novice 20 Posted July 28, 2018
Just ran a ransomware simulator (RanSim) from here: https://www.knowbe4.com/ransomware-simulator
On a Win7/64 with NOD32, the result is ---> see attachment. Any comments????

Most Valued Members cyberhash 194 Posted July 28, 2018
The answer is in the name ....... It's a "Simulator" = not the real thing.
Firefox and Chrome both block you from downloading this, and on the "KnowBe4" webpage they acknowledge this and tell you how to get "around" this. Why would ANY legitimate security vendor have to provide details on how to do this? I'm sure they would be in contact with Google and Mozilla to have it unblocked if it was a mistake.

novice 20 Posted July 28, 2018 Author
9 minutes ago, cyberhash said: The answer is in the name ....... It's a "Simulator" = not the real thing
This is the convenient answer, to justify failure. The Antiransomware protection on ESET is based on HIPS, which cannot distinguish between a simulator and a real threat (unless the simulator is on a white list). See here a test with Eicar, another "simulator". Yet, ESET will detect it as a normal threat.
Edited July 28, 2018 by claudiu

Most Valued Members cyberhash 194 Posted July 28, 2018
6 minutes ago, claudiu said: This is the convenient answer, to justify failure. The Antiransomware protection on ESET is based on HIPS, which cannot distinguish between a simulator and a real threat (unless the simulator is on a white list). See here a test with Eicar, another "simulator". Yet, ESET will detect it as a normal threat.
It's not a convenient answer, it's a fact. Eicar is a "test" file that pre-dates any HIPS type system. It's not a simulator. Never heard of "knowbe4", the app needs torn apart to see how it works. But I suspect it's nonsense that would return the same result when run under any security product......... the old term "Scareware" comes to mind?

novice 20 Posted July 28, 2018 Author
6 minutes ago, cyberhash said: But I suspect it's nonsense that would return the same result when run under any security product
I wouldn't be so sure: see the detection of Malwarebytes (everything disabled; only Antiransomware protection active). This is the purpose of "Test Files": to test a capability. An answer such as "we know that is a test file, that's why we did not detect it" is an insult to a paying user.

Most Valued Members cyberhash 194 Posted July 28, 2018
15 minutes ago, claudiu said: I wouldn't be so sure: see the detection of Malwarebytes (everything disabled; only Antiransomware protection active). This is the purpose of "Test Files": to test a capability. An answer such as "we know that is a test file, that's why we did not detect it" is an insult to a paying user.
Obviously we have different opinions on what this "Simulator" actually does or achieves. Like I said above, the application needs looked at properly to see if it does "what is advertised" on the label. From what I can see on the screenshots, every test just "encrypts files and deletes the originals". I could do exactly the same thing creating a password protected file using Winrar, which is legitimate.

novice 20 Posted July 28, 2018 Author
6 minutes ago, cyberhash said: I could do exactly the same thing creating a password protected file using Winrar, which is legitimate.
Yes, you could! But I would rather prefer ESET to detect even this (RAR encryption) and to let me know that "RAR is trying to encrypt", YES or NO. At this point, ESET had ZERO reactions to any test run.

itman 1,743 Posted July 28, 2018
@claudiu, instead of constantly complaining about lack of Eset protections, you need to first and prior to posting see if the subject has been posted previously in the Eset forum. This "simulator" was discussed extensively previously in the Eset forum. In fact the postings became so ridiculous, I actually posted a detailed analysis on this in the Comments section: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/

Administrators Marcos 5,241 Posted July 28, 2018
While eicar is a test file with an exact definition that virtually all AV vendors agreed to detect for testing purposes, RanSim is a tool created by a particular company that does not do actual harm.
Definition of eicar (http://www.eicar.org/86-0-Intended-use.html? ... it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
On the other hand, RanSim tries to simulate one of zillions of ways of encryption. Given that there's no standard defined for detection of ransomware behavior (it'd be useless anyways since malware authors use different ways of encryption to avoid detection), applications that seemingly pass these tests may miserably fail in the real world when it comes to protection from real ransomware. The lesson to learn is, do not put trust into simulators but real world tests.
Since everything has been said and explained in the above topic, we'll draw this one to a close.