Have you ever come across such malware in the real world?
@harlan4096 showed me one such piece of malware less than a month ago. It downloaded a standalone copy of Node.js from their official site (which of course is not malware and not suspicious). It then dropped 2 JavaScript files on disk with a crypto payload (that is suspicious but their signatures missed it), and then told Node.js to execute the payload.
Because Node.js is presumably whitelisted and trustworthy, F-Secure happily allowed it to encrypt everything. This, however, I believe was the single instance (or maybe two total instances) of ransomware managing to encrypt files under DeepGuard's watch... even when he did bonus dynamic testing where the signature scanner was totally disabled. Across ~a hundred samples of ransomware, IMO that is a fairly decent result.
In my recent testing (Discuss - MacDefender Test #2, "Trojan" Ransomware) I replicated a very similar technique, but I used 7-zip instead of Node.js. It defeated basically every behavior blocker that we tried, except, as will soon be reported, extremely paranoid configs of Kaspersky.
Most other AVs I tested that detected the JavaScript-based ransomware detected it because they saw something suspicious in the .js files dropped on disk, not because their behavior blocker understood the indirect attack vector of hijacking a known binary to do your dirty work.
So yes, such malware exists in the real world, but I wouldn't fault DeepGuard / F-Secure too much for this hole. It's virtually an industry-wide weakness.
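
The gap described in this post (a trusted Node.js or 7-zip binary doing the file work on behalf of whatever staged it) can be narrowed by attributing the trusted binary's file activity to the process that dropped its input and launched it. The following is an added example, not part of the original post or any vendor's product; the event schema, field names, path list and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Benign, commonly trusted binaries that can do bulk file work (the post names Node.js and 7-zip).
PROXY_BINARIES = {"node.exe", "7z.exe", "7za.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")  # assumed list
WRITE_THRESHOLD = 20  # assumed: distinct files modified before alerting

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect_proxy_execution(events):
    """Flag a trusted binary that was launched on freshly staged input and then mass-modifies files."""
    dropped, tainted = {}, {}    # staged path -> writer pid; proxy pid -> reason
    writes = defaultdict(set)    # tainted proxy pid -> distinct files it modified
    alerts = {}
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"].lower()
            if ev["pid"] in tainted:
                writes[ev["pid"]].add(path)
                if len(writes[ev["pid"]]) >= WRITE_THRESHOLD:
                    alerts[ev["pid"]] = tainted[ev["pid"]]
            elif any(d in path for d in USER_WRITABLE):
                dropped[path] = ev["pid"]
        elif ev["type"] == "process_create" and basename(ev["image"]) in PROXY_BINARIES:
            cmd = ev["cmdline"].lower()
            # Input files written by the same process that is now launching the trusted binary.
            staged = [p for p, pid in dropped.items() if pid == ev["ppid"] and p in cmd]
            if staged or ev["image"].lower() in dropped:
                tainted[ev["pid"]] = f"{basename(ev['image'])} run by pid {ev['ppid']} on staged {staged}"
    return sorted(alerts.items())

def sample_events():  # constructed telemetry, not real logs
    tmp = "C:\\Users\\bob\\AppData\\Local\\Temp\\"
    evs = [
        {"type": "file_create", "pid": 100, "path": tmp + "node.exe"},
        {"type": "file_create", "pid": 100, "path": tmp + "payload.js"},
        {"type": "process_create", "pid": 200, "ppid": 100, "image": tmp + "node.exe",
         "cmdline": f'"{tmp}node.exe" "{tmp}payload.js"'},
        # Benign contrast: installed node.exe run by a developer shell on a project file.
        {"type": "process_create", "pid": 300, "ppid": 50,
         "image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "node.exe C:\\src\\app\\server.js"},
    ]
    for i in range(25):
        evs.append({"type": "file_create", "pid": 200, "path": f"C:\\Users\\bob\\Documents\\doc{i}.docx"})
        evs.append({"type": "file_create", "pid": 300, "path": f"C:\\src\\app\\build\\out{i}.js"})
    return evs
```

Only the staged copy of the interpreter is flagged; the installed Node.js writing the same number of build files is not, because nothing links its input to a dropper.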