Malware Hub Report Qihoo 360 TS - April 2020 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

I have been trying 360TS Essentials since this morning. This version has no bloat but is an older version of 360TS. It has only the Avira engine. It is very light on my system. With malware samples I have good results, but with ransomware not so good. If I clicked very fast to block, I saw some damage. If I clicked late... total infection. I will wait for your test with ransomware. Maybe 360TS has improved at HIPS.

And the extension is still rubbish.
 
Hello, Harlan. Thank you very much for your efforts testing different security solutions. Could you please test 360's sandbox and see how effective it is in isolating malware?
Hmm, OK, I will try to run some of the undetected samples in the sandbox in the next pack...
 
Hello,

I saw in your latest test that you turned off "file system protection" for the dynamic BB test, but this is actually part of 360's HIPS, which it uses to protect system or critical files from being modified by malware; it is especially useful against ransomware. The real file-scanning part (RTP) is the two options "scan when saved" and "scan when opened". If you disable them, there is no signature scanning at all.

Since their HIPS is also combined with cloud detection, there is no pure way to test only HIPS. One way to tell whether a threat was blocked by BB (HIPS) or by RTP is the position of the alert window: in the middle of the screen means blocked by HIPS, bottom right means blocked by RTP.

RTP scanning is combined with cloud detection, QVM heuristic, QEX script heuristic, and local signature detection.
 
Thanks, I didn't know which module was actually the real-time protection, since Disable Protection -> disables all modules...


Reading this, it seems there is no way to perform a real BB Bonus test (so many tied modules)... anyway, I will try disabling "scan when saved" and "scan when opened"...

In the Performance Profile, those settings are not enabled, so I'm not sure if only those 2 modules are enough to emulate the real-time module.

I think BB != HIPS :unsure:, I recall there was a hot discussion here in the forum about it in the past :)

Update: applying your settings and also mine, I got the same result:


Yes. You will get the same result, as their BB also has cloud detection capacity and this sample is in their cloud database.

Their BB is mostly like a smart HIPS with cloud rules. This extends not only to single-step blocking (the same as traditional HIPS) but also to multi-step blocking (BB based on rules rather than an ML model). So you are right, it's not a simple HIPS.

You know the traditional HIPS has AD (Application Defense), FD (File Defense), and RD (Registry Defense), right? So in the settings, "Malicious Behavior Blocking" matches AD, "File System Protection" matches FD, and "Registry Protection" matches RD. So once you disable FSP, you disable the FD of 360 HIPS.

I don't know if this is allowed in the MT test, but 360 TS BB only has cloud detection based on hash, so if you just modify the sample a little bit (like adding a '0' at the end of the PE), then it can bypass BB's cloud detection and it will be a real BB Bonus test (but you also need to disable Cloud Analysis: once HIPS detects a PE with unknown reputation, it will be uploaded to the cloud).

And VT is not working in your VM 🤔, so 360 HIPS will be much weaker there, as it cannot detect some malicious actions (such as remote injection), so the BB Bonus test may not look good.
 
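To show defenders why the hash-only cloud lookup described in the post above is brittle, here is an added Python example (not from the thread, and not Qihoo 360's code): it builds a constructed, non-loadable PE skeleton, appends the single trailing byte the post mentions, and shows that a full-file SHA-256 changes while a hash that stops at the end of the last section (ignoring overlay bytes) stays stable. The names build_sample_pe, section_end and overlay_insensitive_hash are hypothetical.

```python
import hashlib
import struct


def build_sample_pe() -> bytes:
    """Constructed minimal PE image for the demo (not a runnable binary).

    Layout: DOS header with e_lfanew=0x40, 'PE\\0\\0' signature, a 20-byte
    COFF header declaring one section and no optional header, one 40-byte
    section table entry, and 0x10 bytes of section data at offset 0x80.
    """
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature offset
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, 0x60000020)
    body = b"\x90" * 0x10
    return bytes(dos) + b"PE\x00\x00" + coff + section + body


def section_end(pe: bytes) -> int:
    """Offset just past the last section's raw data; anything after is overlay."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    (nsections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the headers
    end = table + 40 * nsections              # never shorter than the headers
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))


def file_hash(data: bytes) -> str:
    """Plain full-file SHA-256, i.e. what a hash-only cloud lookup keys on."""
    return hashlib.sha256(data).hexdigest()


def overlay_insensitive_hash(pe: bytes) -> str:
    """SHA-256 over the headers and sections only; trailing overlay is ignored."""
    return hashlib.sha256(pe[:section_end(pe)]).hexdigest()


def overlay_size(pe: bytes) -> int:
    """Number of bytes appended after the last section (0 for a clean image)."""
    return len(pe) - section_end(pe)
```

Appending one byte flips file_hash but leaves overlay_insensitive_hash unchanged and reports overlay_size of 1, which is the kind of secondary signal a behaviour blocker can use instead of trusting the full-file hash alone.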
Refer to https://malwaretips.com/threads/unknown-ransomware-7-04-2020.99763/#post-871842
360 BB recognizes this ransomware sample as presenting ransomware behaviors in my VM with Intel VT enabled.
That's what I said: disabling VT will significantly impact the protection of 360 BB, since some actions cannot be detected by HIPS.

[Screenshots from 2020-04-07: a sequence of 360 BB alerts on the ransomware sample, ending with "Terminate process successful"]
I also got all of these warnings in my test even without VT Support, but files were finally encrypted even blocking them...
Did you get the last one from my pictures, the "detect ransomware" popup? The Block button at the bottom of that window terminates the whole process rather than just blocking this one action, and it can roll back some of the encrypted files, if any.
 
Same here. I've been trying it for about 3 years now. I always have the same problem with ransomware. If I catch it and press Block at 29, I lose some files. If I'm late..............:eek::eek: