Emsisoft Anti Malware (default) vs Ransominator
MacDefender wrote (post 876708):

> Yeah, my first demo ransomware wasn't even LOLBin based, it was literally just a 5-line C# app that iterated through My Documents and used .NET's AES encryption to encrypt everything.
>
> ESET was basically the only product other than Windows Defender (without CFA) that failed to detect this. I had a conversation with their engineers and they basically said detecting this kind of demoware is not something they care to add to their signatures -- they are focused on actual in-the-wild malware and their variants.
>
> I can understand their position. Most of us do not encounter completely bona-fide ransomware.
>
> Speaking of behavior blocking, one behavior that really impressed me was that recent versions of Norton seem to use their internet security component to monitor for large amounts of upload, and when that happens, it prompts you to run Norton Power Eraser.
>
> Pure ransomware isn't as popular as it once was -- most forms of ransomware also try to upload some of your files so that their actors can threaten to release them if you don't pay the ransom. Detecting large amounts of upload traffic is a pretty easy way to flag that activity, forcing ransomware to become more complex in attempting to evade that kind of blocking.
>
> To date I haven't noticed Emsisoft or F-Secure or other good behavior blockers try to incorporate network traffic into their behavior scoring. That was a pleasantly innovative idea from perhaps a company that not a lot of us expect to be on the forefront.
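The upload-volume heuristic described in the quoted post (flag a process once its outbound traffic in a short window gets unusually large) can be sketched as a small detector. The following is an added example written for this page, not code from the thread, from Norton, or from any vendor product; the log format, process names, destination addresses, 50 MiB threshold and 60-second window are all constructed for illustration and are not taken from any real sensor.

```python
"""Flag processes whose outbound bytes in a sliding time window exceed a threshold.

Added example (not from the forum thread or any vendor). Everything below,
including the log format and the numbers, is constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

MIB = 1024 * 1024

# Constructed per-flow records, in the shape a host sensor might emit:
#   ts=<seconds> proc=<image name> dst=<ip:port> out=<bytes sent>
# outlook.exe sends small mail; browser.exe one 10 MiB upload; cloudsync.exe
# 10 MiB every two minutes; unknown_tool.exe 8 MiB every five seconds.
SAMPLE_LOG = """
ts=0 proc=outlook.exe dst=203.0.113.10:443 out=200000
ts=0 proc=cloudsync.exe dst=203.0.113.20:443 out=10485760
ts=10 proc=browser.exe dst=203.0.113.30:443 out=10485760
ts=30 proc=outlook.exe dst=203.0.113.10:443 out=150000
ts=70 proc=outlook.exe dst=203.0.113.10:443 out=180000
ts=120 proc=cloudsync.exe dst=203.0.113.20:443 out=10485760
ts=240 proc=cloudsync.exe dst=203.0.113.20:443 out=10485760
ts=300 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=305 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=310 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=315 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=320 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=325 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=330 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=335 proc=unknown_tool.exe dst=203.0.113.40:443 out=8388608
ts=360 proc=cloudsync.exe dst=203.0.113.20:443 out=10485760
ts=480 proc=cloudsync.exe dst=203.0.113.20:443 out=10485760
ts=600 proc=cloudsync.exe dst=203.0.113.20:443 out=10485760
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    proc: str
    dst: str
    out: int


@dataclass(frozen=True)
class Alert:
    proc: str
    ts: int              # time at which the threshold was first crossed
    bytes_in_window: int  # outbound bytes inside the window at that moment


def parse_flows(text):
    """Parse key=value flow lines into Flow records sorted by timestamp."""
    flows = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(int(fields["ts"]), fields["proc"],
                          fields["dst"], int(fields["out"])))
    return sorted(flows, key=lambda f: f.ts)


def detect_bulk_upload(flows, threshold_bytes=50 * MIB, window_seconds=60):
    """Return one Alert per process the first time its outbound bytes within
    the trailing window reach threshold_bytes. Both parameters are assumed
    tunables, not values from any product."""
    windows = defaultdict(deque)   # proc -> deque of (ts, bytes) still in window
    totals = defaultdict(int)      # proc -> sum of bytes currently in its deque
    alerted = set()
    alerts = []
    for f in flows:
        dq = windows[f.proc]
        dq.append((f.ts, f.out))
        totals[f.proc] += f.out
        # Drop flows that have aged out of the trailing window.
        while dq and dq[0][0] <= f.ts - window_seconds:
            _, old = dq.popleft()
            totals[f.proc] -= old
        if totals[f.proc] >= threshold_bytes and f.proc not in alerted:
            alerted.add(f.proc)
            alerts.append(Alert(f.proc, f.ts, totals[f.proc]))
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_upload(parse_flows(SAMPLE_LOG)):
        print(f"{a.proc}: {a.bytes_in_window / MIB:.0f} MiB sent within the "
              f"trailing window at t={a.ts}s")
```

With the constructed input only unknown_tool.exe trips the 60-second window (56 MiB by t=330), while cloudsync.exe, which sends the same order of magnitude but spread over ten minutes, stays quiet; widening the window to 600 seconds makes it trip as well, which is the tuning tension the post hints at: a short window misses slow exfiltration, a long one flags legitimate backup and sync clients. In a real deployment the per-process sum would come from a network filter or flow telemetry rather than a text log, and the alert would feed a behavior score alongside the file-modification signals the thread discusses rather than blocking on its own.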