Homebrewed Zero Day behavior blocker test
Quote from Andy Ful (post: 948535, member: 32260):

I am not sure if simulated tests make sense for Home users. The new brands of ransomware are mostly used in the attacks on schools, hospitals, organizations, enterprises, etc. Home users can get infected via reused or modified ransomware. Such samples are well detected by AVs without additional anti-ransomware protection via machine learning. The rare exceptions (dangerous for Home users) can be related to pirated software, cracks, etc.

If one wants to simulate the attack on organizations, then Defender must have the ATP features enabled (ASR rules, Network Protection, and a higher Cloud-delivered protection level). I am not sure if the samples used in this thread are realistic enough. That is the problem with simulations, because they usually produce fewer IOCs than malware in the wild.

Another problem is the post-execution protection of Defender. I tested several simulated ransomware samples and often the detection was triggered after a few minutes. It means that the first victim can be infected, but others will be protected by Defender after a few minutes (via Block at first sight).

The ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" will block EXE files compiled on the machine, but the same is true for Norton Insight. Both use the prevalence criterion (and some others) and both solutions can produce a similar rate of false positives. I tested this rule on fresh files from Softpedia (pushed one day earlier) and most of the files accepted by SmartScreen were allowed by this ASR rule. Others were usually blocked for about two days.
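The post above lists the Defender features that have to be on before a "simulated attack on an organization" test means anything (ASR rules, Network Protection, a higher cloud block level, Block at first sight) and notes that the prevalence/age ASR rule will block an EXE compiled on the machine. The following PowerShell is an added example, not code from the post or from Microsoft: it turns those features on, puts the prevalence/age rule in audit mode first so false positives can be measured, compiles a never-before-seen EXE locally and reads back the ASR events Defender logs for it. Assumptions: an elevated PowerShell on Windows 10/11 with Microsoft Defender Antivirus as the active engine and the Defender module loaded; the rule GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is the one Microsoft documents for this rule (verify against current docs before deploying); `csc.exe` is at the default .NET Framework 4.x path; the function names `Enable-DefenderAtpFeatures`, `Get-AsrEvents` and `Test-FreshExeAgainstAsrRule` are this example's own.

```powershell
# Added example (not from the original post). Run elevated on a Defender-protected host.

# GUID Microsoft documents for "Block executable files from running unless they meet a
# prevalence, age, or trusted list criterion" (assumption: check current docs).
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Enable-DefenderAtpFeatures {
    param([ValidateSet('AuditMode', 'Enabled')] [string]$AsrAction = 'AuditMode')

    # Cloud-delivered protection. MAPS reporting and sample submission are the
    # prerequisites for Block at First Sight; High raises the cloud block level and
    # CloudExtendedTimeout gives the cloud more seconds to verdict an unknown file.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Set-MpPreference -DisableBlockAtFirstSeen $false
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -CloudExtendedTimeout 50

    # Network Protection: blocks outbound connections to low-reputation hosts.
    Set-MpPreference -EnableNetworkProtection Enabled

    # Prevalence/age ASR rule. AuditMode logs what would be blocked without blocking,
    # which is how you measure the false-positive rate on fresh in-house builds before
    # switching the action to Enabled.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                     -AttackSurfaceReductionRules_Actions $AsrAction
}

function Get-AsrEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Defender logs 1121 when an ASR rule blocked something and 1122 when a rule in
    # audit mode would have blocked it. The message carries the rule ID and file path.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode';    e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
        @{ n = 'Message'; e = { $_.Message } }
}

function Test-FreshExeAgainstAsrRule {
    # Compile a trivial EXE locally so its hash has zero cloud prevalence.
    # Assumption: csc.exe is at the default .NET Framework 4.x location.
    $csc = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\csc.exe'
    $src = Join-Path $env:TEMP 'asrprobe.cs'
    $exe = Join-Path $env:TEMP ('asrprobe_{0}.exe' -f (Get-Random))

    # A random literal per build keeps every compiled binary unique.
    "class P { static void Main() { System.Console.WriteLine(`"probe $(Get-Random)`"); } }" |
        Set-Content -Path $src -Encoding ASCII
    & $csc /nologo /out:$exe $src | Out-Null

    $since = Get-Date
    # In AuditMode the probe runs and Defender logs 1122; with the rule Enabled the
    # launch is denied and Defender logs 1121. Either way the error is expected.
    try { Start-Process -FilePath $exe -Wait -WindowStyle Hidden -ErrorAction Stop } catch { }
    Start-Sleep -Seconds 5

    Get-AsrEvents -Since $since | Where-Object { $_.Message -match [regex]::Escape($exe) }
}

# Usage: audit first, inspect the events, then re-run with -AsrAction Enabled.
Enable-DefenderAtpFeatures -AsrAction AuditMode
Test-FreshExeAgainstAsrRule | Format-List
```

Leave the rule in AuditMode for a few days on a representative machine and review `Get-AsrEvents` output before switching to Enabled; the post's observation that fresh but legitimate files can stay blocked for about two days is exactly the kind of false positive this audit window surfaces. Note that `Start-Process` on a blocked file throws, so the `try/catch` is the normal path in block mode, not an error to investigate.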