- Nov 17, 2016
- 1,242
Cerber ransomware can now detect virtual machines to prevent analysis
- Thread starter Danielx64
- Start date
Bunch of questions. Mods forgive but some just requiring mentioning other products. If this is bad let me know.
On the macrium question. Some of the ransomware I've played with will in fact encrypt the images and if that happens bye bye
I wrestled with how to protect my 2nd and 3rd internal drives. Many of the ransomware programs don't protect them. That is a fatal flaw. I finally settled on Pumpernickel(FIDES) as the solution. It locks changing files on the disks, but I can specifiy that certain programs can make changes. Cheap, only $13US. Big down side is it's only a driver controled by an ini file. EVERYTHING is manual. But it works.
That protects the images, so now the c: drive is a restore issue only.
As to what Rollback will do, I don't know. I won't use it as I don't trust either the software or the company. I don't like what it does to the imaging situation either. I don't believe there is any way to put Rollback on key. On there similiar in concept program is Raxco's Instant Recovery. While it could be used if your images are protected. It would be very unwieldy and time consuming.
What about all these new Anti Ransomware programs. To me a big Blah. By the time any of them detect anything YOU ARE INFECTED!!!. If that happens the smartest move would be to have an image to restore, in which case the use of these programs and is to me at least a waste of money
On the macrium question. Some of the ransomware I've played with will in fact encrypt the images and if that happens bye bye
I wrestled with how to protect my 2nd and 3rd internal drives. Many of the ransomware programs don't protect them. That is a fatal flaw. I finally settled on Pumpernickel(FIDES) as the solution. It locks changing files on the disks, but I can specifiy that certain programs can make changes. Cheap, only $13US. Big down side is it's only a driver controled by an ini file. EVERYTHING is manual. But it works.
That protects the images, so now the c: drive is a restore issue only.
As to what Rollback will do, I don't know. I won't use it as I don't trust either the software or the company. I don't like what it does to the imaging situation either. I don't believe there is any way to put Rollback on key. On there similiar in concept program is Raxco's Instant Recovery. While it could be used if your images are protected. It would be very unwieldy and time consuming.
What about all these new Anti Ransomware programs. To me a big Blah. By the time any of them detect anything YOU ARE INFECTED!!!. If that happens the smartest move would be to have an image to restore, in which case the use of these programs and is to me at least a waste of money
- Jul 22, 2014
- 2,525
I was Ted to check VT detections before but unfortunately couldn't till now.
At the end of Trendlabs's article there are the Sha of 4 files:
1st had VT=3/56 on 29.03.17
Antivirus scan for 09ef4c6b8a297bf4cf161d4c12260ca58cc7b05eb4de6e728d55a4acd94606d4 at 2017-03-29 18:11:46 UTC - VirusTotal
2nd VT=1, but Symantec, not Trend (5hours ago, 30.3.17)
Antivirus scan for a61eb7c8d7a6bc9e3eb2b42e7038a0850c56e68f3fec0378b2738fe3632a7e4c at 2017-03-30 21:42:27 UTC - VirusTotal
3rd 38/61 28.03.17. Where is Emsisoft?
Antivirus scan for e3e5d9f1bacc4f43af3fab28a905fa4559f98e4dadede376e199360d14b39153 at 2017-03-28 20:20:20 UTC - VirusTotal
4th 44/61
https://www.virustotal.com/en/file/...780b01c2a2c59bc399e5b746567ce6367dd/analysis/
At the end of Trendlabs's article there are the Sha of 4 files:
1st had VT=3/56 on 29.03.17
Antivirus scan for 09ef4c6b8a297bf4cf161d4c12260ca58cc7b05eb4de6e728d55a4acd94606d4 at 2017-03-29 18:11:46 UTC - VirusTotal
2nd VT=1, but Symantec, not Trend (5hours ago, 30.3.17)
Antivirus scan for a61eb7c8d7a6bc9e3eb2b42e7038a0850c56e68f3fec0378b2738fe3632a7e4c at 2017-03-30 21:42:27 UTC - VirusTotal
3rd 38/61 28.03.17. Where is Emsisoft?
Antivirus scan for e3e5d9f1bacc4f43af3fab28a905fa4559f98e4dadede376e199360d14b39153 at 2017-03-28 20:20:20 UTC - VirusTotal
4th 44/61
https://www.virustotal.com/en/file/...780b01c2a2c59bc399e5b746567ce6367dd/analysis/
- Apr 13, 2013
- 3,224
Solar- detection really depends on what you are checking- For instance if you check the original malware which is a vbs script you may get few detections as this is not in itself malicious, but will download the payload. But if you check the actual payload (like in the 4th one you indicated) things are different. And about the dll's (2 and 3)- not all dropped dll's will be actually malicious.
So the most important detections would be 3 and 4.
So the most important detections would be 3 and 4.
- Jul 22, 2014
- 2,525
Cruelsister, thanks.
Bte, I just checked the 4 Sha Trend provided (and stated that they were detecting).
I think it's strange to see how some are not detected or Emsisoft is not showing in the 3rd one.
In general, not related to the Cerber above, I think it's weird to see AV detect samples by the URL they try to connect to but then miss the executable/payload.
Bte, I just checked the 4 Sha Trend provided (and stated that they were detecting).
I think it's strange to see how some are not detected or Emsisoft is not showing in the 3rd one.
In general, not related to the Cerber above, I think it's weird to see AV detect samples by the URL they try to connect to but then miss the executable/payload.
- Jun 5, 2014
- 276
trend gets them on execution most of the time. even in virtual machines, i believe trend micro is not doing good at advertisement only the pro people know them, IMO their software is sometimes way better than some other software that the users most of the time use. they have bad things like false positive which is getting lower in every version. i'm testing their version 12 of software they enabled machine learning in this version for home products.
Similar threads
