What's good about Emsisoft?
Quote from MacDefender (post 840446):

Just for fun I repeated that test today. Used Visual Studio to make two C# applications:

(1) Simulated ransomware: creates a simple password-protected zip file of Desktop and My Documents, then goes and deletes files one by one.
(2) Simulated generic malware: upon running, downloads a second binary from my web server and executes that. The second binary copies itself to another location and then tries to register that as a startup item.

I had Symantec Endpoint Protection, F-Secure SAFE, and Emsisoft virtual machines around for testing.

All 3 flagged the second one — F-Secure and Emsisoft caught it as it attempted to download and execute the second payload. SEP flagged it after it attempted to register as a startup item.

The simulated ransomware test was super interesting. F-Secure flagged it as DeepGuard-detected cryptoransomware, and pointed out specifically that it was because it was manipulating files in a protected folder. Emsisoft also flagged it as suspicious behavior (nothing specific) and started a 10-second countdown before deleting it. SEP was totally silent, as were the default settings for Windows Defender.... that was kind of shocking to me since SONAR is regarded as a great behavior blocker. I even tried adjusting as many of the SONAR and heuristics/Bloodhound settings as I could find; no change.

I'm also not a malware tester, I am an application developer by day. But for me this definitely influences my decision — especially since the first test actually resulted in losing all my simulated files with Windows Defender and SEP.

Just as a disclaimer, I didn't spend much time trying more creative ways of encrypting user data. Most real ransomware uses more clever tactics than the first StackOverflow result for zipping up files in a directory....

I am also a bit disappointed in the static heuristic analysis by all of these programs. Looking at the disassembly it is fairly obvious what it is doing — less than half a page of IL assembly and references to password-protected encryption, getting the My Documents location, looping through files.
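The post above describes three behaviours that the behaviour blockers keyed on: mass file manipulation in a protected user folder, download-and-execute of a second stage, and registering a startup item. The following is an added example, not code from the post or from any of the products named, showing how a toy behaviour scorer would flag those patterns when run over a constructed process event trace. The protected folder list, the event record layout and the thresholds (20 deletions inside a 10-second window) are assumptions chosen for the illustration; real products attribute events per process through kernel drivers and tune thresholds very differently.

```python
"""Toy behaviour-based scoring over a constructed process event trace.

Added example only: the event format, the protected folders and the
thresholds below are assumptions, not the logic of any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: the user folders a behaviour blocker treats as "protected".
PROTECTED_DIRS = (r"C:\Users\alice\Desktop", r"C:\Users\alice\Documents")
ARCHIVE_EXTS = (".zip", ".7z", ".rar")


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since trace start
    pid: int      # process that performed the action
    kind: str     # file_write | file_delete | net_download | proc_exec | reg_run_key
    target: str   # file path, on-disk download destination, or registry value


def is_protected(path: str) -> bool:
    return path.lower().startswith(tuple(d.lower() for d in PROTECTED_DIRS))


def max_in_window(times: List[float], window: float) -> int:
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score_processes(events: Iterable[Event], window: float = 10.0,
                    delete_threshold: int = 20) -> Dict[int, List[str]]:
    """Return {pid: [verdict tags]} for every process that tripped a rule."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    verdicts: Dict[int, List[str]] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        tags: List[str] = []

        # Rule 1: burst of deletions inside protected folders.
        deletes = [e.ts for e in evs
                   if e.kind == "file_delete" and is_protected(e.target)]
        if max_in_window(deletes, window) >= delete_threshold:
            tags.append("mass-delete-protected")

        # Rule 2: an archive is written into a protected folder, then
        # originals are deleted (the "zip then delete" pattern in the post).
        archive_ts = [e.ts for e in evs if e.kind == "file_write"
                      and is_protected(e.target)
                      and e.target.lower().endswith(ARCHIVE_EXTS)]
        if archive_ts and sum(t > min(archive_ts) for t in deletes) >= 3:
            tags.append("archive-then-delete")

        # Rule 3: a file fetched from the network is executed by the same process.
        downloaded = {e.target.lower() for e in evs if e.kind == "net_download"}
        if any(e.kind == "proc_exec" and e.target.lower() in downloaded for e in evs):
            tags.append("download-and-execute")

        # Rule 4: registering a Run-key startup item.
        if any(e.kind == "reg_run_key" for e in evs):
            tags.append("persistence-run-key")

        if tags:
            verdicts[pid] = tags
    return verdicts


# Constructed trace: pid 1001 mirrors the simulated ransomware, pid 2002 the
# download-and-persist dropper, pid 3003 is benign housekeeping.
SAMPLE_EVENTS: List[Event] = (
    [Event(1.0, 1001, "file_write", r"C:\Users\alice\Desktop\backup.zip")]
    + [Event(2.0 + i * 0.1, 1001, "file_delete", rf"C:\Users\alice\Documents\doc{i}.txt")
       for i in range(30)]
    + [Event(5.0, 2002, "net_download", r"C:\Users\alice\AppData\Local\Temp\stage2.exe"),
       Event(5.5, 2002, "proc_exec", r"C:\Users\alice\AppData\Local\Temp\stage2.exe"),
       Event(6.0, 2002, "reg_run_key",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\stage2")]
    + [Event(10.0 + i * 15, 3003, "file_delete", rf"C:\Users\alice\Desktop\old{i}.log")
       for i in range(4)]
)

if __name__ == "__main__":
    for pid, tags in score_processes(SAMPLE_EVENTS).items():
        print(pid, tags)
```

The benign process (pid 3003) deletes four files spread over a minute and trips nothing, which is the point of the sliding window: the heuristic is looking at rate inside user data folders, not at deletion itself. The archive rule shows why a protected-folder check is a stronger signal than a generic "many file writes" count: the combination of a new archive plus removal of the originals in the same folder is what the post's F-Secure alert singled out.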