McMcbrad

Level 9
It says "Malware"

This is a bit more info about the sample:
[two screenshots of the sample were attached]

Minimalist

Level 2
> ESET 15/16 will have protected folders. I promise you that.
I somehow doubt it, as they say they have it "covered" with their HIPS for those who want to use it.
To be fair, a lot of other AVs don't offer that either. And Kaspersky's implementation is not that different from ESET's and is far from "user friendly". I don't see ordinary users using it. At least that's how I see it.

SeriousHoax

Level 32
Verified
Btw, this is how protected folders can be configured in ESET:


This is for Kaspersky:


McMcbrad

Level 9
> Btw, this is how protected folders can be configured in ESET:

It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when an executable with no digital signature and no visible window is run. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting and then dropping a large number of files in sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.
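The remediation flow sketched in the post above (watch the process, journal the files it touches, flag a delete-then-drop burst, kill it and roll back) as an added example. This is illustrative code written for this thread, not code from the poster or from any vendor's product; the filesystem is a plain dict, the events, timestamps, window size and threshold are all constructed assumptions, and "killing" the process and removing its service key is only simulated.

```python
"""Toy file-journaling monitor: journal what a watched process deletes or
overwrites, flag it when it deletes and then drops many files inside a short
window, then stop it and restore the journaled originals."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class FsEvent:
    t: float                       # seconds since start (constructed timestamps)
    pid: int                       # process that performed the operation
    op: str                        # "delete", "create" or "write"
    path: str
    data: Optional[bytes] = None   # new content for create/write


class JournalingMonitor:
    def __init__(self, fs, window_s=2.0, threshold=5):
        self.fs = fs                # simulated filesystem: path -> bytes
        self.window_s = window_s    # look-back window for the burst heuristic (assumption)
        self.threshold = threshold  # deletes AND creates needed to flag a pid (assumption)
        self.journal = {}           # pid -> {path: content before the process first touched it}
        self.recent = {}            # pid -> deque of (t, op) inside the window
        self.killed = set()         # pids that have been "terminated"

    def handle(self, ev):
        """Apply one event; return "blocked", "ok" or "remediated"."""
        if ev.pid in self.killed:
            return "blocked"        # a terminated process gets no further writes
        self._journal_before(ev)
        self._apply(ev)
        if self._looks_like_ransomware(ev):
            self.remediate(ev.pid)
            return "remediated"
        return "ok"

    def _journal_before(self, ev):
        j = self.journal.setdefault(ev.pid, {})
        if ev.path not in j:
            # None records that the file did not exist before this process touched it
            j[ev.path] = self.fs.get(ev.path)

    def _apply(self, ev):
        if ev.op == "delete":
            self.fs.pop(ev.path, None)
        elif ev.op in ("create", "write"):
            self.fs[ev.path] = ev.data if ev.data is not None else b""
        else:
            raise ValueError(f"unknown op {ev.op!r}")

    def _looks_like_ransomware(self, ev):
        # Count deletes and creates by this pid inside the trailing window.
        q = self.recent.setdefault(ev.pid, deque())
        q.append((ev.t, ev.op))
        while q and ev.t - q[0][0] > self.window_s:
            q.popleft()
        deletes = sum(1 for _, op in q if op == "delete")
        creates = sum(1 for _, op in q if op == "create")
        return deletes >= self.threshold and creates >= self.threshold

    def remediate(self, pid):
        """Stand-in for killing the process and removing its service key, then roll back."""
        self.killed.add(pid)
        for path, original in self.journal.pop(pid, {}).items():
            if original is None:
                self.fs.pop(path, None)     # file was dropped by the process: remove it
            else:
                self.fs[path] = original    # file was deleted/overwritten: restore it
        self.recent.pop(pid, None)


def simulate():
    """Run a constructed scenario; returns (filesystem, per-event results)."""
    fs = {f"docs/doc{i}.txt": f"document {i}".encode() for i in range(1, 7)}
    fs["docs/notes.txt"] = b"old notes"
    monitor = JournalingMonitor(fs)

    events = [FsEvent(0.05, 100, "write", "docs/notes.txt", b"new notes")]  # benign editor
    t = 0.0
    for i in range(1, 7):   # pid 4242 deletes each document and drops a renamed copy
        events.append(FsEvent(t, 4242, "delete", f"docs/doc{i}.txt"))
        events.append(FsEvent(t + 0.1, 4242, "create", f"docs/doc{i}.txt.locked", b"\x00garbage"))
        t += 0.2
    events.sort(key=lambda e: e.t)
    results = [monitor.handle(e) for e in events]
    return fs, results


if __name__ == "__main__":
    fs, results = simulate()
    print(results)
    print(sorted(fs))
```

In the scenario the fifth delete/create pair trips the threshold: pid 4242 is stopped, its remaining events are refused, the five deleted documents come back from the journal and the dropped `.locked` files are removed, while the benign editor's change to `notes.txt` is left alone because only the offending pid's journal is rolled back.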

SeriousHoax

Level 32
Verified
> It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when an executable with no digital signature and no visible window is run. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting and then dropping a large number of files in sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.
I'm just showing that Protected Folders can be configured via ESET HIPS.

Btw, protected folders are not a guaranteed method either. In our malware hub here, the protected folders of F-Secure and Trend Micro have been breached by malware in one or two tests. There was also a POC which breached Microsoft Defender's protected folders when run as administrator. So, many AVs don't want to implement this, because nowadays malware often leverages trusted Windows processes for encryption, which often bypasses protected folders that use reputational data to determine what is trusted and what is not, unlike Microsoft Defender's protected folders, which block everything. Blocking everything unless manually whitelisted is the safer of the two approaches.


The journaling function is also something not every AV can afford to implement. It increases CPU, RAM and disk usage, which may hamper performance. Kaspersky had some performance impact because of that, but now they seem to have mastered it, so the performance impact is almost non-existent. Bitdefender also has this journaling system now, so kudos to them. According to Marcos on the ESET forum, ESET also tried this, but the performance impact was too much for their liking. Like I said before, false positives and performance impact are the top two priorities of ESET.
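The two protected-folder designs contrasted in the post above, as an added example written for this thread (not ESET's, Kaspersky's, Defender's or the poster's code): one policy trusts any writer whose binary is signed by a publisher the vendor recognises, the other blocks every writer the user has not explicitly whitelisted. The folder paths, publisher names, executable paths and request format are all constructed, and the "signed OS utility" is a placeholder path standing in for the kind of trusted, signed Windows process the post says gets leveraged for encryption.

```python
"""Two decision policies for a "protected folders" feature, evaluated on
constructed write requests so the difference in outcome is visible."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Folders the user wants guarded (constructed).
PROTECTED_ROOTS = [
    PureWindowsPath(r"C:\Users\alice\Documents"),
    PureWindowsPath(r"C:\Users\alice\Pictures"),
]


@dataclass(frozen=True)
class WriteRequest:
    image_path: str            # executable attempting the write
    signer: Optional[str]      # publisher from the code signature, None if unsigned
    target: str                # file being created, modified or deleted


def in_protected_folder(target: str) -> bool:
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    p = PureWindowsPath(target)
    return any(root in p.parents for root in PROTECTED_ROOTS)


class ReputationPolicy:
    """Trust is inferred from who signed the binary (what the post attributes to most AVs)."""

    def __init__(self, trusted_publishers):
        self.trusted = set(trusted_publishers)

    def allows(self, req: WriteRequest) -> bool:
        if not in_protected_folder(req.target):
            return True
        return req.signer is not None and req.signer in self.trusted


class AllowListPolicy:
    """Only image paths the user listed may write; everything else is blocked
    (what the post attributes to Microsoft Defender's protected folders)."""

    def __init__(self, allowed_images):
        self.allowed = {str(PureWindowsPath(p)).lower() for p in allowed_images}

    def allows(self, req: WriteRequest) -> bool:
        if not in_protected_folder(req.target):
            return True
        return str(PureWindowsPath(req.image_path)).lower() in self.allowed


# Constructed requests; placeholder_tool.exe is a hypothetical path, not a real binary.
REQUESTS = {
    "office_app": WriteRequest(r"C:\Program Files\ExampleOffice\writer.exe",
                               "Example Office Vendor",
                               r"C:\Users\alice\Documents\report.docx"),
    "signed_os_utility": WriteRequest(r"C:\Windows\System32\placeholder_tool.exe",
                                      "Microsoft Windows",
                                      r"C:\Users\alice\Documents\report.docx"),
    "unsigned_dropper": WriteRequest(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                                     None,
                                     r"C:\Users\alice\Pictures\holiday.jpg"),
    "unsigned_outside": WriteRequest(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                                     None,
                                     r"C:\Users\alice\AppData\Local\Temp\cache.bin"),
}


def evaluate(requests=REQUESTS):
    """Return {name: (reputation_decision, allowlist_decision)} for each request."""
    reputation = ReputationPolicy(["Microsoft Windows", "Example Office Vendor"])
    allow_list = AllowListPolicy([r"C:\Program Files\ExampleOffice\writer.exe"])
    return {name: (reputation.allows(r), allow_list.allows(r)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (rep, al) in evaluate().items():
        print(f"{name:18} reputation={'allow' if rep else 'block'}  "
              f"allowlist={'allow' if al else 'block'}")
```

The only request on which the two policies disagree is the signed OS utility: the reputation policy waves it through because its publisher is trusted, the allow-list policy blocks it because the user never listed it, which is exactly the gap the post describes. The cost of the stricter policy is also visible: every legitimate application the user wants to save into those folders has to be whitelisted by hand.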

McMcbrad

Level 9
> I'm just showing that Protected Folders can be configured via ESET HIPS.
>
> Btw, protected folders are not a guaranteed method either. In our malware hub here, the protected folders of F-Secure and Trend Micro have been breached by malware in one or two tests. There was also a POC which breached Microsoft Defender's protected folders when run as administrator. So, many AVs don't want to implement this, because nowadays malware often leverages trusted Windows processes for encryption, which often bypasses protected folders that use reputational data to determine what is trusted and what is not, unlike Microsoft Defender's protected folders, which block everything. Blocking everything unless manually whitelisted is the safer of the two approaches.
>
> The journaling function is also something not every AV can afford to implement. It increases CPU, RAM and disk usage, which may hamper performance. Kaspersky had some performance impact because of that, but now they seem to have mastered it, so the performance impact is almost non-existent. Bitdefender also has this journaling system now, so kudos to them. According to Marcos on the ESET forum, ESET also tried this, but the performance impact was too much for their liking. Like I said before, false positives and performance impact are the top two priorities of ESET.
When you ask for £49.99 per year per device, people expect you to do more than just say "we tried and we failed". That's not an excuse.

McMcbrad

Level 9
> Agreed. I also wanted to note that we are fortunate as MT members to learn from others' experience. It boils down to us consumers' wise decision to give or not give business.
To give or not to give? That is the question. If I go on a company's forum and I read:
"Dear users, we are truly sorry to inform you that we won't be protecting you from ransomware effectively.
We tried a common ransomware protection technique, but the performance hit was too much for our liking."
I will answer that question too quickly FOR THEIR LIKING.