geminis3

Level 16
Verified
Malware Tester

The long awaited test has arrived.

Stay safe and stay at home! 😄

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and make informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.
 

MacDefender

Level 12
Verified
I wonder if some of these products have a whiter whitelist?

One issue that I frequently see is that Steam, Starcraft/Blizzard, and many other games store their game files in My Documents. Then the game engine modifies or deletes these files, and that triggers protected folders.

Surely BitDefender in this config isn't going to block those apps, but that suggests there's just another set of whitelists there.
 

MacDefender

Level 12
Verified
Of course, if I implement Protected Folders in Kaspersky Application Control via Manage Resources, we will also get untouched documents...

Yeah, I'm just afraid that trying to lock down protected folders harder is not the right answer to this. Sure, if you made an Allow or Deny prompt for any time someone touches a document in My Documents, we would have almost no ransomware that can bypass it. But just imagine how many times you'd be clicking that button...

That turns into the new age of macOS malware. They basically now socially engineer you to click through the "_____ is trying to access your documents. Allow or Deny?" dialog, except the one they trick you to click through is for something like Terminal or another general-purpose program, and then afterwards they can just piggyback on the newly granted permission.


EDIT: What I really want to see is "helloWorld.exe launched 7Zip Console, which is trying to access a protected document. helloWorld.exe has poor reputation. Do you want to allow this access?". AFAIK no behavior blocker on the market right now is smart enough to make that determination.
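The decision wished for above (judging a protected-folder access by the reputation of the whole launch chain, not just the process touching the file) can be sketched as detection logic. This is an added illustration, not code from any product in the thread; the process tree, reputations and folder list are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: folders a Safe Files / CFA style feature would protect
PROTECTED_FOLDERS = (r"C:\Users\alice\Documents",)
RANK = {"good": 0, "unknown": 1, "poor": 2}   # higher value = worse reputation


@dataclass
class Process:
    pid: int
    image: str
    reputation: str          # "good", "unknown" or "poor" (assumed from a reputation lookup)
    parent: Optional[int]    # pid of the parent process, None for a root


# Constructed process tree: helloWorld.exe (poor reputation) spawned one 7z.exe,
# a second 7z.exe was started from Explorer, and Word is also running.
PROCESSES: Dict[int, Process] = {p.pid: p for p in (
    Process(4,   "explorer.exe",   "good", None),
    Process(100, "helloWorld.exe", "poor", 4),
    Process(200, "7z.exe",         "good", 100),
    Process(201, "7z.exe",         "good", 4),
    Process(300, "WINWORD.EXE",    "good", 4),
)}


def is_protected(path: str) -> bool:
    """Case-insensitive prefix match, since Windows paths are case-insensitive."""
    p = path.lower()
    return any(p.startswith(f.lower() + "\\") for f in PROTECTED_FOLDERS)


def ancestry(pid: int, procs: Dict[int, Process]) -> List[Process]:
    """The process followed by its parents up to the root (or an unknown pid)."""
    chain: List[Process] = []
    while pid in procs and len(chain) < 64:      # guard against pid reuse cycles
        chain.append(procs[pid])
        pid = procs[pid].parent
    return chain


def evaluate_access(pid: int, path: str, procs: Dict[int, Process] = PROCESSES,
                    max_depth: int = 4) -> dict:
    """Decide on a file access: the worst reputation in the launch chain counts."""
    if not is_protected(path):
        return {"action": "allow", "reason": "path is not protected"}
    chain = ancestry(pid, procs)[:max_depth]
    actor, worst = chain[0], max(chain, key=lambda p: RANK[p.reputation])
    if worst.reputation == "good":
        return {"action": "allow", "reason": f"{actor.image} and its launch chain are trusted"}
    who = actor.image if worst is actor else f"{worst.image} launched {actor.image}, which"
    return {"action": "block" if worst.reputation == "poor" else "prompt", "culprit": worst.image,
            "reason": f"{who} is trying to access a protected document; "
                      f"{worst.image} has {worst.reputation} reputation"}
```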
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Yeah, I'm just afraid that trying to lock down protected folders harder is not the right answer to this. Sure, if you made an Allow or Deny prompt for any time someone touches a document in My Documents, we would have almost no ransomware that can bypass it. But just imagine how many times you'd be clicking that button...
My implementation does not prompt warnings to the user, it keeps default settings in Auto Mode... of course the best solution would be via BB...
 

blackice

Level 28
Verified
I wonder if some of these products have a whiter whitelist?

One issue that I frequently see is that Steam, Starcraft/Blizzard, and many other games store their game files in My Documents. Then the game engine modifies or deletes these files, and that triggers protected folders.

Surely BitDefender in this config isn't going to block those apps, but that suggests there's just another set of whitelists there.
Actually I’m pretty sure it does cause problems with Steam games. I don’t apply this to My Documents. I use a separate documents folder on a different drive and have Bitdefender or CFA protect that folder. Then Steam games work without having to whitelist each one that tries to access the folder.
 

MacDefender

Level 12
Verified
Actually I’m pretty sure it does cause problems with Steam games. I don’t apply this to My Documents. I use a separate documents folder on a different drive and have Bitdefender or CFA protect that folder. Then Steam games work without having to whitelist each one that tries to access the folder.

Our dreams are crushed once again :D

Really though! Don't let users save any documents to the computer, don't let anything read documents. Boom, ransomware problem solved!
 

geminis3

Level 16
Verified
Malware Tester
Are you sure this is not fake? The author does not show the contents of the encrypted files.
bat to exe - and rename file extensions ;)
There I opened the encrypted file with the provided password (random integer). This ain't professional malware but it causes real data harm.
 

Wraith2020

Level 2
@geminis3 I am really impressed by your Ransominator sample. You proved that even the best BBs can be bypassed (Kaspersky, Emsisoft, F-Secure, Bitdefender). That's why the best protection against ransomware is backup. In this test, BD protected folders did its job and it's a win for BD. So BD Safe Files, WD Controlled Folder Access and Avast Ransomware Shield will be able to keep the documents folder safe from unknown malware.
 

Wraith2020

Level 2
Actually I’m pretty sure it does cause problems with Steam games. I don’t apply this to My Documents. I use a separate documents folder on a different drive and have Bitdefender or CFA protect that folder. Then Steam games work without having to whitelist each one that tries to access the folder.
Yeah, BD Safe Files, Avast Ransomware Shield and CFA all cause problems with Steam games (at least on my PC). But at the end of the day, you'll have to choose between usability and protection. You'll have to manually whitelist every Steam game.
 

MacDefender

Level 12
Verified
Are you sure this is not fake? The author does not show the contents of the encrypted files.
bat to exe - and rename file extensions ;)

Lol, indeed! That is one of my pet peeves.

I really respected the responses I got back from Fabian (Emsisoft), F-Secure, and WiseVector when we talked about this 7zip exploit.

GREAT response: WiseVector:
(paraphrased because the communication was private)
We've tuned our product to detect and stop some in-the-wild attacks that use WinRAR in a similar fashion. We didn't detect this one because it operates specifically within a test folder within My Documents. Our product is tuned to expect that to be legitimate behavior.

However, knowing that Kaspersky can block this attack, we will see if we can do better.

Acceptable/Respectable responses:
F-Secure:
Thanks also for your valuable inputs with the 7-zip example. Those techniques are always considered in our detection iterations. However, we need to take into cognizance the legitimate use cases for this application. Aggressively blocking software with ransomware-like behavior without other checks will cause lots of false positives which will significantly impact the usability of our products. In addition, there are traces of the password used to archive the files which may be easily recovered by looking into event logs or reversing the malware itself.

Emsisoft, in another thread, paraphrased as "We consider once ransomware makes it onto a device, it can already be compromised in many ways. What you're seeing is reflective of the shift in focus to preventing host compromise as opposed to behavior blocking a malicious binary already on-host". Video - Emsisoft Anti Malware (default) vs Ransominator

I don't mind if a vendor's choice is to explain why they're not taking any action for this proof of concept. I think those are good answers from all 3 vendors for their justification.

The most disappointing answers were the ones from ESET which said their product would react to real ransomware, this is not real ransomware, and if you write real ransomware, that's illegal/unethical.
 

MacDefender

Level 12
Verified
and... it's true :)
Sure, but it's more dismissive than it needs to be.

We've seen more than one example in the MalwareHub of where ESET let files get encrypted but other products dynamically blocked the ransomware. They have the best signatures in the industry and that results in them, as a whole, outperforming many BB+Sig products, but it doesn't change that they have a weakness.
 

Outpost

Level 5
Verified
EDIT: What I really want to see is "helloWorld.exe launched 7Zip Console, which is trying to access a protected document. helloWorld.exe has poor reputation. Do you want to allow this access?". AFAIK no behavior blocker on the market right now is smart enough to make that determination.

Maybe you could get a similar answer from VS. It would be interesting to test it.
 

blackice

Level 28
Verified
I wonder if some of these products have a whiter whitelist?

One issue that I frequently see is that Steam, Starcraft/Blizzard, and many other games store their game files in My Documents. Then the game engine modifies or deletes these files, and that triggers protected folders.

Surely BitDefender in this config isn't going to block those apps, but that suggests there's just another set of whitelists there.
So I just had a Steam game blocked, because I forgot to remove the OneDrive version of my user’s My Documents folder from the Safe Files feature. It actually made adding the exclusion fairly painless, so I turned it back on for all documents folders. I don’t add new games THAT often. We’ll see how it goes. Still pondering just going back to ESET.
 