Jump to content

RanSim test

BALTAGY

By BALTAGY
in General Discussion

 Share

Recommended Posts

  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted

Simulation tests do not tell anything about how a particular AV would perform in a real world with actual malware. We don't react to it rather deliberately.

Link to comment
Share on other sites
  • ESET Insiders
BALTAGY

BALTAGY 32

Posted
  • Author
  • ESET Insiders
Posted
4 minutes ago, Marcos said:

Simulation tests do not tell anything about how a particular AV would perform in a real world with actual malware. We don't react to it rather deliberately.

Isn't these testes act like a real ransomware ? why ESET don't block the operation of encrypting these files ?

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted

It would be easy if ransomware actually worked like the simulator but since there are numerous ways how to encrypt files, actual malware usually works differently. Moreover, the simulator won't encrypt your own files plus it's relatively already widespread which are another factors that substantially affect detection.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

I will say this.

If one wants to test a security product's ransomware detection capability, go to Github and download one of the "educational" ransomware there. These actually encrypt your My documents, etc. folders and provide a decyption key to unencrypt your files. Obviously, do so at your own peril and ensure all your folders are backed up prior to testing.

Ref.: https://github.com/Sh1n0g1/ShinoLocker

Details here: https://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/

For the truly adventuous, "go for the full monte" and use actual ransomware: https://github.com/FozzieHi/Ransomware

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

"Exploring the outer limits" of bypassing security product's ransomware detection simulation is this one: https://www.nyotron.com/collateral/RIPlace-report_compressed-3.pdf .

At least with a bit coxing, Eset detects this one as a PUA. 

Edited by itman
Link to comment
Share on other sites
  • ESET Insiders
BALTAGY

BALTAGY 32

Posted
  • Author
  • ESET Insiders
Posted
5 hours ago, itman said:

Yikes! This is still coming up after three years.

I wrote about this here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ and methods employed by Ransim and why Eset ignores their tests.

I remember i did read something about it but did search and didn't find anything, thanks for the info

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Finally when it comes to ransomware, you could just find yourself plain screwed.

Such was the case last year when a security researcher discovered a vulnerability in the Win's Encrypting File System; i.e. EFS, that would allow an attacker to deploy that to maliciously encrypt a target's files. Microsoft, as expected, initially "pooh-pooh" it but came to its senses and patched it. This one caused Eset and a whole bunch of other AV vendors to issue security advisories. Luckily, this one wasn't exploited in-the-wild.

Ref.: https://safebreach.com/Post/EFS-Ransomware

Edited by itman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...