Malware Hub Report SecureAPlus (APEX + WhiteListing) - September 2019 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

harlan4096

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
SecureAPlus (APEX + WhiteListing + UniversalAV Disabled) - September 2019 Report
Due to the small number of samples used in this tests, you should take results with a grain of salt. We encourage you to compare these results with others and take informed decisions on what security products to use.
__

C: Clean / P: Protected / P - NC: Protected - Not Clean / I: Infected / E: Encrypted
A: APEX / W: WhiteListing / LD: LockDown / UAV: Universal AV


* Dynamic BB Bonus Test (APEX Resident Protection disabled)
* Partially Blocked
* BSR: Before System Reboot
* ASR: After System Reboot

September
2019
Samples
Pack
Static
Detection
Dynamic
Detection
Total
Detection
Bait Files
Encrypted
2nd Opinion
Scanners
System
Final Status
Thread
Link
* Next
tests
will be
performed
in
Interactive Mode
(Default):
02/09/2019
28
15 (A) / 28
1 (A) + 9 (W) / 13
25 / 28
No
C: ZAM, NPE, HMP
I: WV
P - NC
03/09/2019
1
0 / 1
1 (W)
1 / 1
No
C
P
03/09/2019
3
3 (A) / 3
3 (W) / 3*
3 / 3
3 / 3*
No
C
C
P*
04/09/2019
19
9 (A) / 19
8 (W) / 10
17 / 19
No
C
P
06/09/2019
20
10 (A) / 20
7 (W) + 1 (W)* / 10
18 / 20
No
I
BSR: I
ASR:
I
06/09/2019
1
1 (A) / 1
1 (W) / 1*
1 / 1
1 / 1*
No
C
C
P*
07/09/2019
6
1 (A) / 6
5 (W) / 5
6 / 6
No
C
P
09/09/2019
22
10 (A) / 22
1 (A) + 11 (W) / 12
22 / 22
No
C: ZAM
I: WV, NPE, HMP
P - NC
11/09/2019
1
1(A) / 1
1 (W) / 1 *
1 / 1
1 / 1*
No
C
C
12/09/2019
1
0 / 1
1 (W) / 1
1 / 1
No
C
P
12/09/2019
1
1 (A) / 1
1 (W) / 1*
1 / 1
1 / 1*
No
C
C
13/09/2019
26
12 (A) / 16
10 (W) / 14
22 / 26
No
C
P
* Next
tests
will be
performed
in
LockDown Mode:
16/09/2019
21
10 (A) / 21
7 + 1* (LD) / 11
18 / 21
No
I
BSR: I
ASR: I
17/09/2019
18
10 (A) / 18
6 (LD) / 8
16 / 21
No
I
BSR: I
ASR: I
17/09/2019
3
2 (A) / 3
1 (LD) / 1
2 (LD) / 2*
3 / 3
No
C
P
18/09/2019​
5​
0 / 5​
5 (LD) / 5​
5 / 5​
No​
C
P
19/09/2019​
17​
6 (A) / 17​
11 (LD) / 11​
17 / 17​
No​
C
P
20/09/2019​
1​
1 (A) / 1​
1 (LD) / 1*
1 / 1
1 / 1*
No
C
C
P*
20/09/2019​
3​
0 / 3​
3 (LD) / 3​
3 / 3​
No​
C
P
21/09/2019​
1​
1 (A) / 1​
1 / 1*
1 / 1
1 / 1*
No​
C
C
P*
22/09/2019​
1​
1 (A) / 1​
1 / 1*
1 / 1
1 / 1*
No​
C
C
P*
* Next
tests
will be
performed
in
Defaults Settings
(APEX + UAV + WL):
23/09/2019​
20​
12 / 20​
4 (WL) + 1(UAV) / 8​
17 / 20​
No​
C
P
* APEX
at
Maximum
Level:
24/09/2019​
18​
10 / 18​
2 (A) + 5 (WL) / 8​
17 / 18​
No​
C
P
24/09/2019
1
1 (A) / 1
1 / 1*
1 / 1
1 / 1*
No
C
C
P*
* SAP Essential 6
APEX
at
Minimum:
25/09/2019​
16​
10 / 16​
2 (UAV) + 4 (WL) / 6​
16 / 16​
No​
C
P
25/09/2019​
1​
1 / 1​
1 (WL) / 1*
1 / 1
1 / 1*
No​
C
C
P*
27/09/2019​
15​
7 / 15​
7 (WL) / 8​
14 / 15​
No​
I
BSR: I
ASR: I
29/09/2019​
1​
1 / 1​
1 (WL) / 1*
1 / 1
1 / 1*
No​
C
C
P*
30/09/2019​
1​
1 / 1​
1 (WL) / 1*
1 / 1
1 / 1*
No​
C
C
P*
30/09/2019​
19​
13 / 19​
2 (UAV) + 4 (WL) / 6​
6 / 6​
No​
C
P
 
Last edited:

woodrowbone

Level 10
Verified
Dec 24, 2011
480
Great Harlan!
Do you send them the files that APEX missed?
Submit
Just to train APEX against them (y)

I did just test APEX against aprox 400 new malware (90% ransomware) and it nailed all of them.
I just guess their AI learned all there is from the samples I get my hands on, good that you have other sources.

/W
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
You could be correct regarding exe files only, somewhere in the back of my head I think I heard this before from SAP.
Maybe he can confirm?
And if so when will APEX cover more extensions?

If APEX only detects exe files it should be possible to change under "scan settings" disable Register as Antivirus, and let Microsoft Defender enable itself. Run ConfigureDefender on High settings to pick up both exe and the rest. Hopefully APEX as a companion jumps in if Defender misses any exe.

As I only get my hands on exe files I cant test this combo that I think would be awesome, but that could be a subject for testing later on if you have the time Harlan.

Keep up the much appreciated work (y)

/W
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
You can run Whitelisting in "Observation mode".
App settings, Application whitelisting, Advanced settings, in here you enable observation mode.
I run it this way as I use CFW + CS settings, making the whitelisting feature redundant.

/W
 

harlan4096

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Yeah I know "Observation Mode" will allow all unkwon applications to run... but I guess that SAP without WhiteListing and only with APEX will get easily infected in the Hub since APEX only monitors exe files :) until now in my Hub tests WhiteListing has been complementing APEX...
 

harlan4096

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Hum probably They don't contemplate APEX detecting extra files types for now since SAP already has Universal AV cloud multi engine, this way this is also a complement to APEX only detecting exe files...
 
Last edited:

sap

From SecureAge
Verified
Developer
Well-known
Sep 26, 2014
189
True, I hope SAP will show up here and confirm APEX exe only.

/W
Sorry, I have just read this. Yes, APEX detects executable files only, or to be precise the all the files with PE (Portable Executable) header. It is not necessary .exe, but also includes other extensions, such as .dll, .sys, .ocx, etc.

For documents, harlan4096 was right, the application whitelisting will complement APEX.
Usually document's malware will have a payload. This can be a script, exe, or a command line (e.g. poweshell command). The application whteilisting component should block this when it try to execute.
 

sap

From SecureAge
Verified
Developer
Well-known
Sep 26, 2014
189
One more question I forgot to comment, in the last tests (today 2 exe samples) I've found that some .exe samples are not detected by APEX, but They appears as detected/known by APEX at VirusTotal :unsure: :unsure:
APEX on VirusTotal uses the High sensitivity setting. As what I understand, you are using Medium sensitivity for your testing.
 

harlan4096

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
@sap:
For documents, @harlan4096 was right, the application whitelisting will complement APEX.
Usually document's malware will have a payload. This can be a script, exe, or a command line (e.g. poweshell command). The application whteilisting component should block this when it try to execute.
Last week in 2 malware packs tests 2 documents (Emotet) dropping/spawning .exe files bypassed even SAP WhiteListing and LockDown Mode :unsure: :unsure:
 

sap

From SecureAge
Verified
Developer
Well-known
Sep 26, 2014
189
@sap:

Last week in 2 malware packs tests 2 documents (Emotet) dropping/spawning .exe files bypassed even SAP WhiteListing and LockDown Mode :unsure: :unsure:
If you don't mind, can you send us the sample files that SAP missed to secureaplus@secureage.com?
If you still have the log files, can you also send it to us (also send to secureaplus@secureage.com)? The log file is: "C:\ProgramData\SecureAge Technology\SecureAge\log\whitelist.log"
As the file may be big, please compress the file before sending. If the file size is still too big to be sent via email, you can send it via: Send large files up to 5GB for free

We will check what happened and try to improve this in the future.

Thanks.
 

harlan4096

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
@sap:

I don't have the logs, since the tests were performed last week and after every malware test, I revert to clean snapshot...

I already sent the samples via the service: SecureAPlus Submit Malware - Cloud-based Antivirus, Application Whitelisting and Offline Antivirus but I can send them again via pm...

You can check in the 1st post of this thread the table of results days:

06/09/2019: https://malwaretips.com/threads/mixed-threats-20-06-09-2019.94826/post-832954

16/09/2019: https://malwaretips.com/threads/malware-samples-21-16-09-2019.95024/post-834811

17/09/2019: https://malwaretips.com/threads/mixed-threats-18-17-09-2019.95045/post-834988

In those 3 cases a .doc -> dropping/spawning .exe files bypassed WhiteListing / LockDown...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top