App Review [Battle Test] Final Battle Antivirus vs Ransomware (Manzaitest)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

MisterToto (Level 9, Verified, Well-known, Aug 31, 2014, 439)
What a surprise concerning Norton and Comodo, but I have to tell RMG152 he may be right.
By the way, great review, can't wait to see more =)
 

Manzai (Thread author)
I don't understand French, but I think you used these settings:

Norton: Max settings.
BitDefender: Medium settings.
Emsisoft: Medium settings.
Qihoo: Medium settings (in this case i think it's good decision).
Trend micro: Medium++ settings.
Comodo: default? settings.
Tiranium: ?

Why use different configurations that can benefit one product or another?


PS: Good job, though I think the correct methodology was not followed to obtain clear results in this test (besides the settings commented on above).

Norton => SONAR
Bitdefender => The medium is sufficient (if not false positive)
Emsisoft => No configuration is necessary
TrendMicro => Extreme Sensitivity
Comodo => Default Setting with Sandbox
Tiranium => Default
 

tonibalas (Level 40, Verified, Honorary Member, Top Poster, Well-known, Sep 26, 2014, 2,973)
Again Manzai, what a great review. I enjoy watching your videos and I can't wait for the next one. Keep up the great work :)
 

Manzai (Thread author)
> The test would have been more interesting if you had used actual ransomware.

Hello Emsisoft :D

I acknowledge that Emsisoft is a good product, but in my testing, it did not block Orion Ransomware.

I tell you, the ransomware connects to a remote host and downloads a file named "dontclose.exe". Emsisoft's BB did not block all actions.

Then anyone with knowledge can code malware in a few clicks. Emsisoft MUST block any malicious software coded by a hacker or script kiddies.
 

Fabian Wosar (From Emsisoft, Verified, Developer, Well-known, Jun 29, 2014, 260)
> Oh boo hoo, you are just upset that your BB failed that test, and anyone can make ransomware, you know.
Yeah, except that the file shown here is not ransomware. The window that is being displayed isn't even always on top and you can happily continue to use other applications. I get that the intent is to mimic a screen locker, but where is the actual screen lock for example?

> I tell you, the ransomware connects to a remote host and downloads a file named "dontclose.exe". Emsisoft's BB did not block all actions.
A behavior blocker is not intended to block all actions but to block malicious actions. The last Orion "ransomware" sample you shared was literally a .NET application with a normal form containing a background image, combined with a #####ed up attempt to close certain processes running in the background. Why just an attempt? Because the author of the malware "forgot" that string comparisons are case sensitive and requesting active processes via WMI may return process names in inconsistent cases. There is no input blocking going on, no always-on-top windows, no attempt to process payments, no attempt to create and switch to a new desktop, not even input controls to type in an unlock code. You know, stuff that would be present if this had been actual ransomware. Stuff a behavior blocker would look for to figure out whether the file is malicious or not. That is all missing from the Orion "ransomware" v3 sample you shared and apparently continues to be missing in the new version as well. But feel free to send me the new version as well. I will happily point out why it isn't malware :).

> Emsisoft MUST block any malicious software coded by a hacker or script kiddies.
You are correct, we must block malicious software. The file you tested with is just not malicious. That is why I mentioned the test would be more interesting if you chose to use actual ransomware, as the file you tested with clearly isn't.
 
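The two technical points in the reply above, that a case-sensitive comparison against WMI-reported process names silently fails, and that a behavior blocker weighs the specific actions a screen locker must perform rather than the mere presence of a Run key or a window, as an added toy model. This is example code written for this page, not Emsisoft's engine and not the Orion sample; the process list, the event vocabulary, the indicator weights and the threshold are all constructed assumptions.

```python
"""Toy model of behaviour-based verdicts for a screen-locker-style sample.

Added example, not from the thread or from Emsisoft. Process names,
event kinds, weights and the threshold are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed snapshot of what a WMI Win32_Process query might return:
# the case of the reported name is not guaranteed to be consistent.
WMI_PROCESSES = ["Explorer.EXE", "svchost.exe", "cmd.exe", "EXPLORER.exe"]


def processes_matched(names, target, case_sensitive):
    """Return the names a kill loop would actually match.

    A plain '==' against mixed-case WMI output is the bug described in the
    thread; comparing casefolded strings is the fix."""
    if case_sensitive:
        return [n for n in names if n == target]
    return [n for n in names if n.casefold() == target.casefold()]


@dataclass
class Event:
    kind: str                          # constructed vocabulary, see INDICATORS
    detail: dict = field(default_factory=dict)


# Constructed weights. Actions a locker needs in order to lock a screen score
# high; an autorun key alone is something many benign installers also do.
INDICATORS = {
    "window_topmost": 3,       # WS_EX_TOPMOST window, re-asserted
    "input_blocked": 4,        # BlockInput() or a low-level keyboard hook
    "desktop_switched": 4,     # CreateDesktop + SwitchDesktop
    "explorer_terminated": 2,  # the kill loop really matched explorer
    "payment_prompt": 3,       # unlock-code / payment UI
    "autorun_key": 1,          # HKCU\...\Run persistence
}
THRESHOLD = 5                  # constructed cut-off


def score_sample(events):
    """Sum the weights of the indicators actually observed.

    A 'process_kill_attempt' only counts when its name compare matched a
    process; this is exactly where the case-sensitivity bug makes the
    Orion-like profile look harmless."""
    hits = {}
    for ev in events:
        if ev.kind == "process_kill_attempt":
            matched = processes_matched(ev.detail["process_list"],
                                        ev.detail["target"],
                                        ev.detail.get("case_sensitive", True))
            if matched:
                hits["explorer_terminated"] = INDICATORS["explorer_terminated"]
        elif ev.kind in INDICATORS:
            hits[ev.kind] = INDICATORS[ev.kind]
    score = sum(hits.values())
    verdict = "screenlocker" if score >= THRESHOLD else "not_malicious"
    return {"score": score, "indicators": sorted(hits), "verdict": verdict}


# Constructed profile mirroring what the thread describes: a Run key, a
# normal (not topmost) form window, and a case-sensitive kill loop.
ORION_LIKE = [
    Event("autorun_key"),
    Event("window_create", {"topmost": False}),   # not an indicator
    Event("process_kill_attempt", {"process_list": WMI_PROCESSES,
                                   "target": "explorer.exe",
                                   "case_sensitive": True}),
]

# Constructed profile of what an actual screen locker would have to do.
LOCKER_LIKE = [
    Event("autorun_key"),
    Event("window_topmost"),
    Event("input_blocked"),
    Event("payment_prompt"),
    Event("process_kill_attempt", {"process_list": WMI_PROCESSES,
                                   "target": "explorer.exe",
                                   "case_sensitive": False}),
]

if __name__ == "__main__":
    print(processes_matched(WMI_PROCESSES, "explorer.exe", True))   # []
    print(processes_matched(WMI_PROCESSES, "explorer.exe", False))  # both explorer entries
    print(score_sample(ORION_LIKE))    # score 1, not_malicious
    print(score_sample(LOCKER_LIKE))   # score 13, screenlocker
```

The point of the split is that the Orion-like profile never crosses the threshold because none of the locking actions are present and the one destructive action never succeeds, whereas the locker profile is caught on its behaviour regardless of how the window looks.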

Dubseven (Level 14, Verified, Aug 12, 2013, 694)
I tested the ransomware called "Orion" myself after the tests.
The file puts a start-up key in place and kills Explorer at a defined timer interval.
A file that computer newbies will not know how to stop, and the malicious program starts up every time with Windows.
This means it's malicious.

I agree with you, it's not really ransomware but more a screen-locker / home-made malware. A screen-locker is malicious too.
And the activities and behavior are mostly the same between ransomware and screen-locker malware.


Regards,
 

Fabian Wosar (From Emsisoft, Verified, Developer, Well-known, Jun 29, 2014, 260)
> The file puts a start-up key in place and kills Explorer at a defined timer interval.
It attempts to kill it. But the function is messed up in version 3.0, and given the fact that explorer.exe clearly continues to run in the VM, as can be seen in the video, it still is. Otherwise there wouldn't have been a taskbar anymore.

> A file that computer newbies will not know how to stop, and the malicious program starts up every time with Windows.
Yeah, right clicking the icon in the taskbar and selecting close is clearly too hardcore unless you are a professional.

> I agree with you, it's not really ransomware but more a screen-locker / home-made malware. A screen-locker is malicious too.
Screenlockers are just a sub-type of ransomware. I still don't see the screen-locking aspect, though, given that the window isn't even always on top and you can just Alt + Tab out of it. But that must be too hardcore as well?
 

Dubseven (Level 14, Verified, Aug 12, 2013, 694)
@Fabian Wosar We were probably not talking about the same malware.
I'm talking about the last Orion version, which works well and which you can't get away from with Alt + Tab.

@Neno Maybe you can respect his hard work a bit?
Lots of installations/uninstallations, lots of time finding malware, and recording, editing and uploading.

You can think it is useless, but I can see the work he put into these videos. That means you can respect this work a bit.
 

Fabian Wosar (From Emsisoft, Verified, Developer, Well-known, Jun 29, 2014, 260)
> @Fabian Wosar We were probably not talking about the same malware.
> I'm talking about the last Orion version, which works well and which you can't get away from with Alt + Tab.
As I mentioned before, I only ever got one sample for V3, which was a joke. But just judging by the video, most of the flaws are still present. Explorer still running, no input blocking, etc. Those details may not matter for a sandbox or a simple HIPS, but they do for a behavior blocker.
 

Fabian Wosar (From Emsisoft, Verified, Developer, Well-known, Jun 29, 2014, 260)
> Manzai tests are useless. And that is my last comment on them.
I wouldn't go that far. He clearly puts a lot of time into his videos. I just don't understand why he sometimes chooses not to go with actual malware but instead uses some leaktest-like test tools. It's not like there aren't dozens of new Critroni and CryptoLocker copycats every day that could be used for testing.
 
