[AV-Comparatives] Proactive protection against the WannaCry ransomware

Evjl's Rain


The WannaCry ransomware has been a major news story over the last few days. It has infected hundreds of thousands of computers worldwide (mostly in Russia), including some well-known companies and institutions. All the programs in our public Main Test Series now detect the WannaCry malware samples by means of signatures, but we decided to find out which of these programs would have blocked the malware proactively, i.e. before the outbreak started and the malware samples became known. We ran a proactive protection test, i.e. we used vulnerable Windows 7 systems with definitions prior to May 12th. A WannaCry malware sample was then executed on offline systems. The list below shows which of the tested programs would have protected the system, and which did not.

[Image: AV-Comparatives weblog results table, "Proactive protection against the WannaCry ransomware"]


As can be seen above, a majority of these products protected against this ransomware, but over 200,000 systems worldwide were compromised by it nonetheless. New variants might appear, and results for the next outbreak could look different. Users are advised to keep their systems patched, enable AV protection (i.e. do not disable features) and keep it up-to-date, as well as practising safe computing.
 

Evjl's Rain

Eset not protected, very surprising. :eek:
According to the testing methodology, yes, ESET couldn't protect.
Fortunately, ESET detected WannaCry by signatures:
All the programs in our public Main Test Series now detect the WannaCry malware samples by means of signatures

However, in the future, if there are new WannaCry variants which are not yet detected by signatures, those products would struggle to block the new variants, because their zero-day components already failed in this test.
 

Solarquest

The weird thing is that according to Eset they detect it... Below is an email I got from them on the 15th.

Hello there,

As you may know, a massive ransomware attack known as "WannaCry" began on Friday, May 12.
ESET security products detect and block this malware.
Unlike other vendors, ESET’s proactive, multilayered solution not only blocks this ransomware, but can also stop it from spreading by blocking the utilized exploit (Eternal Blue).

ESET Internet Security, featuring Network Attack Protection, prevents the spread of malware that leverages exploits.

Learn everything you need to know about WannaCry, plus the most important steps you can take to protect data and devices, in our latest blog post.

Don’t risk losing all your family photos and videos, tax returns and important documents to ransomware. Buy ESET Internet Security and protect multiple computers and devices today.
 

Parsh

The weird thing is that according to Eset they detect it... Below is an email I got from them on the 15th.

Hello there,

As you may know, a massive ransomware attack known as "WannaCry" began on Friday, May 12.
ESET security products detect and block this malware.
Unlike other vendors, ESET’s proactive, multilayered solution not only blocks this ransomware, but can also stop it from spreading by blocking the utilized exploit (Eternal Blue).

ESET Internet Security, featuring Network Attack Protection, prevents the spread of malware that leverages exploits.

Learn everything you need to know about WannaCry, plus the most important steps you can take to protect data and devices, in our latest blog post.

Don’t risk losing all your family photos and videos, tax returns and important documents to ransomware. Buy ESET Internet Security and protect multiple computers and devices today.
The way they've used the formation of sentences looks exactly like how other AV blogs write about their now-acquired ability of blocking the RW sample(s).

Read the below lines. They've purposefully used a SIMPLE PRESENT TENSE in their sentence formation like "Eset security products detect" instead of saying "Eset security products detected at that time.." and so on...
ESET security products detect and block this malware.
Unlike other vendors, ESET’s proactive, multilayered solution not only blocks this ransomware, but can also stop it from spreading by blocking the utilized exploit (Eternal Blue).
So, they've not clarified if they actually detected the threat earlier, when signatures were NOT available, or not. But them saying that their proactive protection can protect against the threat and the exploit might somehow indicate the other way (maybe that could have been done via a feature/program update? Maybe not).

From this Chinese article that was shared here 2 days back: Eset failed in the test.
successful defense of: BDF: KIS: FSCS: DrWeb the AV: Cybereason RansomFree: Emsisoft iS:SBie: in the part of the scene can defense:HMPA: only personal files on the desktop - defense failed in the desktop and my documents have personal files - successful defense of hindsight: TrendMicro: GDATA:
defense failure: 360 antivirus + guardian:360TS: tinder: Fair: AVAST legacy: AVAST new version: AVG: MES: SEP: AVIRA : ESET:
 

Razza

I agree with spaceoctopus about Eset being weak. Since Eset does not have a behaviour blocker (it does have HIPS, but I've never seen it block anything on default settings), if a malware gets past the signatures your system will most likely be infected.

If you run the malware with signatures turned off on an AV with a good behaviour blocker like Emsisoft, BitDefender or Kaspersky, then you might manage to get away with it.
 

Winter Soldier

During its execution, WannaCry:

- initializes the network stack by using the Winsock library.
- calls WSAStartup.
- calls the CryptAcquireContext() function to create a context for use of the Windows cryptographic API.
- etc... etc...

But, above all, the worm's payload is copied into two DLLs, one for x86 and one for the 64-bit architecture, and it is executed.

It is strange Eset did not detect all these behaviors!
 

Parsh

I also got the past 12th 16:01 (Spanish local time) this similar email from Kaspersky (in Spanish):
Yes, got this one, probably because I've subscribed when applying for KAR:
[Image: screenshot of the Kaspersky email]

Where is comodo?
Comodo is usually not tested against other AVs in such tests. However, it is most likely that Comodo will auto-sandbox (auto-contain) the Wannacry threat as soon as it tries to execute, on the basis of being unknown (or blocked if it was already detected as a bad program). So the user'd be safe.
If missed, or even inside sandbox, Viruscope could probably detect the malicious activity and block it.
 

Parsh

Do I use ESET Hello to all a question if I have Zemana Antimalware am I protected?
Not much is known about Zemana being able to block WannaCry from its behaviour, but both Eset and Zemana can statically (with signatures) detect the variant of WannaCry that wreaked havoc recently.
However, there may be newer and advanced variants of Wannacry that may (assuming based on its capability as mentioned in the Eset email shared by @Solarquest above) or may not get detected by the mentioned AVs/AMs. The same applies for other products as well.
 

Winter Soldier

All the programs in our public Main Test Series now detect the WannaCry malware samples by means of signatures.
This test, taking note of its technical validity, shows how signatures still have a certain importance in detecting malware, even if it is absolutely necessary to also rely on behavioural technologies in case the signatures fail.

But in the end, the average user is only interested in knowing that his system is protected (in this case by WCRY).
 

Solarquest

The way they've used the formation of sentences looks exactly like how other AV blogs write about their now-acquired ability of blocking the RW sample(s).

Read the below lines. They've purposefully used a SIMPLE PRESENT TENSE in their sentence formation like "Eset security products detect" instead of saying "Eset security products detected at that time.." and so on...

So, they've not clarified if they actually detected the threat earlier, when signatures were NOT available, or not. But them saying that their proactive protection can protect against the threat and the exploit might somehow indicate the other way (maybe that could have been done via a feature/program update? Maybe not).

From this Chinese article that was shared here 2 days back: Eset failed in the test.

I saw that but the tone of the email, the note of the proactive ability let people understand that they, "unlike other vendors", do and did protect from this threat.
According to https://www.eset.com/us/about/newsr...03dc2f&elqaid=3059&elqat=1&elqCampaignId=1383

"Attempts to exploit the leaked vulnerability had already been detected, reported on, and stopped well before this particular malware was even created. "

So at least the exploit should have been blocked. The proactive WannaCry ransomware detection is "tricky" to understand.
 
