Advice Request Is F-Secure sleeping again?

[marcopaone]

HI!

On VirusTotal Avira detect the ransomware as JAVA/SMSSend.zgxoh. But why not f-secure?
EDIT:
I tried to open it and anyway f-secure does not block it.
Result. System is Infected and files are encrypted.

 

[upnorth]

Good question. I mean it! Maybe, because many AVs/tools have problems with script files as can been seen here :

https://malwaretips.com/threads/java-ransomware-pegasus.105454/

That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?

 

[Andrew3000]

I've tried to open the file to test Norton. Result: Files Encrypted.

 

[marcopaone]

Good question. I mean it! Maybe, because many AVs/tools have problems with script files as can been seen here :

https://malwaretips.com/threads/java-ransomware-pegasus.105454/

That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?

Also I tried to open it and anyway f-secure does not block it.
System is Infected and files are encrypted .

 

[upnorth]

Also I tried to open it and anyway f-secure does not block it.
System is Infected and files are encrypted .

I'll submit it. Thanks for the info!

 

[upnorth]

A little update! Just before I was to submit it, I did a static scan. Not does it only detect it, but F-Secure also clean it flawless.

 

[marcopaone]

A little update! Just before I was to submit it, I did a static scan. Not does it only detect it, but F-Secure also clean it flawless.

I tried it now and now it finds it as a virus.
Now it also appears on Virus total which was not the case before.

 

[Andrew3000]

HitmanPro Alert (only ransomware mode) block it!

 

[Gandalf_The_Grey]

Would Microsoft Defender Antivirus block it?
Not according VirusTotal.

 

[Local Host]

Would Microsoft Defender Antivirus block it?
Not according VirusTotal.

Not under normal circumstancies (until it is added to the Cloud and no third-party tools used), Kaspersky blocked it here.

 

[marcopaone]

Would Microsoft Defender Antivirus block it?
Not according VirusTotal.

WD default setting.
Final result: File encrypted.
Tested now.

 

[Nightwalker]

F-Secure Capricorn engine (Avira) may have a small delay time in updates compared to Avira proprietary solutions, but it isnt anything significant, just today were released 15 updates to it, so we can assume that the detection was included after you tested with a database update.

Anyway F-Secure DeepGuard should protect the machine in those situations, but unfortunately it didnt happen.

F-Secure Latest Database Updates for F-Secure Capricorn (f-secure.com)

 

[Gandalf_The_Grey]

@Gandalf_The_Grey

Spoiler: :p

Kidding mate!

I don't drink water

 

[Gandalf_The_Grey]

@marcopaone @McMcbrad Thank you both for testing Defender
The ransomware protection of AVG/Avast prevented the encryption of documents/pictures, could Controlled Folder Access of Defender do the same?

 

[KonradPL]

If someone can send me the sample, I can test both Defender and Avast/AVG.

Please test Mcafee

 

[Gandalf_The_Grey]

It was on and protecting all folders that go there by default:
View attachment 250507

Thanks, it's disappointing that CFA didn't make any difference.

 

[MacDefender]

If this is bypassing CFA it must be using some sort of special technique to encrypt. CFA is very protective and doesn’t have much of a whitelist, it also causes a lot of false positives.
That’s probably part of why DeepGuard was defeated.
It might be worth trying some of the other strong behavior blockers like Kaspersky or Emsisoft.

 

[Nightwalker]

The moral of the story? If you dont need Java, uninstall it ASAP.

 

[silversurfer]

What about eset? Maybe Eset can do better?

Useless to ask for ESET, without signatures or cloud detection by ESET, Custom HIPS rules only helps to block such threats unknown to ESET.

 

[Pat MacKnife]

In newspapers they say that 2021 there will be a new wave : Ransomware 2.0
So be careful and stay protected !