Ransomware shield question


Hello. I used your product NOD32 in the past, and I heard that a new version has been released recently. I am currently concerned with ransomware protection, so I am very interested in the capabilities of the ransomware shield component. I don't want to lose my data to something like Bad Rabbit :(.

So, I've decided to check if NOD32 is the product that I need. As I understand it, ransomware outbreaks happen because it takes time to add malware signatures to the antivirus database, so most antivirus products have good dynamic analysis. I wanted to test how ESET deals with "unknown" ransomware. To do it, I disabled real-time file system protection and advanced memory scanner, leaving ransomware shield enabled. After that I launched a WannaCry sample, and it successfully encrypted my test files. In my understanding, ransomware shield must have been sufficient to stop a well-known sample. What am I doing wrong? Should I enable some additional settings?

  • Administrators

You should not disable any of the protection modules either for a test or permanently. Ransomware protection is a part of HIPS which communicates with and receives important information about file operations from real-time protection. Also Advanced Memory Scanner is a part of HIPS and works as the last layer of protection after file execution when already unpacked malware in memory is scanned. AMS is very effective when it comes to detection of new malware variants.

Performing a test by disabling various protection modules substantially reduces protection capabilities and such "tests" will never tell you even a bit about how effectively ESET can protect you from new malware or specifically ransomware.

56 minutes ago, Enrico said:

After that I launched a WannaCry sample, and it successfully encrypted my test files.

Were the test files on a device connected to your network? I assume you are doing your testing on all unpatched devices?

2 hours ago, Enrico said:

Hello. I used your product NOD32 in the past, and I heard that a new version has been released recently. I am currently concerned with ransomware protection, so I am very interested in the capabilities of the ransomware shield component. I don't want to lose my data to something like Bad Rabbit :(.

So, I've decided to check if NOD32 is the product that I need. As I understand it, ransomware outbreaks happen because it takes time to add malware signatures to the antivirus database, so most antivirus products have good dynamic analysis. I wanted to test how ESET deals with "unknown" ransomware. To do it, I disabled real-time file system protection and advanced memory scanner, leaving ransomware shield enabled. After that I launched a WannaCry sample, and it successfully encrypted my test files. In my understanding, ransomware shield must have been sufficient to stop a well-known sample. What am I doing wrong? Should I enable some additional settings?

My test experience showed that for some threats that can be blocked in early layers (like scanning or AMS), the later layers might not block it. The ransomware shield is restricted to certain families. In my tests, the Locky family is the one that is more likely to be blocked. Also, enabling LiveGrid might be necessary.

3 hours ago, Enrico said:

I am not talking about spreading to other machines in network, only about file encryption.

I really don't know what you're attempting to prove.

Eset Internet/Smart Security detects the exploits used in WannaCry, EternalBlue and DoublePulsar, by CVE using its IDS, which is part of its Network Protection. Ditto for the recent Bad Rabbit ransomware, which used the EternalRomance exploit. Since you are using NOD32, which doesn't include network protection, you are not protected against these exploits.

When you disabled NOD32's realtime protection, you also disabled any heuristic scanning and corresponding sandboxing. These components are used to supplement Eset's signature detection when a process performs suspicious activities, including those associated with ransomware. It is assumed that the heuristic scanner will signal the HIPS to apply pre-defined rules used to detect ransomware activity by the process. The problem here is that encryption activity per se is not malicious, since Windows itself performs like activities. Therefore, Eset needs to identify "good vs. bad" encryption activities.

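The "good vs. bad encryption" problem raised in the post above is easier to see in code. The following is an added illustration, not ESET's code and not anything posted in this thread: a toy behavioural scorer that combines the kind of per-process signals a HIPS-style layer could use (rate of distinct high-entropy file writes in a short window, extension-changing renames, and writes to a decoy file) so that a single encrypted backup archive is not flagged while mass encryption by one process is. The event format, process ids, file paths, decoy path and thresholds are all constructed assumptions.

```python
"""Toy behavioural ransomware-activity scorer over a file-operation event stream.

Illustration only (not ESET code). Events are dicts such as
  {"ts": 5.1, "pid": 3003, "op": "write",  "path": "C:/x.docx", "data": b"..."}
  {"ts": 5.2, "pid": 3003, "op": "rename", "src": "C:/x.docx", "dst": "C:/x.docx.locked"}
Thresholds, paths and pids below are constructed assumptions.
"""
import math
import random
from collections import defaultdict, deque

# Assumed decoy ("canary") file that no legitimate process should write to.
CANARY_PATHS = {"C:/Users/alice/Documents/~canary.docx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class RansomwareActivityScorer:
    """Sliding-window, per-process tracking of encryption-like file activity."""

    def __init__(self, window_seconds=10.0, min_files=20, min_entropy=7.5):
        self.window = window_seconds      # look-back window in seconds
        self.min_files = min_files        # distinct files before we alert
        self.min_entropy = min_entropy    # bits/byte that counts as "encrypted-looking"
        self._hi_writes = defaultdict(deque)    # pid -> deque[(ts, path)]
        self._ext_renames = defaultdict(deque)  # pid -> deque[(ts, src)]
        self.alerts = []

    def _expire(self, dq, now):
        # Drop entries older than the window so a slow, legitimate writer never accumulates.
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def _alert(self, pid, ts, reason):
        # One alert per process is enough for this illustration.
        if all(a["pid"] != pid for a in self.alerts):
            self.alerts.append({"pid": pid, "ts": ts, "reason": reason})

    def observe(self, event):
        ts, pid, op = event["ts"], event["pid"], event["op"]
        if op == "write":
            path = event["path"]
            if path in CANARY_PATHS:
                self._alert(pid, ts, f"wrote decoy file {path}")
            if shannon_entropy(event["data"]) >= self.min_entropy:
                dq = self._hi_writes[pid]
                dq.append((ts, path))
                self._expire(dq, ts)
                distinct = {p for _, p in dq}
                if len(distinct) >= self.min_files:
                    self._alert(pid, ts, f"{len(distinct)} distinct high-entropy writes "
                                         f"within {self.window}s")
        elif op == "rename":
            src, dst = event["src"], event["dst"]
            if src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]:
                dq = self._ext_renames[pid]
                dq.append((ts, src))
                self._expire(dq, ts)
                if len(dq) >= self.min_files:
                    self._alert(pid, ts, f"{len(dq)} extension-changing renames "
                                         f"within {self.window}s")

    def flagged_pids(self):
        return sorted({a["pid"] for a in self.alerts})


def build_sample_events():
    """Constructed event stream: an editor, a backup tool, and a mass encryptor."""
    rng = random.Random(42)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    events = []
    # pid 1001: text editor saving three low-entropy documents (benign).
    for i in range(3):
        events.append({"ts": 1.0 + i, "pid": 1001, "op": "write",
                       "path": f"C:/Users/alice/notes{i}.txt",
                       "data": b"The quick brown fox jumps over the lazy dog. " * 50})
    # pid 2002: backup tool writing ONE large compressed archive (high entropy, benign).
    events.append({"ts": 2.0, "pid": 2002, "op": "write",
                   "path": "D:/backups/alice-2017-10.zip", "data": rand(4096)})
    # pid 3003: encrypts 25 documents in 2.5 s and renames each one (malicious pattern).
    for i in range(25):
        path = f"C:/Users/alice/Documents/report{i}.docx"
        events.append({"ts": 5.0 + i * 0.1, "pid": 3003, "op": "write",
                       "path": path, "data": rand(4096)})
        events.append({"ts": 5.05 + i * 0.1, "pid": 3003, "op": "rename",
                       "src": path, "dst": path + ".locked"})
    return events


def run_sample():
    """Feed the constructed stream through the scorer and return the flagged pids."""
    scorer = RansomwareActivityScorer()
    for ev in build_sample_events():
        scorer.observe(ev)
    for a in scorer.alerts:
        print(f"ALERT pid={a['pid']} t={a['ts']:.2f}: {a['reason']}")
    return scorer.flagged_pids()


if __name__ == "__main__":
    print("flagged:", run_sample())
```

Only pid 3003 is flagged; the backup tool's single high-entropy write and the editor's text writes stay below every threshold. Real products add many more signals (file-type/magic checks, process reputation, cloud lookups such as the LiveGrid mentioned above, roll-back of touched files), which is why the thread's point stands: the layers share state, and switching one off starves the others of the signals they score on.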