Video Avira vs a D+2 Ransomware file

Source
https://www.youtube.com/watch?v=WnE0z-LhxXA
Video Uploaded by
cruelsister

Der.Reisende

Level 36
Content Creator
AV-Tester
Verified
Joined
Dec 27, 2014
Messages
2,535
OS
Windows 10
Antivirus
Tencent
#3
Avira is still only good in the signature and web protection department, a pity.

Good to see you again, it has been quiet around you and the video demonstrations :)
Judging from the ext, it's the latest variant of GandCrab, right? (Correct me please if there are newer ones).

Thank you for the share @ CS!
 

Mahesh Sudula

Level 9
Verified
Joined
Sep 3, 2017
Messages
447
OS
Windows 8.1
Antivirus
Doctor Web
#5
Yipee! Ransomware won the game
Avira shame on you..Your competitors are evolving into different technologies ..you are still inclined to precious dinosaur signatures
M/L , night vision are a joke...Sit along with signatures till 2050
H+BEDV alone can change you:notworthy:(n)
 

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,577
#6
Hi Guys! Just wanted to give a bit of background to this test. An old colleague made me aware of a bunch of this malware masquerading as Cracks that was showing up, written by a Bulgarian Group. I was in the process of writing a rather extensive report on AMD and as is typical for me I needed frequent breaks (to allow for Brilliance to rise to the top). Anyway, I followed this thing from the report to me until I made the video and wanted to share a few things:

1). From what my friend told me there were over a hundred different variants that were released. Some just differed in the file name, some had verbose code that was nopped out to give it a different SHA-256. But all essentially were the same. Point being, whenever you read that there are like 10,000 "New" malware thingies being released daily, in all probability it is really like 10 with 9990 semi-duplicates.

(Note: for the following I'm limiting myself to products that are utilized by the Home User)

2). The initial detection was by Kaspersky. Qihoo was second. Both had definitions in place within 12 hours of initial detection (infection).

3). Between Day 1 and 2 (D+24-48 hrs)- detection came in dribs and drabs. Eset and Avast/AVG were the first, followed by others.

4). On day 2 (when I did the video), both Avira and Webroot were the only Non-Chinese majors not to detect it. At this point I made and uploaded to YouTube a Webroot fail. But before I made it public I did one more test and Damned- Webroot now got it (about FxxxxxG Time). So I deleted that video and did this one, with Avira.

5). Today (day 3; D+72 hrs), Avira cloud now detects it. Microsoft also delayed detection until earlier today. I personally feel that Microsoft could be the best anti-malware product on the Planet but are forced to dumb-down their detection due to anti-trust concerns.

6). Tencent still allows this malware. Please, please do not use Tencent!

7). Regarding the Avira Heuristics (and please note that I heavily edited this video to fit the song- which I consider one of the Highpoints of Western Culture)- If I had used the default heuristic setting, the malware would have encrypted almost immediately. At the max, Avira kept it in abeyance for about 3 minutes until allowing it (duhhhhh- I think it's OK). Avira heuristics suck big-time.

8). This point is of EXTREME IMPORTANCE- note my comment above about Microsoft (Windows defender). I've seen such delays in TTD (Time To Detection) all of the time. So whenever you see any "Pro" testing site give WD stellar results, you should know that the malware used in that test was OLD (reminds me of the Kaspersky anti-ransomware test posted here recently when the newest malware used was a year old!). Demand that the Pro sites use ONLY NEW MALWARE and do the tests on all of the products SIMULTANEOUSLY. Otherwise there is no actual Real-World significance no matter what they may say.

Rant Ends.
 

davisd

Level 20
Verified
Joined
Feb 2, 2016
Messages
995
OS
Windows 10
Antivirus
Default-Deny
#7
At this point I made and uploaded to YouTube a Webroot fail. But before I made it public I did one more test and Damned- Webroot now got it (about FxxxxxG Time). So I deleted that video and did this one, with Avira.
Ahhh, you could have kept a snapshot with the Webroot fail and looked after 24 hours/x days whether it could roll back the system from encryption. It might have been interesting to see. I did this in late 2016 with Cerber, and it could successfully roll back encrypted files. I was impressed back then. (y)

Sad about Avira. I am a part of their BETA builds, and honestly thinking of unsubscribing from it, not because of this test, but because I am also tired that they can't come up with new innovations in malware detection capabilities. They could have at least made a "Folder/Data protection" feature to not let ransomware encrypt those areas like other AV vendors have introduced, but no.
 

Der.Reisende

Level 36
Content Creator
AV-Tester
Verified
Joined
Dec 27, 2014
Messages
2,535
OS
Windows 10
Antivirus
Tencent
#8
6). Tencent still allows this malware. Please, please do not use Tencent!
No idea whether another ransomware uses the .KRAB (GandCrab v4) extension, but this one is blocked easily. Maybe later versions will bypass TCPM BB / HIPS. Did not find encrypted files, neither in the user folder nor elsewhere on the system (I have seen RW targeting files in system folders before attacking personal files).
[Attached screenshot: run.PNG]

Taken from the hash at the end of the article, file to be found on AnyRun.

GandCrab V4 Released With the New .KRAB Extension for Encrypted Files

Note I have used custom settings, product version is 12.3.26562.901.
File system shield was turned off, to prevent the file being detected by signatures.

Realtime protection mode: Expert mode (Prompt upon detecting suspect actions)
File system protection level: High (monitor all file operations)
Action on threat detection: Choose action manually
Download Protection: Security prompt on dangerous files only

No AV is perfect.
All I want to say, it's a matter of personal preference. Q360 did not shine in the HUB lately (especially not against fileless malware, stealing precious information instead of encrypting it), and missed a RW, too, which encrypted some files until the user clicked the option to block the RW.

Another one:
[Attached screenshots: run.PNG, page.PNG, run1.PNG, run1_1.PNG, files.PNG, files2.PNG]
Triggers UAC, is active in memory for about 5 seconds, calls out. No files encrypted.


EDIT: The malware triggered both SmartScreen as well as UAC, both have been confirmed.
The URL was not intercepted by Google Webfilter or the Avira Browser extension at the time of download.
No idea on F-Secure, the webfilter option in FreeDome was shut down at the time of testing so as not to interfere with the malware.
 

Andy Ful

Level 30
Content Creator
Verified
Joined
Dec 23, 2014
Messages
1,977
OS
Windows 10
Antivirus
Microsoft
#9
...
8). This point is of EXTREME IMPORTANCE- note my comment above about Microsoft (Windows defender). I've seen such delays in TTD (Time To Detection) all of the time. So whenever you see any "Pro" testing site give WD stellar results, you should know that the malware used in that test was OLD (reminds me of the Kaspersky anti-ransomware test posted here recently when the newest malware used was a year old!). Demand that the Pro sites use ONLY NEW MALWARE and do the tests on all of the products SIMULTANEOUSLY. Otherwise there is no actual Real-World significance no matter what they may say.
Rant Ends.
Very interesting remark. But, your tests were usually done on Windows 7. Please clarify how the above remark relates to the updated Windows 10.
If I correctly understood your post, then Defender detection means signature detection + dynamic detection (default Defender settings).
Regards.
 

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,577
#11
What about Comodo Firewall In your config?
Actually running both of these samples used in this test under Cruel Comodo is kind of cool (I really should do a video about it, but I don't do videos anymore). You can see the damage that the malware is doing in the VTRoot directory (the virtualized space); it's so pathetic that it almost makes you feel bad for the malware (and CF also stopped ~500 Network Intrusions in 5 minutes). Also note one thing- in order to see how easily Containment handles the malware, I shut off the Cloud AV. If I had enabled the AV I would have just got an error message that the file could not be run, with that malware file being deleted by the AV. Needless to say there would be no fun there!

(both malware samples eventually just terminated themselves in despair).

Which leads me to my complaint about CF- in previous builds a reboot would have cleared the Sandbox. Currently things like the above will hang out in VTRoot until a manual sandbox cleaning is done. In spite of innumerable private and a couple of Public requests, they still essentially told me to GFM (they hate me). Oh Well (sigh)...

Fun Fact- there was a new Worm file that was brought to my attention last week- to my total surprise Comodo was the ONLY consumer level AV that detected and deleted it. Not believing my eyes I immediately ran that worm in my Kaspersky VM and it indeed did get right past it (I almost fainted). Understand that in statistics we would call this a N=1 test (no actual significance), but perhaps the Comodo Cloud AV does not suck as much as I think.

Andy- Your answer is more complex:

1). Although I chose to do my videos under Win7 (the most popular OS), my initial testing is always under Win10. Normally this does not matter EXCEPT in the case of WD.
2). From the start I was a proponent of IMMEDIATELY switching from whatever Windows build to Win 10 because of the intrinsic increase in malware protection (I LOVED AMSI- Scriptors Beware!). Sadly many were swayed by Bullshit articles written by the ignorant that stated that MSFT was just trying to track people with Win10, so they both missed out on a superior OS and missed out on getting it for FREE. WD on Win10 is without doubt vastly superior to WD on WIN(not 10).
3). Tests like: Malware Protection Test March 2018 | AV-Comparatives
are done with WD at default with no further Bells and Whistles. 100% Detection my (firm and extremely shapely) Ass! A zero-day info stealer can cut right through WD on 10 like a knife through soft butter. Anyone putting their faith in a test like this could reasonably assume that WD provides perfect protection. This makes me angry as my only concern is that the Peeps out there live a malware free life, and believing crap like this will lead to anything but.
 

Andy Ful

Level 30
Content Creator
Verified
Joined
Dec 23, 2014
Messages
1,977
OS
Windows 10
Antivirus
Microsoft
#12
...
Andy- Your answer is more complex:

1). Although I chose to do my videos under Win7 (the most popular OS), my initial testing is always under Win10. Normally this does not matter EXCEPT in the case of WD.
2). From the start I was a proponent of IMMEDIATELY switching from whatever Windows build to Win 10 because of the intrinsic increase in malware protection (I LOVED AMSI- Scriptors Beware!). Sadly many were swayed by Bullshit articles written by the ignorant that stated that MSFT was just trying to track people with Win10, so they both missed out on a superior OS and missed out on getting it for FREE. WD on Win10 is without doubt vastly superior to WD on WIN(not 10).
3). Tests like: Malware Protection Test March 2018 | AV-Comparatives
are done with WD at default with no further Bells and Whistles. 100% Detection my (firm and extremely shapely) Ass! A zero-day info stealer can cut right through WD on 10 like a knife through soft butter. Anyone putting their faith in a test like this could reasonably assume that WD provides perfect protection. This makes me angry as my only concern is that the Peeps out there live a malware free life, and believing crap like this will lead to anything but.
Thanks for clarifying. Maybe you will find the time someday to test Defender Controlled Folder Access + ASR against the ransomware on Windows 10 ver. 1803.
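For anyone who wants to run the test Andy Ful suggests, the following is an added example (not code from the thread or from any of the posters) that puts Defender on Windows 10 1803+ into the configuration he names, Controlled Folder Access plus the "Use advanced protection against ransomware" ASR rule, verifies it took effect, and then pulls the Defender operational events that record blocked writes after the sample has run. It uses the documented Set-MpPreference/Add-MpPreference cmdlets and the documented GUID for that ASR rule; the lab folder path C:\Lab\Documents is an assumption for a throwaway VM, and the script must be run from an elevated PowerShell with Defender as the active AV.

```powershell
# Added example: configure and verify Defender Controlled Folder Access (CFA)
# plus the ransomware ASR rule before detonating a sample in a lab VM.
# Run elevated on Windows 10 1803 or later with Defender as the active AV.

# Documented GUID of the ASR rule "Use advanced protection against ransomware"
$RansomwareAsrRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'

# Assumed lab folder holding bait files (not a path from the thread)
$LabFolder = 'C:\Lab\Documents'

# Enable CFA in block mode (AuditMode only logs, it does not block)
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add the lab folder to the protected set (user libraries are protected by default)
New-Item -ItemType Directory -Path $LabFolder -Force | Out-Null
Add-MpPreference -ControlledFolderAccessProtectedFolders $LabFolder

# Enable the ransomware ASR rule in block mode
Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareAsrRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify the effective configuration before running anything
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$ruleIdx = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RansomwareAsrRule) { $ruleIdx = $i }   # case-insensitive GUID match
}

[pscustomobject]@{
    CFA_State        = $pref.EnableControlledFolderAccess                 # 1 = Enabled
    ProtectedFolders = (@($pref.ControlledFolderAccessProtectedFolders) -join ';')
    ASR_RuleBlocking = ($ruleIdx -ge 0 -and $acts[$ruleIdx] -eq 1)         # 1 = Block
} | Format-List

# After the sample has run: CFA blocks are Event ID 1123, ASR blocks are
# Event ID 1121, both in the Defender operational log
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1123
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Check the verification object before detonating: if CFA_State is 2 or ASR_RuleBlocking is False, the configuration is in audit mode and an encryption run will only produce log entries, not blocked writes, which would invalidate the comparison with the video.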