Stackhackr: is it an adequate malware test?


https://stackhackr.barkly.com/builder

I used the default settings for ransomware and it bypasses EES 7. Can you test it too? It's good that launcher.exe is not detected as a false positive, but after launch it executes all of its code without any restriction.


Administrators

I stopped reading at "This will simulate the common behavior of deleting shadow volume copies (no files will actually be deleted or encrypted)."

Simulators are not subject to detection. Also there are numerous ways to encrypt files and to bypass ransomware behavior detectors so the simulator won't tell how well an AV would protect you against actual malware.

ESET detects deletion of shadow copies via HIPS, but it's only one of the events that contribute to behavior detection. Deletion of shadow copies by itself doesn't mean that ransomware was run.


Talk about a useless test. My Eset HIPS rule to monitor script execution easily detected it:

Quote

Time;Application;Operation;Target;Action;Rule;Additional information
1/16/2019 9:12:27 AM;C:\Users\xxxx\Downloads\launcher.exe;Start new application;C:\Windows\System32\wscript.exe;blocked;User rule: block script executables;

Also of note is LiveGrid submission of launcher.exe to Eset's cloud servers upon its execution.

-EDIT- Blocking criterion used: an unknown (to me) executable running from the C:\Users\xxxx\Downloads\ directory attempting to launch a script.

Edited by itman
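As an added example (not code from the thread, from itman, or from ESET), here is the rule the post above describes, replayed over HIPS log lines in the semicolon-separated export format quoted there: flag any "Start new application" event where the parent lives under a user's Downloads folder and the child is a script host, and separately list the matches the HIPS did not block. The log lines are constructed for illustration; the Downloads path pattern assumes the default Windows profile layout, and the shadow-copy tool list (vssadmin.exe, wbadmin.exe) is my assumption about how the "delete shadow copies" event the administrator mentions usually appears, since the thread itself does not name a tool.

```python
"""Replay an itman-style HIPS rule over ESET HIPS log export lines.

Added example, not from the forum thread or from ESET. Sample log lines are
constructed; the first one mirrors the blocked event quoted in the thread.
"""
import csv
import io
import ntpath
import re

# Script interpreters a dropper typically hands off to (the thread's case is wscript.exe).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumption: tools commonly invoked to delete shadow copies. The thread only says
# that shadow-copy deletion is one HIPS-visible event among several.
SHADOW_COPY_TOOLS = {"vssadmin.exe", "wbadmin.exe"}
# Assumption: default Windows profile layout, so "unknown download" means any
# executable under a per-user Downloads directory.
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.IGNORECASE)

# Constructed sample in the export format quoted in the thread
# (header row, then semicolon-separated rows with a trailing field).
SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
1/16/2019 9:12:27 AM;C:\Users\xxxx\Downloads\launcher.exe;Start new application;C:\Windows\System32\wscript.exe;blocked;User rule: block script executables;
1/16/2019 9:13:02 AM;C:\Windows\explorer.exe;Start new application;C:\Windows\System32\wscript.exe;allowed;;
1/16/2019 9:14:10 AM;C:\Users\xxxx\Downloads\setup.exe;Start new application;C:\Windows\System32\cmd.exe;allowed;;
1/16/2019 9:15:44 AM;C:\Users\xxxx\Downloads\setup.exe;Start new application;C:\Windows\System32\cscript.exe;allowed;;
1/16/2019 9:15:45 AM;C:\Users\xxxx\Downloads\setup.exe;Start new application;C:\Windows\System32\vssadmin.exe;allowed;;
"""


def parse_hips_log(text):
    """Parse a HIPS log export (semicolon-separated, header row first) into dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [row for row in reader if row.get("Application")]


def classify(event):
    """Return a reason string when the event matches the rule, else None.

    Rule: parent process lives under a user's Downloads folder and starts
    either a script host or a shadow-copy tool. Explorer launching wscript.exe
    from a system path, for instance, is deliberately not matched.
    """
    if event.get("Operation") != "Start new application":
        return None
    if not DOWNLOADS_RE.match(event.get("Application", "")):
        return None
    child = ntpath.basename(event.get("Target", "")).lower()
    if child in SCRIPT_HOSTS:
        return "script-host"
    if child in SHADOW_COPY_TOOLS:
        return "shadow-copy-tool"
    return None


def find_suspicious(text):
    """List (application, target, action, reason) for every matching event, in log order."""
    hits = []
    for ev in parse_hips_log(text):
        reason = classify(ev)
        if reason:
            hits.append((ev["Application"], ev["Target"], ev["Action"], reason))
    return hits


def unblocked(text):
    """Matching events the HIPS allowed through: the ones that need a rule or a look."""
    return [h for h in find_suspicious(text) if h[2].lower() != "blocked"]


if __name__ == "__main__":
    for app, target, action, reason in find_suspicious(SAMPLE_LOG):
        print(f"{action:8} {reason:16} {app} -> {target}")
    print(f"{len(unblocked(SAMPLE_LOG))} matching event(s) were not blocked")
```

Run as-is it reports three matches: the blocked launcher.exe -> wscript.exe event from the thread, and two allowed events from setup.exe (cscript.exe and vssadmin.exe). The vssadmin hit illustrates the administrator's caveat: on its own it is one contributing event, not proof of ransomware, which is why the rule reports a reason rather than a verdict.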

A security analyst a while back wrote a blog posting about Barkly's Stackhackr simulator. The blog is titled 'Security Through Absurdity'.

I am posting excerpts below but you really should read the entire article. Overall, chalk this one up as more Next Gen marketing FUD:

Quote

Stackhackr; Useless for Testing – Good for Marketing

Barkly, a self-proclaimed security company, has revived the 1990's era Rosenthal Virus Simulator; an application that called false positives good while claiming to test the quality of antivirus products. Some users believed that this simulator indicated if an antivirus product was good at detecting malware. As a result some AV companies wrote detection specifically for Rosenthal's harmless files. The customers wanted harmless false positives for harmless files and so they got them.

Barkly has come out with a free product they call Stackhackr. Stackhackr is a lead generation application that is disguised as a security product testing tool. In reality it is another Rosenthal type program that convinces users that false positives mean better security.

According to Barkly "The malware you create won't actually cause any harm, but whether it runs or gets blocked will tell you if your system is vulnerable to the real thing."

Really? If a completely ineffective security product writes detection specifically for this application then you are not vulnerable to the real thing? If a product false positives and detects your harmless files, then the company's customers are not vulnerable to ransomware?

Stackhackr does not test the ability of a product to detect ransomware, malware, or the ability of a product to effectively deal with any attacks. Due to the security effectiveness of application reputation, Barkly specifically calls out this type of detection as a false positive. Barkly claims that detection of their launcher application is a false positive because the launcher file is harmless and not part of the test. Seriously? Detecting a harmless launcher is a false positive but detecting the harmless files it writes is not?
Edited by itman