WiseVector StopX vs 0-day ransomware (KnowBe4)

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Hey there!!

KnowBe4 is one of those tests I like to run from a while to while on different scenarios and with different AVs. My choice is to run the AVs signaturless, to simulate a real 0-day attack. Blocking the exes which launch the ransomware tests is not valid for me, since it doesn't prove any sort of behavioural blocking.

Until today, the only AV which has managed to get a clean sheet out of the box is Kaspersky, both Free and Premium ones, thanks to System Watcher. Not even BitDefender when it turns to the ransomware shield itself (although it passes with AV shield).

WiseVectorX v305 out of the box blocks the launch of the test, so it is needed to exclude them.

1. Once that's done, if test runs, It gets all the threats (exe and cxp) via the malware engine. They are targeted as these ones:

1649630547618.png

1649620842433.png


It gets a clean sheet. All non vulerable!!

I think it is a sort of signature based engine as well (since I tested it some days ago and it failed against every non .exe, all .cxp were missed).

2. Seen that, If i disable malware engine and rely on pure ransomware shields, it just manages to block 4 ransomwares:

1649630564313.png


1649630574439.png


3. However, using deception based ransomware shield, which relies on 2 random folders with some test files, to compare if those are changed in any way, results will differ.

1649630594523.png


If I copy those 2 folders under one of the test folders and add them to deception protection...

1. Before test begins --> the folders are deleted by the test, and therefore, deception shield is bypassed. I guess because I excluded MainRunner and RanStart on malware shield? And also affects ransomware ones?

2. Once the test has started and the original KnowBe4 docx, txt, xlsx are copied --> WiseVector catches it and prompts me to restore the files.
However, in case the user misclick I don't find the way to restore them (as in the opposite way you have quarantine, but not for ransom rollback).

-IMPORTANT NOTE: I moved KB4 to my Documents folder, which is supposed to be protected by Deception shield by defualt (that SS is from that folder itself). HOWEVER, WiseVector won't detect the changes if are made on subfolders!!!!- (except manually recopied and included in WV settings as described in these 2nd option)-

1649630346818.png


Using that 2nd otpion on 2 test folders (0 and 2), we will move from this...

1649630632837.png


To this:

1649630715862.png


Test just began:

1649629955542.png


Ransom executed:

1649629991189.png


Rollback prompt:

1649630063244.png


Result after "apply":

1649630070762.png


On logs it is marked as ransom : D (WV log doesn't work properly and even without a reboot it got flushed :/ )

1649630179816.png


Anothe side note, while test is executing WiseVector interface usually becomes unresponsive and even closes. Fortunately, WV service still runs on background and is able to protect the PC.

Also, the deception protection is included by default on admin documents folder, but not on other users one! Important if you run a non-priviledged account as I use to do, since you will need to manually add them.

Hope you find this little test interesting!! I think WV concepts are strong, deception protection is powerful, but the exclusions and subfolder problems should be addressed!!

See you!
 

Attachments

  • 1649630052897.png
    1649630052897.png
    14.9 KB · Views: 27
Last edited:

WiseVector

From WiseVector
Verified
Top poster
Developer
Well-known
Dec 14, 2018
627
I think it is a sort of signature based engine as well (since I tested it some days ago and it failed against every non .exe, all .cxp were missed).
Thanks a lot for your testing.

1. "WIBD:HEUR.MalBehavior.E" is behaviour based, not signature based.:)
2. We have not done anything related KnowBe4, it is very strange you said five days ago WVSX failed to block them.
3. If you add a file to Exclusions. WVSX will trust it and therefore will not detect it.
4. Ransomware protection rely on Behavior Analysis. Turning off Advanced protection will reduce the effectiveness of the protection.
 
Last edited:

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Thanks for the test, did you also test F-Secure Safe ?
Yes I did! But it is on another PC I don't have access right now. I think I will publish a comparative of the ones I tested (Kaspersky, Eset, BitDefender, F-Secure, Avast!, Avira, G-Data if I remember well).

However, as I said the only AV which passes the test relying on behavioural blocking fully is Kaspersky. F-Secure also failed once AV shield was disabled (if my memory goes well hehe! )
Thanks a lot for your testing.
It's behaviour based, not signature based.:)
Thank you too! Then I guess it learnt fast because some days ago they all were missed. However, how about deception shield problem regarding subfolders and non-admins? Are you going to look into it?

See you!
 

miguelang611

Level 2
Thread author
Apr 13, 2020
99
For me F-Secure blocks the Simulator with its behavioural component DeepGuard.
Unblock the simulator and let's test how it does against the real ransomware. For me as I said I don't count blocking the whole simulator tool. Almost all AVs do that, but what I want to see is the real protection against the "pure" ransomware behaviour not based on signatures (and without Internet, to avoid KSN or similar network which are kind of signatures at the end of the day)
 

cruelsister

Level 39
Verified
Helper
Top poster
Content Creator
Well-known
Apr 13, 2013
2,839
Miguel- I hope this is not a hijack of the thread, but it may be fun for you (as you appreciate Ransim) to try this:

1) install Comodo Firewall, Install KillSwitch (done from the GUI under Watch Activity)
2). Open KillSwitch and from the menu select View>Show only Sandboxed Processes
3). run Ransim
4). After it finishes, open a File explorer and find c:\VTRoot
5). for the 24 tests, open the "x"-files directories (where x is the test number) to see the damage the test simulates.

m
 

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Miguel- I hope this is not a hijack of the thread, but it may be fun for you (as you appreciate Ransim) to try this:

1) install Comodo Firewall, Install KillSwitch (done from the GUI under Watch Activity)
2). Open KillSwitch and from the menu select View>Show only Sandboxed Processes
3). run Ransim
4). After it finishes, open a File explorer and find c:\VTRoot
5). for the 24 tests, open the "x"-files directories (where x is the test number) to see the damage the test simulates.

m
I will test once I have lil free time!! Thanks for the suggestion!
 
  • Like
Reactions: SecureKongo

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Thanks for the test, did you also test F-Secure Safe ?
For me F-Secure blocks the Simulator with its behavioural component DeepGuard.
Just did the test. DeepGuard just got 3 ransomwares. If AV component enabled, the story changes, but the point here is DeepGuard...

I attach 2 to see it was like this while already running...

1649799761724.png


1649799748569.png


Better than nothing but far from 23/23!!
 

Users who are viewing this thread