App Review Best Antivirus vs Unknown Ransomware II (TPSC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
The PC Security Channel

Schug

New Member
Jul 14, 2024
9
LEO is using a basic way to encrypt files. There is nothing extraordinary about his ransomware simulation. What he shows is completely realistic and any user is susceptible to it.
The situation this represents is an unknown zero-day ransomware attack. That is what is unlikely to be experienced by the average user. However, in this situation behavioral detection is necessary. Maybe I'm misunderstanding?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
I am impressed. Leo pushed the testing methodology into the XXII century. He created a golden sample that can show which AV is better against ransomware.
... or maybe I am wrong, and this video is just a presentation of one of many possible results (depending on the tested sample).
 

cofer123

Level 3
Thread author
Sep 7, 2021
140
A reasonable explanation on the ESET forums for the outcome of this sample:

Marcos said:
As I have already mentioned, this file encrypts files only in the current folder from which it was run. It does not walk through other folders like other actual ransomware which might account for why it was not detected by the Ransomware shield prior to adding the detection.
itman said:
Many "test" ransomware such as KnowBe4's Ransomware simulator: Ransomware Simulator | KnowBe4 operate as noted above; encrypt files in a single designated test folder/directory. As has been discussed previously at length in the forum: Ransomware Simulators - A Detailed Analysis, Eset will not detect these test ransomware due to the fact they don't exhibit actual ransomware behavior. Encrypting files in a single folder/directory per se is not "real world" ransomware behavior.
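An added illustration (not code from this thread, TPSC, ESET, or Kaspersky) of the distinction Marcos and itman draw above: a toy behavioural monitor in Python that aggregates constructed file-write events per process. Rule A requires both a burst of suspicious writes and a walk across several directories, so a single-folder encryptor stays below it; Rule B keys on the burst of rewrites alone and catches that case, at the cost of more false positives from archivers and bulk converters. The event shape, thresholds, paths and sample data are all assumptions made for this example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed sample data (not captured from any real malware or sensor).
# CIPHERTEXT contains every byte value exactly twice -> entropy of 8.0 bits/byte.
CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(512))
PLAINTEXT = b"Quarterly report draft, revision 2. " * 10


@dataclass
class FileEvent:
    """One file write attributed to a process (hypothetical event shape)."""
    pid: int
    path: str
    content: bytes      # bytes written to the file
    ext_changed: bool   # the write also renamed the file to a new extension


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed output sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class ProcStats:
    dirs: set = field(default_factory=set)   # distinct parent directories written to
    suspicious_writes: int = 0               # high-entropy content or extension change
    writes: int = 0


def collect(events):
    """Aggregate per-process write behaviour from a stream of events."""
    stats = defaultdict(ProcStats)
    for ev in events:
        s = stats[ev.pid]
        s.writes += 1
        s.dirs.add(str(PurePosixPath(ev.path).parent))
        if ev.ext_changed or shannon_entropy(ev.content) > 7.0:
            s.suspicious_writes += 1
    return stats


def verdict_spread(stats, min_writes=5, min_dirs=3):
    """Rule A: a burst of suspicious writes AND a walk across several directories.
    A process that encrypts only the folder it was launched from stays under this."""
    return {pid: s.suspicious_writes >= min_writes and len(s.dirs) >= min_dirs
            for pid, s in stats.items()}


def verdict_mass_rewrite(stats, min_writes=5):
    """Rule B: a burst of suspicious writes alone, whatever the directory spread.
    Catches the single-folder case but also fires on archivers, encryption
    tools and bulk image converters, which is the trade-off vendors weigh."""
    return {pid: s.suspicious_writes >= min_writes for pid, s in stats.items()}


def sample_events():
    """Three constructed processes: a directory walker (pid 100), a single-folder
    encryptor (pid 200), and a benign editor saving plain text (pid 300)."""
    events = []
    walker_dirs = ["Documents", "Pictures", "Desktop"]
    for i in range(6):
        d = walker_dirs[i % 3]
        events.append(FileEvent(100, f"/home/u/{d}/file{i}.docx", CIPHERTEXT, True))
    for i in range(6):
        events.append(FileEvent(200, f"/home/u/Downloads/test/file{i}.docx", CIPHERTEXT, True))
    for i in range(2):
        events.append(FileEvent(300, f"/home/u/Documents/notes{i}.txt", PLAINTEXT, False))
    return events


if __name__ == "__main__":
    stats = collect(sample_events())
    for pid in sorted(stats):
        print(pid, "spread-rule:", verdict_spread(stats)[pid],
              "mass-rewrite-rule:", verdict_mass_rewrite(stats)[pid])
```

Running the script prints that pid 100 trips both rules, pid 200 trips only the mass-rewrite rule, and pid 300 trips neither. Rollback of already-rewritten files, which the thread credits to Kaspersky, is a separate mechanism not modelled here; a real engine also weighs many more signals (canary files, shadow-copy deletion, process lineage) than the two used above.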
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,558
Testing such custom-made samples can sometimes be useful for AV vendors. There are many ways to bypass any usable anti-ransomware protection. AV vendors do not cover all possible attack vectors, even if they know those vectors. The main purpose is to cover the methods that already happened in the wild and the new attacks that will probably happen soon.
The good thing about the video is showing the differences in applying the protection. For example, Kaspersky used the rollback feature to recover the files (including the malware) and other AVs did not. Other AVs prefer protected backups, protected folders, etc. Microsoft recommends automatic file backup in OneDrive, so the files can be easily restored.
 

CyberDevil

Level 9
Verified
Well-known
Apr 4, 2021
407
Suppose the malware creates its sample in the documents folder and then executes it from there - is that enough to bypass Eset's protection? On the one hand the scheme is too complicated, on the other hand ... If Eset understands that the encryptor works only if the program handles several different directories, but it doesn't have a rollback function like Bitdefender and Kaspersky, then we are guaranteed possibly very significant damage to personal files until the antivirus is triggered. Although the presence of a cloud backup will still offset these risks, and the encryptor will not be able to get to system and program files in time to damage the OS, it may not be a big deal. :unsure: In general, it's important to always have a backup in any case. :)

By the way, since in V18 it is now possible to protect document folders without going through manual HIPS rules, the risk is probably even lower.
 

bazang

Level 8
Jul 3, 2024
352
itman said:

Encrypting files in a single folder/directory per se is not "real world" ransomware behavior.

_ _ _ _ _

itman doesn't know what he is talking about. Ransomware that targets a specific directory has been around for years. It is just that it is not how most ransomware works.

The discussions and excuses on the ESET forums are total nonsense and living in denial behaviors.
 

bazang

Level 8
Jul 3, 2024
352
CyberDevil said:
Suppose the malware creates its sample in the documents folder and then executes it from there - is that enough to bypass Eset's protection? On the one hand the scheme is too complicated, on the other hand ... If Eset understands that the encryptor works only if the program handles several different directories, but it doesn't have a rollback function like Bitdefender and Kaspersky, then we are guaranteed possibly very significant damage to personal files until the antivirus is triggered. Although the presence of a cloud backup will still offset these risks, and the encryptor will not be able to get to system and program files in time to damage the OS, it may not be a big deal. :unsure: In general, it's important to always have a backup in any case. :)

By the way, since in V18 it is now possible to protect document folders without going through manual HIPS rules, the risk is probably even lower.
The people on the ESET forum have no explanation as to why Kaspersky System Watcher detects and stops a single-directory encryption.

"But, but... you don't understand how ESET works! Single folder encryption is not real world!"

Sounds just like Webroot fanbois and fangirlz.
 

bazang

Level 8
Jul 3, 2024
352
Unlike Webroot, Eset shows high signature detection and a stable level of protection in all tests. It is enough to look at Shadowra's tests. So there is no need to exaggerate.
The ESET forum is full of fanbois and fangirlz. Their behaviors are exactly like the Webroot fanatics on the Webroot Community.

They say the very same things that Webroot devotees say:

"But you don't understand how Webroot (ESET) works."
"That is not real-world!"

Oh yes. It is real-world and the product does not protect.

Same thing applies to ESET Community and ESET product.
 