WiseVector StopX vs 0-day ransomware (KnowBe4)
<blockquote data-quote="miguelang611" data-source="post: 983513" data-attributes="member: 86982"><p>Hey there!!</p><p></p><p>KnowBe4 is one of those tests I like to run from time to time on different scenarios and with different AVs. My choice is to run the AVs signatureless, to simulate a real 0-day attack. Blocking the exes which launch the ransomware tests is not valid for me, since it doesn't prove any sort of behavioural blocking.</p><p></p><p>Until today, the only AV which has managed to get a clean sheet out of the box is Kaspersky, both the Free and Premium ones, thanks to System Watcher. Not even BitDefender when it comes to the ransomware shield itself (although it passes with the AV shield).</p><p></p><p>WiseVectorX v305 out of the box blocks the launch of the test, so they need to be excluded.</p><p></p><p>1. Once that's done, if the test runs, it gets all the threats (exe and cxp) via the malware engine. They are flagged as these:</p><p></p><p>[ATTACH=full]265726[/ATTACH]</p><p>[ATTACH=full]265733[/ATTACH]</p><p></p><p>It gets a clean sheet. All non-vulnerable!!</p><p></p><p>I think it is a sort of signature-based engine as well (since I tested it some days ago and it failed against every non-.exe; all .cxp were missed).</p><p></p><p>2. Seeing that, if I disable the malware engine and rely on the pure ransomware shields, it only manages to block 4 ransomware samples:</p><p></p><p>[ATTACH=full]265727[/ATTACH]</p><p></p><p>[ATTACH=full]265728[/ATTACH]</p><p></p><p>3. However, using the deception-based ransomware shield, which relies on 2 random folders with some test files and checks whether those are changed in any way, the results differ.</p><p></p><p>[ATTACH=full]265729[/ATTACH]</p><p></p><p>If I copy those 2 folders under one of the test folders and add them to deception protection...</p><p></p><p>1. Before the test begins --> the folders are deleted by the test, and therefore the deception shield is bypassed. I guess because I excluded MainRunner and RanStart on the malware shield? And that also affects the ransomware ones?</p><p></p><p>2. Once the test has started and the original KnowBe4 docx, txt, xlsx are copied --> WiseVector catches it and prompts me to restore the files.</p><p>However, in case the user misclicks, I can't find a way to restore them (for the opposite case you have quarantine, but not for ransom rollback).</p><p></p><p>-IMPORTANT NOTE: I moved KB4 to my Documents folder, which is supposed to be protected by the Deception shield by default (that SS is from that folder itself). HOWEVER, WiseVector won't detect the changes if they are made in subfolders!!!!- (except when manually recopied and included in the WV settings as described in this 2nd option)-</p><p></p><p>[ATTACH=full]265725[/ATTACH]</p><p></p><p>Using that 2nd option on 2 test folders (0 and 2), we will move from this...</p><p></p><p>[ATTACH=full]265730[/ATTACH]</p><p></p><p>To this:</p><p></p><p>[ATTACH=full]265732[/ATTACH]</p><p></p><p>Test just began:</p><p></p><p>[ATTACH=full]265718[/ATTACH]</p><p></p><p>Ransom executed:</p><p></p><p>[ATTACH=full]265719[/ATTACH]</p><p></p><p>Rollback prompt:</p><p></p><p>[ATTACH=full]265721[/ATTACH]</p><p></p><p>Result after "apply":</p><p></p><p>[ATTACH=full]265722[/ATTACH]</p><p></p><p>In the logs it is marked as ransom :D (the WV log doesn't work properly, and even without a reboot it got flushed :/ )</p><p></p><p>[ATTACH=full]265724[/ATTACH]</p><p></p><p>Another side note: while the test is executing, the WiseVector interface usually becomes unresponsive and even closes. Fortunately, the WV service still runs in the background and is able to protect the PC.</p><p></p><p>Also, the deception protection is included by default on the admin's Documents folder, but not on other users'! Important if you run a non-privileged account as I usually do, since you will need to add them manually.</p><p></p><p>Hope you find this little test interesting!!</p><p>I think WV's concepts are strong and deception protection is powerful, but the exclusions and subfolder problems should be addressed!!</p><p></p><p>See you!</p></blockquote>
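The deception shield the post describes (decoy folders whose unexpected change signals ransomware, with the caveat that changes inside subfolders went unnoticed) can be modelled with a small recursive integrity check. The code below is an added example, not WiseVector's code and not part of the KnowBe4 test: it assumes a decoy tree you create yourself (the folder layout, file names and contents are constructed here in a temporary directory), hashes every file including those in subfolders, and reports modified, deleted or newly dropped files, so the subfolder case the post says the product misses is covered.

```python
"""Recursive decoy-folder integrity check (added example, not product code).

Models the "deception" idea from the post: a baseline of decoy files is
recorded, and any later difference (a file changed, deleted, renamed, or a
new file such as a ransom note dropped beside the decoys) raises an alert.
Subfolders are walked the same as the top-level folder. All paths and
file contents are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large decoys do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(decoy_root: Path) -> dict[str, str]:
    """Map each file under decoy_root (recursively) to its digest.

    Keys are POSIX-style relative paths, so the baseline is portable across
    Windows and Unix hosts.
    """
    return {
        p.relative_to(decoy_root).as_posix(): hash_file(p)
        for p in sorted(decoy_root.rglob("*"))
        if p.is_file()
    }


def check(decoy_root: Path, expected: dict[str, str]) -> list[str]:
    """Compare the current tree to the baseline; every difference is an alert."""
    alerts: list[str] = []
    current = baseline(decoy_root) if decoy_root.exists() else {}
    for rel, digest in expected.items():
        if rel not in current:
            alerts.append(f"DELETED_OR_RENAMED {rel}")
        elif current[rel] != digest:
            alerts.append(f"MODIFIED {rel}")
    for rel in current:
        if rel not in expected:
            alerts.append(f"NEW_FILE {rel}")  # e.g. a dropped ransom note
    if not decoy_root.exists():
        # The whole decoy folder vanished, the "bypass" case in the post.
        alerts.append("DECOY_ROOT_MISSING")
    return alerts


def demo() -> list[str]:
    """Self-contained run on a constructed decoy tree in a temp directory.

    Returns the sorted alert list produced after simulated tampering
    (one file rewritten inside a subfolder, one deleted, one new file).
    """
    root = Path(tempfile.mkdtemp()) / "decoys"  # constructed sample location
    (root / "sub").mkdir(parents=True)
    (root / "report.docx").write_bytes(b"decoy content 1")
    (root / "notes.txt").write_bytes(b"decoy content 2")
    (root / "sub" / "budget.xlsx").write_bytes(b"decoy content 3")

    expected = baseline(root)
    assert check(root, expected) == []  # untouched tree: no alerts

    # Simulated tampering, confined to the constructed temp tree:
    (root / "sub" / "budget.xlsx").write_bytes(b"overwritten")  # subfolder change
    (root / "notes.txt").unlink()                               # deletion
    (root / "README_DECRYPT.txt").write_bytes(b"new file")      # dropped note
    return sorted(check(root, expected))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the block prints one alert per changed path; in a real deployment the baseline would be stored outside the monitored tree and `check` would run on a timer or on file-system change notifications, with the alert feeding whatever response the endpoint product takes (block the writing process, snapshot for rollback).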