In January 2013, AV-TEST performed a comparative review of McAfee Deep Defender against the full security features of Microsoft System Center Endpoint Protection and Symantec Endpoint Protection suite to determine their capabilities to proactively protect against new kernel-mode and MBR rootkits (zero-day attacks).
To investigate each product’s ability to block unknown rootkits, AV-TEST performed two separate tests. The first used frozen updates (dated October 1, 2012) against 48 previously unknown rootkits discovered after that date. The second was run with the on-access components disabled, so that only behavioral detection stood between the 48 rootkits and the system.
The result of this test shows that the proactive approach of McAfee Deep Defender is capable of providing excellent protection against kernel-mode and MBR rootkits. It detected and successfully blocked all 48 tested rootkits. Microsoft System Center Endpoint Protection and Symantec Endpoint Protection suite were not able to match this result.
While the prior test showed detection of rootkits, it is still possible for a rootkit to be detected but not disabled. In that case the rootkit may remain operational and further remediation is required.
Testing clearly shows the need for proactive protection measures, as static, signature-based protection is not sufficient to protect against all threats. This protection is especially important for rootkits, since they are much harder to detect once they are successfully installed on the system. McAfee Deep Defender has proven to protect against such advanced, stealthy attacks using McAfee DeepSAFE technology.