
Trying to get HIPS / Antiransomware to trigger on generic samples


mynamesismd

Recommended Posts

One test that I usually run with antivirus software is to compile a .NET binary that simply goes into My Documents and starts placing file by file into a zip file, then going back and deleting every file it zipped up. This triggers many other antivirus programs' cryptoransomware behavior blocker.


When I try the same with ESET (the latest version), it silently allows the attack to run to completion. I have all of the advanced heuristics options enabled, and the antiransomware module as well as HIPS on either Automatic or Smart (it sounds like Smart might be more sensitive than Automatic?)


Is ESET's antiransomware module intended to block this kind of activity? I can provide a file sample if that helps, but really, it's just 10 lines of code that creates a ZIP file and places a designated set of documents into it.


https://pastebin.com/XRVrupP9


  • Administrators

No, Ransomware shield is not supposed to detect it. We do not detect simulators, only actual malware. If it really did something malicious, it would be detected or a smart detection would be added and the sample would be considered a new kind of ransomware. However, creating actual malware for the purpose of testing AVs is not considered ethical.


56 minutes ago, mynamesismd said:

One test that I usually run with antivirus software is to compile a .NET binary that simply goes into My Documents and starts placing file by file into a zip file, then going back and deleting every file it zipped up. This triggers many other antivirus programs' cryptoransomware behavior blocker.

I will also add that if the security solution triggers on this behavior, it is actually flagging an unknown process per reputation status deleting files in the My Documents folder. The problem is this process could be a legit one designed to copy and delete files in this directory.

If this type of activity is a concern, you can always create Eset HIPS rules to monitor file modification activities in the My Documents directory and then create corresponding allow rules for trusted processes that do the same. However, this is far from "bullet proof" since malware could perform, for example, process hollowing to inject malicious code into the trusted process and you're nailed.

Edited by itman
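To make itman's point concrete, here is an added illustration (not ESET code, and not the poster's test binary) of the kind of rule he describes: watch delete events under the user's Documents folder, raise an alert when a process not on an allow list deletes many files in a short window, and suppress the alert for an explicitly trusted backup tool. The event stream, paths, process names, PIDs, threshold and window length are all constructed assumptions for the example. The allow rule matches on image path only, which is exactly the weakness the thread points out: an injected trusted process would sail through, so a real rule would also key on code signer or hash.

```python
"""Toy Documents-folder deletion monitor in the spirit of the HIPS rule
discussed in the thread.  Hypothetical example; not ESET's implementation."""
from collections import defaultdict
from dataclasses import dataclass

DOCUMENTS = r"C:\Users\alice\Documents"   # constructed path (assumption)
DELETE_THRESHOLD = 5                       # deletes before alerting (assumed tuning)
WINDOW_SECONDS = 10.0                      # sliding window length (assumed tuning)

# Allow rules: trusted processes permitted to delete under Documents.
# Matching on image path alone is weak (process hollowing into a trusted
# image defeats it); a production rule would also check signer/hash.
ALLOW_RULES = {
    r"C:\Program Files\BackupTool\backup.exe",   # constructed trusted tool
}


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since monitor start
    pid: int
    image: str     # full path of the acting process image
    action: str    # "create", "write" or "delete"
    path: str      # file the action touched


def in_documents(path: str) -> bool:
    """True if path lies under the monitored Documents folder."""
    return path.lower().startswith(DOCUMENTS.lower() + "\\")


def detect_mass_deletion(events, threshold=DELETE_THRESHOLD, window=WINDOW_SECONDS):
    """Return [(pid, image, peak_count)] for non-allowed processes whose
    delete count under Documents reaches `threshold` inside any `window`."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "delete" or not in_documents(ev.path):
            continue
        if ev.image in ALLOW_RULES:          # corresponding allow rule
            continue
        by_proc[(ev.pid, ev.image)].append(ev.ts)

    alerts = []
    for (pid, image), times in by_proc.items():
        # sliding window over the sorted delete timestamps
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((pid, image, peak))
    return alerts


def build_sample_events():
    """Constructed sample telemetry (not real events)."""
    tmp_exe = r"C:\Users\alice\AppData\Local\Temp\ziptest.exe"  # unknown process
    backup = r"C:\Program Files\BackupTool\backup.exe"           # on the allow list
    slow = r"C:\Users\alice\Downloads\cleanup.exe"               # unknown but slow
    events = [FileEvent(0.0, 4120, tmp_exe, "create", DOCUMENTS + r"\archive.zip")]
    # unknown process: 6 deletes within 3 seconds -> alert
    for i in range(6):
        events.append(FileEvent(0.5 * (i + 1), 4120, tmp_exe, "delete",
                                DOCUMENTS + rf"\report{i}.docx"))
    # trusted backup tool: same pattern, suppressed by the allow rule
    for i in range(6):
        events.append(FileEvent(20.0 + i, 5010, backup, "delete",
                                DOCUMENTS + rf"\old{i}.bak"))
    # unknown process deleting one file every 15 s: never fills the window
    for i in range(6):
        events.append(FileEvent(100.0 + 15.0 * i, 6001, slow, "delete",
                                DOCUMENTS + rf"\tmp{i}.txt"))
    return events


if __name__ == "__main__":
    for pid, image, count in detect_mass_deletion(build_sample_events()):
        print(f"ALERT pid={pid} image={image} deletes_in_window={count}")
```

Running it alerts only on the unknown process that deletes six files in a few seconds; the backup tool is suppressed by the allow rule and the slow deleter never reaches the threshold inside the window. Both of those are where the false positives and false negatives in this approach live: a legitimate unlisted cleanup tool trips the rule, while a patient deleter (or one injected into a listed image) does not.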

Thank you for the responses! This makes sense to me. So the HIPS is more of a traditional definition of a HIPS. ESET's choices here seem reasonable if the philosophy is to lower false positives.

A lot of other AV programs use the terms HIPS and behavior blocker / Antiransomware to mean they look for these kinds of behaviors, and for a file with low cloud reputation it's basically on a hair trigger. While it might help with zero-days and custom-written malware, you guys are absolutely right that the risk of false positives is high.


BTW Huge props to ESET for the latest update. I'm pretty impressed by the detection against actual known malware -- it's doing a fantastic job against real world new malware variants, especially against malvertising that delivers randomly generated variants of PUAs.
