App Review Best Antivirus vs Unknown Ransomware II (TPSC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
The PC Security Channel

Andy Ful

I remember a few posts on MT about ransomware that bypassed the protection of Kaspersky. Some time ago, I posted an example of ransomware that bypassed Kaspersky, Microsoft Defender, and most tested AVs. No AV can block/detect all possible malware (including ransomware) in all scenarios. This is especially true for simulations with custom-made samples. Furthermore, the AV vendors do not use all possible methods of fighting ransomware even if they know how to do it (other security layers, false positives, complexity, etc.).

I think that the problem with such videos is the expectations of watchers. If the video creator does not clearly say that the video is only an example of something that is already confirmed by reliable research, professional reports, tests, etc., people will understand that the video is going to prove something. To be honest, the author did not say anywhere in this video that AVs that blocked/detected the ransomware simulation were generally better than others. But if we look at the comments, most people take this video very seriously as proof that some AVs are winners and the rest are losers, which is untrue. This video only shows that AVs can use different methods to fight ransomware.

Generally, Kaspersky indeed has one of the best anti-ransomware protections. But this cannot follow in any way from a video with one sample.
 

bazang

Andy Ful said:
I remember a few posts on MT about ransomware that bypassed the protection of Kaspersky. Some time ago, I posted an example of ransomware that bypassed Kaspersky, Microsoft Defender, and most tested AVs. No AV can block/detect all possible malware (including ransomware) in all scenarios. This is especially true for simulations with custom-made samples.
If a person (or AI) can write code, and that code bypasses protections, then it is a valid test of both the code and the protection failure. It is what we call a "Proof of Failure (POF)." We never use the words "Proof of Concept (POC)" to describe such tests.

If a white or grey hat coder can write code that bypasses a security solution, then so can the mad black hatter.

The point is this: there is no such thing as "real world." If it can be done in a test, then it can be done in the "real world."

Why do bug and vuln bounty programs pay so much money for "Proof of Concepts (POCs)"? Because the common sense, obvious fact is that if it can be done in the "lab" or at a BlackHat pwn event, then it can be done by threat actors.

It is dangerous territory to say "This will never happen in the real world." Because it just ain't true. It might have a very low probability of happening, but making decisions based upon low probabilities is a risk decision. Not everything can be protected. Not every security solution can protect everything. At some point the consumer - if they have the capacity - has to decide "I am going to worry about this." or "I am not going to worry about this."

Andy Ful said:
I think that the problem with such videos is the expectations of watchers.
That is why there are places such as MalwareTips and people like you. To educate those who pay a high "Ignorance Tax."

Andy Ful said:
If the video creator does not clearly say that the video is only an example of something that is already confirmed by reliable research, professional reports, tests, etc., people will understand that the video is going to prove something. To be honest, the author did not say anywhere in this video that AVs that blocked/detected the ransomware simulation were generally better than others. But if we look at the comments, most people take this video very seriously as proof that some AVs are winners and the rest are losers, which is untrue. This video only shows that AVs can use different methods to fight ransomware.

Nobody ever says that "This test and video are valid only for the specific sample(s) used, for these specific versions of these security software. Do not read into what is demonstrated. Do not generalize the results."

People with a high "Ignorance Tax" are the reason that social media has been a raging success. They make cybersecurity news click-bait a very profitable online endeavor.
 

Andy Ful

Avast/AVG would have probably passed the test.
Yes, it would pass the test. However, this test would be useless for Avast because it cannot trigger any of Avast's anti-ransomware features. The sample is an EXE file without anti-sandbox checks. It will be analyzed in the CyberCapture sandbox and detected as malicious, just like most malicious EXE files.

In the wild, the ransomware can bypass CyberCapture by using non-EXE files, or EXE files with advanced anti-sandbox checks, or EXE files executed filelessly. We cannot know what will happen because we did not test the anti-ransomware features of Avast.
 

cofer123

Thread author
Another point observed on that video:
Marcos said:
Why weren't all AVs on the same start line, and why was ESET "tested" months before the other AVs?

ESET's version is 5 months older than the other AVs. Leo mentions it's not important as they are testing only behavior protection, yet he uses a much older version for ESET while all others are recent. This alone invalidates the result.

 
