Discussion has become lively and a very informative thread. Looking forward to the results of further testing. Thanks for the work so far with this.
A side topic while we await further analysis of Zemana... Curious if anyone thinks that a-v/sig based apps ever look for key words in the title of a file like Cerber or another single word that might give away a test sample?
I installed a program called KnowBe4 Ran Sim that simulates ransomware. 360 TS seemed to know the ten test files before the test started (almost). Grabbed them all in one alert. No surprise since probably the program has been around for some time. I was forced to restore the files to the program to run the test and then rerun with a-v off, which I was planning to do anyway. Still, it's difficult to ascertain which method of detection is being applied with 360. Log says it was File Protection but not the method of detection.
No problem, I don't know 100% how ZAM Real-time works under the hood so I didn't want to give you a partial answer. What I am sure of is that when you see a window saying that Zemana blocked a harmful file, that is a 99.99% malicious file. How ZAM determines it is what I don't know. It could be a cloud engine detection, behavior detection or Pandora detection (that has many checks whether some file is good or bad), but again I am not competent to answer that question.
Containment: VMware Workstation 12.5.2 build-4638234
Guest/OS: Windows 7 Pro SP1
Product: Zemana Antimalware Premium (latest), with Pandora
Static: Not tested
Dynamic: 5/7 (2 samples left in the folder but ZAM blocked a dropped .vbs file of 1 of the samples)
Total: 5/7
System Final Status: Infected (by second opinion scanners, including ZAM itself)
NOTE: AutoKMS.exe is not an infection
Final verdict: ZAM did a much better job than in my previous tests. However, Pandora still let 1 malware pass through. It dropped a file and created an entry on boot. The realtime protection should be improved.
EDIT: My mistake, it should be 5/7 in total. I removed some steps to decrease the video length. Forgot to count it properly.