Did she? I understood that she assumed auto-submission when running the sample.
Indeed she did, but to no avail.But he point of the video should not be the malware itself (or its close cousins), which is (are) hardly special and has (have) been in the Wild for a couple of months with the infection mechanism being even older. What one must wonder about is how such a thing can knife through local and cloud databases as well as things like UAC and CFA.
That is a really interesting sample. Usually, the malware submission is finished after 12 hours. I have seen a similar sample thanks to @SeriousHoax. He submitted a special (malicious) sample to Microsoft and noticed that it is still undetected on execution 2 days later, although it is already recognized in the cloud as malicious (this is visible on the submission webpage). I noticed that this sample is also undetected by BAFS even when it is recognized in the cloud as malicious. I resubmitted this sample with a similar effect (cloud detection = malicious) to start a dispute about it. But after several days my submission is not finished - there is no final determination from the Microsoft analyst.
She has listed it on the video description.
I found two more samples a few days ago with the same problem. According to the Microsoft analyst it's already detected by MD and the "Final determination" section also shows Malware, but they are not detected either by Cloud or Client. No detection even after execution.
Its the best way of describing it. Good, healthy browsing habits is 70% of the way. The remaining being common sense, if it doesn't feel right, don't look right or don't smell right. Don't click it. And the last stretch being some protection help. We are all human after all, mistakes or miss clicks happen.
Is KnowBe4 RanSim a reliable tool to test an antivirus? I mean if the final result of the test is to be taken seriously, if the antivirus has a bad result, look for another solution?Some time ago I tested Defender against KnowBe4 Ran Simulator. It uses a folder of files (documents, pictures, etc.) that are supposed to be encrypted. To make the tests quicker, I decreased the number of files in this folder. I noticed that the Defender postinfection detection did not work - all files were encrypted. After many tests, I used the full set of files, and in several cases, Defender stopped the process of encryption before it ended (not all files were encrypted).
So, the efficiency of post-execution/post-infection detection can be also related to the damage made by the malware. But, it is hard to be sure without inspecting the sample.
I do not know a reliable tool to check the anti-ransomware protection.
www.infosecurity-magazine.com
I found a Magniber sample on Malware Bazaar which was detected by Defender on Virus Total in June (Trojan:Script/Phonzy.A!ml) and still can be run with fully activated Defender. It uses Fodhelper to bypass UAC, but this is stopped when UAC is on MAX. All Magniber samples on Malware Bazaar (checked yesterday) are one month or elder (I inspected 76 samples submitted from 01.06.2022).
Yes, I do not worry about Magniber - the attackers do not currently use MSI but rather CPL files. I worry that the method used by it can be adopted in the future also for other malware types. For now, Microsoft seems to ignore this danger.
