App Review Avast Free (Hardened Mode) vs Ransominator

[Parsh]

That's a nice little test. However, all reputed AVs struggling with the sample might either be silly or a matter of real concern.
@geminis3 did you compile the malware on the same machine/VM image on which you're testing? If yes, likely they're trusting the file because of the origin ... or simply a result of being an object of whitelisting ...

Regardless, I think two comments posted on the WD test for and against - are interesting in this regard

Heuristics have the issue that ransomware behaviour is not distinguishable from e.g. backup software that saves space by compressing files. Compression looks just like encryption, it raises the entropy. Renaming lots of files at once is not malicious, nor is encryption or compression. These actions only become malicious in context. So most of the time there needs to be something additional like anti-AV features, UAC bypass features, shadow copy deletion, certain ransom note keywords, code injection.
If you create a bare ransomware from scratch just using the encryption portion and no additional features, there is no way to detect it with heuristics without also flagging legitimate software.

Yeah really the main thing you can go by is the idea of a low reputation binary modifying files, especially in My Documents and other user-valuable paths. This is how most behavior blocker identify ransomware and when a low-reputation EXE is doing that work themselves, that is an easy rule to write. Kaspersky and Emsisoft simply halt such an application mid-act and give you a few seconds to answer whether or not you expected them to be doing this. Others automatically terminate the application but give you an option to whitelist and try it again.
This proactive technique breaks down for scripts (difficult to measure reputation) and when you use another binary that's well-trusted to do your dirty work for you.
For the latter, I think the right answer is enhancing behavior blockers to account for "who started this application?" and if it's an untrusted process, consider the child process untrustworthy too.

 

[stefanos]

Whatever product, all that matters is how a security solution protects at the moment of truth. Everybody knows that any security software can fail, yet there is never ending aghast, disappointment and upheaval when new youtuber bypasses are posted. Seems like a real waste of energy to re-investigating the same thing over and over. The definition of insanity is doing the same over and over, yet expecting a different result. Hurt feelings over security software bypass. It's so curious and it makes no sense.

The software security debate that will ensue here will be just like asking and the ensuing arguments about "Which is best tap water... NYC, Dublin or Tokyo ?"

I do not consider your comment good. Either you agree with the methodology or you don't. A member of the forum gives us his free time to make a video. I think it's worth a thank you to geminis3 and all the members who take the test on the hub. Whether we like the result or not.

 

[DSD27]

"Everybody knows that any security software can fail ", just use Protegent then.

Yes, but there will always be better products and worse ones.

 

[Islam Gamal]

Maybe when I finish my homework, if you have spare time currently I can send you the sample so you can test by yourself.

can you please send it to me to test comodo ? thanks.

 

[Tiamati]

I'd like to know what how Avast Hardened mode actually works, and if it's user friendly (for example: if it keep blocking everything that it shouldn't)

Kaspersky TAM for example works by letting only trusted applications to run, but kaspersky database of trusted apps is very good, so even when enabled, you can use your pc without problems.

BTW, i heard kaspersky will remove TAM in the future. And some "complete" kaspersky solutions like Kaspersky Small Office doesn't offer it anymore

 

[Parsh]

Whatever product, all that matters is how a security solution protects at the moment of truth. Everybody knows that any security software can fail, yet there is never ending aghast, disappointment and upheaval when new youtuber bypasses are posted. Seems like a real waste of energy to re-investigating the same thing over and over. The definition of insanity is doing the same over and over, yet expecting a different result. Hurt feelings over security software bypass. It's so curious and it makes no sense.

That's the human tendency, everywhere. Quite some video tests may not make sense in the first place. Some of them may be flawed. Some people might find them unnecessary.
If you see, there are also times when productive discussions and findings arise out of some reviews and discussions. Some knowledgable members jump in and enlighten on multitude of factors. Even a terrible topic might lead way to a single simple useful outcome. Sample testing may vary from terrible to unique. Some videos are helpful to figure if some settings can be taken advantage of or if it is better left untouched, if the viewer can cover the weakness of their product or supplement them. Of course there will be hoppers - hey now I do not think it will protect me, hey I should jump to this product right?
But see the rest of outcomes too
In the end what matters is the user being stable and comfortable with their choice of security, and being conscious of his own actions - that is more important than any security commodity.

 

[bayasdev]

That's a nice little test. However, all reputed AVs struggling with the sample might either be silly or a matter of real concern.
@geminis3 did you compile the malware on the same machine/VM image on which you're testing?

Yes, it's dangerous to test on my host machine, IDK if unpacking with 7Z removes the metadata.

 

[DDE_Server]

I'm genuinely surprised to see Avast Free blocking my LOLbin inspired ransomware while Kaspersky Free allowed it to execute and encrypt my files.

Is this the end of Ransominator?

Thanks for the test keep it up i enjoy it thanks@geminis3

 

[SeriousHoax]

Now it's detected by Kaspersky's cloud as "UDS:Hoax.Win64.FakeRansom.a"

Also there's a analysis by their Threat Intelligence Portal:

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

 

[harlan4096]

I'd like to know what how Avast Hardened mode actually works, and if it's user friendly (for example: if it keep blocking everything that it shouldn't)

Kaspersky TAM for example works by letting only trusted applications to run, but kaspersky database of trusted apps is very good, so even when enabled, you can use your pc without problems.

BTW, i heard kaspersky will remove TAM in the future. And some "complete" kaspersky solutions like Kaspersky Small Office doesn't offer it anymore

You can easily emulate TAM in Defaults just setting unknown apps to Untrusted in Application Control...

 

[Parsh]

I'd like to know what how Avast Hardened mode actually works, and if it's user friendly (for example: if it keep blocking everything that it shouldn't)

Moderate hardened mode
This mode in Avast Antivirus has pre-installed settings. Unlike the regular mode when the detected threat gets into the DeepScreen, this mode doesn’t have any further scanning. It is immediately blocked. Even suspicious files get this reaction. So the difference is that if the DeepScreen doesn’t find any malicious problem it restores the file. In a case with the hardened mode, the file won’t stand a chance and will be immediately blocked.

Aggressive hardened mode
This type of hardened mode also differs from the rest. Here the system is only based on the whitelist database from Avast cloud. In this situation, the antivirus sees the file and searches it in the database. In case it finds the file in that cloud and it’s marked as safe, the computer will be able to run it. In case there is no such file in the list or it’s marked as a threat, the antivirus will block it. This is probably the most secure mode.

However, this mode has one slight drawback. If you use very old or very new software, the antivirus will have trouble defining it as well as its category (safe or threat). If you run software that is used by thousands of people, you are unlikely to have any issues.

That's the main info available. The time I had used Avast with Hardened Mode, I did not find it to be very aggressive. @RejZoR may be able to share a better experience.

BTW, i heard kaspersky will remove TAM in the future. And some "complete" kaspersky solutions like Kaspersky Small Office doesn't offer it anymore

Yes. And it can be mimicked with the existing Application Control by setting unknown applications to 'Untrusted'. Setting to 'High Restricted' is not really advisable. The difference has been seen in the Hub ransomware testing.

 

[bayasdev]

Now it's detected by Kaspersky's cloud as "UDS:Hoax.Win64.FakeRansom.a"
View attachment 238188
Also there's a analysis by their Threat Intelligence Portal:

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

I expected to have my username in the detection name

 

[Parsh]

Yes, it's dangerous to test on my host machine, IDK if unpacking with 7Z removes the metadata.

I did not mean that. If you are testing on a virtual machine, was the sample created in the same virtual machine (image) earlier?
Yes, 7zip strips off the mark of origin/web in case of unzipping.

 

[SeriousHoax]

I expected to have my username in the detection name

Infect a PC/VM with the sample with Windows Defender. Multiple times if you can and even better if you use a VPN at least once to boost the prevalence. If WD cloud gathers enough data which seems suspicious to it then it'll automatically create a post infection signature with your name or the name of your sample I mean

 

[bayasdev]

I did not mean that. If you are testing on a virtual machine, was the sample created in the same virtual machine (image) earlier?
Yes, 7zip strips off the mark of origin/web in case of unzipping.

I actually coded it inside the VM earlier, then 7zipped and unpack each time I do a video.

 

[SeriousHoax]

Infect a PC/VM with the sample with Windows Defender. Multiple times if you can and even better if you use a VPN at least once to boost the prevalence. If WD cloud gathers enough data which seems suspicious to it then it'll automatically create a post infection signature with your name or the name of your sample I mean

I just noticed you already tested WD. So I guess the cloud analysis alone wasn't enough to create a post infection signature.

 

[Parsh]

I actually coded it inside the VM earlier, then 7zipped and unpack each time I do a video.

I cannot tell for sure, but that could be a reason for the file to be allowed by all AVs — to not raise a most certain FP. On the premise that the user has created the file intentionally for use. Ultimately it's an exe file, still it's interesting that static/real-time scans also got nothing.
If that's the reason, typical AVs that use that check might not flag your sample. But tools like dedicated anti-ransomware apps that mainly rely only on encryption-like behavior may block it.
Could you create a different VM, using a fresh new image, then import and test this file with some AVs again when time allows?

 

[bayasdev]

I just noticed you already tested WD. So I guess the cloud analysis alone wasn't enough to create a post infection signature.

I remember that @Robbie on a FB group posted that WD detected a 0day ransomware 3/2 days later after the machine was encrypted.

 

[SeriousHoax]

I remember that @Robbie on a FB group posted that WD detected a 0day ransomware 3/2 days later after the machine was encrypted.

That's possible if he was talking about local signatures. That can take few days but their cloud usually create signatures pretty quickly but there could always be some special cases I guess.

 

[MacDefender]

Now it's detected by Kaspersky's cloud as "UDS:Hoax.Win64.FakeRansom.a"
View attachment 238188
Also there's a analysis by their Threat Intelligence Portal:

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

Did someone submit it or was this automatic?

Kaspersky was also super aggressive in my testing at the cloud having a reaction. I had to recompile my sample with a bit more obfuscation midway through testing because it started getting blocked statically on other VMs after I clicked the button saying to undo.

No other AV I tested did this -- I suspect they required more than one or two hosts detecting a binary.