SeriousHoax 87, Posted December 9, 2019 (edited)
For testing purposes I ran this ransomware in a VM and it encrypted everything in the Desktop and Library folders, including Documents, Pictures, etc., with the MZ173801 extension. No alert from any ESET modules. The sample was automatically sent to ESET. Attached the ransom note below. Hopefully the necessary steps will be taken so that ESET's ransomware module can detect this kind of encryption in the future, and please stop caring too much about false positives if you can.
Virustotal: https://www.virustotal.com/gui/file/7a92a80e742dbcb0d30948dbf6c4d7a6236a5692c5864a1276cfc84d5c71e375/detection
This one looks like it's related to the ransomware as well. Does the exact same thing as the above: https://www.virustotal.com/gui/file/52d93471de20f886a059f5d6b5751afc1929e1aed28c5e39404445f462069479/detection
Attachment: Read_ME_PLS.txt
Edited December 9, 2019 by SeriousHoax
local 0, Posted December 9, 2019
Hello, would it be possible to do the same test with Malwarebytes Anti-Ransomware free? https://malwarebytes-anti-ransomware.en.softonic.com/
SeriousHoax 87 (Author), Posted December 9, 2019
19 minutes ago, local said: Hello, would it be possible to do the same test with Malwarebytes Anti-Ransomware free? https://malwarebytes-anti-ransomware.en.softonic.com/
The free version doesn't have real-time protection, so it's not possible.
local 0, Posted December 9, 2019 (edited)
Malwarebytes Anti-Ransomware is a stand-alone program, free for everybody. It is integrated into the paid Malwarebytes product, but can be used as a standalone program. See here: https://blog.malwarebytes.com/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/
Edited December 10, 2019 by TomasP: changed font size to regular
Hpoonis 7, Posted December 9, 2019
Whew! I think you need to make that louder.
SeriousHoax 87 (Author), Posted December 9, 2019
Ah, silly me, I didn't notice it's the anti-ransomware you're talking about. I'll check that in my free time.
Nightowl 206 (Most Valued Members), Posted December 9, 2019
27 minutes ago, Hpoonis said: Whew! I think you need to make that louder.
I think it's because he copied and pasted from another link. Recently Malwarebytes has lost the reputation it built some time ago, and I stopped trusting them. For security products I would go for three of these: ESET, Kaspersky, HitmanPro (as a second-opinion scanner).
BALTAGY 32 (ESET Insiders), Posted December 9, 2019
I think machine learning, Ransomware Shield and HIPS need to be improved. I did test another one as well, with no alert from ESET.
Nightowl 206 (Most Valued Members), Posted December 9, 2019
2 minutes ago, BALTAGY said: I think machine learning, Ransomware Shield and HIPS need to be improved. I did test another one as well, with no alert from ESET.
Was HIPS set to Automatic or Smart?
BALTAGY 32 (ESET Insiders), Posted December 9, 2019
Just now, Rami said: Was HIPS set to Automatic or Smart?
Automatic
Nightowl 206 (Most Valued Members), Posted December 9, 2019
Just now, BALTAGY said: Automatic
Wondering if Smart makes any difference. Policy / Interactive should prompt you to allow or deny the actions, I think. I never tried.
BALTAGY 32 (ESET Insiders), Posted December 9, 2019
Just now, Rami said: Wondering if Smart makes any difference. Policy / Interactive should prompt you to allow or deny the actions, I think. I never tried.
I did test Smart for some time; I never got any alert.
local 0, Posted December 9, 2019 (edited)
2 hours ago, Rami said: recently Malwarebytes has lost its reputation
It is true, but the ransomware shield from Malwarebytes was acquired from another company; it is not an "in house" product. Moreover, it is a behavior shield, not signature based. I tested several times with live ransomware (WannaCry one of them); each and every time I had 4 files encrypted and, after that, the ransomware was quarantined.
Edited December 9, 2019 by local
Tachikoma 0, Posted December 9, 2019
I would rather use this link instead of the softonic one: https://www.bleepingcomputer.com/download/malwarebytes-anti-ransomware/
itman 1,741, Posted December 9, 2019 (edited)
The vendors detecting this sample at VT are doing so generically. That is either through initial heuristic/behavior methods at run time. I assume this is by monitoring user AppData directories for file encryption activities. I assume this sample must be employing new encryption methods that have not been learned by Eset's advanced machine learning or deep behavioral inspection.
If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories.
-EDIT- Maybe it's time to "revive" the thread on the need for Eset to provide Controlled Folders protection?
Edited December 9, 2019 by itman
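The behaviour-based detection described in local's and itman's posts above (a shield that watches user folders for encryption activity rather than matching signatures, and quarantines after a handful of files have already been hit) can be sketched as a comparison of two folder snapshots. The block below is an added example written for this page; it is not ESET's, Malwarebytes' or any poster's code. The MZ173801 extension and the Read_ME_PLS.txt file name come from the first post; the known-extension list, the 7.0 bits/byte entropy threshold, the alert-after-four-files rule and the sample snapshots are constructed assumptions.

```python
import math
import os
from collections import Counter

# Extensions a normal user profile is expected to hold (constructed list); a
# file that vanishes and reappears under any other extension counts as a rename.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext nears 8.0, prose sits near 4.5 (assumption)
ALERT_AFTER = 4          # constructed threshold: alert once this many files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_rewrites(before: dict, after: dict) -> list:
    """Compare two snapshots {path: content} of a watched folder and return,
    sorted, the original paths that look encrypted:
      * appended-extension rename: the original vanished and
        '<original>.<unknown ext>' appeared with high-entropy content, or
      * in-place overwrite: same name, entropy jumped above the threshold.
    """
    hits = []
    for path, data in after.items():
        if path in before:
            # Only an entropy *jump* counts, so archives and images that were
            # already high-entropy do not trigger on an ordinary save.
            if shannon_entropy(before[path]) < ENTROPY_THRESHOLD <= shannon_entropy(data):
                hits.append(path)
            continue
        stem, ext = os.path.splitext(path)
        # e.g. Documents/minutes.docx -> Documents/minutes.docx.MZ173801
        if (ext.lower() not in KNOWN_EXTENSIONS
                and stem in before and stem not in after
                and shannon_entropy(data) >= ENTROPY_THRESHOLD):
            hits.append(stem)
    return sorted(hits)


def should_alert(before: dict, after: dict) -> bool:
    """True once at least ALERT_AFTER files look encrypted between snapshots."""
    return len(suspicious_rewrites(before, after)) >= ALERT_AFTER


# Constructed sample snapshots. CIPHERTEXT_STANDIN is a deterministic stand-in
# for encrypted output: every byte value equally frequent, so exactly 8.0 bits/byte.
PROSE = b"Minutes of the December meeting: budget, hiring, roadmap. " * 20
CIPHERTEXT_STANDIN = bytes(range(256)) * 4

BEFORE = {
    "Documents/minutes.docx": PROSE,
    "Documents/budget.xlsx": PROSE,
    "Documents/notes.txt": PROSE,
    "Documents/todo.txt": PROSE,
    "Pictures/holiday.jpg": CIPHERTEXT_STANDIN,  # image data is already high-entropy
}
AFTER = {
    "Documents/minutes.docx.MZ173801": CIPHERTEXT_STANDIN,  # renamed and encrypted
    "Documents/budget.xlsx.MZ173801": CIPHERTEXT_STANDIN,
    "Documents/notes.txt.MZ173801": CIPHERTEXT_STANDIN,
    "Documents/todo.txt": CIPHERTEXT_STANDIN,               # overwritten in place
    "Pictures/holiday.jpg": CIPHERTEXT_STANDIN,             # untouched: no entropy jump
    "Documents/Read_ME_PLS.txt": b"constructed ransom note text",  # known ext, low entropy
    "Documents/draft.txt": PROSE,                           # benign new file
}

if __name__ == "__main__":
    hits = suspicious_rewrites(BEFORE, AFTER)
    print(f"{len(hits)} file(s) look encrypted: {hits}")
    print("ALERT" if should_alert(BEFORE, AFTER) else "no alert")
```

On the constructed snapshots the three appended-extension renames and the in-place overwrite are flagged, while the untouched image, the dropped note and the new draft are not, so the four-file threshold is reached. A real shield would feed the same two checks from a filesystem watcher instead of periodic snapshots; the trade-off the thread discusses is visible here too, since a lower threshold fires earlier but also on legitimate tools that compress or encrypt files in place.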
BALTAGY 32 (ESET Insiders), Posted December 9, 2019
16 minutes ago, itman said: The vendors detecting this sample at VT are doing so generically. That is either through initial heuristic/behavior methods at run time. I assume this is by monitoring user AppData directories for file encryption activities. I assume this sample must be employing new encryption methods that have not been learned by Eset's advanced machine learning or deep behavioral inspection. If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories. -EDIT- Maybe it's time to "revive" the thread on the need for Eset to provide Controlled Folders protection?
Personally I know there's no 100% protection, but machine learning and HIPS need to be improved and used more. Also, folder control is another way to be more protected, I agree. When I tested another ransomware, Bitdefender machine learning detected it but not ESET, and today I saw 3 other new ransomware that are not detected by ESET.
itman 1,741, Posted December 9, 2019
Also, it might be time to review how ransomware is delivered. It doesn't just "magically" arrive on your PC as a stand-alone script or executable. The vast majority of ransomware is delivered via e-mail methods. If the dropper or delivery mechanism is detected, the ransomware is never executed.
Bottom line: stand-alone ransomware sample testing is susceptible to wrong assumptions about overall security product detection methods.
BALTAGY 32 (ESET Insiders), Posted December 9, 2019 (edited)
Have a look at this one, Bitdefender doesn't detect it but Bitdefender machine learning did:
https://www.virustotal.com/gui/file/6a9042b3670116b6f553833799e1dd172c670341e48e9bb94309b87bdc28544a/detection
https://www.virustotal.com/gui/file/ca15b28914dc22461fbf8f213047673de7a0434d7ca0d8b796c1a6038f169e23/detection
Edited December 9, 2019 by BALTAGY
local 0, Posted December 9, 2019 (edited)
15 minutes ago, BALTAGY said: Have a look at this one, Bitdefender doesn't detect it but Bitdefender machine learning did: https://www.virustotal.com/gui/file/6a9042b3670116b6f553833799e1dd172c670341e48e9bb94309b87bdc28544a/detection https://www.virustotal.com/gui/file/ca15b28914dc22461fbf8f213047673de7a0434d7ca0d8b796c1a6038f169e23/detection
Yes, but the common denominator is??? Microsoft detected all of them.
Edited December 9, 2019 by local
SeriousHoax 87 (Author), Posted December 9, 2019
3 hours ago, BALTAGY said: I did test Smart for some time; I never got any alert.
Smart mode isn't very smart, but it's still an improvement over Automatic mode. I don't understand why Smart isn't the default mode yet.
Nightowl 206 (Most Valued Members), Posted December 9, 2019
3 minutes ago, SeriousHoax said: Smart mode isn't very smart, but it's still an improvement over Automatic mode. I don't understand why Smart isn't the default mode yet.
Did you test it, and had different results? (I'm just curious to know.)
BALTAGY 32 (ESET Insiders), Posted December 9, 2019
10 minutes ago, local said: Yes, but the common denominator is??? Microsoft detected all of them.
Microsoft is known for very high false positives.
SeriousHoax 87 (Author), Posted December 9, 2019
2 minutes ago, Rami said: Did you test it, and had different results? (I'm just curious to know.)
No, I didn't have the time yet. Maybe ESET is already detecting it via LiveGrid. I'll try checking when I get back home.
SeriousHoax 87 (Author), Posted December 9, 2019 (edited)
1 hour ago, itman said: If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories.
You know this isn't suitable for day-to-day use, at least not the way ESET is at the moment. I create this kind of rule in Kaspersky, and in the case of Kaspersky, instead of only AppData I select the whole C drive and other important folders on other drives. It's practical in Kaspersky thanks to Application Manager and reputation info from KSN; there you can make rules to allow trusted programs automatically and ask permission when something else tries to do any modification. ESET doesn't have anything similar to that, but it's very much possible to implement something like this into the product as it already has LiveGrid.
Edited December 9, 2019 by SeriousHoax
Nightowl 206 (Most Valued Members), Posted December 9, 2019
It's now detected by ESET: Win32/Filecoder.NZG
In my opinion what needs to be improved is the machine learning and HIPS, but I am not an expert like those who program at ESET, for sure. Also, as SeriousHoax said, Application Manager and reputation (rep is already there) should be combined with everything, so the AI could try to decide whether this app is trying to do malicious things or not. But I could be mistaken, I don't know; but also, as itman said, nothing is 100% safe.