App Review: More Fun with Ransomware Part 2

The ESET detections (aside from the desktop Tesla) were the real-time scanner picking up control samples in a directory that I placed on the C drive. As there are so many fans of ESET on other forums, I thought it would be a good idea to show that ESET was running and detecting. ESET didn't detect any part of Winlocky.

cruelsister, for you, and beyond Emsisoft, which antivirus has the best protection against ransomware?
 
So, how would Comodo react? I've adjusted all the settings you suggested (thanks). It just shows that future antivirus software will HAVE to incorporate sandbox/virtualization technologies!
 
IMO, with a product like Comodo, whatever settings/customization you use, you need to know how the product and its features work, or else you will face problems like programs not working, not connecting, etc.
 
Qihoo is able to block lots of ransomware, but you will have trouble if they are not in its signatures (QVM II engine). Usually ransomware creates another process from the original one, which will try to inject the code. Qihoo will prompt you that a process is about to inject code into another process, and of course, if that is your host machine, you will click block. The problem is that Qihoo blocked only the second process, and the first one keeps creating new processes to try to inject code; Qihoo will continue to block them but not kill the one from which they are created (it will show the alert "blocked the following program on execution" every two seconds). To completely kill the ransomware, you can either kill its first process or reboot the system (the ransomware won't execute again, tested in my VM).
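The behaviour described above (a parent that keeps respawning injector children while only the children get blocked) can be spotted by grouping process-creation records by parent. The following is an added example, not code from the thread or from any product mentioned in it; it runs over constructed Sysmon-style records (file paths and PIDs are made up) and reports the parent that should be terminated rather than its children.

```python
"""Find parent processes that keep spawning children in a short window.
Added example: the records below are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: PID 4120 (a hypothetical dropper) spawns a new child
# roughly every two seconds; PID 612 (explorer) spawns it plus one benign child.
SAMPLE_EVENTS = [
    {"time": "2016-05-01T10:00:00", "pid": 4120, "ppid": 612,
     "image": r"C:\Users\u\AppData\Local\Temp\locker.exe"},
    {"time": "2016-05-01T10:00:02", "pid": 4131, "ppid": 4120,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"time": "2016-05-01T10:00:04", "pid": 4140, "ppid": 4120,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"time": "2016-05-01T10:00:05", "pid": 5000, "ppid": 612,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2016-05-01T10:00:06", "pid": 4152, "ppid": 4120,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"time": "2016-05-01T10:00:08", "pid": 4163, "ppid": 4120,
     "image": r"C:\Windows\System32\svchost.exe"},
]


def find_spawners(events, min_children=3, window=timedelta(seconds=30)):
    """Return {parent_pid: total_children} for every parent that created at
    least `min_children` children inside some sliding window of `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for ppid, times in by_parent.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_children:
                flagged[ppid] = len(times)
                break
    return flagged


def kill_candidates(events, **kwargs):
    """Map each flagged parent PID to its image path: the process to stop,
    instead of repeatedly blocking the children it keeps creating."""
    images = {ev["pid"]: ev["image"] for ev in events}
    return {ppid: images.get(ppid, "<unknown>")
            for ppid in find_spawners(events, **kwargs)}
```

On real data the records would come from Sysmon Event ID 1 or a similar process-creation source; the thresholds are tuning knobs, not fixed values.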
Perfectly described.
No AV is perfect, but in my experience most RW samples were already detected by the cloud when I picked them out of the Hub. If not, some orange popups came up, mostly describing that something was going to add an autostart entry or amend files, just as @TheMalwareMaster described. In my experience, the droppers committed suicide after running most of the time (ShadowDefender environment).
 
In my tests, the malware continues endlessly to create other processes that attempt to inject the code (until the system is rebooted), which are stopped by HIPS. The strange fact is that, if you SUD them, the ransomware not flagged by QVM II, their reply is "sorry, we didn't find any malicious behaviour in this file". I can't really understand who is checking those files.
 
Got that :)
Regarding the SUD issue, I notice that regularly, too; see the SUD reports at the Hub. I can't understand it: some files clearly showed malicious behaviour (sometimes even blocked by QTS360 HIPS). Would love to get a Qihoo statement on that (@Qihoo 360 Support Team).
 
Well, if you would like to use Qihoo, that's OK, but in my opinion it would be better to use Comodo Firewall with your favourite antivirus, because you are able to use the auto-sandboxing technology, which is really good at preventing ransomware.
 
What if you don't trust Comodo and don't want to have anything to do with that devious company? Is there anything else that exists?

My wife has HitmanPro.Alert installed on her desktop by me, but now seeing that HMPA failed to stop the ransomware makes me worry. She is running Webroot, HMPA and ESET Antivirus on the system.
 
So, I don't really think that clicking an OK button requires patience, considering you don't have other options to choose from and you are not downloading ransomware every day. If you don't trust Comodo, I would have her use WinAntiRansom. Or, you can continue to use HMP Alert. I think the chance that you get that particular type of ransomware (which, if I remember correctly, is only sent to particular industries now, and not to home users) and that it bypasses ESET signatures is minimal. Better to make a backup of all your data instead of buying new software, considering you are already using Alert.
I got WinAntiRansom and installed it... will see if she notices.