App Review Kaspersky system watcher VS 56 ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
_ExecutiveOrder_

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
this video is useless.
It's certainly one of the more terrible ones I've seen in a long time, and extra so when it contains samples that are as old as 2013. There are also way too many basic tools lacking from the test. Watching Kaspersky's graphical user interface is something I personally would rather do elsewhere. At least not for 55 minutes. :rolleyes: :sleep:
 

fabiobr

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 28, 2019
561
But one thing should be added, that is, these are old samples, so Kaspersky has probably already updated System Watcher to make sure it is able to detect this ransomware. If that's the case, then even this should be applauded, because not everyone does that.
Behavior Stream Signatures: System Watcher is updated with the "behavior" or similar behavior trees of each malware family.
 

fabiobr

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 28, 2019
561
Didn't like these tests either.

Engineers take hours producing a complete suite with modules that take information from each other, only for some YouTube testers to come along, turn off some of them and then start saying "this is a great AV, this is awful". WTF?! And people believe it!
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635

ExecutiveOrder

Level 2
Sep 21, 2021
47
Hello, thanks for putting my video link here for discussion, and I really appreciate all of the responses and feedback.
I know it is too late to register just to respond, but first, I'm just an ordinary home AV product user without any cybersecurity background or AV testing skill or knowledge.

The reason I tested this is just curiosity: I wanted to see how certain components (of the product I chose to protect me) work by looking at how they detect threats. I'm not a dedicated tester.
Here, I can see some threats are immediately terminated and (sometimes after a wait) deleted after being loaded into memory; some need to drop a further payload (changing the registry, adding files like extensions including the executables, creating ransom notes, and encrypting files in the critical area) before being recognized as a threat by behavior and subsequently rolled back, terminated, and deleted. I can also see some of the encrypted files are just restored without the encrypted one being deleted. Detections vary: PDM, plain dangerous activity, dangerous object, or any generic detection. I really just wanted to post my recording in case anyone wanted to see it (well, I also added a thumbnail to attract viewers, but in the end I'm not using my channel anymore, and it is too late to reply to the comment; I didn't know it was there). I was really surprised that my amateur video was posted here when I found it at the bottom of a Google search for "Kaspersky System Watcher Whitepaper".

I have to clarify and point out some stuff. First, I believe that I didn't do anything that made KSN create a cache for easier detection, so disconnecting is enough (I thought at that time). I did know that all components are able to communicate with KSN.
Second, how KSN or threat intelligence works: according to Kaspersky, if a file's behavior looks malicious (checked by other components and sent, or just analyzed by their expert), it is instantly added to the Urgent Detection System database (UDS prefix) available to other users. If another user executes the same threat, it will be instantly blocked after a cloud lookup check (this is just hashes, like file-antivirus does; behavior stream signatures are not mentioned). Malware Hashes (UDS) is a set of file hashes detected by Kaspersky Lab cloud technologies based on a file's metadata and statistics; this enables the identification of new and emerging (zero-day) malicious objects that are not detected by other methods (like the behavioral method in System Watcher).
Third, Kaspersky Lab databases contain heuristic modules that contain all the latest technological developments. When an object is detected by this module, the name of the object begins with the "HEUR:" prefix. It's not from the cloud; I've checked it with a thousand random samples collected recently, some time ago (the number of detections improved after turning on heuristic analysis or setting it higher, and got better, near-perfect, after it added UDS: detections or after enabling KSN). The KSN scan is very slow because of the responsiveness of their server; I've benchmarked the time required, and for me that time (for bulk scanning) is not worth it.

Fourth, the proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the "PDM:" prefix. It's not from the cloud. So, the hash detection from the cloud has the UDS: prefix, not PDM or HEUR.
Fifth, I do acknowledge that this is not an optimal thing to test for real life; I just wanted to test one component out of curiosity (and check the very base of the proactive module). With the BSS (Behavior Stream Signatures) module, System Watcher can independently make decisions as to whether a program is malicious based on the data it analyzes. In addition, there is the mechanism whereby the module continually exchanges information with other components: web antivirus, IM Antivirus, the HIPS, and the firewall. As a result, the security solution delivers better overall detection of malware and security policy breaches and is better at identifying the sequences of events that lead up to such incidents. System Watcher also includes exploit prevention (it prevents and blocks the actions of exploits), not just Application Activity Control, which performs an action specified in the component settings when it detects suspicious application behavior (a different thing from the App Control module, I think, or because they exchange information with each other).
Other BSS definitions from other official pages:

Behavior Stream Signatures (BSS) (also called "behavior stream signatures") contain sequences of application actions that Kaspersky Endpoint Security classifies as dangerous. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the specified action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.

Old ransomware is definitely easier to catch with up-to-date BSS, not because it knows the hash or something like that, but rather by checking stream signature sequences of malicious activity. I could see how effective these are against old threats (I found out they need to wait for further activity; files get encrypted and restored; files cannot be fully rolled back, e.g. residual encrypted copies of files that were already restored aren't deleted; notes from other ransomware are also considered valuable data when encrypted or deleted by the next ransomware and then get restored anyway; and other stuff).
VS new ransomware:
I did test that too. Shortly after that, an old Kaspersky (2017, no updates) with only System Watcher was able to protect against newer ransomware, but with difficulties: some parts were restored and some not (late detection or remediation or something like that), it fully failed against some threats, etc. I also did it with 2019 recently; it was able to protect against most, but that's not enough (75% is considered 'most samples'). When I tested this 2019 version (against new samples up to 2021), I looked up that whitepaper, "Kaspersky System Watcher pdf", again to refresh what I've read multiple times.
I think I will test that 2019 version with all components except KSN and without an update (maybe disabling the internet if necessary) later, but I don't think I'm gonna upload it, just like the rest of the tests I did last year.

It's unlikely somebody will reach my response, especially with all of this long, ineffective writing (and English ain't my 1st language), just like the raw video I uploaded last year. I really apologize for the inconvenience or problems caused by uploading that video and for any information here that might be incorrect. Once again, thanks for all of your comments and feedback. Best regards.

Some main sources:
Kaspersky Security Intelligence Services Threat Intelligence Services (PDF)
Kaspersky Lab Whitepaper System Watcher ENG (PDF)
encyclopedia.kaspersky.com /knowledge/heuristic-and-proactive-detections/
kaspersky.com /blog/ksn/2561/
support.kaspersky.com /KESWin/10SP2/en-us/128012.htm
support.kaspersky.com /us/13759
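
An added illustration of the behavior-stream idea described in the post above (not part of any poster's message and not Kaspersky's implementation): a toy matcher that flags a process once its actions complete an ordered sequence, then undoes that process's journaled file changes. The signature, action names and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed signature: an ordered action sequence treated as dangerous when one
# process performs it, with unrelated actions allowed in between (names are made up).
SIGNATURES = {"PDM:Example.Generic": ["set_autorun", "overwrite", "overwrite", "create"]}
WRITES = {"overwrite", "create"}  # actions that change file content

def monitor(events, files, signatures=SIGNATURES):
    """Replay (pid, action, path, data) events against files (path -> content).

    Returns {pid: signature name} for each process that was blocked; files is
    left in its post-rollback state."""
    progress = defaultdict(lambda: defaultdict(int))  # pid -> signature -> steps matched
    journal = defaultdict(list)                       # pid -> [(path, previous content)]
    blocked = {}
    for pid, action, path, data in events:
        if pid in blocked:
            continue  # process was terminated, so its later actions never happen
        if action in WRITES:
            journal[pid].append((path, files.get(path)))  # None: file did not exist
            files[path] = data
        for name, steps in signatures.items():
            if steps[progress[pid][name]] == action:
                progress[pid][name] += 1
            if progress[pid][name] == len(steps):  # whole sequence seen: verdict
                blocked[pid] = name
                for old_path, old in reversed(journal[pid]):  # undo newest first
                    if old is None:
                        files.pop(old_path, None)
                    else:
                        files[old_path] = old
                break
    return blocked

# Constructed sample: pid 100 is an ordinary editor, pid 200 matches the signature.
EVENTS = [
    (100, "overwrite", "notes.txt", "edited"),
    (200, "set_autorun", "run-key", None),
    (200, "overwrite", "a.doc", "<scrambled>"),
    (200, "read", "b.doc", None),
    (200, "overwrite", "b.doc", "<scrambled>"),
    (200, "create", "note.txt", "<note>"),
    (200, "overwrite", "c.doc", "<scrambled>"),  # never applied: pid 200 is blocked
]

if __name__ == "__main__":
    disk = {"notes.txt": "draft", "a.doc": "A", "b.doc": "B", "c.doc": "C"}
    print(monitor(EVENTS, disk), disk)
```

Replaying only the first five events returns no verdict while `a.doc` and `b.doc` are already overwritten, which mirrors the late detection followed by restoration that the post describes.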
 
