ConfigureDefender utility for Windows 10/11
<blockquote data-quote="Andy Ful" data-source="post: 1032633" data-attributes="member: 32260">
<p><strong><span style="font-size: 18px">KnowBe4 Simulator Ransomware test</span></strong></p>
<p><strong>Part 1:</strong> all attack scenarios detected/blocked.</p>
<p>ConfigureDefender set to HIGH + ASR prevalence rule (Block executable files from running unless they meet a prevalence, age, or trusted list criterion).</p>
<p>[ATTACH=full]273931[/ATTACH]</p>
<p><strong>Part 2:</strong> 7 attack scenarios bypassed Defender.</p>
<p>ConfigureDefender set to HIGH (without the ASR prevalence rule enabled):</p>
<p>[ATTACH=full]273932[/ATTACH]</p>
<p>---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</p>
<p>KnowBe4 Simulator uses loaders (*.cxp files) executed via WMI, which can load payloads (*.dlm, *.exe, *.bin, ...).</p>
<p>All files are created by the simulator and are different in each test.</p>
<p>The ASR prevalence rule can block such attacks. Many of them are also detected by Defender at the pre-execution level (behavior-based detections: Trojan:Win32/Wacatac.B!ml, Program:Win32/Wacapew.C!ml).</p>
<p>This is not a real-world test and cannot be used to show the true capabilities of AV. I used it to show the effectiveness of the ASR prevalence rule. Of course, all samples could also be blocked by enabling the ASR rule related to WMI commands. Other ASR rules did not block anything due to the special form of the KnowBe4 tests.</p>
<p>Edit.</p>
<p>A similar test for other AVs was done on MT:</p>
<p><a href="https://malwaretips.com/threads/ransomware-simulator-vs-10-avs.113267/#post-984441">https://malwaretips.com/threads/ransomware-simulator-vs-10-avs.113267/#post-984441</a></p>
<p>Generally, most AVs scored poorly (with some exceptions). But this can follow from a special testing procedure (uncommon in the wild).</p>
</blockquote>
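<p>The post attributes the Part 1 result to the ASR prevalence rule and notes that the ASR rule for WMI-originated process creation would also cover the *.cxp loaders. The following is an added example, not code from the post or from ConfigureDefender, showing how those two rules are enforced and verified directly with Defender's PowerShell cmdlets; the rule GUIDs and event IDs are Microsoft's documented values, and the function names are my own.</p>

```powershell
# Added example (not from the post, not ConfigureDefender's code).
# Enforce the two ASR rules discussed in the post and list what they fired on.
# Rule GUIDs and event IDs are Microsoft's documented values for Defender ASR.
# Requires an elevated session with Microsoft Defender Antivirus active.

$AsrRules = @{
    # "Block executable files from running unless they meet a prevalence, age,
    # or trusted list criterion" (the "prevalence rule" from the post)
    Prevalence = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    # "Block process creations originating from PSExec and WMI commands"
    Wmi        = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

function Enable-RanSimAsrRules {
    param([switch]$AuditOnly)   # AuditMode only logs (event 1122) instead of blocking
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($id in $AsrRules.Values) {
        # Add-MpPreference appends to the rule list; Set-MpPreference would replace it
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

function Get-RanSimAsrRuleState {
    # One object per rule with its configured action (0=Disabled, 1=Block, 2=Audit, 6=Warn)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    foreach ($name in $AsrRules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {        # case-insensitive GUID match
            if ($ids[$i] -ieq $AsrRules[$name]) { $idx = $i; break }
        }
        [pscustomobject]@{
            Rule   = $name
            Id     = $AsrRules[$name]
            Action = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'NotConfigured' }
        }
    }
}

function Get-AsrRuleEvents {
    param([int]$Hours = 24)
    # 1121 = ASR rule fired in block mode, 1122 = fired in audit mode
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match ($AsrRules.Values -join '|') } |
    Select-Object TimeCreated, Id, Message
}

Enable-RanSimAsrRules          # use -AuditOnly first to measure false positives
Get-RanSimAsrRuleState
Get-AsrRuleEvents
```

<p>Running the rules in audit mode for a while before switching to block is the usual way to find the prevalence rule's false positives, since it also flags legitimate but rarely seen executables.</p>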