- Mar 28, 2019
- 561
Kaspersky system watcher VS 56 ransomware
- Thread starter fabiobr
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Mar 16, 2019
- 3,635
- Jun 26, 2020
- 440
- Aug 17, 2014
- 10,176
Why he testing against old Ransomware, all files hash are known to KSN, so it was clear from the beginning of his test that all of his samples will be detected by System-Watcher 
- Oct 2, 2020
- 439
AFAIK System Watcher doesn't contact KSN. File antivirus and other components and Application control do lookup in cloud but AFAIK not System Watcher. And all other components were disabled.Why he testing against old Ransomware, all files hash are known to KSN, so it was clear from the beginning of his test that all of his samples will be detected by System-Watcher
If you check video you would also see that detections were identified by "Dangerous application behaviour" and not by their name which is usually shown for detections from cloud.
EDIT: of course testing against new malware would better show how good their behaviour blocker is.
- Oct 2, 2020
- 439
OK thanks for explanation. So it would be even better to just disable internet to see how good BB is on it's own, without cloud.
- May 26, 2014
- 1,339
KSN is used by all modules of Kaspersky products, pre and post execution.
Source:
- Aug 17, 2014
- 10,176
If you don't believe me just asking @harlan4096
We have been performed our testing for years here in the Malware-Hub, it's known that even System-Watcher first check for hash on KSN, detection name is something like "PDM: ..." the file hash matters only and the detection name can be different on KSN.
- Mar 28, 2019
- 561
As far as I know, Kaspersky products have a local cache of KSN, so it's not enough to turn off KSN or the internet connection, there's still a local cache.
That's why you can't fully test system watcher on these cases.
And if you opt-out of KSN and this is only to not send files, you can still receive data from the cloud, you just not send it back.
And if you turn off the internet connection, there's still a local cache, just not updated anymore.
That's why you can't fully test system watcher on these cases.
And if you opt-out of KSN and this is only to not send files, you can still receive data from the cloud, you just not send it back.
And if you turn off the internet connection, there's still a local cache, just not updated anymore.
- Oct 2, 2020
- 439
OK, thanks for info. I thought System Watcher didn't use KSN since there is no option to disable KSN lookups in System Watcher's settings (similar to option in Application Control). Thank you for explanation.
- Mar 16, 2019
- 3,635
I believe System watcher didn't contact the cloud in this test. When all components are turned off and KSN is opted out it doesn't connect cloud database. Besides, if you check the notifications they were detected by application behavior and PDM detections. These are not cloud based. Another thing is one/two ransomware here was able to encrypt some files before Kaspersky could react (though the original file was intact). If Kaspersky had contacted the cloud I don't think this would have happened because the ransomware is already known and would've been stopped right away.
I myself previously tested Kaspersky with my Ethernet cable plugged off then restarted the system to make sure only System Watcher is tested without internet and local cache. It produced a similar result. Though I only tested 6-7 ransomware. So I believe Kaspersky's System watcher is capable of producing this type of result against ransomware. Also, I don't see why Kaspersky would keep a local cache of old ransomwares as it already must have local signatures for it. It doesn't make any sense for them to do that.
But one thing should be added that is, these are old samples so Kaspersky probably already updated System Watcher to make sure it is able to detect these ransomwares. If that's the case then even this should be applauded because not everyone does that.
I myself previously tested Kaspersky with my Ethernet cable plugged off then restarted the system to make sure only System Watcher is tested without internet and local cache. It produced a similar result. Though I only tested 6-7 ransomware. So I believe Kaspersky's System watcher is capable of producing this type of result against ransomware. Also, I don't see why Kaspersky would keep a local cache of old ransomwares as it already must have local signatures for it. It doesn't make any sense for them to do that.
But one thing should be added that is, these are old samples so Kaspersky probably already updated System Watcher to make sure it is able to detect these ransomwares. If that's the case then even this should be applauded because not everyone does that.
- Aug 17, 2014
- 10,176
Just going to download KART: Free Ransomware Protection | Kaspersky Anti-Ransomware Tool
Every file known to be malicious by KSN: detection name will be something like "PDM.Trojan.Win32.Bazon" (screenshot below)
But offline, KART is unable to detect anything, so it's proven that even detection names like "PDM..." is known to be cloud detection by KSN!
Note: My experience with any product or software is always based of testing by myself instead to speak about theoretical what is might be true...
- Jul 15, 2016
- 321
KART with KSN = GOD
KART without KSN= Hole everywhere.
KART without KSN= Hole everywhere.
- Feb 8, 2016
- 516
Yes because KART is practically based on KSN, in offline mode it will take much less.
With KIS/KTS if you only want to test the System Watcher you are forced to block KSN (no need to exit the KSN agree program because it will protect you anyway)/connection to the internet and close/reopen (alternatively restart the PC) to prevent malware from being taken from the cache generated by KSN.
Obviously if malware are old enough, the test may be useless as Kaspersky's engineers have already updated the system watcher algorithms, and they are easily detectable by System Watcher.
- Aug 17, 2014
- 10,176
Doesn't matter in this case, my point was to show that even detection by System-Watcher "PDM.Trojan.Win32.Bazon" cloud based detection by KSN
- Feb 8, 2016
- 516
Yes, but practically this happens almost always on KART. Try with an old and known malware will always be called: "PDM.Trojan.Win32.Bazon".
What is different is with the complete product. If it is taken from other modules (KSN included) it will have its specific naming, in the case of KSN will always appear UDS until Kaspersky can contact its cloud or use the existing cache.
The fact that the KSN is also used by System Watcher is right and obviously if the guy didn't make sure to avoid contacting the KSN this video is useless.
- Mar 16, 2019
- 3,635
Ok I was wrong in that case then. You learn something new every day. But like Andrew3000 said KVRT is basicaly KSN so it's not the same as Kaspersky's AV lineup.
So my main point still stands which is System Wacther is capable of detecting ransomware without any cloud connection similar to the test done by the YouTuber. Now I can't say with 100% certainty that the tester didn't do anything wrong but like I said above, I myself tested it with Ethernet cable plugged off so not a chance to access the cloud, and it produced similar results.
Last edited:
- Aug 17, 2014
- 10,176
I chosen KART only as the best example to show about KSN detection like "PDM..."
Of course, everyone know that KART isn't comparable to KAV/KIS/KTS or free KSC, that is useless to mention by you
For me it doesn't matter what any YouTuber doing wrong or not, I just wrote my commend to what is said wrong by other users in this thread.
- Mar 16, 2019
- 3,635
I even confessed that I was wrong and learned something new. But it feels like you ignored my main point which I already mentioned twice. Cloud based PDM or not System Watcher isI chosen KART only as the best example to show about KSN detection like "PDM..."
Of course, everyone know that KART isn't comparable to KAV/KIS/KTS or free KSC, that is useless to mention by you
For me it doesn't matter what any YouTuber doing wrong or not, I just wrote my commend to what is said wrong by other users here in the forum.
- Aug 17, 2014
- 10,176
I haven't ignored anything, I just didn't mentioned once more what you said:I even confessed that I was wrong and learned something new. But it feels like you ignored my main point which I already mentioned twice. Cloud based PDM or not System Watcher is
System-Watcher is able to detect/block suspicious files even OFFLINE, but about that I never said the opposite!
Please stop to quote me and I will doing the same for your comments from now, we all know what happens, our posts might be deleted by Staff...
Similar threads
