Malware Hub Report Qihoo 360 TS - April 2020 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
I try the 360TSEssentials from the morning. This version has no bloads but is older version from 360TS. Has olny the Avira engine. Is very light on my system .With malware samples i have good results. But with ransomware not good. If i clicked very fast to block I see some damage. If i clicked late ...totaly infection. I will wait your test with ransomware . Maybe the 360TS have improvement at HIPS.

I try the 360TSEssentials from the morning. This version has no bloads but is older version from 360TS. Has olny the Avira engine. Is very light on my system .With malware samples i have good results. But with ransomware not good. If i clicked very fast to block I see some damage. If i clicked late ...totaly infection. I will wait your test with ransomware . Maybe the 360TS have improvement at HIPS.
And the extension still rubbish.
 

Jerry.Lin

Level 2
Verified
Apr 27, 2018
74
Hello,

I saw you latest test that you turn off "file system protection" for dynamic BB test, but this is actually part of 360 HIPS that uses to protect system or critical files from being modified by malware, especially useful for ransomware. The real part that is file scanning (RTP) is "scan when saved" and "scan when opened" these two options. If you disable them, then there would be no signature scanning.

Since their HIPS is also combined with cloud detection, there is no a pure way to only test HIPS. One way to distinguish whether a threat is blocked by BB (HIPS) or by RTP is to see the alert windows -if in middle then blocked by HIPS, right bottom blocked by RTP.

RTP scanning is combined with cloud detection, QVM heuristic, QEX script heuristic, and local signature detection.
 

harlan4096

Super Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,948
Thanks, I didn't know which module was actually the real-time protection, since Disable Protection -> disables all modules...

RTP scanning is combined with cloud detection, QVM heuristic, QEX script heuristic, and local signature detection.

Reading this seems there is no way to perform a real BB Bonus test (so many tied modules)... anyway I will try disabling "scan when saved" and "scan when opened"...

In Performance Profile, those settings are not enabled, so I'm not sure if only those 2 modules are enough to emulate r-t module.

I think BB != HIPS :unsure:, I remind here in the forum was a hot discussion in the past about it :)

Update: applying Your settings and also mine, I got the same result:

BB.png1.png
 
Last edited:

Jerry.Lin

Level 2
Verified
Apr 27, 2018
74
Thanks, I didn't know which module was actually the real-time protection, since Disable Protection -> disables all modules...



Reading this seems there is no way to perform a real BB Bonus test (so many tied modules)... anyway I will try disabling "scan when saved" and "scan when opened"...

In Performance Profile, those settings are not enabled, so I'm not sure if only those 2 modules are enough to emulate r-t module.

I think BB != HIPS :unsure:, I remind here in the forum was a hot discussion in the past about it :)

Update: applying Your settings and also mine, I got the same result:

View attachment 236234View attachment 236233

Yes. You will get same result as their BB also has cloud detection capacity and this sample is in their cloud database.

Their BB is mostly like a smart HIPS with cloud rules. This can extend not only single-step block (same as traditional HIPS) but also multi-step block (BB based on rules rather than ML model). So you are right. It's not a simple HIPS.

You know the traditional HIPS has AD (Application Defense), FD ( File Defense), and RD (Register Defense), right? So in the setting "Malicious Behavior Blocking" matches AD, "File system Protection" matches FD, and "Register Protection" matches RD. So once you disable FPS, you disable FD of 360 HIPS.

I don't know if this is allowed in MT test, but 360 TS BB only has cloud detection based on hash, so if you just modify the sample a little bit (like adding '0' at the end of PE), then it can bypass BB's cloud detection and it will be a real BB Bonus test (But also need to disable Cloud Analysis: once HIPS detected an PE with unknown reputation, it will be uploaded to the cloud)

And VT is not working at you VM🤔, so 360 HIPS will be much weaker there as it cannot detect some malicious actions(such as remote injecting), so BB Bonus test may not looking good.
 
Last edited:

Jerry.Lin

Level 2
Verified
Apr 27, 2018
74
Refer to https://malwaretips.com/threads/unknown-ransomware-7-04-2020.99763/#post-871842
360 BB recognizes this ransomware sample as presenting ransomware behaviors in my VM with Intel VT enabled.
That's what I said disable VT will significantly impact the protection of 360 BB - some actions could not be detected by HIPS.

Annotation 2020-04-07 160126.png
Annotation 2020-04-07 160359.png

Annotation 2020-04-07 160424.png

Annotation 2020-04-07 160442.png

Terminate process successful
Annotation 2020-04-07 160455.png
 
Last edited:

Jerry.Lin

Level 2
Verified
Apr 27, 2018
74
I also got all of these warnings in my test even without VT Support, but files were finally encrypted even blocking them...
Do you get last one on my pictures with "detect ransomware" popup? The block bottom of this window will terminate the whole process rather than just block this action and can roll back some parts of encrypted files if had.
 

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
I also got all of these warnings in my test even without VT Support, but files were finally encrypted even blocking them...
Same here. I've been trying it for about 3 years now. I always have the same problem against ransomware. If I catch and press the block at 29 I lose some files. If I'm late ..............:eek::eek:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top