed to upgrade from v7 to v8 automatically on around 25% of the computers, creating a situation where it was ‘broken’ and not functional. There was, of course, a fix or method for support to help us, but it was manual, involved remoting into each machine, and again the upgrade just didn’t work, without any explanation. Many of the computers have rebooted numerous times and get repeatedly prompted to ‘Upgrade Panda’ even though they’ve accepted that prompt over and over. Meanwhile, the agents did not have full protection because the install was technically broken between versions.
- Dropper Detection / Kill Chain Issues – None of the files I opened with malicious Word macros were detected until the actual payload ran. Panda did not detect many files on-access, but only once they ran, further down the attack chain. It will stop the PowerShell command from running, but only at the point of execution. A little too close for comfort, especially when many other tools see the evil in the macros and malware code embedded in the document. Out of a dozen or so files I got live from the internet, none of the droppers triggered an alert until they tried something fishy. Panda was quick about adding them as a generic type of alert when I sent in samples. There is no automated system or method to submit samples to Panda without manually opening an e-mail ticket. Panda’s ‘EDR’ type execution report fails to correlate the malicious .doc I opened and only ‘sees’ the PowerShell. But what ran the command? What were the parameters?
- False Positives – We found that Panda would trigger on innocuous Windows 10 processes like those that update the Windows Store applications. In some cases it labeled them as ‘potentially malicious’ and, in lock mode, it halted execution until it could determine whether they were truly malicious. This wasn’t the only ‘system’ type file; we encountered many more with Nvidia and a driver from Intel.
- Web Filtering / Phishing – Many of the malware and phishing URLs I attempted to visit weren’t classified by the software. During my investigation of the ‘Master Angler’ story this month I had Panda running and it never blocked any of the URLs. I submitted a URL to Panda with my blog and they added that single address but no others that were obviously running off that same IP. After reporting many of these URLs to Panda, I realized that the phishing protection was outsourced to Cyren and not using its own threat intelligence.
- Buggy Alerting – Malware alerts were configured for the web and were sent directly from an IP address via SMTP to my e-mail server, which was kind of strange. Not only that, but there were still variables in the e-mail that were unresolved, like {ExtendedUrlMalwareinfo}. The other issue was that I’d get tons of duplicates with the same information, maybe 5-10 e-mails in a blast from a single machine visiting a site. It says ‘Virus deleted’ but I couldn’t find anything malicious on some of these sites.
- Console Outages – The web console had issues on several occasions with server-side errors that prevented me from logging in. At this exact moment I keep logging in, but it tells me that for security reasons my session has timed out.
- Cookie Alarm – Panda sent alerts for cookies detected on machines and I couldn’t turn it off. There was no way to whitelist or otherwise exclude this extra noise.
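Because the ‘broken agent’, handle-leak and failed-upgrade problems above all leave an endpoint silently unprotected, here is an added example (not Panda’s own tooling) of a PowerShell health check that flags them from the endpoint itself. It assumes the agent’s service display names start with ‘Panda’ and uses the 10,000-handle figure observed above as the alert threshold.

```powershell
# Added example, not from Panda: flag the agent failure modes described above
# (service terminated unexpectedly, service not running, PSANHOST.EXE handle leak).
# Assumption: Panda's service display names start with "Panda".
param(
    [int]$HandleThreshold = 10000,   # handle count seen on PSANHOST.EXE during the hangs
    [int]$LookbackDays    = 7
)

$findings = @()

# 1. Service state: any Panda-branded service that is not running is a finding,
#    and no Panda service at all suggests a missing or half-upgraded install.
$pandaServices = Get-Service | Where-Object { $_.DisplayName -like 'Panda*' }
if (-not $pandaServices) {
    $findings += 'No Panda services found; agent may be missing or the install is broken.'
}
foreach ($svc in $pandaServices) {
    if ($svc.Status -ne 'Running') {
        $findings += "Service '$($svc.DisplayName)' is $($svc.Status)."
    }
}

# 2. Unexpected terminations: the Service Control Manager writes event ID 7034
#    ("The <name> service terminated unexpectedly") to the System log.
$since   = (Get-Date).AddDays(-$LookbackDays)
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*Panda*' }
foreach ($evt in $crashes) {
    $findings += "$($evt.TimeCreated): $($evt.Message.Trim())"
}

# 3. Handle leak: PSANHOST.EXE holding more handles than the threshold.
foreach ($p in Get-Process -Name 'PSANHOST' -ErrorAction SilentlyContinue) {
    if ($p.HandleCount -gt $HandleThreshold) {
        $findings += "PSANHOST.EXE (PID $($p.Id)) holds $($p.HandleCount) handles."
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Panda agent looks healthy.'
}
```

Run it as a scheduled task or through your RMM so that a crashed or half-upgraded agent shows up in monitoring rather than being discovered after the fact.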