
Thread: ATP test: defending against attacks by ransomware and info stealers


  1. #1
    EyeS Of TiGeRs
    kirill's Avatar
    Reputation Points
    1064715
    Reputation Power
    100
    Join Date
    Aug 2017
    Posts
    36,558
    Time Online
    646 d 12 h 37 m
    Avg. Time Online
    5 h 26 m
    Mentioned
    5602 Post(s)
    Quoted
    1039 Post(s)
    Liked
    15286 times
    Feedbacks
    983 (100%)

    ATP test: defending against attacks by ransomware and info stealers

    They are the leading vectors for attacks: ransomware and info stealers. If attacks are successful, what follows is extortion for ransom, the data ends up for sale on the Internet, or both. None of this happens if good protection software thwarts the attacks immediately. But is the software capable of doing so? The current Advanced Threat Protection – ATP – test examines 25 security packages for consumer users and corporate users in 10 scenarios in a live battle to fend off ransomware and data stealers. The Advanced Threat Protection test shows that many providers fulfill their protection promises. The test also reveals errors in some products that have consequences, however: the systems are encrypted and the data is stolen.


    Reports from those affected by successful attacks with ransomware or info stealers almost always sound the same: If one PC is infected in a network, the attacker quickly proliferates and encrypts almost everything it finds there or hijacks the data. Without backups and contingency plans, companies in particular run into problems and sometimes even face the prospect of bankruptcy, as some media reports recently have indicated.

    But it doesn't have to lead to such drastic outcomes if users or companies deploy a good protection solution that fends off the attackers. Other protective measures, such as updates, backups and contingency plans, are still necessary elements in the mix.

    The latest ATP test from January/February 2025 examined 25 security solutions for consumer users and corporate users in 10 live scenarios in which 5 samples of ransomware and 5 variants of info stealers attacked Windows 10 systems in the lab. Almost 75 percent of PCs worldwide run a Windows operating system. Of these PCs, Windows 10 reaches a share of just under 60 percent. However, Windows 11 is increasingly catching up, now accounting for nearly 40 percent.


    ATP: 25 protection products in a live test

    The test was completed by 10 products for consumer users and 15 solutions for corporate users and their endpoints. The packages for consumer users came from AhnLab, Avast, AVG, Avira, Bitdefender, ESET, F-Secure, G DATA, McAfee and Norton.

    The solutions for corporate users came from AhnLab, Avast, Bitdefender (with 2 versions), Crowdstrike, ESET, Kaspersky (with 2 versions), Microworld, Qualys, Rapid7, Sophos, Symantec, Trellix and WithSecure.



    Many of the security manufacturers achieved the maximum of 35 points for their protection score in the test. This is a composite of the results from the 10 real-life scenarios, involving 5 ransomware and 5 info stealer samples. For each ransomware sample blocked, up to 3 points are awarded, and for each info stealer, up to 4 points. A product is able to earn a half or full point for each action that is fended off. The laboratory describes all operations in a matrix according to the MITRE ATT&CK standard. The interesting aspect about the ATP test is that even if a product does not immediately detect the attacker, further defensive actions can take effect and thus stop the attack. The test shows exactly at which step this occurs – or doesn't occur.

    While many products received the full 35 points for their protection score, a total of 5 known products had isolated issues with attackers and therefore lost important points.


    Attack scenarios and techniques

    In the 10 scenarios, a special attack technique under Windows was used in this ATP test. Here is a technical explanation of the attack.

    UAC bypass: User Account Control (UAC) is a Windows security function designed to protect the operating system from unauthorized changes. Attackers can bypass the UAC mechanism to elevate their privileges and carry out tasks. In our tests, we implemented a UAC bypass by exploiting the IFileOperation COM interface to copy or move files with elevated privileges, without displaying a UAC prompt. The method works by launching a process that already has elevated privileges (a process with an auto-elevate function), such as mmc.exe, the Windows executable for the Microsoft Management Console, in the test. As a result, the malicious DLL was loaded into an elevated process. We used this environment to execute our attack malware directly or to install a controlled Windows service.

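The post above describes the chain a defender can watch for: a DLL mapped into an auto-elevating host (mmc.exe in the test) from outside the Windows directories, followed by that elevated host launching a payload or installing a Windows service. The following detection sketch is an added example, not code from the post or from AV-TEST. It runs two checks over constructed Sysmon-style events (EventID 7 = image loaded, EventID 1 = process created; the events, paths and names are made up for this example). Only mmc.exe comes from the post; the extensible host set, the trusted-directory list and the `sc.exe create` heuristic are assumptions a defender would tune to their own estate.

```python
"""Detection sketch for the UAC-bypass chain described in the post (added example).

EventID 7 = image loaded, EventID 1 = process created, in Sysmon-like shape.
All sample events below are constructed; they are not real telemetry.
"""
from dataclasses import dataclass
from typing import Optional

# mmc.exe is the auto-elevating host named in the post. Treating the set as
# extensible is an assumption: fill it from your own inventory of auto-elevate binaries.
AUTO_ELEVATE_HOSTS = {"mmc.exe"}

# Directories from which a DLL or child executable of an elevated host is expected
# (assumption; legitimate snap-ins may also load from Program Files).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Service-installation tooling: such a child under an elevated host matches the
# "install a controlled Windows service" step in the post.
SERVICE_INSTALLERS = {"sc.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str      # the auto-elevating process involved
    detail: str


def basename(path: str) -> str:
    """File-name component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def check_image_load(ev: dict) -> Optional[Alert]:
    """EventID 7: a DLL mapped into an auto-elevating host from an untrusted path."""
    if ev.get("EventID") != 7 or basename(ev["Image"]) not in AUTO_ELEVATE_HOSTS:
        return None
    if in_trusted_dir(ev["ImageLoaded"]):
        return None
    return Alert("dll_loaded_into_autoelevate_host", ev["Image"],
                 f"{ev['ImageLoaded']} (Signed={ev.get('Signed', 'unknown')})")


def check_process_create(ev: dict) -> Optional[Alert]:
    """EventID 1: an elevated auto-elevating host spawning a payload or a service install."""
    if ev.get("EventID") != 1 or basename(ev["ParentImage"]) not in AUTO_ELEVATE_HOSTS:
        return None
    if ev.get("IntegrityLevel") != "High":   # the bypass only matters if the host is elevated
        return None
    child = basename(ev["Image"])
    cmd = ev.get("CommandLine", "").lower()
    if child in SERVICE_INSTALLERS and " create " in f" {cmd} ":
        return Alert("service_install_from_autoelevate_host", ev["ParentImage"], ev["CommandLine"])
    if not in_trusted_dir(ev["Image"]):
        return Alert("untrusted_child_of_autoelevate_host", ev["ParentImage"], ev["Image"])
    return None


def scan(events: list) -> list:
    """Run both checks over an event stream and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for check in (check_image_load, check_process_create):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events; the user, file names and service name are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\mmcbase.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\stager.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\sc.exe", "IntegrityLevel": "High",
     "CommandLine": r'sc.exe create UpdSvc binPath= "C:\Users\alice\AppData\Local\Temp\agent.exe"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "High",
     "CommandLine": "notepad.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\setup.exe", "IntegrityLevel": "Medium",
     "CommandLine": "setup.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host}: {a.detail}")
```

On the sample stream this raises two alerts: the DLL loaded into mmc.exe from a user temp directory, and the elevated mmc.exe child that creates a service. The benign mmcbase.dll load and the notepad.exe child produce nothing. Each rule alone is noisy on hosts where administrators use MMC snap-ins heavily; the strong signal is the two firing for the same host process within a short window, which is the sequence the post describes.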
  2. #2
    The 10 test scenarios

    All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database under “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.


  3. #3

    ATP test results for consumer user products

    In the lab, the security experts put to the test 10 products from AhnLab, Avast, AVG, Avira, Bitdefender, ESET, F-Secure, G DATA, McAfee and Norton. Many of the products performed strongly and fended off the attackers in all the scenarios, thus reaching the 35 points achievable for their protection score.

    Without exception, the products from AhnLab, Avast, AVG, Bitdefender, F-Secure, McAfee and Norton fended off all attackers in the 10 scenarios. For this, they received the maximum of 35 points.

    Avira detected and fended off 9 attackers in the test totally error-free. However, one data stealer got through undetected, wreaking havoc and stealing the data. This resulted in a loss of 4 points, for a final tally of 31 points.

    ESET was also unable to detect or stop a data stealer and therefore lost all 4 points. In another case involving ransomware, detection also failed, but further protective measures took effect, stopping the attack. This meant another point taken off for ESET. At the end of the test, the solution scored 30 out of 35 points.

    G DATA had an issue with a data stealer and an instance of ransomware in that it simply did not recognize the attackers, thus allowing the data to be stolen or the system to be encrypted. This meant that 7 points were lacking in the final tally, for a final score of 28 points.

    In order for a product to receive the “Advanced Certified” certificate from AV-TEST in the test, it is required to achieve at least 75 percent (26.5 points) of the maximum 35 points of the protection score. This was achieved by nearly all the products in the ATP test from January/February 2025. Only G DATA received no certificate. The product achieved the necessary point score; however, AV-TEST only certifies products that achieve certification in the regular monthly tests and fulfil all of their criteria.


    ATP test results for corporate user products

    The endpoint solutions for corporate users rendered strong threat prevention against ransomware and info stealers in laboratory tests. Of the 15 products tested, 13 performed completely flawlessly. They were able to detect all 10 attackers in the test and fend them off completely. For this feat, the following products were awarded the maximum total of 35 points as their protection score: AhnLab, Avast, Bitdefender (with both versions), Crowdstrike, Kaspersky (with both versions), Microworld, Qualys, Sophos, Symantec, Trellix and WithSecure.

    In one scenario, Rapid7's solution did not recognize the ransomware, allowing it to encrypt the system unhindered. This cost the full 3 points in the evaluation. In another case involving an info stealer, the attacker was recognized but not blocked. The malware was able to scan and steal the data. Another deduction of 3.5 points. As a result, Rapid7 ended up with a score of 28.5 points instead of 35.

    The solution from ESET had a difficult challenge in this test. In the case of one info stealer, the defense was unable to stop it, and the data was gone – along with the possible 4 points. In four other cases, the ESET solution recognized the attackers, but only partially blocked them in the beginning. Therefore, the attackers were able to infiltrate attack DLLs onto the systems. But that was the end of the line, as further defense mechanisms stopped the attacks completely. This cost ESET a point in the rating in each of those four instances, however. In the end, ESET reached 27 out of 35 possible points on the protection score.

    In order for a corporate product to receive the “Advanced Approved Endpoint Protection” certificate in the test, it is required to achieve at least 75 percent (that is, 26.5 points) of the maximum 35 points of the protection score. Nearly all the tested products achieved this goal. Only Rapid7 received no certificate. The product achieved the necessary point score; however, AV-TEST only certifies products that achieve certification in the regular monthly tests and fulfil all of their criteria.

  4. #4
    ATP test: changed scenarios – variable results

    The ATP test uses dangerous samples of ransomware and info stealers in every run. The attack techniques used also vary constantly. This is what makes comparing the test results of a product throughout the year so interesting. In the latest test with the malware using the bypass technique, some products had difficulties. In many cases, an attacker was detected, but could only be stopped in subsequent steps. Although this cost the product points in the test, the user and the company remained protected in a critical situation.

    Only in very few instances did the security products not detect the attackers or fail to stop them after detection. This is reflected in the points tallied in the protection score.

    Nevertheless, it must be clearly stated: 7 products for consumer users and 13 solutions for corporate users excelled in all 10 attack scenarios with perfect threat prevention and were therefore deservedly awarded a full point score and test certificate.




