[AV-Comparatives] Proactive protection against the WannaCry ransomware

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
featured-image-wannacry.png

The WannaCry ransomware has been a major news story over the last few days. It has infected hundreds of thousands of computers worldwide (mostly in Russia), including some well-known companies and institutions. All the programs in our public Main Test Series now detect the WannaCry malware samples by means of signatures, but we decided to find out which of these programs would have blocked the malware proactively, i.e. before the the outbreak started and the malware samples became known. We ran a proactive protection test, i.e. we used vulnerable Windows 7 systems with definitions prior to May 12th. A WannaCry malware sample was then executed on offline systems. The list below shows which of the tested programs would have protected the system, and which did not.

Proactive protection against the WannaCry ransomware - AV-Comparatives Weblog.png


As can be seen above, a majority of these products protected against this ransonware, but over 200,000 systems worldwide were compromised by it nonetheless. New variants might appear, and results for the next outbreak could look different. Users are advised to keep their systems patched, enable AV protection (i.e. do not disable features) and keep it up-to-date, as well as practising safe computing.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Eset not protected, very surprising. :eek:
according to the testing methodology, yes ESET couldn't protect
fortunately, ESET detected wannacry by signatures
All the programs in our public Main Test Series now detect the WannaCry malware samples by means of signatures

however, in the future, if there are new wannacry variants which are not yet detected by signatures, those products would struggle to block the new variants because their zero-day components already failed in this test
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
The weird thing is that according to Eset they detect it...Below an Email I got from them on the 15th.

Hello there,

As you may know, a massive ransomware attack known as "WannaCry" began on Friday, May 12.
ESET security products detect and block this malware.
Unlike other vendors, ESET’s proactive, multilayered solution not only blocks this ransomware, but can also stop it from spreading by blocking the utilized exploit (Eternal Blue).

ESET Internet Security, featuring Network Attack Protection, prevents the spread of malware that leverages exploits.

Learn everything you need to know about WannaCry, plus the most important steps you can take to protect data and devices, in our latest blog post.

Don’t risk losing all your family photos and videos, tax returns and important documents to ransomware. Buy ESET Internet Security and protect multiple computers and devices today.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
The weird thing is that according to Eset they detect it...Below an Email I got from them on the 15th.

Hello there,

As you may know, a massive ransomware attack known as "WannaCry" began on Friday, May 12.
ESET security products detect and block this malware.
Unlike other vendors, ESET’s proactive, multilayered solution not only blocks this ransomware, but can also stop it from spreading by blocking the utilized exploit (Eternal Blue).

ESET Internet Security, featuring Network Attack Protection, prevents the spread of malware that leverages exploits.

Learn everything you need to know about WannaCry, plus the most important steps you can take to protect data and devices, in our latest blog post.

Don’t risk losing all your family photos and videos, tax returns and important documents to ransomware. Buy ESET Internet Security and protect multiple computers and devices today.
The way they've used the formation of sentences looks exactly like how other AV blogs write about their now-acquired ability of blocking the RW sample(s).

Read the below lines. They've purposefully used a SIMPLE PRESENT TENSE in their sentence formation like "Eset security products detect" instead of saying "Eset security products detected at that time.." and so on...
ESET security products detect and block this malware.
Unlike other vendors, ESET’s proactive, multilayered solution not only blocks this ransomware, but can also stop it from spreading by blocking the utilized exploit (Eternal Blue).
So, they've not clarified if they actually detected the threat earlier when signatures were NOT available, or not. But them saying that their proactive protection can protect against the threat and the exploit might somehow indicate the other way (may be that could have been done via feature/program update? Maybe not)

From this Chinese article that was shared here 2 days back: Eset failed in the test.
successful defense of: BDF: KIS: FSCS: DrWeb the AV: Cybereason RansomFree: Emsisoft iS:SBie: in the part of the scene can defense:HMPA: only personal files on the desktop - defense failed in the desktop and my documents have personal files - successful defense of hindsight: TrendMicro: GDATA:
defense failure: 360 antivirus + guardian:360TS: tinder: Fair: AVAST legacy: AVAST new version: AVG: MES: SEP: AVIRA : ESET:
 

Razza

Level 4
Verified
Well-known
Aug 12, 2014
163
I agree with spaceoctopus with Eset being weak, Since Eset dose not have a behaviour blocker, it dose have hips never seen it blocking anything on default setting's if a malware get passed the signature's your system will most likely be infected.

If you run the malware with signature turn off on AV with good behaviour blocker like Emsisoft,BitDefender,Kaspersky then you might manage to get away with it.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
During the execution, WannaCry:

- initializes the network stack by using the Winsock library.
- calls WSAStartup.
- calls the CryptAcquireContext() function to create a context for the use of cryptographic Windows API.
- etc...etc..

But, above all, the worm's payload is copied in two DLL, one for x86 and one for 64-bit architecture, and it is executed.

It is strange Eset did not detect all these behaviors!
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I also got the past 12th 16:01 (Spanish local time) this similar email from Kaspersky (in Spanish):
Yes, got this one, probably because I've subscribed when applying for KAR:
IMG_20170517_233844.jpg

Where is comodo?
Comodo is usually not tested against other AVs in such tests. However, it is most likely that Comodo will auto-sandbox (auto-contain) the Wannacry threat as soon as it tries to execute, on the basis of being unknown (or blocked if it was already detected as a bad program). So the user'd be safe.
If missed, or even inside sandbox, Viruscope could probably detect the malicious activity and block it.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Do I use ESET Hello to all a question if I have Zemana Antimalware am I protected?
Not much is known about Zemana being able to block Wannacry from its behavior, but both Eset and Zemana can statically (with signatures) detect the variant of Wannacry that wreck havoc recently.
However, there may be newer and advanced variants of Wannacry that may (assuming based on its capability as mentioned in the Eset email shared by @Solarquest above) or may not get detected by the mentioned AVs/AMs. The same applies for other products as well.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
All the programs in our public Main Test Series now detect the WannaCry malware samples by means of signatures.
This test, taking note of the technical validity, shows how the signatures have still a certain importance in detecting malware even if it is absolutely necessary to entrust also on behavioral technologies, in case the signatures fail.

But in the end, the average user is only interested in knowing that his system is protected (in this case by WCRY).
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
The way they've used the formation of sentences looks exactly like how other AV blogs write about their now-acquired ability of blocking the RW sample(s).

Read the below lines. They've purposefully used a SIMPLE PRESENT TENSE in their sentence formation like "Eset security products detect" instead of saying "Eset security products detected at that time.." and so on...

So, they've not clarified if they actually detected the threat earlier when signatures were NOT available, or not. But them saying that their proactive protection can protect against the threat and the exploit might somehow indicate the other way (may be that could have been done via feature/program update? Maybe not)

From this Chinese article that was shared here 2 days back: Eset failed in the test.

I saw that but the tone of the email, the note of the proactive ability let people understand that they, "unlike other vendors", do and did protect from this threat.
According to https://www.eset.com/us/about/newsr...03dc2f&elqaid=3059&elqat=1&elqCampaignId=1383

"Attempts to exploit the leaked vulnerability had already been detected, reported on, and stopped well before this particular malware was even created. "

So at least the exploit should have been blocked..The proactive wanna cry ransom detection is "tricky" to understand
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top