App Review Kaspersky Security Cloud Free vs Ransominator (default settings)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
I'm gonna take a guess and say it's not going to protect. I just tested the latest NortonLifeLock (with Data Protector set) with my equivalent binary (also using 7z to encrypt) and it failed -- no reaction at all.
Same as SEP default: it will be blocked by app control / system lockdown.
 
Thanks to application control custom rules, document files were protected in my test.

Advanced disinfection starts, the system restarts, and everything is rolled back.

Cloud Detection: [screenshot attachment]
 
For the purposes of this test, I don't consider an application control feature to be the same as detection and blocking of this attack.

Yes, application whitelisting and reputation control are part of your layered protection, but this is specifically intended to be a test of a ransomware encrypting mechanism. Blocking the POC from running in the first place is not successfully identifying malicious behavior the way we want our dynamic behavior blockers to.
 
Well, SONAR/Bloodhound always sucked.
 
An average user need not get into panic mode on seeing these kinds of videos, because the file will get blocked by Kaspersky before it reaches an average user. But at the same time it also reminds us to have a locked-down state in our systems while opening attachments or unknown files.
 
I’ll go one step further and say to simply not take risks that you don’t have to take! We can feel warm and cozy that we have advanced and well tested AV software and layers of protection but it’s easy to become overconfident. Zero day exploits exist. Modern exploits have demonstrated attackers know how to chain a bunch of exploits together to defeat layers of security.
 
This sample isn't special, but ones like the fun.bat/exe test in the hub did surprise me, and some signed samples I tested.
But don't think you are safe; a few samples I tested bypassed Wise Vector.

The same can be said for all the antiviruses out there. You can bypass any of them (except Comodo, IMHO). But in general WV has a very, very good detection rate and a powerful behavior blocker!
 
In my opinion AVAST can be bypassed even in HM.
Yes, it can, but when you combine it with SysHardener with proper settings, it would be very hard to bypass HM aggressive (not moderate mode).
Hardened mode only supports .exe files, so other extensions can easily bypass it. SysHardener will block most scripts and vectors that can bypass HM.
I have used and tested Avast for 3 years. There was only 1 bypass, which was a PUP.
 

Totally agree with you! If you add SysHardener it is almost impossible to bypass it, but the same is true for the other antiviruses as well.
 
I agree. However, there are few AVs which offer something like HM, especially for free.
Kaspersky has TAM.
Some AVs have HIPS, but this generates too many prompts and does not automatically allow the file if it is safe.
Windows has SmartScreen, which works almost exactly the same as HM, but a file must be downloaded from a web browser or SmartScreen won't check it.
Comodo has auto-sandbox, reputation-based.
.......
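On the SmartScreen point above: what SmartScreen actually keys on is the Mark of the Web, the Zone.Identifier alternate data stream that browsers write next to a download on NTFS. A sample copied from a USB stick, a network share, or extracted by an archiver that does not propagate the stream carries no mark, so SmartScreen never evaluates it, which matters when you are testing a POC you built yourself. The script below is an added example of mine, not code from this thread or from Microsoft; the path C:\Tests\sample.exe is an assumption, and it must point at a file on an NTFS volume.

```powershell
# Added example, not from the original thread. Inspects the Mark of the Web on a
# test file and stamps it as an Internet-zone download when it is missing, so
# SmartScreen (and Office Protected View) will treat it like a browser download.
# Assumed path: replace with your own sample on an NTFS volume.
$Sample = 'C:\Tests\sample.exe'

function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream (3 = Internet),
    # or $null when the file carries no Mark of the Web at all.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MotWInternet {
    param([Parameter(Mandatory)][string]$Path)
    # Writes the same stream a browser would, marking the file as URLZONE_INTERNET.
    $content = "[ZoneTransfer]`r`nZoneId=3"
    Set-Content -Path $Path -Stream Zone.Identifier -Value $content
}

$zone = Get-MotWZone -Path $Sample
if ($null -eq $zone) {
    Write-Host "$Sample has no Zone.Identifier stream: SmartScreen will not check it on launch."
    Set-MotWInternet -Path $Sample
    Write-Host "Applied ZoneId=3; SmartScreen will now evaluate it like a browser download."
} else {
    Write-Host "$Sample carries ZoneId=$zone (3 = Internet, 4 = Restricted)."
}

# The reverse, removing the mark the way a user clicking "Unblock" does:
# Unblock-File -Path $Sample
```

Run it in an elevated or normal PowerShell session on the test VM before launching the sample; if the first message reports no stream, that alone explains a "no reaction" result from SmartScreen, independent of whatever the AV's behavior blocker does once the file actually runs.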
 

Agree about the HM in Avast; it must be the only AV offering such an option for free! As far as I know, Kaspersky 2021 won't have TAM anymore. :)
 