App Review Best Antivirus vs Unknown Ransomware II (TPSC)

[Jonny Quest]

Wait! Leo just posted a video where he tests a single file and doesn't push 1,000 files at once? And he didn't disable any components????

Is this the real life? Or is this just fantasy?

I love the Queen - Bohemian Rhapsody reference as well

 

[Andy Ful]

I remember a few posts on MT about ransomware that bypassed the protection of Kaspersky. Some time ago, I posted an example of ransomware that bypassed Kaspersky, Microsoft Defender, and most tested AVs. No AV can block/detect all possible malware (including ransomware) in all scenarios. This is especially true for simulations with custom-made samples. Furthermore, the AV vendors do not use all possible methods of fighting ransomware even if they know how to do it (other security layers, false positives, complexity, etc.).

I think that the problem with such videos is the expectations of watchers. If the video creator does not clearly say that the video is only an example of something that is already confirmed by reliable research, professional reports, tests, etc., people will understand that the video is going to prove something. To be honest, the author did not say anywhere in this video that AVs that blocked/detected the ransomware simulation were generally better than others. But if we look at the comments, most people take this video very seriously as proof that some AVs are winners and the rest are losers, which is untrue. This video only shows that AVs can use different methods to fight ransomware.

Generally, Kaspersky indeed has one of the best anti-ransomware protection. But, this cannot follow in any way from the video with one sample.

 

[monkeylove]

One sample's good enough for me.

 

[Andy Ful]

Good enough to avoid boredom.

 

[Templarware]

Avast/AVG would have probably passed the test.

 

[Betonf]

It would be interesting to repeat this test, with the new folder protection function of ESET 18.

 

[bazang]

I remember a few posts on MT about ransomware that bypassed the protection of Kaspersky. Some time ago, I posted an example of ransomware that bypassed Kaspersky, Microsoft Defender, and most tested AVs. No AV can block/detect all possible malware (including ransomware) in all scenarios. This is especially true for simulations with custom-made samples.

If a person (or AI) can write code, and that code bypasses protections, then it is a valid test of both the code and the protection failure. It is what we call a "Proof of Failure (POF)." We never use the words "Proof of Concept (POC)" to describe such tests.

If a white or grey hat coder can write code that bypasses a security solution, then so can the mad black hatter.

The point is this: there is no such thing as "real world." If it can be done in a test, then it can be done in the "real world."

Why do bug and vuln bounty programs pay so much money for "Proof of Concepts (POCs)"? Because the common sense, obvious fact is that if it can be done in the "lab" or at a BlackHat pwn event, then it can be done by threat actors.

It is dangerous territory to say "This will never happen in the real world." Because it just ain't true. It might have a very low probability of happening, but making decisions based upon low probabilities is a risk decision. Not everything can be protected. Not every security solution can protect everything. At some point the consumer - if they have the capacity - has to decide "I am going to worry about this." or "I am not going to worry about this."

I think that the problem with such videos is the expectations of watchers.

That is why there are places such as MalwareTips and people like you. To educate those who pay a high "Ignorance Tax."

If the video creator does not clearly say that the video is only an example of something that is already confirmed by reliable research, professional reports, tests, etc., people will understand that the video is going to prove something. To be honest, the author did not say anywhere in this video that AVs that blocked/detected the ransomware simulation were generally better than others. But if we look at the comments, most people take this video very seriously as proof that some AVs are winners and the rest are losers, which is untrue. This video only shows that AVs can use different methods to fight ransomware.

Nobody ever says that "This test and video are valid only for the specific sample(s) used, for these specific versions of these security software. Do not read into what is demonstrated. Do not generalize the results.

People with a high "Ignorance Tax" are the reason that social media has been a raging success. They make cybersecurity news click-bait a very profitable online endeavor.

 

[Andy Ful]

Avast/AVG would have probably passed the test.

Yes, it would pass the test. However, this test would be useless for Avast because it cannot trigger any of Avast's anti-ransomware features. The sample is an EXE file without anti-sandbox checks. It will be analyzed in the CyberCapture sandbox and detected as malicious, just like most of malicious EXE files.

In the wild, the ransomware can bypass CyberCapture by using non-EXE files, or EXE files with advanced anti-sandbox checks, or EXE files executed filelessly. We cannot know what will happen because we did not test the anti-ransomware features of Avast.

 

[cofer123]

Another point observed on that video:

Why weren't all AVs on the same start line, and why was ESET "tested" months before the other AVs?

ESET's version is 5 months older than the other AVs. Leo mentions it's not important as they are testing only behavior protection, yet he uses a much older version for ESET while all others are recent. This alone invalidates the result.