mynamesismd

Trying to get HIPS / Antiransomware to trigger on generic samples

One test that I usually run with antivirus software is to compile a .NET binary that simply goes into My Documents and starts placing file by file into a zip file, then goes back and deletes every file it zipped up. This triggers many other antivirus programs' cryptoransomware behavior blockers.

When I try the same with ESET (the latest version), it silently allows the attack to run to completion. I have all of the advanced heuristics options enabled, and the antiransomware module as well as HIPS on either Automatic or Smart (it sounds like Smart might be more sensitive than Automatic?)

Is ESET's antiransomware module intended to block this kind of activity? I can provide a file sample if that helps, but really, it's just 10 lines of code that creates a ZIP file and places a designated set of documents into it.

https://pastebin.com/XRVrupP9

No, Ransomware shield is not supposed to detect it. We do not detect simulators, only actual malware. If it really did something malicious, it would be detected or a smart detection would be added and the sample would be considered a new kind of ransomware. However, creating actual malware for the purpose of testing AVs is not considered ethical.

56 minutes ago, mynamesismd said:

One test that I usually run with antivirus software is to compile a .NET binary that simply goes into My Documents and starts placing file by file into a zip file, then goes back and deletes every file it zipped up. This triggers many other antivirus programs' cryptoransomware behavior blockers.

I will also add that if the security solution triggers on this behavior, it is actually flagging an unknown process (per reputation status) deleting files in the My Documents folder. The problem is that this process could be a legit one designed to copy and delete files in this directory.

If this type of activity is a concern, you can always create Eset HIPS rules to monitor file modification activities in the My Documents directory and then create corresponding allow rules for trusted processes that do the same. However, this is far from "bullet proof", since malware could perform, for example, process hollowing to inject malicious code into the trusted process, and you're nailed.

Edited by itman


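To make the trade-off in the reply above concrete, here is an added example that is not part of the thread and not Eset's code. It models the OP's zip-then-delete test against a throw-away temp directory (never My Documents), records the file events a monitor would see, and runs a toy behavior-blocker rule over them: a process that is not "known good" by reputation and deletes many files in the watched folder is flagged, while a known-good process or one covered by a HIPS-style allow rule is not. The event format, the process names, the reputation labels and the delete threshold are assumptions made for the demo.

```python
"""Added example: zip-then-delete simulator in a sandbox directory plus a toy
behavior blocker. Not the forum poster's code and not Eset's logic; the event
schema, threshold, process names and reputation labels are assumptions."""
import os
import shutil
import tempfile
import zipfile
from collections import defaultdict
from dataclasses import dataclass

WATCHED_SUBDIR = "Documents"   # stands in for My Documents inside the sandbox
DELETE_THRESHOLD = 5           # assumed: this many deletes by one process trips the rule


@dataclass(frozen=True)
class FileEvent:
    process: str   # image name of the acting process (as a driver would report it)
    op: str        # "create", "write" or "delete"
    path: str


def make_sandbox(n_files: int = 8) -> str:
    """Create a temp dir with a Documents folder full of constructed sample files."""
    root = tempfile.mkdtemp(prefix="hips-demo-")
    docs = os.path.join(root, WATCHED_SUBDIR)
    os.makedirs(docs)
    for i in range(n_files):
        with open(os.path.join(docs, f"doc{i}.txt"), "w") as fh:
            fh.write(f"constructed sample document {i}\n")
    return root


def zip_then_delete(root: str, process: str, events: list) -> str:
    """The OP's test: archive every file in the watched folder, then delete the
    originals. Appends the events a file-system monitor would observe."""
    docs = os.path.join(root, WATCHED_SUBDIR)
    archive = os.path.join(docs, "backup.zip")
    files = [os.path.join(docs, f) for f in sorted(os.listdir(docs))]
    events.append(FileEvent(process, "create", archive))
    with zipfile.ZipFile(archive, "w") as zf:
        for f in files:
            zf.write(f, arcname=os.path.basename(f))
            events.append(FileEvent(process, "write", archive))
    for f in files:
        os.remove(f)
        events.append(FileEvent(process, "delete", f))
    return archive


def in_watched_folder(path: str, root: str) -> bool:
    return os.path.dirname(path) == os.path.join(root, WATCHED_SUBDIR)


def behaviour_blocker(events, root, trusted_processes, reputation):
    """Return the set of processes the toy rule would flag.

    Rule: a process deleting >= DELETE_THRESHOLD files in the watched folder is
    flagged unless its reputation is "known good" or it is covered by an allow
    rule. The allow rule keys on the image name only, which is exactly why code
    injected into a trusted process (hollowing) inherits the exemption."""
    deletes = defaultdict(int)
    for ev in events:
        if ev.op == "delete" and in_watched_folder(ev.path, root):
            deletes[ev.process] += 1
    flagged = set()
    for proc, n in deletes.items():
        if n < DELETE_THRESHOLD:
            continue
        if proc in trusted_processes:          # HIPS allow rule
            continue
        if reputation.get(proc) == "known good":
            continue
        flagged.add(proc)
    return flagged


def run_scenario(process, trusted=frozenset(), reputation=None):
    """Run the simulator under a given process name and return what gets flagged."""
    root = make_sandbox()
    events = []
    try:
        zip_then_delete(root, process, events)
        return behaviour_blocker(events, root, trusted, reputation or {})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("unknown process:", run_scenario("unknown_sample.exe"))
    print("known-good process:", run_scenario("backup_tool.exe", reputation={"backup_tool.exe": "known good"}))
    print("allow-listed process:", run_scenario("mysync.exe", trusted=frozenset({"mysync.exe"})))
```

The same sequence of events produces a detection or not depending only on who the process is, which is the false-positive problem in a nutshell: a legitimate backup tool that is not yet known to the reputation cloud looks identical to the simulator, and the allow rule that fixes that is keyed on the image name, so malicious code running inside the trusted image is exempt too.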
Thank you for the responses! This makes sense to me. So the HIPS is more of a traditional definition of a HIPS. ESET's choices here seem reasonable if the philosophy is to lower false positives.

A lot of other AV programs use the terms HIPS and behavior blocker / antiransomware to mean they look for these kinds of behaviors, and for a file with low cloud reputation it's basically on a hair trigger. While it might help with zero-days and custom-written malware, you guys are absolutely right that the risk of false positives is high.

BTW, huge props to ESET for the latest update. I'm pretty impressed by the detection of actual known malware -- it's doing a fantastic job against real-world new malware variants, especially against malvertising that delivers randomly generated variants of PUAs.
