Malware Hub Report Qihoo 360 TS - April 2020 Report

[stefanos]

I try the 360TSEssentials from the morning. This version has no bloads but is older version from 360TS. Has olny the Avira engine. Is very light on my system .With malware samples i have good results. But with ransomware not good. If i clicked very fast to block I see some damage. If i clicked late ...totaly infection. I will wait your test with ransomware . Maybe the 360TS have improvement at HIPS.

I try the 360TSEssentials from the morning. This version has no bloads but is older version from 360TS. Has olny the Avira engine. Is very light on my system .With malware samples i have good results. But with ransomware not good. If i clicked very fast to block I see some damage. If i clicked late ...totaly infection. I will wait your test with ransomware . Maybe the 360TS have improvement at HIPS.

And the extension still rubbish.

 

[Divine_Barakah]

Hello, Harlan. Thank you very much for your efforts testing different security solutions. Could you please test 360's sandbox and see how effective it is in isolating malware?

 

[stefanos]

Hello, Harlan. Thank you very much for your efforts testing different security solutions. Could you please test 360's sandbox and see how effective it is in isolating malware?

Is very good the sandbox.

 

[Divine_Barakah]

Is very good the sandbox.

Well, 360 is a good product and is worth the money. The unnecessary features can be disabled.

 

[harlan4096]

Hello, Harlan. Thank you very much for your efforts testing different security solutions. Could you please test 360's sandbox and see how effective it is in isolating malware?

Hum Ok, I will try to run in sandbox some of the undetected samples in next pack...

 

[stefanos]

 

[Jerry.Lin]

Hello,

I saw you latest test that you turn off "file system protection" for dynamic BB test, but this is actually part of 360 HIPS that uses to protect system or critical files from being modified by malware, especially useful for ransomware. The real part that is file scanning (RTP) is "scan when saved" and "scan when opened" these two options. If you disable them, then there would be no signature scanning.

Since their HIPS is also combined with cloud detection, there is no a pure way to only test HIPS. One way to distinguish whether a threat is blocked by BB (HIPS) or by RTP is to see the alert windows -if in middle then blocked by HIPS, right bottom blocked by RTP.

RTP scanning is combined with cloud detection, QVM heuristic, QEX script heuristic, and local signature detection.

 

[harlan4096]

Thanks, I didn't know which module was actually the real-time protection, since Disable Protection -> disables all modules...

RTP scanning is combined with cloud detection, QVM heuristic, QEX script heuristic, and local signature detection.

Reading this seems there is no way to perform a real BB Bonus test (so many tied modules)... anyway I will try disabling "scan when saved" and "scan when opened"...

In Performance Profile, those settings are not enabled, so I'm not sure if only those 2 modules are enough to emulate r-t module.

I think BB != HIPS , I remind here in the forum was a hot discussion in the past about it

Update: applying Your settings and also mine, I got the same result:

 

[Jerry.Lin]

Thanks, I didn't know which module was actually the real-time protection, since Disable Protection -> disables all modules...



Reading this seems there is no way to perform a real BB Bonus test (so many tied modules)... anyway I will try disabling "scan when saved" and "scan when opened"...

In Performance Profile, those settings are not enabled, so I'm not sure if only those 2 modules are enough to emulate r-t module.

I think BB != HIPS , I remind here in the forum was a hot discussion in the past about it

Update: applying Your settings and also mine, I got the same result:

View attachment 236234View attachment 236233

Yes. You will get same result as their BB also has cloud detection capacity and this sample is in their cloud database.

Their BB is mostly like a smart HIPS with cloud rules. This can extend not only single-step block (same as traditional HIPS) but also multi-step block (BB based on rules rather than ML model). So you are right. It's not a simple HIPS.

You know the traditional HIPS has AD (Application Defense), FD ( File Defense), and RD (Register Defense), right? So in the setting "Malicious Behavior Blocking" matches AD, "File system Protection" matches FD, and "Register Protection" matches RD. So once you disable FPS, you disable FD of 360 HIPS.

I don't know if this is allowed in MT test, but 360 TS BB only has cloud detection based on hash, so if you just modify the sample a little bit (like adding '0' at the end of PE), then it can bypass BB's cloud detection and it will be a real BB Bonus test (But also need to disable Cloud Analysis: once HIPS detected an PE with unknown reputation, it will be uploaded to the cloud)

And VT is not working at you VM, so 360 HIPS will be much weaker there as it cannot detect some malicious actions(such as remote injecting), so BB Bonus test may not looking good.

 

[Divine_Barakah]

Is there a way to contact their support directly?

 

[stefanos]

Is there a way to contact their support directly?

the free version with e mail

 

[stefanos]

And in this version the problem with HIPS against ransomware remains. With both engines and custom protection hi I'm sure you will have the same result. Because Avira's signatures are delayed .

 

[harlan4096]

For now I'm not testing with Avira engine enabled

 

[stefanos]

For now I'm not testing with Avira engine enabled

I wait the result .......

 

[stefanos]

I formatted my laptop 5 times with 360ts I will see your next tests with foul protection. Thanks for your test my friend

 

[Jerry.Lin]

Refer to https://malwaretips.com/threads/unknown-ransomware-7-04-2020.99763/#post-871842
360 BB recognizes this ransomware sample as presenting ransomware behaviors in my VM with Intel VT enabled.
That's what I said disable VT will significantly impact the protection of 360 BB - some actions could not be detected by HIPS.

Spoiler: BB Test

Spoiler: Test config

Spoiler: Test result

Terminate process successful

 

[harlan4096]

I also got all of these warnings in my test even without VT Support, but files were finally encrypted even blocking them...

 

[Jerry.Lin]

I also got all of these warnings in my test even without VT Support, but files were finally encrypted even blocking them...

Do you get last one on my pictures with "detect ransomware" popup? The block bottom of this window will terminate the whole process rather than just block this action and can roll back some parts of encrypted files if had.

 

[stefanos]

I also got all of these warnings in my test even without VT Support, but files were finally encrypted even blocking them...

Same here. I've been trying it for about 3 years now. I always have the same problem against ransomware. If I catch and press the block at 29 I lose some files. If I'm late ..............

 

[harlan4096]

At the moment of my dynamic test Cloud Analysis verdict was very ambiguous, probably later They corrected it:

Update: in fact now it is already detected as Trojan...