I am very disappointed by some antivirus solutions [copycats]
Deleted member 65228 wrote (post 714568):

I did actually take a look at the test sample regardless of it being a test one, and it does show a deceiving GUI. It also lacks PE details, isn't digitally signed, has no icon, etc. It checks many boxes for being at least "suspicious", so I'd hope it'd get flagged by an AV product, even if it truly isn't "ransomware".

The interface for the sample will claim that your files are/will be encrypted and request payment, which of course is a non-functional feature as it's a test sample. While nothing is actually going to be encrypted (there is not even support for enumeration of files; it's not even a fake simulation, it's literally just a UI with a timer), you could in theory claim that it should be marked as "malicious software" due to its deceiving form. Obviously, the intent was not malicious, because the intent was for it to be a test sample which would do absolutely no harm, but if someone were to share it around regardless, how would an average user feel when confronted by it?

To be precise, it's an MSIL executable which has a UI that meets the criteria to appear like in-the-wild ransomware would. It has a timer, dark background, a payment button, etc. There's no functionality other than the timer, but that's not the point. It could still scare an average user and put them into distress if they really believed it.

Advanced users will know that it's a test sample and where it came from, but if someone starts trying to prank people and shares it around, an average unknowing user might not feel so good about the joke. It's Anti-Virus vendors' job to protect people from malicious software as much as they can, therefore it only makes sense for them to flag it, even if no encryption capabilities are present; you could argue that there's no genuine use for the sample in a real-world environment because of its interface, and that is a reason to justify blocking it. It's also worth a mention that generic detections are used to detect new malware which has not yet been seen (the actual sample; the variant may be known but the sample may be different), and there are many different forms of static heuristic analysis.

On that note, the same detection names do not equal stealing detections. Stealing detections is when a vendor blatantly flags a sample because another vendor did, but there's actually no evidence whatsoever here that any vendor which flags the sample did this, even if the detection name is similar/the same. As I've already noted, the interface of the sample looks like what you could expect from ransomware in the home user market despite the lack of actual malicious code, and this could justify a detection.
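The post lists the static "boxes" the sample ticks before any behaviour is considered: no version resource ("PE details"), no Authenticode signature, no icon, and the fact that it is an MSIL (.NET) binary. The following is an added example, not code from the poster or from any AV vendor, of how those four indicators can be read straight out of the PE headers without executing anything. It walks the data directories and the top level of the resource tree itself (no `pefile` dependency), and it builds a constructed, non-runnable PE32 image in memory so the triage can be exercised offline; the file-offset constants in `build_test_pe` are arbitrary layout choices for that synthetic image, and the "signature" it emits is a stub WIN_CERTIFICATE header, so `has_authenticode` means "a signature blob is present", not "the signature is valid".

```python
import struct

# Data-directory indices and resource type IDs from the PE/COFF spec.
DIR_RESOURCE, DIR_SECURITY, DIR_CLR = 2, 4, 14
RT_ICON, RT_GROUP_ICON, RT_VERSION = 3, 14, 16


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def triage_pe(data):
    """Return the static indicators named in the post for one PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ optional header
    num_dd = struct.unpack_from("<I", data, dd_base - 4)[0]

    def datadir(i):
        return struct.unpack_from("<II", data, dd_base + 8 * i) if i < num_dd else (0, 0)

    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    # The top level of the resource tree lists resource *types*; that is enough to
    # see whether RT_VERSION (the "PE details") and icon resources exist at all.
    types = set()
    res_rva, _ = datadir(DIR_RESOURCE)
    off = _rva_to_offset(res_rva, sections) if res_rva else None
    if off is not None:
        named, by_id = struct.unpack_from("<HH", data, off + 12)
        for k in range(named + by_id):
            name = struct.unpack_from("<I", data, off + 16 + 8 * k)[0]
            if not name & 0x80000000:            # high bit set = named entry, skip it
                types.add(name)

    # The security directory holds a file offset (not an RVA) to a WIN_CERTIFICATE blob.
    # Presence only: validating the chain needs signtool / Get-AuthenticodeSignature.
    sig_off, sig_size = datadir(DIR_SECURITY)
    clr_rva, _ = datadir(DIR_CLR)               # non-zero => CLR header => MSIL/.NET image
    return {
        "is_msil": clr_rva != 0,
        "has_authenticode": sig_off != 0 and sig_off + sig_size <= len(data),
        "has_version_info": RT_VERSION in types,
        "has_icon": RT_ICON in types or RT_GROUP_ICON in types,
    }


def suspicion_score(ind):
    """Count the boxes the post lists; each missing artefact adds one."""
    reasons = [r for flag, r in ((not ind["has_authenticode"], "unsigned"),
                                 (not ind["has_version_info"], "no version resource"),
                                 (not ind["has_icon"], "no icon")) if flag]
    return len(reasons), reasons


def build_test_pe(*, msil, signed, resource_types):
    """Constructed minimal PE32 image (not a runnable program) for exercising the triage."""
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(resource_types))
    for t in resource_types:                      # one ID entry per type; subdir pointer unused
        rsrc += struct.pack("<II", t, 0x80000000 | 0x100)
    dirs = [(0, 0)] * 16
    if resource_types:
        dirs[DIR_RESOURCE] = (0x1000, len(rsrc))  # .rsrc section mapped at RVA 0x1000
    if signed:
        dirs[DIR_SECURITY] = (0x400, 0x80)        # stub WIN_CERTIFICATE at file offset 0x400
    if msil:
        dirs[DIR_CLR] = (0x2000, 0x48)            # IMAGE_COR20_HEADER RVA (not materialised)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)   # 16 data directories
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), 0x1000, 0x200, 0x200) + bytes(16)
    img = hdr.ljust(0x200, b"\0") + rsrc.ljust(0x200, b"\0")
    if signed:
        img = img.ljust(0x400, b"\0") + struct.pack("<IHH", 0x80, 0x200, 2).ljust(0x80, b"\0")
    return img


if __name__ == "__main__":
    # Profile matching the post's description: .NET, unsigned, no version info, no icon.
    print(suspicion_score(triage_pe(build_test_pe(msil=True, signed=False, resource_types=[]))))
    # Profile of a typical signed desktop application with icon and version resource.
    print(suspicion_score(triage_pe(build_test_pe(msil=False, signed=True,
                                                  resource_types=[RT_ICON, RT_GROUP_ICON, RT_VERSION]))))
```

On a real file, `triage_pe(open(path, "rb").read())` gives the same dictionary; the score is deliberately a plain count rather than a verdict, since an unsigned .NET utility with no icon is common enough that these indicators justify a closer look (or a generic "suspicious" label, as the post argues), not a malware conviction on their own.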