Serious Discussion Are antiviruses unimportant?

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
245
This became a interesting thread. We had some samples similar to this and Kaspersky, even eset could detect it because it was under evaluation,Kaspersky detected it with system watcher and eset really late(everything was encrypted)

The surprise of the show is McAfee they truly improved every aspect of their home edition product. Seems there are new managers in this company, this kind of stuff mostly happens when people get replaced in key positions in a company and change the way the company works.
 

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
245
Friends would it be problem if i share source code public?
This is not good. You actually are going to give malware in the hands of the people. Which bad ones can use to their own benefit. You can do something better and discuss this with the vendors since you have the source code you can help with sharing it with them. We have some people here who can help you to reach the vendors specialists. But sharing it is a bad move, not professional.


I'm interested to see how Gdata beast would react to it.
 

Dr. Wells

Level 1
Thread author
Aug 27, 2024
38
This is not good. You actually are going to give malware in the hands of the people. Which bad ones can use to their own benefit. You can do something better and discuss this with the vendors since you have the source code you can help with sharing it with them. We have some people here who can help you to reach the vendors specialists. But sharing it is a bad move, not professional.


I'm interested to see how Gdata beast would react to it.
Bro i actually wanted to show how simple is this ransomware. It encrypts through aes-256 with random key, so if you open it, your files at document, music, videos, desktop will be done. No recovery because of random key.
 
  • Like
Reactions: Divine_Barakah

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
245
Bro i actually wanted to show how simple is this ransomware. It encrypts through aes-256 with random key, so if you open it, your files at document, music, videos, desktop will be done. No recovery because of random key.
well, sometimes simple means no evil intention. the thing is sometimes this kind of encryptor can pass the antimalware, the sample you used does have similar behavior to encryptor apps, and distinguishing between them and ransomware is sometimes hard(if the vendor decides to not use the protected folder tactic and goes for full automated defense without user intervention), as you see with the detections, they detect it with heuristics which means it is showing some codes like a ransom in its genes and if you change its code enough even the current ones who got it with real-time detection can be bypassed.
but your sample simply encrypts files with no intention, distinguishing between an encryptor and ransomware is sometimes hard and this is why some vendors go for protected folders as a second line of defense, so if you used an encryptor you can simply accept the app's message and it will not intervene.
 

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,729
That's why in this case it's important to keep the antiransonware modules active in the products that have it. We can see in the videos that when turned on, they detect an unknown software was trying to modify user files in bulk and asked the user if he was ok with it. Exactly because it can't distinguish between a file encryptor the user is using or a malware encryptor.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
That's why in this case it's important to keep the antiransonware modules active in the products that have it. We can see in the videos that when turned on, they detect an unknown software was trying to modify user files in bulk and asked the user if he was ok with it. Exactly because it can't distinguish between a file encryptor the user is using or a malware encryptor.
Bitdefender, Trend Micro, Avast/AVG and MD have it. Regarding Avast/AVG I always change to Strict ransomware protection and I enable protection for all file extensions not only the preset ones for the fact that I have my files encrypted by Cryptomator.
 

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,214
If you surf carefully, don't download suspicious files from unknown sources and don't open suspicious e-mail attachments, your chances of getting ransomware (or any kind of malware) is zero. I'm still yet to be infected with ransomware. Last malware infection I had when I was a kid in elementary school, really. Use Windows Defender, install ad blocker in your web browser of choice, activate common sense in your brain and this is pretty much everything you need to stay protected. That is if you know at least something about malware and security.

If you don't know anything, to above mentioned security configuration, I'd recommend setting up Quad9 or any kind of malware blocking DNS and additional security in browser like Bitdefender TrafficLight. People should really stop buying AV software because it's no longer necessary. You can be better protected than with those free products than with commercial ones. AV software today exists purely for the purpose of upselling you products you don't really need.
 

Dr. Wells

Level 1
Thread author
Aug 27, 2024
38
well, sometimes simple means no evil intention. the thing is sometimes this kind of encryptor can pass the antimalware, the sample you used does have similar behavior to encryptor apps, and distinguishing between them and ransomware is sometimes hard(if the vendor decides to not use the protected folder tactic and goes for full automated defense without user intervention), as you see with the detections, they detect it with heuristics which means it is showing some codes like a ransom in its genes and if you change its code enough even the current ones who got it with real-time detection can be bypassed.
but your sample simply encrypts files with no intention, distinguishing between an encryptor and ransomware is sometimes hard and this is why some vendors go for protected folders as a second line of defense, so if you used an encryptor you can simply accept the app's message and it will not intervene.
Main difference between an encryption software and ransomware is user-input encryption like you said, if you select path and encrypt yourself, yes AV need not to detect it but If it encrypts automatic, av need to block it or at least ask to us for decide block/allow.
 
  • Like
Reactions: Game Of Thrones

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
245
Main difference between an encryption software and ransomware is user-input encryption like you said, if you select path and encrypt yourself, yes AV need not to detect it but If it encrypts automatic, av need to block it or at least ask to us for decide block/allow.
automatic ones do not do it they tend not to let users decide as low as possible. although I have to say the Kaspersky reaction was not because this sample was like an encryptor, it came from not detecting it, and it should have some response. but this sample is hard to detect one aspect of it comes from being similar to an encryptor app
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top