Just for fun I repeated that test today. I used Visual Studio to make two C# applications:
(1) Simulated ransomware: creates a simple password-protected zip file of Desktop and My Documents, then goes and deletes files one by one.
(2) Simulated generic malware: upon running, downloads a second binary from my web server and executes that. The second binary copies itself to another location and then tries to register that as a startup item.
I had Symantec Endpoint Protection, F-Secure SAFE, and Emsisoft virtual machines around for testing.
All 3 flagged the second one — F-Secure and Emsisoft caught it as it attempted to download and execute the second payload. SEP flagged it after it attempted to register as a startup item.
The simulated ransomware test was super interesting. F-Secure flagged it as DeepGuard-detected cryptoransomware, and pointed out specifically that it was because it was manipulating files in a protected folder. Emsisoft also flagged it as suspicious behavior (nothing specific) and started a 10-second countdown before deleting it. SEP was totally silent, as were the default settings for Windows Defender... that was kind of shocking to me since SONAR is regarded as a great behavior blocker. I even tried adjusting as many of the SONAR and heuristics/Bloodhound settings as I could find; no change.
I’m also not a malware tester; I am an application developer by day. But for me this definitely influences my decision — especially since the first test actually resulted in losing all my simulated files with Windows Defender and SEP.
Just as a disclaimer, I didn’t spend much time trying more creative ways of encrypting user data. Most real ransomware uses more clever tactics than the first StackOverflow result for zipping up files in a directory...
I am also a bit disappointed in the static heuristic analysis by all of these programs. Looking at the disassembly it is fairly obvious what it is doing — less than half a page of IL assembly and references to password-protected encryption, getting the My Documents location, looping through files.
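The two behaviours the post describes as the ones the products keyed on (mass file manipulation in a protected folder, and a dropped executable followed by a startup registration) are exactly the kind of thing a behaviour blocker can express as simple rules over process telemetry. The following is an added example, not code from the post's author or from any of the products named above; it runs two such rules over a constructed event log. The event format (`timestamp|pid|operation|target`), the protected-folder list, the operation names and every path in the sample are hypothetical, and the thresholds are illustrative rather than anything a real product uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical configuration (assumptions, not taken from any real product).
PROTECTED_FOLDERS = ("\\Desktop\\", "\\Documents\\")
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")
EXECUTABLE_SUFFIXES = (".exe", ".dll")
RUN_KEY_MARKER = "\\CurrentVersion\\Run\\"

# Constructed sample telemetry (not captured from a real system).
# pid 4242 archives Desktop/Documents then deletes files one by one;
# pid 777 deletes a single temp file outside a protected folder;
# pid 9001 drops an executable and registers it as a startup item.
SAMPLE_EVENTS = r"""
2024-01-01T10:00:00|4242|FILE_CREATE|C:\Users\alice\Desktop\backup.zip
2024-01-01T10:00:01|4242|FILE_DELETE|C:\Users\alice\Desktop\notes.txt
2024-01-01T10:00:02|4242|FILE_DELETE|C:\Users\alice\Desktop\todo.txt
2024-01-01T10:00:03|4242|FILE_DELETE|C:\Users\alice\Desktop\photo.jpg
2024-01-01T10:00:04|4242|FILE_DELETE|C:\Users\alice\Documents\report.docx
2024-01-01T10:00:05|4242|FILE_DELETE|C:\Users\alice\Documents\budget.xlsx
2024-01-01T10:01:00|777|FILE_DELETE|C:\Users\alice\Downloads\junk.tmp
2024-01-01T10:02:00|9001|FILE_CREATE|C:\Users\alice\AppData\Roaming\svc.exe
2024-01-01T10:02:01|9001|REG_SET|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
"""


def parse_events(text):
    """Parse 'timestamp|pid|operation|target' lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, op, target = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "op": op, "target": target})
    events.sort(key=lambda e: e["ts"])
    return events


def in_protected_folder(path):
    return any(marker in path for marker in PROTECTED_FOLDERS)


def detect_protected_folder_churn(events, threshold=5, window_seconds=30):
    """Rule 1: a process deleting >= threshold files under protected folders
    within window_seconds. A per-pid deque holds only the deletes inside the
    sliding window; an archive written to a protected folder by the same pid
    is recorded as supporting context."""
    window = timedelta(seconds=window_seconds)
    recent_deletes = defaultdict(deque)
    archive_written = defaultdict(bool)
    flagged = {}
    for e in events:
        if not in_protected_folder(e["target"]):
            continue
        pid = e["pid"]
        if e["op"] == "FILE_CREATE" and e["target"].lower().endswith(ARCHIVE_SUFFIXES):
            archive_written[pid] = True
        elif e["op"] == "FILE_DELETE":
            q = recent_deletes[pid]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop deletes older than the window
                q.popleft()
            if len(q) >= threshold and pid not in flagged:
                flagged[pid] = {
                    "pid": pid,
                    "rule": "protected_folder_churn",
                    "detail": f"{len(q)} deletes in {window_seconds}s, "
                              f"archive_written={archive_written[pid]}",
                }
    return list(flagged.values())


def detect_persistence_after_drop(events, window_seconds=60):
    """Rule 2: a process writes an executable and, shortly after, sets a value
    under a Run key. Only the most recent drop per pid is remembered."""
    window = timedelta(seconds=window_seconds)
    last_drop = {}
    hits = []
    for e in events:
        pid = e["pid"]
        if e["op"] == "FILE_CREATE" and e["target"].lower().endswith(EXECUTABLE_SUFFIXES):
            last_drop[pid] = (e["ts"], e["target"])
        elif e["op"] == "REG_SET" and RUN_KEY_MARKER in e["target"] and pid in last_drop:
            drop_ts, drop_path = last_drop[pid]
            if e["ts"] - drop_ts <= window:
                hits.append({"pid": pid, "rule": "persistence_after_drop",
                             "detail": f"wrote {drop_path} then set {e['target']}"})
    return hits


def analyze(text):
    """Run both rules over a raw event log and return all alerts."""
    events = parse_events(text)
    return detect_protected_folder_churn(events) + detect_persistence_after_drop(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["pid"], alert["rule"], alert["detail"])
```

Against the constructed log, rule 1 fires for pid 4242 after its fifth delete and ignores pid 777 because Downloads is not in the protected list, and rule 2 fires for pid 9001. The thresholds matter: with `threshold=6` the same log produces no churn alert, which is the trade-off a behaviour blocker has to make between catching a slow file-by-file deletion and staying quiet during ordinary cleanup.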