
Ransomware Simulator


  • Most Valued Members

The answer is in the name ....... It's a "Simulator" = not the real thing

Firefox and Chrome both block you from downloading this, and on the "KnowBe4" webpage they acknowledge this and tell you how to get "around" it.

Why would ANY legitimate security vendor have to provide details on how to do this? I'm sure they would be in contact with Google and Mozilla to have it unblocked if it was a mistake.

[attachment: ran.jpg]


9 minutes ago, cyberhash said:

The answer is in the name ....... It's a "Simulator" = not the real thing

This is the convenient answer, to justify failure. The Anti-Ransomware protection in ESET is based on HIPS, which cannot distinguish between a simulator and a real threat (unless the simulator is on a whitelist).

See here a test with Eicar, another "simulator"

Yet, ESET will detect it as a normal threat.

[attachment: eicar.jpg]

Edited by claudiu

  • Most Valued Members
6 minutes ago, claudiu said:

This is the convenient answer, to justify failure. The Anti-Ransomware protection in ESET is based on HIPS, which cannot distinguish between a simulator and a real threat (unless the simulator is on a whitelist).

See here a test with Eicar, another "simulator"

Yet, ESET will detect it as a normal threat.

It's not a convenient answer, it's a fact.

Eicar is a "test" file that pre-dates any HIPS-type system. It's not a simulator.

Never heard of "knowbe4"; the app needs to be torn apart to see how it works. But I suspect it's nonsense that would return the same result when run under any security product... the old term "Scareware" comes to mind?


6 minutes ago, cyberhash said:

But I suspect it's nonsense that would return the same result when run under any security product

I wouldn't be so sure: see the detection by Malwarebytes (everything disabled, only Anti-Ransomware protection active).

This is the purpose of "test files": to test a capability.

An answer such as "we know that is a test file, that's why we did not detect it" is an insult to a paying user.

[attachment: MBAM.jpg]


  • Most Valued Members
15 minutes ago, claudiu said:

I wouldn't be so sure: see the detection by Malwarebytes (everything disabled, only Anti-Ransomware protection active).

This is the purpose of "test files": to test a capability.

An answer such as "we know that is a test file, that's why we did not detect it" is an insult to a paying user.

[attachment: MBAM.jpg]

Obviously we have different opinions on what this "Simulator" actually does or achieves.

Like I said above, the application needs to be looked at properly to see if it does "what is advertised" on the label. From what I can see in the screenshots, every test just "encrypts files and deletes the originals". I could do exactly the same thing by creating a password-protected file using WinRAR, which is legitimate.


6 minutes ago, cyberhash said:

I could do exactly the same thing by creating a password-protected file using WinRAR, which is legitimate.

Yes, you could! But I would rather have ESET detect even this (RAR encryption) and let me know "RAR is trying to encrypt", YES or NO.

At this point, ESET had ZERO reactions to any test run.


@claudiu, instead of constantly complaining about the lack of Eset protections, you need to first, and prior to posting, check whether the subject has been posted previously in the Eset forum. This "simulator" was discussed extensively previously in the Eset forum. In fact the postings became so ridiculous that I actually posted a detailed analysis on this in the Comments section: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/


  • Administrators

While eicar is a test file with an exact definition that virtually all AV vendors agreed to detect for testing purposes, RanSim is a tool created by a particular company that does not do actual harm.

Definition of eicar (http://www.eicar.org/86-0-Intended-use.html?):
... it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

On the other hand, RanSim tries to simulate one of zillions of ways of encryption. Given that there's no standard defined for detection of ransomware behavior (it'd be useless anyway, since malware authors use different ways of encryption to avoid detection), applications that seemingly pass these tests may miserably fail in the real world when it comes to protection from real ransomware.

The lesson to learn is: do not put trust in simulators, but in real-world tests.

Since everything has been said and explained in the above topic, we'll draw this one to a close.

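The contrast the administrator draws above is between a test file with an exact, checkable definition and a simulator with none. As an added example (not code from the thread, from ESET, or from eicar.org), the checker below applies the three conditions in the quoted definition to a byte string: it starts with the 68-character string, it is exactly 68 bytes long, and it consists entirely of printable ASCII. The sample inputs are constructed here to show common ways a hand-made test file fails the definition (a trailing newline from an editor, a UTF-8 BOM, a zero typed for the letter O in the third position). The optional `allow_trailing_whitespace` mode is an assumption beyond the text quoted on this page: the fuller eicar.org wording permits whitespace after the 68 characters up to a total of 128 bytes.

```python
"""Validate data against the EICAR test-file definition quoted above.

Added example, not from the forum thread or from eicar.org. The string
below is the one quoted on the page; the sample inputs are constructed.
"""

# Raw string: the 12th character is a literal backslash.  Note the third
# character is the letter O, not the digit zero.
EICAR_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR_STRING.encode("ascii")

# Assumption (not in the text quoted on the page): eicar.org also allows
# trailing whitespace after the 68 characters, up to 128 bytes in total.
TRAILING_WHITESPACE = b" \t\r\n"
MAX_LEN_WITH_WHITESPACE = 128


def is_printable_ascii(data: bytes) -> bool:
    """True when every byte is a printable ASCII character (0x20..0x7E)."""
    return all(0x20 <= b <= 0x7E for b in data)


def check_eicar(data: bytes, allow_trailing_whitespace: bool = False) -> list[str]:
    """Return the definition clauses that `data` violates; an empty list means valid."""
    problems: list[str] = []
    body = data.rstrip(TRAILING_WHITESPACE) if allow_trailing_whitespace else data

    if not data.startswith(EICAR_BYTES):
        problems.append("does not start with the 68-character EICAR string")
    if len(body) != 68:
        problems.append(f"length is {len(body)} bytes, not 68")
    elif allow_trailing_whitespace and len(data) > MAX_LEN_WITH_WHITESPACE:
        problems.append(f"total length {len(data)} exceeds {MAX_LEN_WITH_WHITESPACE} bytes")
    if not is_printable_ascii(body):
        problems.append("contains non-printable or non-ASCII bytes")
    return problems


def is_eicar(data: bytes, allow_trailing_whitespace: bool = False) -> bool:
    """Convenience wrapper: True only when no clause of the definition is violated."""
    return not check_eicar(data, allow_trailing_whitespace)


# Constructed samples: one exact file and four typical hand-made mistakes.
SAMPLES = {
    "exact": EICAR_BYTES,
    "trailing_newline": EICAR_BYTES + b"\n",        # editor appended a newline
    "zero_for_letter_o": b"X50" + EICAR_BYTES[3:],  # digit 0 typed instead of O
    "utf8_bom": b"\xef\xbb\xbf" + EICAR_BYTES,      # editor saved with a BOM
    "lowercase": EICAR_BYTES.lower(),               # case matters
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        problems = check_eicar(data)
        verdict = "VALID" if not problems else "invalid: " + "; ".join(problems)
        print(f"{name:20s} {verdict}")
```

Because the definition is this precise, a scanner can match it exactly and every vendor gets the same answer; RanSim's "encrypt files and delete the originals" has no comparable definition to check against, which is the point made in the closing post.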

  • Marcos locked this topic
This topic is now closed to further replies.