App Review Qihoo Total Security 360 - ransomware test

[Evjl's Rain]

Last video before I take a break

 

[worldless]

Although I'm an anti-fan of Chinese products, honestly 360 & (btw) Xiaomi's phone are those in my exception list.
p/s: I always set speed to 2x for this kind of reviews until I realize you already did

 

[Evjl's Rain]

Although I'm an anti-fan of Chinese products, honestly 360 & (btw) Xiaomi's phone are those in my exception list.
p/s: I always set speed to 2x for this kind of review until I realize you already did

true. nobody wants to watch >10-minute videos like me so I have to speed things up

I like xiaomi too but I don't like qihoo

 

[Parsh]

Another awesome review. Thanks @Evjl's Rain. With 360, the cases always get interesting.

One loony thing about 360 is that it apparently doesn't properly block the malware process until we click on 'block' andany delay in selecting 'block' can be trouble-inviting in case of fast encrypting RW as you said (since encryption isn't caused if you quickly select 'block', we assume that the same process is encrypting files).
Why in the world does it just not totally block the process until we take a decision?
It should be that way with any other AV.

 

[Evjl's Rain]

Another awesome review. Thanks @Evjl's Rain. With 360, the cases always get interesting.

One loony thing about 360 is that it apparently doesn't properly block the malware process until we click on 'block' andany delay in selecting 'block' can be trouble-inviting in case of fast encrypting RW as you said (since encryption isn't caused if you quickly select 'block', we assume that the same process is encrypting files).
Why in the world does it just not totally block the process until we take a decision?
It should be that way with any other AV.

that's how HIPS works
it blocks the process from doing certain things but won't terminate them. I don't like HIPS. It's annoying

in case of qihoo, the good thing is it automatically blocks after 30 seconds while most other HIPS-es don't

in case of 1.exe, it was not terminated and continuously generated HIPS popup. qihoo also had to block it continously => high CPU

 

[Parsh]

that's how HIPS works
it blocks the process from doing certain things but won't terminate them. I don't like HIPS. It's annoying

in case of qihoo, the good thing is it automatically blocks after 30 seconds while most other HIPS-es don't

Yeah, got that
But doesn't it keep that malicious process blocked for that 30 sec timeframe too? It should be doing so right... Then how could the RW encrypt some files on slow decision of the user since the process was supposed to be 'blocked'?

 

[Evjl's Rain]

Yeah, got that
But doesn't it keep that malicious process blocked for that 30 sec timeframe too? It should be doing so right... Then how could the RW encrypt some files on slow decision of the user since the process was supposed to be 'blocked'?

I don't know, it depends. I saw a few ransomwares encrypted the files before I clicked Block (in previous test I did silently, older version)

btw, qihoo is still one of the best antiransomware AVs
not as effective against other types of malware even with BD and avira enabled

 

[Parsh]

I don't know, it depends. I saw a few ransomwares encrypted the files before I clicked Block (in previous test I did silently, older version)

btw, qihoo is still one of the best antiransomware AVs
not as effective against other types of malware even with BD and avira enabled

I'll try to verify it sometime if slow action is the issue here.

It might not get powerful in real-time behavior blocking with Avira and BD, but the definitions can be quite useful to get rid of malware (that Qihoo engine is supposed to miss) earlier by preventing cleaning with their definitions. Both are top-notch in the same as we know.
The only downside, really slow updates!

 

[Evjl's Rain]

I'll try to verify it sometime if slow action is the issue here.

It might not get powerful in real-time behavior blocking with Avira and BD, but the definitions can be quite useful to get rid of malware (that Qihoo engine is supposed to miss) earlier by preventing cleaning with their definitions. Both are top-notch in the same as we know.
The only downside, really slow updates!

qihoo's signatures really really bad. You know these are the samples I used for all other tests, just some of them were new. You can see how many samples left in the folder after the scan. Too many

Avira's signatures are much better than BD because it's updated more recently

 

[Parsh]

Avira's signatures are much better than BD because it's updated more recently

True said!
Have you seen this pattern?
Sometimes when definitions are shown a day old and you update, they are still a day old.
And then after 2-3 times of selecting 'update' continuously, you get today's definition updates for both engines.
It's weird and I've seen this quite some time .
So, sometimes, if you don't update multiple times, it will have a day old of definitions in TS!

 

[Evjl's Rain]

True said!
Have you seen this pattern?
Sometimes when definitions are shown a day old and you update, they are still a day old.
And then after 2-3 times of selecting 'update' continuously, you get today's definition updates for both engines.
It's weird and I've seen this quite some time .
So, sometimes, if you don't update multiple times, it will have a day old of definitions in TS!

I don't know that but I will not use qihoo. It's not the best AV because we don't just have RWs to stop

 

[Parsh]

When I read about your comment on 360 against fast encrypting RW earlier, I got skeptical of using it on my home PC. But then I accompanied it with ZoneAlarm AV+FW (AV disabled, only for on demand scans).

Guess what, now I have engines of the top 3 AVs (definition-wise)(excluding Eset since not available) for preventive scanning and ZA firewall's process+identity control as a bonus, thanks to @Sr. Normal 2.0!
And it goes pretty well with 360's behavior blocker (hardly any overlaps)

EDIT: ZA Firewall should help catch RW's request for connection to remote host (for key etc) and ask regarding malicious actions with process control that 360 'might' miss. I usually block requests of unidentified applications.

 

[jamescv7]

The perks of having a backup component, mechanistic protection of Qihoo 360 is definitely impressive although of course it should stop not only the payload but the main source of execution to avoid encryption process.

 

[Parsh]

The perks of having a backup component, mechanistic protection of Qihoo 360 is definitely impressive although of course it should stop not only the payload but the main source of execution to avoid encryption process.

Yes it should block both of them.

But if you see the alerts carefully, 360 did alert about the process saying "program ..is attempting to modify photos and docs".
So it did intercept the encryptor, but the delayed action apparently resulted in a few files getting encrypted.
Be it any, it has got to improve its all-round protection against such RW.

 

[jamescv7]

@Parsh: Yup , I think Qihoo should formulate proper rollback feature despite of possible delayed action.

 

[Parsh]

@Parsh: Yup , I think Qihoo should formulate proper rollback feature despite of possible delayed action.

Why not block the threat completely till user doesn't take an action?
And if it is like what you said, that it misses some malicious process that does the dirty encryption thing, then that's a different case, a total downside for us.

I don't think that such apps will be able to recover the files lost to RWs in any way, except that they had some backup formulae implemented for certain folders.
Reversal in many cases other than RW attacks are possible and done as we know. Qihoo has the advanced repair engine right?

 

[_CyberGhosT_]

Any AV is only as good as it Signatures no matter how they dress it up and make it look attractive and or advanced.
Thanks for the vid as always Evil

 

[Evjl's Rain]

I agree that qihoo should suspend the process before users make the decision. In the test, I didn't see any "suspended" status in process explorer. Kaspersky and BD did it during their BB inspecting the file

 

[Parsh]

Any AV is only as good as it Signatures no matter how they dress it up and make it look attractive and or advanced.
Thanks for the vid as always Evil

Can we take a different perspective?
Subtract the definitions part from a good AV and you'll get a smaller, or maybe not smaller, but a decent version of sig-free security. How? We know

• Behavior Blocking
• Application Control (depends)
• Network attack blocking
• (limited) Exploit protection (depends)
• HIPS (depends) ....etc.

And we've seen these components in action in real-life, Malware hub and reviews.
Different components of different AVs may be well appreciated, but they do cover up a lot that their Old-Approach based engines cannot.

I'm considering the above features from some of the best AVs that provide these layers and cover many critical protection domains in one package so that you don't go after installing different kinds of protection apps to tighten different threat vectors.

They might not cover all of them but they provide an optimal threat protection in their known ways for the users.
Again, their Research influences the scope of protection.

Many sig-free apps will have tightened protection but in limited vectors (as per the needs), those, that may or may not be covered by the best AV solutions.
Whole point of this, you know

 

[_CyberGhosT_]

Whole point of this, you know

I feel ya brother , but I still refuse to install a Chinese AV solution and for very obvious and documented reasons.
If I did go back to sig based solutions Emsisoft would be my first stop for their BB