Malware Hub Report SecureAPlus (APEX + WhiteListing) - September 2019 Report

[harlan4096]

SecureAPlus (APEX + WhiteListing + UniversalAV Disabled) - September 2019 Report

Due to the small number of samples used in this tests, you should take results with a grain of salt. We encourage you to compare these results with others and take informed decisions on what security products to use.

__

C: Clean / P: Protected / P - NC: Protected - Not Clean / I: Infected / E: Encrypted
A: APEX / W: WhiteListing / LD: LockDown / UAV: Universal AV

* Dynamic BB Bonus Test (APEX Resident Protection disabled)
* Partially Blocked
* BSR: Before System Reboot
* ASR: After System Reboot

September 2019	Samples Pack	Static Detection	Dynamic Detection	Total Detection	Bait Files Encrypted	2nd Opinion Scanners	System Final Status	Thread Link
* Next​	tests​	will be​	performed​	in​	Interactive Mode ​	(Default):​
02/09/2019​	28​	15 (A) / 28​	1 (A) + 9 (W) / 13​	25 / 28​	No​	C: ZAM, NPE, HMP I: WV​	P - NC​	Post#7​
03/09/2019​	1​	0 / 1​	1 (W)​	1 / 1​	No​	C​	P​	Post#4​
03/09/2019​	3​	3 (A) / 3​	3 (W) / 3*​	3 / 3 3 / 3*​	No​	C​	C P*​	Post#7​
04/09/2019​	19​	9 (A) / 19​	8 (W) / 10​	17 / 19​	No​	C​	P​	Post#6​
06/09/2019​	20​	10 (A) / 20​	7 (W) + 1 (W)* / 10​	18 / 20​	No​	I​	BSR: I ASR: I​	Post#3​
06/09/2019​	1​	1 (A) / 1​	1 (W) / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#2​
07/09/2019​	6​	1 (A) / 6​	5 (W) / 5​	6 / 6​	No​	C​	P​	Post#8​
09/09/2019​	22​	10 (A) / 22​	1 (A) + 11 (W) / 12​	22 / 22​	No​	C: ZAM I: WV, NPE, HMP​	P - NC​	Post#7​
11/09/2019​	1​	1(A) / 1​	1 (W) / 1 *​	1 / 1 1 / 1*​	No​	C​	C​	Post#4​
12/09/2019​	1​	0 / 1​	1 (W) / 1​	1 / 1​	No​	C​	P​	Post#6​
12/09/2019​	1​	1 (A) / 1​	1 (W) / 1*​	1 / 1 1 / 1*​	No​	C​	C​	Post#4​
13/09/2019​	26​	12 (A) / 16​	10 (W) / 14​	22 / 26​	No​	C​	P​	Post#4​
* Next​	tests​	will be ​	performed​	in​	LockDown Mode:​
16/09/2019​	21​	10 (A) / 21​	7 + 1* (LD) / 11​	18 / 21​	No​	I​	BSR: I ASR: I​	Post#6​
17/09/2019​	18​	10 (A) / 18​	6 (LD) / 8​	16 / 21​	No​	I​	BSR: I ASR: I​	Post#4​
17/09/2019​	3​	2 (A) / 3​	1 (LD) / 1 2 (LD) / 2*​	3 / 3​	No​	C​	P​	Post#5​
18/09/2019​	5​	0 / 5​	5 (LD) / 5​	5 / 5​	No​	C​	P​	Post#2​
19/09/2019​	17​	6 (A) / 17​	11 (LD) / 11​	17 / 17​	No​	C​	P​	Post#2​
20/09/2019​	1​	1 (A) / 1​	1 (LD) / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#3​
20/09/2019​	3​	0 / 3​	3 (LD) / 3​	3 / 3​	No​	C​	P​	Post#2​
21/09/2019​	1​	1 (A) / 1​	1 / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#3​
22/09/2019​	1​	1 (A) / 1​	1 / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#3​
* Next​	tests​	will be​	performed​	in​	Defaults Settings​	(APEX + UAV + WL):​
23/09/2019​	20​	12 / 20​	4 (WL) + 1(UAV) / 8​	17 / 20​	No​	C​	P​	Post#4​
* APEX​	at​	Maximum​	Level:​
24/09/2019​	18​	10 / 18​	2 (A) + 5 (WL) / 8​	17 / 18​	No​	C​	P​	Post#6​
24/09/2019​	1​	1 (A) / 1​	1 / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#3​
* SAP Essential 6​	APEX​	at ​	Minimum:​
25/09/2019​	16​	10 / 16​	2 (UAV) + 4 (WL) / 6​	16 / 16​	No​	C​	P​	Post#3​
25/09/2019​	1​	1 / 1​	1 (WL) / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#3​
27/09/2019​	15​	7 / 15​	7 (WL) / 8​	14 / 15​	No​	I​	BSR: I ASR: I​	Post#3​
29/09/2019​	1​	1 / 1​	1 (WL) / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#4​
30/09/2019​	1​	1 / 1​	1 (WL) / 1*​	1 / 1 1 / 1*​	No​	C​	C P*​	Post#4​
30/09/2019​	19​	13 / 19​	2 (UAV) + 4 (WL) / 6​	6 / 6​	No​	C​	P​	Post#2​

 

[woodrowbone]

Great Harlan!
Do you send them the files that APEX missed?
Submit
Just to train APEX against them

I did just test APEX against aprox 400 new malware (90% ransomware) and it nailed all of them.
I just guess their AI learned all there is from the samples I get my hands on, good that you have other sources.

/W

 

[harlan4096]

Hi, yes... there is something interesting I've found in SAP APEX... it only detects exe files, but not other types of malware files such as MsOffice documents or scripts

 

[woodrowbone]

You could be correct regarding exe files only, somewhere in the back of my head I think I heard this before from SAP.
Maybe he can confirm?
And if so when will APEX cover more extensions?

If APEX only detects exe files it should be possible to change under "scan settings" disable Register as Antivirus, and let Microsoft Defender enable itself. Run ConfigureDefender on High settings to pick up both exe and the rest. Hopefully APEX as a companion jumps in if Defender misses any exe.

As I only get my hands on exe files I cant test this combo that I think would be awesome, but that could be a subject for testing later on if you have the time Harlan.

Keep up the much appreciated work

/W

 

[harlan4096]

For now I will test only SAP APEX + WhiteListing (can't be disabled I think) + Interactive (Default), later will perform also some tests changing Interactive Mode (Default) to LockDown Mode...

 

[woodrowbone]

You can run Whitelisting in "Observation mode".
App settings, Application whitelisting, Advanced settings, in here you enable observation mode.
I run it this way as I use CFW + CS settings, making the whitelisting feature redundant.

/W

 

[harlan4096]

Yeah I know "Observation Mode" will allow all unkwon applications to run... but I guess that SAP without WhiteListing and only with APEX will get easily infected in the Hub since APEX only monitors exe files until now in my Hub tests WhiteListing has been complementing APEX...

 

[woodrowbone]

True, I hope SAP will show up here and confirm APEX exe only.

/W

 

[harlan4096]

Hum probably They don't contemplate APEX detecting extra files types for now since SAP already has Universal AV cloud multi engine, this way this is also a complement to APEX only detecting exe files...

 

[harlan4096]

One more question I forgot to comment, in the last tests (today 2 exe samples) I've found that some .exe samples are not detected by APEX, but They appears as detected/known by APEX at VirusTotal

 

[woodrowbone]

Probably different models off APEX, they have released quite a few the last weeks, or different sensitivity settings?
I hope SAP can comment on all questions when he sees this thread.

/W

 

[harlan4096]

It seems @sap is away of the forum (last seen) since the end of August...

 

[sap]

True, I hope SAP will show up here and confirm APEX exe only.

/W

Sorry, I have just read this. Yes, APEX detects executable files only, or to be precise the all the files with PE (Portable Executable) header. It is not necessary .exe, but also includes other extensions, such as .dll, .sys, .ocx, etc.

For documents, harlan4096 was right, the application whitelisting will complement APEX.
Usually document's malware will have a payload. This can be a script, exe, or a command line (e.g. poweshell command). The application whteilisting component should block this when it try to execute.

 

[sap]

One more question I forgot to comment, in the last tests (today 2 exe samples) I've found that some .exe samples are not detected by APEX, but They appears as detected/known by APEX at VirusTotal

APEX on VirusTotal uses the High sensitivity setting. As what I understand, you are using Medium sensitivity for your testing.

 

[harlan4096]

Right, but in the last malware pack from yesterday used APEX at maximum, and for the next until end of month will use APEX at minimum (to check similar as the upcoming SAP Lite)

 

[harlan4096]

@sap:

For documents, @harlan4096 was right, the application whitelisting will complement APEX.
Usually document's malware will have a payload. This can be a script, exe, or a command line (e.g. poweshell command). The application whteilisting component should block this when it try to execute.

Last week in 2 malware packs tests 2 documents (Emotet) dropping/spawning .exe files bypassed even SAP WhiteListing and LockDown Mode

 

[woodrowbone]

Interesting! Over to you sap

/W

 

[harlan4096]

I just got version 6 in autoupdate! so next test will be performed with it!

Update: got SAP Essentials after SAP 6 update...

 

[sap]

@sap:

Last week in 2 malware packs tests 2 documents (Emotet) dropping/spawning .exe files bypassed even SAP WhiteListing and LockDown Mode

If you don't mind, can you send us the sample files that SAP missed to secureaplus@secureage.com?
If you still have the log files, can you also send it to us (also send to secureaplus@secureage.com)? The log file is: "C:\ProgramData\SecureAge Technology\SecureAge\log\whitelist.log"
As the file may be big, please compress the file before sending. If the file size is still too big to be sent via email, you can send it via: Send large files up to 5GB for free

We will check what happened and try to improve this in the future.

Thanks.

 

[harlan4096]

@sap:

I don't have the logs, since the tests were performed last week and after every malware test, I revert to clean snapshot...

I already sent the samples via the service: SecureAPlus Submit Malware - Cloud-based Antivirus, Application Whitelisting and Offline Antivirus but I can send them again via pm...

You can check in the 1st post of this thread the table of results days:

06/09/2019: https://malwaretips.com/threads/mixed-threats-20-06-09-2019.94826/post-832954

16/09/2019: https://malwaretips.com/threads/malware-samples-21-16-09-2019.95024/post-834811

17/09/2019: https://malwaretips.com/threads/mixed-threats-18-17-09-2019.95045/post-834988

In those 3 cases a .doc -> dropping/spawning .exe files bypassed WhiteListing / LockDown...