App Review Owlyshield EDR VS Ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Lemmy IT
Here is the breakdown of why "Desktop Execution" yields incomplete results for Owlyshield (and most EDRs).

You Break the "Process Tree" (Context Loss)
This is the biggest issue. EDRs like Owlyshield heavily analyze the Process Tree (parent-child relationships).

Real Attack: A user opens a PDF → The PDF reader spawns PowerShell → PowerShell downloads and runs a .exe.

EDR View: "Why is a PDF reader launching PowerShell? Block."

This Test: You double-click malware.exe on the desktop.

Process Tree: explorer.exe (the Windows desktop) → malware.exe.

EDR View: "The user voluntarily launched a program from the desktop."

Result: This looks exactly like you launching Firefox or Calculator. By running it manually, you remove the "suspicious parentage" signal, making it harder for the EDR to detect the threat based on context.

It Only Tests the "Payload," Not the "Delivery"
Attacks often occur in stages.

Stage 1 (Delivery): Exploit, script, or macro.

Stage 2 (Payload): The actual RAT or ransomware.

By dropping the malware on the desktop, you are skipping Stage 1 completely. You are testing if Owlyshield can catch the specific file signature or the ransomware behavior (file encryption), but you are failing to test if it would have caught the script that downloaded it in the first place.

Static Analysis vs. Behavioral Analysis
Static (On-Write/On-Access): When you paste the file to the desktop, Owlyshield (via its Minifilter driver) will see the file creation. If it has a known signature for that specific file, it might catch it immediately.

If the static check fails, the malware runs. Since you stripped the context (Point #1), Owlyshield now has to wait for the malware to do something visibly bad (like touching the LSASS process or mass-deleting shadow copies) to trigger an alert.

What it demonstrates: It tests if the EDR has a signature for that specific file hash, or if the malware is so noisy (e.g., instant encryption) that it triggers behavioral rules immediately.

What it misses: It fails to test "Novelty Detection" regarding exploitation chains, suspicious parent processes, and network delivery vectors.
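To make the "process tree" and "behavioral" signals from this post concrete, here is an added example (written for this review, not Owlyshield's own logic) that scores constructed process-creation events: a document reader spawning a script host anywhere in the ancestry adds context score, a double-click from explorer.exe adds none, and a shadow-copy deletion on the command line is the post's "visibly bad" behavioral trigger. The image names, sample events and score weights are assumptions.

```python
from dataclasses import dataclass

DOC_READERS = {"acrord32.exe", "winword.exe", "excel.exe"}  # assumed image names
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
USER_SHELL = "explorer.exe"  # the Windows desktop: parent of a double-click

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""

def ancestry(events, pid):
    """Walk ppid links back to the root; returns lower-cased image names root..pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:  # root events carry a ppid that is not in the log
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain[::-1]

def score_event(events, pid):
    """Return (score, reasons); parentage context and behaviour are scored separately."""
    chain = ancestry(events, pid)
    score, reasons = 0, []
    # Context signal: a document reader spawning a script host anywhere in the chain.
    for parent, child in zip(chain, chain[1:]):
        if parent in DOC_READERS and child in SCRIPT_HOSTS:
            score += 50
            reasons.append(f"suspicious parentage: {parent} -> {child}")
    # Desktop double-click: explorer.exe as immediate parent yields no parentage signal.
    if len(chain) >= 2 and chain[-2] == USER_SHELL:
        reasons.append("launched from explorer.exe: no parentage context")
    # Behavioural signal, the post's 'visibly bad' example: shadow-copy deletion.
    cmd = next(e.cmdline for e in events if e.pid == pid).lower()
    if "vssadmin" in cmd and "delete shadows" in cmd:
        score += 80
        reasons.append("shadow copy deletion on command line")
    return score, reasons

# Constructed sample log: pids 2-4 are the post's PDF reader -> PowerShell -> payload
# chain; pids 11-12 are the desktop double-click test followed by noisy behaviour.
EVENTS = [
    ProcEvent(1, 0, "explorer.exe"),
    ProcEvent(2, 1, "AcroRd32.exe"),
    ProcEvent(3, 2, "powershell.exe"),
    ProcEvent(4, 3, "payload.exe"),
    ProcEvent(11, 1, "malware.exe"),
    ProcEvent(12, 11, "vssadmin.exe", "vssadmin.exe delete shadows"),
]
```

With this data, payload.exe (pid 4) inherits the suspicious parentage score even though it is three hops from the PDF reader, while malware.exe (pid 11) scores zero until its child does something behaviorally loud.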
You explained very well, thank you, Divergent :) As has been posted multiple times on the forum, how can we really trust some of these types of tests when they aren't done in a Real World Protection scenario, the way an AV was designed for, especially in this case of Owlyshield, besides Malware Protection testing, which in this case was circumvented by launching it from a desktop file? So we really don't know what it is capable of, in regards to how it was "tested".

i.e. another waste of my time in watching a poorly "executed" YouTube video 😞 And no offense to you, @Khushal, for posting it, as we/I learned from it ;) :)
