App Review ESET IS (Default) vs Ransominator

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

bayasdev

Level 19
Thread author
Verified
Top Poster
Well-known
Sep 10, 2015
901


After recording I manually submitted the sample to ESET since I'm currently using EIS on my host šŸ™ƒ , I know it would have been manually blocked with interactive HIPS but it's just too annoying for most people.

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.
 
Last edited:

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I don't think since this was a homemade sample, for real life scenarios, you should use samples seen on the wild that are way more sophisticated than mine, which just limits to call 7zip to do the dirty job.

I agree, the answer is kind of complicated. No, real ransomware tends to have a mechanism for phoning home, a mechanism for uploading/escrowing some sort of key (if not your entire data), and are likely based off some existing form of ransomware.

With that said, we've seen real world ransomware that uses WinZip, 7Zip, and other archivers to do the encrypting. And we've seen the recent CertUtil.exe based ransomware that defeats many AV software because it uses a built in system binary to do the dirty work.

One can argue that if your AV cannot detect this threat, you're vulnerable to this class of attacks. After all, scripts and fileless malware can bypass static inspection, leaving it up to the behavior blocker to save your files. If it cannot detect this attack, your files could very well have been encrypted and lost, even if another component of your AV software detects the attempt to phone home or subsequent suspicious behavior.

Very very few have the ability to roll back harmful actions -- KSW is one of them, but in one of the tests conducted against my sample, it also failed to completely roll everything back.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
The issue seen here is that many AV products have issues with clever batch files. This is due primarily to the fact that they can be readily tweaked to make them zero day as well as the logical path may have not been previously utilized in a widespread way (obviously I'm beating around the bush). Net result is the malware (which can be coded as a batch, VBS, Powershell) will be undetected by AV definition and blown off as inconsequential by HIPS (cmd is legit but still powerful).

However Script Analysis in conjunction with Sandboxing (CF) will find such as these rather trivial.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
The issue seen here is that many AV products have issues with clever batch files. This is due primarily to the fact that they can be readily tweaked to make them zero day as well as the logical path may have not been previously utilized in a widespread way (obviously I'm beating around the bush). Net result is the malware (which can be coded as a batch, VBS, Powershell) will be undetected by AV definition and blown off as inconsequential by HIPS (cmd is legit but still powerful).

However Script Analysis in conjunction with Sandboxing (CF) will find such as these rather trivial.
Would blocking execution of cmd and powershell (and disabling VBS) with HIPS or OSArmor when not needed help mitigate this risk? I know some threats bring along powershell in tow, but many donā€™t if I understand correctly.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Geminis3- Don't give away the family jewels!

Blackice- Yeah, one COULD make a bunch of exclusions like disabling Powershell, vbs, python, cmd, etc, etc. But with each exclusion you are restricting many benign scripts from running, some of which are needed by either Windows or some other application in order to run fully. For instance (if memory serves) the AV product FortiClient uses certutil for its updating function. Better to use a product that makes such blanket exclusions not necessary.

Ebocious- Yeah, CruelCF protects
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
@cruelsister can all the AVs missing this sample possibly be attributed to the sample being a bonafide one?
@geminis3 mentioned earlier that the sample was compiled on the same VM he has been testing on.
Do you think that can be a premise (user creating the sample for intentional use using a legit app), following which the AVs are not flagging it OR would it simply be a whitelisted app doing the dirty job in a less pronounced manner?
The sample is also labelled as Hoax.Win64.FakeRansom.a by Kaspersky.
 

ebocious

Level 5
Verified
Well-known
Oct 25, 2018
232
Blackice- Yeah, one COULD make a bunch of exclusions like disabling Powershell, vbs, python, cmd, etc, etc. But with each exclusion you are restricting many benign scripts from running, some of which are needed by either Windows or some other application in order to run fully. For instance (if memory serves) the AV product FortiClient uses certutil for its updating function. Better to use a product that makes such blanket exclusions not necessary.

Ebocious- Yeah, CruelCF protects
Now, if only someone would make a Mac equivalent to CF. :(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top