[Battle Test] Final Battle Antivirus vs Ransomware (Manzaitest)
Quoted post by Fabian Wosar (post 273493):

Yeah, except that the file shown here is not ransomware. The window that is being displayed isn't even always on top, and you can happily continue to use other applications. I get that the intent is to mimic a screen locker, but where is the actual screen lock, for example?

A behavior blocker is not intended to block all actions but to block malicious actions. The last Orion "ransomware" sample you shared was literally a .NET application with a normal form containing a background image, combined with a #####ed up attempt to close certain processes running in the background. Why just an attempt? Because the author of the malware "forgot" that string comparisons are case sensitive and that requesting active processes via WMI may return process names in inconsistent cases. There is no input blocking going on, no always-on-top windows, no attempt to process payments, no attempt to create and switch to a new desktop, not even input controls to type in an unlock code. You know, stuff that would be present if this had been actual ransomware. Stuff a behavior blocker would look for to figure out whether the file is malicious or not. That is all missing from the Orion "ransomware" v3 sample you shared and apparently continues to be missing in the new version as well. But feel free to send me the new version as well. I will happily point out why it isn't malware :).

You are correct, we must block malicious software. The file you tested with is just not malicious. That is why I mentioned the test would be more interesting if you chose to use actual ransomware, as the file you tested with clearly isn't.