SearchLight

Level 9
Verified
I am using Eset Internet Security 2019 v12.1.31.0 with Roboman's Config File Setup. None of the protection modules are disabled.

I was reading about a Ransomware Simulator called RanSim which some on the web use to test their software.

For the heck of it, I downloaded and ran the test, and these are the results:

210460


I ran it twice with the same results.

So should I be worried, and remove Eset and try something else or to the gurus here and everyone else are the results bogus?

What do you think and if you agree, what other software passed the test?
 
Last edited:

Azure

Level 24
Verified
Content Creator
Discussion on ransim you can read on the ESET forum

 

Nightwalker

Level 16
Verified
Content Creator
Tested the Tool with Norton Security Deluxe and just keeps loading. So nothing Executed or simulated.

Program is blocked immediately when executing the tests. :) good job Norton

View attachment 210461
It is just a signature detection (hacktool.Cryptran), not a big deal, really.

AMTSO tests, Ransim and Fortimetal are just syntentic tests that in NO WAY reflect a security solution capability to detect malware.

For example, Emsisoft doesnt have a web scanner, so by default it would tank in a test like AMTSO, while it offers great protection in the real world.
 

SearchLight

Level 9
Verified
Appreciate the responses. Thanks.

Going back to my OP, then is the consensus here that RanSim accomplishes nothing, and is bogus because it does not reflect what happens in the real world?

If that be so, then what is the purpose of creating, and using this simulator to test software? To create Scareware?

To that end, one could almost argue that the EICAR test virus is the same because it is not doing anything malicious.

I feel that slowly this topic is migrating into the infamous marketing tactics that vendors might employ to sell their security products that will protect and defend your PC from every known threat including Zero day.

It is great to be an informed consumer because of the many informative postings here on the MT website.
 
Last edited:

SearchLight

Level 9
Verified
I wouldn't worry too much about what this Tool says to rate an AV like Eset.
However I have done a test with Comodo Firewall with CS settings.
View attachment 210465
Interesting results. In your case, the simulator implies that CF/cs works in almost all cases.

Now the question is what to believe? One would think that CF and Norton are very effective based on the RanSim results, and Eset was not. Is it because in reality these softwares were "programmed" to recognize RanSim behavior while Eset was not?
 
  • Like
Reactions: Nestor and bribon77

bribon77

Level 28
Verified
Interesting results. In your case, the simulator implies that CF/cs works in almost all cases.

Now the question is what to believe? One would think that CF and Norton are very effective based on the RanSim results, and Eset was not. Is it because in reality these softwares were "programmed" to recognize RanSim behavior while Eset was not?
Comodo comes out very well from 13/13 protected.But this is not real. therefore it is not Relevant at least for me.
But it's fun. :p
 

Nightwalker

Level 16
Verified
Content Creator
Interesting results. In your case, the simulator implies that CF/cs works in almost all cases.

Now the question is what to believe? One would think that CF and Norton are very effective based on the RanSim results, and Eset was not. Is it because in reality these softwares were "programmed" to recognize RanSim behavior while Eset was not?
Neither, Comodo Firewall isolated the file and Norton avoided the execution with a signature; Malwarebytes Antimalware for example will behave exactly like Norton.

If there isnt a specifically bypass or certificate problem, Comodo with CS settings will offer 100 % protection against malware.

ESET could create a signature to detect the executable that does the simulation, but there is no real gain to the end user.

About ESET response, I will quote @Marcos (ESET staff) about this:

While eicar is a test file with an exact definition that virtually all AV vendors agreed to detect for testing purposes, RanSim is a tool created by a particular company that does not do actual harm.

Definition of eicar (http://www.eicar.org/86-0-Intended-use.html?
... it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

On the other, RanSim tries to simulate of of zillions of ways of encryption. Given that there's no standard defined for detection of ransomware behavior (it'd be useless anyways since malware authors use different ways of encryption to avoid detection), applications that seemingly pass these test may miserably fail in real world when it comes to protection from real ransomware.

The lesson to learn is, do not put trust into simulators but real world tests.
 

SearchLight

Level 9
Verified
If only Comodo firewall.:giggle:
So far from what I am reading, the consensus seems to be Eset "should" react to any Ransomware attack, and one should ignore the RanSim results.

On the other hand, if one wants to be doubly sure that there product would react to a Ransomware attack, software like Norton, and CF/cs might be safer and less riskier choices if results are to be believed.

Although some of you do not think highly of PCMag reviews, I came across this portion of an article they were doing on Ransomware Protection 2019 referring to RanSim:
210466
 
Last edited:

SearchLight

Level 9
Verified
Again, what to believe?

Has any tester and/or anyone else on this site been able to vouch for Eset in some type of real world testing or VM that it would react to and protect from Ransomware besides just the words "it would"?
 

Burrito

Level 18
Verified
Yes, I think testing is the basis for the basic evaluation of a product.

But not through simulators...

Simulators do not necessarily trigger as an actual event. And yes, some vendors put more effort into gaming all the simulators.

You need to look at AMTSO approved testing. And even then, don't just rely on one test. Look at multiple tests to get a larger perspective.

Here are a couple from AV-C and MRG.

210469


210470


And there are other tests out there...

As a 'test watcher' (I check them all out) --- as a generalization, it is a good time to use ESET. They are trending upward. It is a good capability.