App Review Emsisoft Anti Malware (default) vs Ransominator

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Just to give some real-world examples of the challenges around warez:

This is a Windows Activation defeat tool that doesn't permanently install anything on the system. It temporarily intercepts a communication with the Windows Activation servers:

I've analyzed this one and it does not perform any malicious action.
BitDefender sigs call it "Trojan.GenericKD.3260284". Some engines label this a PUP or WinActivator. ClamAV labels it as Ransomware: "Win.Ransomware.Avcrypt-6917413-0".

This one I just searched for "KMS Activator" and downloaded the first result, as if I'm a "dumb" user :D

This binary was password protected in a zip file, randomly generated when I downloaded it. I strongly suspect it to be malicious. It has very low VirusTotal detection (including no BitDefender derived products).

Here's another clearly fake piracy tool, searched "VMWare Crack":

Here's a real Windows watermark disabler, not malicious. Most engines get this right, except for 2 AI ones that think this is suspicious:

Here's a fun one. This is for Ableton live:

I analyzed this one in a VM and was unable to find any evidence of it doing anything malicious. Kaspersky labels it as clean (usually my ground truth), but it's labeled everything from coin miner to ransomware. I was so curious about this one that I set up a clean machine about a month ago, with no security software enabled, and after running it I tried a few second opinion scanners and they found nothing left behind. Maybe this is really good at evasion but chances are, most AV engines do not like the way that this keygen has to scrape a bunch of data about your machine in order to compute an activation response (Ableton's DRM tries pretty hard to tie activations to your hardware)


Personally, to me, one of the few reasons why I turn to antimalware is to analyze files that I know are high risk. It is mildly disappointing for me that the results are so unreliable for this problem domain, but with that said, I recognize this is not a common or profitable use case to chase after. After all, what pirate is going to pay for your AV software? (Well, other than me -- every AV that I use or test is either legitimately licensed or a trial version)
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,324
Then for enterprise, why does Emsisoft not include a firewall or a way to control the Windows firewall? I thought the BB monitors the firewall, but you can still change rulesets via Security Center and not a peep from Emsisoft. Changing rulesets should be within the Emsisoft GUI only. Other vendors also use the Windows Firewall, but control is within their GUI!

Emsisoft has no app and device control or DLP. Spam filter add-on for email clients? Those are usually the entrance vectors for threats in enterprise.

There is no way to control what can be accessed on the network, for example to lock down everything and only allow access to sites in a whitelist, or to block certain categories. You have an Enterprise product, but it doesn't allow enterprises complete control and management of their devices.

How about patch management and vulnerability scans? Enterprises want a dashboard to monitor everything on.

Enterprises buy a complete package rather than using several solutions, since it is cheaper, easier to maintain and easier to manage. Training for several solutions costs money and time. Troubleshooting due to having several solutions in place also costs money and time.

I hope the Emsisoft Enterprise products become real enterprise-grade soon. Seriously, the Business and Enterprise products are just like Home with different brand text on the GUI.
Not a complete product, aka a managing nightmare 😂.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,324
Most average pirates use Kaspersky/ESET or another pirated endpoint product for detection.
Fast reputation and low false positives are key for them.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Most average pirates use Kaspersky or another pirated endpoint product for detection.
Fast reputation and low false positives are key for them.

I do have to say, in my experience, Kaspersky has been relatively accurate when it comes to pirated software. It tends to have good enough signatures and behavior blocking that it detects the most common fake/bugged pirated software, but it also rarely incorrectly marks a "legit" (lol) piracy tool as malware.

The "Ableton Live" sample above on KSN has 10,000+ known Kaspersky users. Pretty impressive for such an esoteric professional application.

I know you like SEP, but unfortunately I've found for pirated software that SEP and Norton behave quite similarly in that the heuristic "AdvML.B/C" engine tends to trigger frequently on piracy tools, especially ones that apply binary patches (e.g. cracks) to existing binaries. I still have hosts where I use SEP and I've learned how to interpret such alerts, but Kaspersky definitely deserves an honorable mention in this field, which I appreciate you bringing up.


I am also, on another note, interested to hear about Emsisoft's future direction. I am 100% on board with the idea that ransomware often reaches enterprise machines due to network compromises/intruders and other sorts of network oriented attacks, and by the time a piece of malware lands on a user's computer and the user has an opportunity to execute it, you've already lost. But with that said, I'm really interested in how vendors are trying to solve that problem. I've seen some APT defense products try to provide a whole-stack solution to that which includes virtualized honeypots, but not a lot of endpoint security software suites trying to address this.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Winaero's Universal Watermark Disabler is a great tool I use when running Insider builds. Some like me find the watermark these builds generate to be intolerable. I do a right-click scan before running it every time, though. It has always come out clean via HitmanPro.

Here's a real Windows watermark disabler, not malicious. Most engines get this right, except for 2 AI ones that think this is suspicious:

Yes, Cybereason and eGambit, it seems.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,324
That's true, SEP is too aggressive toward pirates.
For a gaming-only machine I'm planning on running Kaspersky, as I have seen it is a favorite among pirates.
Hopefully it will be good enough to replace some of the manual labor of analysis.
I will block access to the LAN, run the adapter via a proxy, change ports, etc.
No account or Steam will be installed on the gaming machine, for security.
And other practices I'm planning.
Setting up honeypots is a good idea, noted.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,324
To tell the truth about SEP, I hate Bloodhound and SONAR and all other ML proactive detection and the Auto-Protect signatures.
They don't detect enough zero days,
while increasing the attack surface on my critical main machines.
I don't use detection-based protection other than manual SEPM logging.
A waste of performance, headaches and protection.
With decent policies, Application Control can stop anything that SONAR and Bloodhound can't anyway.
But for friends that use pirated software I recommend Kaspersky.
But some prefer ESET, which has better performance but not as fast reputation or as strong a BB in my experience.
And System Watcher rollback is pretty good.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,324
But for any friend that just uses Office I will use unmanaged SEP as firewall / exploit mitigations,
and Andy's ConfigureDefender at Max and some other LOLBin blocking rules.
For family, SEP the same, plus Application Control, managed by a local SEPM server, copying my policies to test mode for a few weeks before production mode.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
On the bright side, Symantec/Norton products always perform within spitting distance of the top performers, they just don't lead or excel at any particular thing. That's too bad, because SONAR was such an innovative idea when they first launched it, and Bloodhound was also revolutionary in the '90s and set the benchmark for heuristic scanning. The company clearly has had the potential to innovate and lead the market, but that's no longer really what they do.

I'm not knocking these products, Norton/Symantec are always in my short list of options, but as you mentioned, each component has some drawbacks as time goes on. SONAR insight doesn't have the same level of quick reaction that Kaspersky's KSN has in terms of if one endpoint detects a file behaving badly, within literally seconds KSN will adjust the file reputation and other endpoints will statically flag the file as a virus.

Symantec is trying some cool stuff with machine learning and AI, but a detection signature that simply says "the AI thinks this is bad" (which is basically all AdvML.C means) is not at all helpful for the user, especially since they've frequently had this detection falsely flag legitimate enterprise login scripts.

With that said, their products are comprehensive, frequently go on sale, and perform within the top tier class of most standardized AV tests. It's hard to fault them. It's just not exciting and not worth putting on a pedestal. It's like the Toyota Camry of the AV world -- respectable, dependable, commonplace. Can't insult it but also can't admire it as some modern engineering marvel...

In a lot of ways this makes it a good go-to choice for family and friends who want to invest in protection. It's much easier to have them choose Norton360 than to attempt to explain how ESET is great at signatures but not behavior blocking, or F-Secure is good at most things but poor script malware protection and no firewall/network controls, etc etc.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,324
For me it's either default-deny protection
or good reputation such as Kaspersky, especially for friends who use pirated and/or risky software.
You need to explain why it's not moral, or just teach them safe places to do that #####.
I used to try and tweak SEP unmanaged, as SEP basically works without a license; the only caveat is that submissions don't work. (They pirate anyway, so if they won't listen to moral stuff this is my last resort that I used to do.)
I tried to reduce false positives by doing things like allowing community-trusted files and disabling hack tools and security risks in Auto-Protect.
But as always the AI made them uninstall SEP XD.
Thankfully Kaspersky Free is nowadays pretty good, so that settles the long battle.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Do any of the popular programs remove this threat (heuristic)? NortonLifeLock, McAfee, F-Secure?
The OP has made other "ransominator" threads demoing this attack. Some forms of anti-ransomware like CFA and protected folders can stop this attack, but they usually incorrectly identify 7zip as the offending agent, not the ransomware binary.

Kaspersky System Watcher appears to correctly understand this attack, but it is often capable of ransoming a few files before Kaspersky kicks in.

In general I give kudos to Kaspersky here -- it's blocking a lot of these kinds of home-brew zero day ransomware simulators.
 
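The misattribution MacDefender describes above (folder protection blaming 7zip rather than the binary that drove it) is illustrated by this added Python sketch, which is not from the thread or from any vendor's product; the process tree, file events and names such as "ransominator.exe" and "7z.exe" are constructed placeholders. It counts archive-then-delete pairs per acting process and walks the ancestry past known utilities to name the responsible parent.

```python
"""Attribute archive-and-delete activity to the process that drove it, not to
the archiver it invoked. Added example (not from the thread or any vendor);
events and names such as "ransominator.exe" and "7z.exe" are constructed."""
from collections import defaultdict

# Utilities that do archive/delete work on a parent's behalf; blame the
# nearest non-utility ancestor when one of these is the acting process.
KNOWN_UTILITIES = {"7z.exe", "cmd.exe", "powershell.exe"}

PROCESSES = {  # constructed process tree: pid -> (ppid, image)
    1: (0, "explorer.exe"),
    40: (1, "ransominator.exe"),   # the simulator (placeholder name)
    41: (40, "cmd.exe"),
    42: (41, "7z.exe"),            # the archiver doing the actual file I/O
    50: (1, "winword.exe"),        # benign process touching the same folder
}

FILE_EVENTS = [  # constructed: (seq, pid, op, path)
    (1, 42, "create", r"C:\Users\u\Documents\a.docx.7z"),
    (2, 42, "delete", r"C:\Users\u\Documents\a.docx"),
    (3, 42, "create", r"C:\Users\u\Documents\b.xlsx.7z"),
    (4, 42, "delete", r"C:\Users\u\Documents\b.xlsx"),
    (5, 42, "create", r"C:\Users\u\Documents\c.pdf.7z"),
    (6, 42, "delete", r"C:\Users\u\Documents\c.pdf"),
    (7, 50, "create", r"C:\Users\u\Documents\notes.docx"),
]
ARCHIVE_SUFFIXES = (".7z", ".zip", ".rar")

def responsible_process(pid, processes=PROCESSES, utilities=KNOWN_UTILITIES):
    """Walk up from pid to the first ancestor that is not a known utility."""
    cur = pid
    while cur in processes:
        ppid, image = processes[cur]
        if image.lower() not in utilities:
            return cur, image
        cur = ppid
    return pid, processes.get(pid, (None, "?"))[1]

def archive_then_delete_counts(events=FILE_EVENTS):
    """Per acting pid: originals deleted after an archive of the same stem appeared."""
    pending = defaultdict(set)  # pid -> stems whose archive was just created
    hits = defaultdict(int)
    for _seq, pid, op, path in sorted(events):
        if op == "create" and path.lower().endswith(ARCHIVE_SUFFIXES):
            pending[pid].add(path.rsplit(".", 1)[0].lower())
        elif op == "delete" and path.lower() in pending[pid]:
            hits[pid] += 1
    return dict(hits)

def detect(threshold=3, events=FILE_EVENTS, processes=PROCESSES):
    """Alerts naming both the acting tool and the responsible parent process."""
    alerts = []
    for pid, n in archive_then_delete_counts(events).items():
        if n >= threshold:
            rpid, rimage = responsible_process(pid, processes)
            alerts.append({"tool": processes[pid][1], "tool_pid": pid,
                           "responsible": rimage, "responsible_pid": rpid, "files": n})
    return alerts
```

With the constructed events, the alert names 7z.exe as the tool but ransominator.exe as the responsible process, which is what a folder-protection response would need to terminate.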
