ESET Insiders BALTAGY 32 Posted July 23, 2020
Hi, I came across this tool that should be testing some ransomware scenarios. Original link: https://www.comss.ru/page.php?id=3594
Shouldn't ESET block these tests?
Administrators Marcos 5,466 Posted July 23, 2020
Simulation tests do not tell anything about how a particular AV would perform in the real world with actual malware. We deliberately don't react to it.
ESET Insiders BALTAGY 32 Posted July 23, 2020 (Author)
4 minutes ago, Marcos said:
> Simulation tests do not tell anything about how a particular AV would perform in the real world with actual malware. We deliberately don't react to it.
Don't these tests act like real ransomware? Why doesn't ESET block the operation of encrypting these files?
itman 1,807 Posted July 23, 2020
Yikes! This is still coming up after three years. I wrote about this here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/, covering the methods employed by Ransim and why Eset ignores their tests.
Administrators Marcos 5,466 Posted July 23, 2020
It would be easy if ransomware actually worked like the simulator, but since there are numerous ways to encrypt files, actual malware usually works differently. Moreover, the simulator won't encrypt your own files, plus it's already relatively widespread, which are other factors that substantially affect detection.
itman 1,807 Posted July 23, 2020 (edited)
I will say this. If one wants to test a security product's ransomware detection capability, go to GitHub and download one of the "educational" ransomware there. These actually encrypt your My Documents, etc. folders and provide a decryption key to unencrypt your files. Obviously, do so at your own peril and ensure all your folders are backed up prior to testing.
Ref.: https://github.com/Sh1n0g1/ShinoLocker
Details here: https://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/
For the truly adventurous, "go for the full monty" and use actual ransomware: https://github.com/FozzieHi/Ransomware
Edited July 23, 2020 by itman
itman 1,807 Posted July 23, 2020 (edited)
"Exploring the outer limits" of bypassing a security product's ransomware detection simulation is this one: https://www.nyotron.com/collateral/RIPlace-report_compressed-3.pdf. At least with a bit of coaxing, Eset detects this one as a PUA.
Edited July 23, 2020 by itman
ESET Insiders BALTAGY 32 Posted July 23, 2020 (Author)
5 hours ago, itman said:
> Yikes! This is still coming up after three years. I wrote about this here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/, covering the methods employed by Ransim and why Eset ignores their tests.
I remember I read something about it, but I did search and didn't find anything. Thanks for the info.
itman 1,807 Posted July 23, 2020 (edited)
Finally, when it comes to ransomware, you could just find yourself plain screwed. Such was the case last year when a security researcher discovered a vulnerability in Windows' Encrypting File System, i.e. EFS, that would allow an attacker to deploy it to maliciously encrypt a target's files. Microsoft, as expected, initially "pooh-poohed" it but came to its senses and patched it. This one caused Eset and a whole bunch of other AV vendors to issue security advisories. Luckily, this one wasn't exploited in the wild.
Ref.: https://safebreach.com/Post/EFS-Ransomware
Edited July 23, 2020 by itman