Márk Szabó and Thomas Uhlemann / 10 Jul 2023
Usually, when discussing endpoint security, people dismiss the underlying technology as “techno-babble,” looking more at the performance and cost rather than what makes a cybersecurity solution actually work.
Those underlying technologies or toolsets are actually very important, as each layer protects the endpoint in a specific way, going from cloud-based sandboxing to actual on-device protection to deter any would-be attacker from compromising a network or a system. The combination of all these measures is what makes endpoint security work; however, as in the case of our detection and response blog, some features deserve deeper exploration, as well as the reasons why they exist in the first place – like the case of anti-tampering technologies created to protect against, you guessed it, tampering.
Recently, AV-Comparatives conducted its first Anti-Tampering Certification Test where security products were subjected to advanced techniques and tools in an effort to disable or modify AV/EPP/EDR components or capabilities through tampering. When the test results came in, ESET was one of only four companies that passed – showcasing the effectiveness of ESET’s multi-layered security approach. In the tests, ESET PROTECT Entry demonstrated the ability to effectively detect and prevent tampering attempts and protect its own integrity from malicious actors.
What is tampering?
Once a cybercriminal compromises a network/machine, staying under the radar is the most important hurdle to overcome. This is best achieved by eliminating endpoint security software, likely by using compromised credentials to access the network and then using legitimate tools as much as possible (living off the land).
That is called tampering, and it can happen in a variety of ways, for example by prompting the user with fake pop-ups asking them to disable their antivirus to avoid “unnecessary software blocking” during an installation. Consequently, the attacker has an easier time compromising the system. Attackers might also kill security software services outright, or modify Registry keys or configuration files so that security tools no longer operate properly. Or they may use other methods to interfere with security products, like disabling updates to prevent the latest security patches from reaching a victim’s systems. A successful tampering attack can result in a loss of functionality for the whole security ecosystem, enabling unauthorized access to the internal system (such as privilege escalation), which could result in a data breach.
AV-Comparatives frames the attacker’s hurdle differently: as getting past the “annoying” product, even when operating as a privileged user. Usually, after collecting logs and analyzing them post-incident, an admin can see attempts to disable endpoint security, potentially poor configuration of security products, the existence of vulnerabilities, and which modules in the endpoint security product were eventually disabled due to all the aforementioned weaknesses.
As soon as the criminal actor disables endpoint security software, they likely have limited time before they are detected – an IT admin logs into ESET PROTECT in the morning and finds that endpoint protection was disabled or settings were changed (likely through an XDR alert, kicking off an incident response).
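The post-incident log review described above can be scripted. The following is an added example, not code from the original post or from ESET: a small Python detector that runs over constructed Windows event records (Service Control Manager events 7036/7040 and Sysmon registry event 13) and labels the tampering tactics named above: stopping or disabling the security service, editing the product’s Registry keys, and switching off updates. The service display name “ExampleAV Service” and the Registry root `HKLM\SOFTWARE\ExampleAV` are assumed placeholders.

```python
"""Classify constructed Windows event records into tampering tactics:
service stop/disable (SCM 7036/7040 in the System log), edits to the
security product's Registry keys and update settings (Sysmon event 13)."""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample records, one JSON object per line, as a SIEM export might look.
SAMPLE_EVENTS = r"""
{"id": 7036, "src": "Service Control Manager", "msg": "The ExampleAV Service service entered the stopped state."}
{"id": 7040, "src": "Service Control Manager", "msg": "The start type of the ExampleAV Service service was changed from auto start to disabled."}
{"id": 13, "src": "Sysmon", "msg": "TargetObject: HKLM\\SOFTWARE\\ExampleAV\\Updates\\Enabled Details: DWORD (0x00000000)"}
{"id": 7036, "src": "Service Control Manager", "msg": "The Print Spooler service entered the running state."}
{"id": 13, "src": "Sysmon", "msg": "TargetObject: HKLM\\SOFTWARE\\ExampleAV\\Settings\\RealTimeProtection Details: DWORD (0x00000000)"}
"""

PROTECTED_SERVICES = {"ExampleAV Service"}         # assumption: the EPP's service display name
PROTECTED_KEY_PREFIX = r"HKLM\SOFTWARE\ExampleAV"  # assumption: the EPP's Registry root

SERVICE_STOPPED = re.compile(r"The (?P<svc>.+?) service entered the stopped state")
START_TYPE_DISABLED = re.compile(r"The start type of the (?P<svc>.+?) service was changed from .+ to disabled")
REG_SET = re.compile(r"TargetObject: (?P<key>\S+) Details: (?P<val>.+)")


def classify(event: dict) -> Optional[str]:
    """Return a tampering tactic label for one event, or None if it looks benign."""
    msg = event["msg"]
    if event["id"] == 7036 and (m := SERVICE_STOPPED.search(msg)) and m["svc"] in PROTECTED_SERVICES:
        return "service_stopped"
    if event["id"] == 7040 and (m := START_TYPE_DISABLED.search(msg)) and m["svc"] in PROTECTED_SERVICES:
        return "service_disabled"
    if event["id"] == 13 and (m := REG_SET.search(msg)) and m["key"].upper().startswith(PROTECTED_KEY_PREFIX.upper()):
        # Separate update-blocking from other protection changes; both are tactics named in the text.
        return "updates_disabled" if "\\Updates\\" in m["key"] else "config_modified"
    return None


def find_tampering(records: str) -> List[Tuple[str, int]]:
    """Run classify() over newline-delimited JSON records; return (tactic, event id) for each hit."""
    hits = []
    for line in records.strip().splitlines():
        event = json.loads(line)
        tactic = classify(event)
        if tactic:
            hits.append((tactic, event["id"]))
    return hits


if __name__ == "__main__":
    for tactic, eid in find_tampering(SAMPLE_EVENTS):
        print(f"ALERT {tactic:<17} (event {eid})")
```

In production the same classifier would be fed from the SIEM or EDR export rather than the inline sample, and the service name and key prefix replaced with the deployed product’s real values.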
False positives can happen, but in the case of ESET technology, that is less of a concern, thanks to our track record of regularly achieving the lowest rate of false positives among all tested vendors. Hence, it is always better to heed the warnings of the endpoint protection platform itself rather than the page you are browsing or the software you are trying to install – always keep your protection enabled.
ESET’s anti-tampering technologies
At ESET, we strive to offer the best product we can, and this has been true for years, as our over 30-year-long cybersecurity history suggests. Anti-tampering functionality has been among our best tools in combating hacking attempts for several years now. It has been over a decade since we introduced several technologies to protect our software from being tampered with – one of the first vendors to do so, in fact.
The most important anti-tampering feature that customers need to be reminded about is setting a strong password/passphrase to protect their settings. Critically, customers should prioritize this step as it pays big dividends toward achieving ultimate protection.
Tech-wise, ESET uses core technology modules, including HIPS and Self-Defense, among others, to deliver self-defense across its products, to prevent exploitation of memory corruption vulnerabilities, and to block executable code from launching where it is not supposed to. These join trust certificates and other technologies and strategies to limit manipulation of our product.
The above modules work in concert with ESET Anti-Tampering technologies, including Protected Process Light, which controls and protects running processes from being infected by malicious code and from exploitation by other potentially dangerous processes. Additionally, since Windows 8.1 and higher, there is also ELAM, or Early Launch Anti-Malware, in the form of an opt-in driver, which lets anti-malware services launch as protected services, allowing only trusted, signed code (Windows- or anti-malware-vendor-signed) to load, as a built-in defense against code injection attacks.
These technologies are important since both malware and manual attackers will always focus on disabling the protection system first, even after attempting a remote login – disabling services for them is of utmost importance.
Testing confirms ESET’s anti-tampering chops
For any endpoint security solution, independent testing done by analysts is how a product receives professional/critical acclaim and certification proving its expert competence.
Regarding anti-tampering, ESET excelled in tests as far back as 2014 and 2015, when independent testing found ESET’s consumer offering 100% successful in preventing tampering attacks, a major milestone compared with a field of 32 competing vendors.
AV-Comparatives’ recent Anti-Tampering Certification Test results mark yet another feather in ESET’s cap – certifying ESET PROTECT Entry with the highest degree of approval while also affirming ESET’s continuous improvements of its anti-tampering technologies, like our password protection for settings, which was the most relevant settings change that AV-Comparatives highlighted in their test.
*Users of ESET Protect Entry are by default also entitled to use ESET Protect Cloud, which can help admins save time and capacity.