App Review ESET IS (Default) vs Ransominator

bayasdev

Level 19
Thread author
Verified
Top Poster
Well-known
Sep 10, 2015
901


After recording I manually submitted the sample to ESET since I'm currently using EIS on my host 🙃 , I know it would have been manually blocked with interactive HIPS but it's just too annoying for most people.

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
I don't think so, since this was a homemade sample; for real-life scenarios you should use samples seen in the wild, which are way more sophisticated than mine, which is limited to calling 7zip to do the dirty job.

I agree, the answer is kind of complicated. No, real ransomware tends to have a mechanism for phoning home, a mechanism for uploading/escrowing some sort of key (if not your entire data), and are likely based off some existing form of ransomware.

With that said, we've seen real-world ransomware that uses WinZip, 7Zip, and other archivers to do the encrypting. And we've seen the recent CertUtil.exe-based ransomware that defeats many AV software because it uses a built-in system binary to do the dirty work.

One can argue that if your AV cannot detect this threat, you're vulnerable to this class of attacks. After all, scripts and fileless malware can bypass static inspection, leaving it up to the behavior blocker to save your files. If it cannot detect this attack, your files could very well have been encrypted and lost, even if another component of your AV software detects the attempt to phone home or subsequent suspicious behavior.

Very, very few have the ability to roll back harmful actions -- KSW is one of them, but in one of the tests conducted against my sample, it also failed to completely roll everything back.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The issue seen here is that many AV products have issues with clever batch files. This is due primarily to the fact that they can be readily tweaked to make them zero-day, and the logical path may not have been previously utilized in a widespread way (obviously I'm beating around the bush). The net result is that the malware (which can be coded as a batch, VBS, or PowerShell script) will be undetected by AV definitions and blown off as inconsequential by HIPS (cmd is legit but still powerful).

However, Script Analysis in conjunction with Sandboxing (CF) will find such things as these rather trivial.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,867
The issue seen here is that many AV products have issues with clever batch files. This is due primarily to the fact that they can be readily tweaked to make them zero-day, and the logical path may not have been previously utilized in a widespread way (obviously I'm beating around the bush). The net result is that the malware (which can be coded as a batch, VBS, or PowerShell script) will be undetected by AV definitions and blown off as inconsequential by HIPS (cmd is legit but still powerful).

However, Script Analysis in conjunction with Sandboxing (CF) will find such things as these rather trivial.
Would blocking execution of cmd and powershell (and disabling VBS) with HIPS or OSArmor when not needed help mitigate this risk? I know some threats bring along powershell in tow, but many don't if I understand correctly.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Geminis3- Don't give away the family jewels!

Blackice- Yeah, one COULD make a bunch of exclusions like disabling PowerShell, vbs, python, cmd, etc., etc. But with each exclusion you are restricting many benign scripts from running, some of which are needed by either Windows or some other application in order to run fully. For instance (if memory serves) the AV product FortiClient uses certutil for its updating function. Better to use a product that makes such blanket exclusions unnecessary.

Ebocious- Yeah, CruelCF protects.
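An added example, not from this thread or from any product mentioned in it, illustrating the point made in MacDefender's and cruelsister's posts: rather than blanket-blocking cmd/powershell, a behavioural rule can look at what a script host actually makes an archiver do. The script below triages constructed Sysmon-style process-creation events and flags 7-Zip creating a password-protected archive from user-profile data with its delete-after-archiving switch, while a nightly backup job and an installer extracting files pass. The event fields, the WinRAR -df switch and the threshold of three indicators are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed events, loosely modelled on Sysmon process-creation records (not real logs).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",            # batch file driving 7-Zip
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pREDACTED -sdel C:\Users\alice\Documents\docs.7z C:\Users\alice\Documents\*"},
    {"id": 2, "parent": r"C:\Users\alice\Downloads\setup.exe",     # installer extracting its files
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x vendor-files.7z -oC:\Vendor\App"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",            # scheduled backup script
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a D:\Backups\nightly.7z C:\Users\alice\Documents\*"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "winrar.exe", "rar.exe"}
DELETE_SOURCE_SWITCHES = {"-sdel", "-df"}   # 7-Zip / WinRAR: delete input files after archiving
USER_PROFILE_RE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\")


def basename(path):
    return PureWindowsPath(path).name.lower()


def indicators(event):
    """Return the behavioural indicators present in one process-creation event."""
    found = []
    if basename(event["image"]) not in ARCHIVERS:
        return found
    # Naive whitespace split; a production parser must honour Windows quoting rules.
    args = event["cmdline"].split()[1:]
    if not args or args[0].lower() != "a":      # only archive *creation* is of interest
        return found
    if basename(event["parent"]) in SCRIPT_HOSTS:
        found.append("archiver spawned by script host")
    if any(a.startswith("-p") for a in args):    # 7-Zip/WinRAR password switch
        found.append("password-protected archive")
    if any(a.lower() in DELETE_SOURCE_SWITCHES for a in args):
        found.append("source files deleted after archiving")
    if any(USER_PROFILE_RE.match(a) for a in args if not a.startswith("-")):
        found.append("user-profile data as input or output")
    return found


def classify(event, threshold=3):
    """'suspicious' only when several indicators co-occur, so a lone script-host parent stays benign."""
    found = indicators(event)
    return ("suspicious" if len(found) >= threshold else "benign"), found


def triage(events):
    return {e["id"]: classify(e)[0] for e in events}
```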
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
@cruelsister can all the AVs missing this sample possibly be attributed to the sample being a bona fide one?
@geminis3 mentioned earlier that the sample was compiled on the same VM he has been testing on.
Do you think that can be a premise (user creating the sample for intentional use using a legit app), following which the AVs are not flagging it OR would it simply be a whitelisted app doing the dirty job in a less pronounced manner?
The sample is also labelled as Hoax.Win64.FakeRansom.a by Kaspersky.
 

ebocious

Level 5
Verified
Well-known
Oct 25, 2018
236
Blackice- Yeah, one COULD make a bunch of exclusions like disabling PowerShell, vbs, python, cmd, etc., etc. But with each exclusion you are restricting many benign scripts from running, some of which are needed by either Windows or some other application in order to run fully. For instance (if memory serves) the AV product FortiClient uses certutil for its updating function. Better to use a product that makes such blanket exclusions unnecessary.

Ebocious- Yeah, CruelCF protects.
Now, if only someone would make a Mac equivalent to CF. :(
 