App Review F‑Secure SAFE vs Gerber 3.0 ransomware (Juan Diaz)

[Nestor]

Content source

https://www.youtube.com/watch?v=yYt9tH8nrcc

 

[bribon77]

Failure F Secure. This video has been done by a person who speaks Spanish. Thanks for sharing.

 

[Mahesh Sudula]

Similar conclusions F Secure failed against Gand Crab 5.0.4. Files were encrypted with ransom note
Will shoot the video under same banner in coming week(s)
Verdict: It was in the wild for 3.5 days . Bit defender haven't detected til yesterday evening so did F Secure.
Except these both all reacted to sample within 24-48 hrs with a signature including Dr WEB
Shared the sample already with @silversurfer

 

[Moonhorse]

Thanks for sharing, even im following this guys since he uploads very often wich is nice

 

[Andrew3000]

Bitdefender failure* :^)
P.S Thanks for the video

 

[Lord Ami]

I've also seen Ransomware bypass F-Secure (in VM that is).

I find it rather odd... should not happen if we take into account Protected folders. I've submitted 2-3 such bug reports with samples. They are reluctant to acknowledge it and fix it... Only suggesting to submit samples as usual. This is not the point imo.

 

[Cortex]

Oh dear, & with a Ransom email like that the chances of getting your files restored after paying are not that high? Just as well F-Secure are getting new sigs?

 

[Mahesh Sudula]

Oh dear, & with a Ransom email like that the chances of getting your files restored after paying are not that high? Just as well F-Secure are getting new sigs?

Under normal circumstances user would never get this far at least their web module would prevent it from accessing@ F Secure is good at .
How ever for testing dynamic analysis we download and execute it directly . It is a known thing that F Secure lacks own signatures at early hours but web shield should prevent it at most of the cases.

 

[ChemicalB]

Damn shady malware!
VirusTotal

 

[bribon77]

Damn shady malware!
VirusTotal

42 engines detected this file,there is no problem.

 

[JM Safe]

Ransomware threats should be detected nowadays considering most of new AVs (but also newer versions of classic AVs) have a lot of heuristic/behaviour blocking modules. Unfortunately some new ransomware variants manage to bypass AVs engine. If a malware is obfuscated is usually harder for an AV to detect and destroy it because the source code is not easily readable.

 

[509322]

F-Secure is default-allow. Do people not realize that default-allow is intrinsically behind the protection curve ? I always wonder why people get so perturbed when a default-allow solutions fails to protect a system. Do people think that security soft developers just sit there waiting for the next malware report to come rolling in so they can hurry-up and implement a protection solution ? It don't work that way.

The malc0ders are always going to find new ways to outwit default-allow. You just have to find a trusted process and abuse it. And it takes a good bit of time for counter-measures to be introduced by the default-allow publishers. This is as it has always been.

Now this doesn't mean that default-allow is a worthless protection model. It just means what it means, at face value... and that default-allow is almost always behind in the malc0der vs security soft industry cat-and-mouse game.

People should not be surprised when they see a "bypass" video. It's nothing to get all bent out of shape over.