The End of My Search for What Can’t Be Found
More than once a year I end up changing my antivirus-cum-antimalware solution. This is because all of them suck, yet I need protection. With the ransomware epidemic of 2015-2016, this need is even more obvious.
Truth be told, I never really got infected, but should a ransomware infection happen, it might prove catastrophic, given that it sometimes takes me months before I make backup copies of everything that's valuable. Most malware infections can be mitigated, but ransomware is a different kind of beast.
And the way Microsoft has designed its fucked-up operating system, ransomware is merely a disaster waiting to happen:
- Windows is designed to allow the execution of binaries from paths such as %temp%, %AppData%, %LocalAppData%, %userprofile%, %programdata%, %allusersprofile%, and everywhere else.
- Windows is designed to execute stupid Office macros that can "do things" not to the document itself, but to the system.
- Windows is designed to execute Windows Script Host scripts written in whatever language, including VBScript (.vbs/.vbe) and JScript (.js/.jse), or whatever a .wsf file can hold. And yes, obfuscated files are accepted: Microsoft even shipped an obfuscation tool for VBScript and JScript (the Script Encoder, screnc.exe, which produces the .vbe and .jse files), but no decoding counterpart. Obfuscated JavaScript code can be seen everywhere.
This being said, signature-based malware detection is futile. There are days when I receive e-mails carrying zipped 0-day ransomware scripts more than once a day, but there are also days of total silence.
The funny thing is that both Kaspersky and ESET (any of their security solutions, even the "simple" antivirus product) would block such a zipped script, but not because they recognize its malevolence: it's just a general policy of not allowing such attachments. Should I unblock the attachment and unzip the script, in most cases I'd find that the respective ransomware variant is not yet recognized, although it will be within the next 48 hours. So 0-day protection can only be obtained by blocking everything?!
The Chinese Qihoo 360 Total Security has been criticized in the past because the heuristics of its own QVM II engine tended to block almost all obfuscated scripts and macros. In my view, all obfuscated scripts should be blocked by all the major security vendors until a reliable way of signing such scripts is developed. But nobody asked me.
In fact, I disabled Windows Script Host on my laptop, and so far I haven't needed to re-enable it for a legitimate script to run. For disabling and re-enabling WSH I keep two tiny .reg files:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"="0"

and

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"="1"

This doesn't buy much, though: the setting only stops wscript.exe and cscript.exe from running scripts, while Office macros, PowerShell and HTA files launched through mshta.exe are separate execution paths. I can still get ransomware, I guess.
After some time with Kaspersky Total Security 15, Kaspersky Anti-Virus 16, ESET Smart Security 9, ESET NOD32 Anti-Virus 10 Beta, and Kaspersky Anti-Virus 17 (I manage to get 3-month French trials of KAV), I got sick of them. Why is that?
Because I am really pissed off when such a security product, quite reliable otherwise, blocks a file not because it has scanned it but because it sits on a website that happens to be blacklisted, especially when that site is just one of the countless sites that might host malicious files, and most of the files it hosts are not malicious. Also because I don't want anyone interfering with my browser's traffic: nowadays a browser tends to crash anyway when too many tabs are open and some JS manages to wreck it, so I don't need to make it even less stable than it already is.
More than one month ago, I made an experiment. I got an e-mail containing a ZIP with an obfuscated JS that downloads a version of Locky. It doesn't matter that the EXE can't be downloaded anymore; what matters is that the JS is rotten and tries to do things it shouldn't be allowed to do, such as using hundreds of lines to obfuscate some URLs and various operations, and also this kind of stuff:
var SomeStupidName = new ActiveXObject("Scripting.FileSystemObject");
var SomeOtherStupidName = new ActiveXObject("WScript.Shell");
I uploaded the JS to VirusTotal. Initially, 3 obscure antiviruses flagged it as suspicious. Some 20 hours later, 25 products flagged it, including Kaspersky, Bitdefender and ESET. One more day later, 30 products were flagging it, this time with even Microsoft and Qihoo 360's own engine (not the bundled Bitdefender/Avira ones) knowing of it.
Then I edited the file, renamed the variables and re-uploaded the JS to see how smart a signature those security products have. Right away, only 18 products flagged it! The useless security solutions that failed to recognize the JS after the variable names were changed included AVG, Avast, Avira, ESET, Microsoft, Qihoo 360 (own signatures only), Sophos and more.
I repeated the experiment with several other ransomware downloaders over a couple of weeks. What I noticed, to my surprise, is that the only security solution that learned to adapt to new malware strains was… Qihoo 360! Without going back to its old habit of blocking everything, its obfuscated-script heuristics were adapted to cover minor changes, so that it sometimes offered 0-day protection while the others didn't! In the case of the tested files, the improved detections of virus.vbs.runner.i and virus.office.obfuscated.1 were made in the cloud, not locally, so maybe it was still signature-based, but I also noticed some fine-tuning in their HEUR-something detections.
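To make the renaming experiment concrete, here is an added Python example (mine, not the author's file nor any vendor's engine) that shows why a byte-exact signature breaks on a variable rename while a signature over a normalized token stream does not, and adds the kind of static check a scanner could do instead: which ActiveX ProgIDs the script instantiates. The two JScript samples are constructed from the line quoted above; the keyword, global and ProgID lists are my own assumptions, not anything a vendor publishes.

```python
import hashlib
import re

# Constructed samples: the line the post quotes from the Locky downloader, once
# as received and once with the variable names changed (plus a comment and a
# line break), which is the experiment described above.
ORIGINAL = ('var SomeStupidName = new ActiveXObject("Scripting.FileSystemObject"); '
            'var SomeOtherStupidName = new ActiveXObject("WScript.Shell");')
RENAMED = ('var a = new ActiveXObject("Scripting.FileSystemObject");\n'
           'var b = new ActiveXObject("WScript.Shell"); // harmless comment')

# ProgIDs a JScript downloader needs: disk access, a shell to run the payload,
# an HTTP client and a binary stream writer (assumed list, not a vendor's).
DOWNLOADER_PROGIDS = {
    "Scripting.FileSystemObject", "WScript.Shell", "MSXML2.XMLHTTP",
    "Microsoft.XMLHTTP", "MSXML2.ServerXMLHTTP", "ADODB.Stream",
}
JS_KEYWORDS = {"var", "new", "function", "return", "if", "else", "for", "while",
               "do", "this", "true", "false", "null", "typeof", "try", "catch"}
KNOWN_GLOBALS = {"ActiveXObject", "WScript", "eval", "String", "fromCharCode",
                 "Math", "unescape", "replace", "split", "join", "charCodeAt"}

TOKEN_RE = re.compile(
    r'(?P<comment>//[^\n]*|/\*.*?\*/)'
    r'|(?P<string>"[^"]*"|\'[^\']*\')'
    r'|(?P<ident>[A-Za-z_$][\w$]*)'
    r'|(?P<number>\d+)'
    r'|(?P<punct>\S)',
    re.S,
)


def normalize(src: str) -> str:
    """Rewrite JScript so identifier names, numbers, whitespace and comments no
    longer matter, while string literals (ProgIDs, URLs) and the token structure
    are kept. Simplification: escaped quotes inside strings are not handled."""
    names, out = {}, []
    for m in TOKEN_RE.finditer(src):
        kind, tok = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "ident" and tok not in JS_KEYWORDS and tok not in KNOWN_GLOBALS:
            tok = names.setdefault(tok, f"ID{len(names)}")  # first new name -> ID0, ...
        elif kind == "number":
            tok = "NUM"
        out.append(tok)
    return " ".join(out)


def exact_signature(src: str) -> str:
    """What a plain file hash gives you: it changes with every byte."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def structural_signature(src: str) -> str:
    """Hash of the normalized token stream: survives renaming and reformatting."""
    return hashlib.sha256(normalize(src).encode("utf-8")).hexdigest()


def progids_used(src: str) -> set:
    """ProgIDs passed literally to new ActiveXObject(...); obfuscated scripts that
    build the string at runtime slip past this, which is where emulation comes in."""
    return {m.group(1) for m in re.finditer(r'new\s+ActiveXObject\s*\(\s*"([^"]+)"', src)}


def looks_like_downloader(src: str) -> bool:
    """Two or more downloader-grade ProgIDs in one script is already suspicious."""
    return len(progids_used(src) & DOWNLOADER_PROGIDS) >= 2


if __name__ == "__main__":
    print("exact match after rename:     ", exact_signature(ORIGINAL) == exact_signature(RENAMED))
    print("structural match after rename:", structural_signature(ORIGINAL) == structural_signature(RENAMED))
    print("normalized:", normalize(RENAMED))
    print("ProgIDs:", sorted(progids_used(RENAMED)), "downloader-like:", looks_like_downloader(RENAMED))
```

A vendor that only stores a hash or a byte pattern over the original identifiers is the one that drops out after a rename; one that stores something closer to the normalized stream keeps detecting. The ProgID check is the static shadow of what the HIPS does at run time: it sees what the script wants to talk to, not what it is called.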
Then, of course, there is behavior-based protection; let's call it HIPS for simplicity. Fighting ransomware can't be done with "standard" behavior-based protection unless you can accept losing a limited number of encrypted files that can't be recovered. Qihoo's HIPS covers quite well code injection and several other mechanisms which, once blocked, incapacitate a ransomware.
I simply hate the Chinese antivirus Android apps, but on Windows I keep coming back to Qihoo 360 TS or TSE (usually with the Bitdefender signatures added) precisely for its HIPS capabilities in a free and lightweight product.
What about the various anti-ransomware software solutions, one might ask. Well, let’s count some:
- HitmanPro.Alert is commercial, and it’s not as invincible as it claims to be.
- Malwarebytes Anti-Ransomware is a piece of shit that blocked and deleted legitimate software on my laptop.
- Bitdefender Anti-Ransomware is useless; it mostly works by blocking execution from some locations.
- RansomFree by Cybereason is a new piece of useless crap that starts from the assumption that ransomware writers are a bunch of morons: "RansomFree starts by creating randomly-named folders on the infected system, which will act as honeypots. These folders are named with characters including ~ and !, as they are low on the ASCII table, and will be the first ones to be encrypted by the ransomware." No, it doesn't necessarily work this way: nothing obliges a ransomware to walk the disk in ASCII order.
- Kaspersky Anti-Ransomware Tool for Business is free and I tended to trust it, but it’s actually a sort of a fraud.
Here are some videos I want you to watch. They all belong to a woman from NYC who goes by the handle cruelsister on MalwareTips, the same cruelsister on WildersSecurity, and cruelsister1 on YouTube. They're all about testing against 0-day ransomware:
- Malwarebytes Anti Ransomware
- ESET SmartSecurity
- Kaspersky AntiRansomware for Business beta Part 1 and Kaspersky AntiRansomware for Business beta Part 2
- RansomFree by Cybereason and RansomFree An addendum
- BitDefender Internet Security, BitDefender AV Plus, and BitDefender Free
- Avira Internet Security and Avira Free
- Avast Free and Avast CyberCapture
- Qihoo Total Security- An initial test and Qihoo Total Security- a Mechanistic Protection Test
Let me give you a quick summary of the 15 videos above: everyone failed, except Qihoo!
Now, how did Qihoo manage to protect against ransomware that passed signature-based detection? Elementary, dear Watson: it detected the attempts to perform code injection or to obtain specific kinds of unrestricted access! (By "mechanistic," she means behavior-based or HIPS.)
Is Qihoo 360 Total Security or Total Security Essential the one fix to them all, the true panacea? Hell, no!
Because there's also this video to watch: RanSim Ransomware Simulator. This is about a tool meant to simulate the actions of several kinds of ransomware (there are 10 tests in all), and Qihoo fails all ten tests! The only solution that detects RanSim's attempts to "start doing things" is Comodo Firewall 10. Cruelsister's preferred security setup is Qihoo 360 TS plus Comodo Firewall.
There are a few more things to add. Firstly, RanSim doesn't try to inject code; it just creates some files, encrypts them, and notices whether anyone prevents it from doing so. I'm not sure in which way it employs 10 different mechanisms specific to different ransomware types; it's just not detected by Qihoo. Secondly, Comodo Firewall is meant to block (and ask about) everything unknown to it and, like all Comodo products, includes HIPS capabilities that are normally part of an antivirus, not of a firewall. Thirdly, everything Comodo is a pain in the ass to configure, and I gave up after a while: too many exceptions to add, too many things to unblock, even files to remove from quarantine (WTF is this, Bitdefender?).
So in the end, unlike Cruelsister, I didn’t choose to use Comodo’s HIPS-enhanced firewall, but only Qihoo’s TS/TSE (I’m currently bothered that TSE is still at version 8.8.0.1020, while TS is at 9.0.0.1085).
As I said, I never got infected, so using such a protection is only for my peace of mind.
But indeed, Qihoo 360 is such an ugly thing!
HINT: Should you want to test RanSim, make sure the program itself isn't blocked (as happens e.g. with Kaspersky). Add RanSim's launcher.exe to the trusted files, so that you can test your exposure to the supplementary binaries and scripts that RanSim creates and launches once it's allowed to run.
I have to admit that sometimes these Chinese are utterly crappy…
Hey, they are Chinese… 😀
Are you always happy with the products?
Not entirely so.
What trust can one have in a signature-based security solution after having witnessed the following situation?
As reported on MalwareTips, a new strain of the TrumpLocker ransomware was scanned by VirusTotal on 2017-02-22 17:48:43 UTC (first submitted to VT on 2017-02-22 03:08:55 UTC, roughly 14h40m before). The original poster wanted to prove that Avast Internet Security 17 couldn't catch it, even with CyberCapture and the Hardened mode enabled, which should have added some 0-day and behavior-based protection.
Few detections were available, mostly Avira (no cloud), Emsisoft (own engine A, not Bitdefender’s), Ikarus, Kaspersky, MBAM, Symantec.
Major failures included Avast, AVG, Bitdefender, Comodo, ESET-NOD32, F-Prot, F-Secure, GData, McAfee, Microsoft, Panda, Qihoo 360, Sophos, TrendMicro, Webroot.
Some 11 hours and 40 minutes later (more than 26 hours since first submission), on 2017-02-23 05:27:38 UTC, new detections were observed, mostly Baidu, DrWeb, ESET-NOD32, McAfee, Sophos, TrendMicro.
One hour and a half later, on 2017-02-23 07:14:55 UTC, some changes: AVG detects it, but Avast doesn't. Qihoo 360 and Rising detect it, but no change from Bitdefender, Panda.
Three hours and three quarters later, on 2017-02-23 10:59:35 UTC, Microsoft detects it, but no change from Avast, Bitdefender, Panda, and others.
The last time I checked (you can test it yourself, the binary is here, password "infected"), on 2017-02-23 12:25:20 UTC, Panda had learned of it, but that was all that changed.
More than 18 hours since this ransomware was already detected by Avira, Emsisoft, Kaspersky and Symantec (but also by Ikarus and MBAM), and about 33 hours since the first submission, still no detection from Avast and Bitdefender! And they expect people to pay for their “security suites”?! Go figure, even Microsoft and Panda are detecting it.
Not to mention that this is by no means an “innovative” strain: it’s just VenusLocker in disguise! Moreover, Bleeping Computer’s Lawrence Abrams came across it on 2017-02-21, as stated in the linked article dated “February 22, 2017 05:50 PM.”
Let's say that 2 days later, at least Avast and Bitdefender are utterly useless. Of course, as stated here, Avast manages to block the ransomware on execution, with no file getting encrypted, but why can't it be caught by signature (i.e. statically), not only by behavior?
EDIT: OK, I checked again at 2017-02-23 19:15:04 UTC, and Avast finally recognizes it as Win32:Malware-gen, but no sign from Bitdefender (hence Ad-Aware and F-Secure are also hopeless), nor from GData.
EDIT2: Oh well, at 2017-02-24 05:13:04 UTC, Bitdefender has it as Trojan.Generic.20473595 (and Ad-Aware, F-Secure, GData, eScan too, as they use Bitdefender's signatures). They took their time, didn't they? Busy times in Romania…
I discovered a situation from March 2016 when, for that particular day and that particular obfuscated JS downloader that presumably attempted to download a ransomware, almost everyone had signatures (even Microsoft and Panda had!), but Kaspersky and MBAM were… innocent! This is the analysis.
In practice, Kaspersky (and ESET-NOD32) would delete any such file arriving as an e-mail attachment, but not as the result of a scan: the mere fact that such a JS (usually zipped) comes as an attachment triggers the action. So the signature only matters when such a file is encountered some other way, such as through a direct download.
While Kaspersky (and MBAM, and others) might also catch it upon execution, behavior-based, there's no such guarantee. So one might wonder how some major security solutions can fail to add signatures for malware when most other vendors, even those not reputed for trustworthiness, fare better.
More about cruelsister, from a comment she made on her video Comodo Firewall 10 against the Serpent:
So she basically trusts Comodo Firewall's automatic sandboxing, not to mention that any malware nowadays tries to establish a remote connection. She doesn't feel the need for a "real antivirus" (she recommended Qihoo 360 several times in the past, but apparently she herself can live without it). I don't quite agree with using Avast as supplementary protection; why not Avira? Also, while Kaspersky is good when you don't use Comodo Firewall, Emsisoft has an even more powerful behavioral analysis, or at least that's how I see it.
As for her recommended CF configuration, it’s all here: Comodo Firewall 10 Setup. Too bad she couldn’t be bothered to describe the configuration in a short text–I hate videos, and I hate video podcasts and all that shit. What’s wrong with the people who are unable to fucking write a text instead of making a video?!
Bottom line: from cruelsister‘s security solution “Comodo Firewall + Qihoo 360” I selected Qihoo 360, but maybe I should have selected Comodo Firewall.
Let's make sure we understand this: signature-based security solutions are dead. OK, but I don't like sandboxing, and I like even less the cumbersome solutions offered by Comodo, even if it's only the firewall (with auto-sandboxing, a cloud malware database, HIPS and… a firewall). I would rather stress behavior-based protection (HIPS and the like), especially for 0-day malware, and good behavior triggers can be found (not counting Comodo) in Emsisoft Anti-Malware, Kaspersky and… Qihoo 360.
As I have used all these products in the past, I'd definitely ditch Comodo for its verbosity. Even a seasoned professional might accept an action that should be denied, simply because when confronted with too many pop-ups, one's discrimination tends to diminish. At the opposite end, while Kaspersky has better behavioral capabilities than e.g. ESET or Bitdefender, it still doesn't filter as many actions as Qihoo 360 does. When using the Chinese antivirus, almost every attempt to write to the Registry or to a system directory triggers a warning; more important, attempts to hijack processes, e.g. through code injection, are promptly blocked. (Annoyingly, when a program adds itself to HKLM:Run, Qihoo 360 only informs you, without offering the option to block the action.)
Emsisoft’s behavior blocker is a better mix of what Kaspersky and Qihoo 360 do: more pop-ups than Kaspersky, but with a better design than Qihoo’s, so that taking the right decision seems easier. Still, I’m not willing to pay the price, and I hate that it uses Bitdefender’s signatures, so that a very dangerous ransomware can be labeled as nondescript as “Trojan.GenericKD.4491937” (to be fair, stupid names can be encountered in other products too, e.g. Avast with “Win32:Malware-gen” or Qihoo 360 with “Trojan.Generic” or “HEUR/QVM03.0.0000.Malware.Gen”). And I miss Kaspersky’s “not-a-virus” labels for cracks, keygens or admin tools (e.g. “not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen,” “not-a-virus:PSWTool.Win32.PassView.vik,” “not-a-virus:RemoteAdmin.Win32.Ammyy.xmr”). Should Emsisoft be able to use Kaspersky’s signatures instead of Bitdefender’s…
But Emsisoft has its own engine too, marked "(A)" in VirusTotal's detections, whereas Bitdefender-based detections in Emsisoft are marked "(B)"; the product is good, it's just not my cup of tea. I simply don't feel like paying for "protection" (sounds like the Mafia, right?). I never got infected, no matter how crappy the security product I was using.
And I also hate the "security suites" or any "antivirus" that tries to block URLs. Blocking based on a list of "malware-hosting URLs" is even more dead than the security pundi[dio]ts want to accept: a URL is a much worse indicator than a signature! It's like labeling a building "Everyone inside is a whore" when not everyone inside is a whore, and next door there are unknown whores too. Just fucking let me access the site and download the requested files (be they HTML, JS, ZIP or EXE), then analyze them! (And no, I don't need "phishing protection"…)
So I keep exploring "simple" protections that mix signatures and HIPS/behavior analysis. Qihoo 360 is however pissing me off because TSE is always left behind (program version: Aug 10, 2016), while TS is more and more of a bloatware. Also, I cannot decide between Avira's and Bitdefender's signatures (using both is overkill and increases RAM usage significantly during on-demand scans), as both sets lag behind (Qihoo doesn't pull the very latest ones even when an update is forced; it must be a policy of Avira and Bitdefender to delay releases to third parties); as for Qihoo's own engine, it's good for some 0-day attacks, for obfuscated scripts or documents with malicious macros, but it doesn't include that many signatures. Qihoo's main asset remains the behavior monitoring…
Well, possibly against common sense, I decided to give a try to… Panda Free Antivirus 18.0! The UI changed for the better in version 18 (some say for the worse, but I disagree), and the app now calls itself Panda Protection. Yes, it does have some "Behavior analysis" and "Behavior blocking", and a "Process Monitor" with "Monitor the URLs accessed by each process", but I just don't know how effective it is!
So far, I've found that, unlike previous versions, it doesn't have any negative impact on my laptop. Obviously, I didn't install Panda Safe Web. I also found that, again unlike previous versions and unlike Bitdefender Free Antivirus even in its latest update, it never actually deletes a file without putting it in quarantine first. "Ask before neutralizing a virus" is still ignored at times, but at least quarantining works (Bitdefender Free often fails to quarantine and simply deletes the file).
Of course, Panda is far from being what it was before the Cloud-based overhaul that started in 2009 with Panda Cloud Antivirus 1.0. The old, “traditional” Panda AV never had a free edition and it became a huge CPU hog, but it was nonetheless a solution that I favored at the time, when even Kaspersky and TrendMicro were designed as if your system’s CPU and RAM were dedicated entirely to the AV!
It’s difficult to assess Panda’s free AV. I don’t have any virtual machine on my laptop, so I cannot test whether a malware that’s not detected by signature is blocked by behavior before anything bad happens.
Besides, Data Shield is not included in the free edition, and it's not even mentioned by name as a reason to upgrade! Seriously, how do these morons manage to sell even one single license for non-corporate products?! Either way, it's not such a great thing: it only monitors the folders specified by the user. (Kaspersky Anti-Ransomware Tool for Business is even more of a fraud: I thought it monitored some folders by default, e.g. Documents and Pictures, and made copies of modified files when something felt suspicious, because it claims to be able to roll back such encryption actions. Tests revealed that it actually fails quite often, leaving a few unrecoverable files, and that it also relies on signatures, both local and from the cloud!)
So I'm using Panda for a while. Let's see what comes of it.
On-demand scans can still stop before completion, and Panda's developers have no clue why. I suspect that the scan doesn't actually stop and only the UI fails to update, but I can't be sure yet.
One bad thing: submitting undetected or suspicious files is not encouraged in any way, the opposite of the pre-2009 approach. I submitted undetected malware strains to virussamples@pandasecurity.com (zipped with password "panda") only to see that it took them about 2 days to add the detection to their database, so I take it that submissions are ignored. (I remember how in 2003 or 2004 I submitted an unknown malware to Panda, received feedback, and a couple of hours later updated signatures were available. Those were the "good old times"…)
Another bad one: the account created for the antivirus (it's optional, but it also lets me activate the anti-theft feature in Panda for Android) is not connected to their forum, which is a crappy phpBB thing. I tried to create an account there twice (with two different e-mails), yet I never received the activation mail! "Resend activation e-mail" didn't do anything either. No wonder their forum is such a silent place…
Speaking of their support forum (not the support for paying customers): all the replies from Panda's employees come from… a single employee, Jorge Torre (Jorge Torre Riaño, actually). Strange for a company that claims to have 1,500 employees in 54 countries; most likely 99% of them are Marketing and Sales, then there are a dozen people who develop the product, then… our Jorge Torre. (Customer support must be an outsourced service, but I suspect it counts toward the 1,500 headcount.)
The hilarious thing is that they not only decided they can afford a single 3rd-level support technician for the free product, but they also failed to provide him with anything but Spanish-language (virtual) machines! No English Windows installations are available to him, as revealed here, where the topic is the labels of the configuration checkboxes in Task Scheduler: «Sorry, I don't have a machine with the operating system in English, so the translation may not be accurate.»
Several days into living with Panda Free Antivirus 18.0, I could only notice that it doesn’t bother me much, but also that it’s slow to add signatures.
Let’s put it straight: while there are so many smart and competent IT security experts out there (where?), the IT security companies that develop signature-based products must be employing morons for such tasks! Or is it that their bosses are mentally retarded? Traditionally, “antivirus maker companies” were known to set “honeypots” to catch malware. Beyond that, there are so many places that index the latest malware (or just suspicious binaries and URLs) that collecting and analyzing them should be a child’s play!
One doesn’t even need to have an expensive infrastructure to identify the newest malware. Really, there are several known sites where registered people can download hot malware samples. 0-day stuff, like. There are also forums where people discuss how badly the AV react to the newest malware strains. There are also agreements with VirusTotal, so that the submitted samples can be sent to AV makers. Then anyone can submit files for analysis e.g. to Payload Security.
Now, when someone sees in this analysis the 10 screenshots proving we're dealing with a ransomware (or a trojan that tries to act as one: there's no info about the files that were actually encrypted), what's Panda's excuse for missing this sample even 44 hours after it was first submitted to VirusTotal, when even Microsoft detects it as Ransom:Win32/Shieldcrypt.A? (Qihoo 360 also fails to detect it by signature.) Of course I can't tell what it does on execution, but what the heck, even Microsoft detects it on sight!
For another ransomware (enjoy the 8 screenshots), most products detected it within 24 hours, except for Avira, Microsoft, and Panda. Avira needed some 12 more hours, whereas Microsoft and Panda needed more than 2 full days.
A simpler trojan was initially detected mostly by Baidu, F-Prot and Qihoo 360. Some 40 hours later, Qihoo 360 had somehow "lost the signature" (it still doesn't detect it, except maybe on execution), but most vendors listed it as malware. AVG (Inject3.BYUM) needed 12 extra hours. Microsoft (Trojan:Win32/Injector.CB) needed another half day. Panda (Trj/GdSda.A) needed an extra half day, and the signature is quite generic, being shared by both "mediocre trojans" and some ransomware strains!
As for this one, I don’t know what to think of it. It doesn’t do much, but it still should be blocked. Some detection names: ESET-NOD32 (a variant of MSIL/Kryptik.EMQ), Ikarus (Trojan.MSIL.Crypt), Kaspersky (Backdoor.MSIL.Bladabindi.fmr), MBAM (Backdoor.NJRat), Microsoft (Trojan:Win32/Dynamer!ac). Who doesn’t detect it? Well… Bitdefender (and Emsisoft, not even with its own engine), Panda, Qihoo 360, Symantec…
I’m not paid to test such things, so again: I don’t test the behavior “shields” against such malware. I’m just fed up with the incompetence of all those who are trying to make us pay for their lamentable “protection”…
Yet, I’ll still be with Panda for a while. Just for a little while…
Oops, I missed it:
I just discovered a useful bit of info in a Ukrainian review (written in Russian) of Panda Free 18.0.
The reviewer downloaded two malware files that Panda did not detect by signature, but then, on execution… "my jaw dropped," he wrote (at least, that's how Google translated it): the files were quarantined right away, classified as "high-risk" by some proactive technology. Further tests revealed that the actual blocker was neither "Behavioral blocking" nor "Behavioral analysis"; was it the "collective intelligence" of the cloud? But why only on execution?
However, if the downloaded files are copied to a virtual machine, they don't get the same treatment and therefore aren't blocked. Apparently, downloaded files are considered more suspicious than other files, but the reviewer didn't check whether the files transferred to the virtual machine still carried the Zone.Identifier ADS (the NTFS alternate data stream that holds the "mark of the web").
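Since the reviewer did not check for it, here is an added Python example (mine, not from the review or from Panda) that parses the Zone.Identifier stream and reads it from a file on NTFS, so one can verify whether a sample carried into a VM still has its mark of the web. The stream content below is constructed and the URLs are placeholders; the zone numbering is the one Windows uses for URL security zones.

```python
import sys

# URL security zone numbers as written into the mark of the web.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed example of what the stream holds for a mail attachment saved by a
# browser; the hostnames are placeholders, not from any real sample.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://webmail.example.test/inbox
HostUrl=https://webmail.example.test/attachments/invoice_2017.zip
"""


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream into a dict.
    Returns {} when there is no [ZoneTransfer] section."""
    section, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
        fields["ZoneName"] = ZONES.get(fields["ZoneId"], "unknown")
    return fields


def read_mark_of_the_web(path):
    """Read a file's Zone.Identifier ADS on NTFS: the stream opens like a file
    with a ':streamname' suffix. Returns the parsed fields, or None when the
    file has no mark of the web (or the filesystem has no streams at all)."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def is_from_internet(path):
    """True when the file is marked as coming from the Internet or Restricted zone."""
    motw = read_mark_of_the_web(path)
    return bool(motw) and motw.get("ZoneId", 0) >= 3


if __name__ == "__main__":
    print("sample stream ->", parse_zone_identifier(SAMPLE_STREAM))
    for p in sys.argv[1:]:  # e.g. python motw.py C:\Users\me\Downloads\invoice_2017.zip
        print(p, "->", read_mark_of_the_web(p), "from internet:", is_from_internet(p))
```

Run it on the copy inside the VM: if it prints None, the ADS was lost on the way (anything that is not NTFS end to end drops it: FAT/exFAT sticks, a Linux-hosted shared folder, many VM transfer tools), and a product that keys on the mark of the web will treat the sample as a local file. Only then can one say whether "downloaded files are more suspicious" is the explanation.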
Otherwise, Panda failed a number of intrusion tests, but most security products fail SpyShelter’s security test tool, and almost everyone fails the keylogger test!
I’ll keep using Panda Free 18.0 for a while. So far it’s still light and smoother than older versions (I guess the last one I tested was 16.1). I really need to find a way to test the behavioral protection…
The easiest ransomware simulator test was to run KnowBe4’s RanSim (downloaded from MajorGeeks). It works by simulating ten types of infection scenarios (InsideCryptor, LockyVariant, Mover, Replacer, Streamer, StrongCryptor, StrongCryptorFast, StrongCryptorNet, ThorVariant, WeakCryptor). In each case files with random names and probably variable contents are used, so that they wouldn’t be identified by signature.
An important point that many people ignore: many AVs would block, quarantine or delete one or more of RanSimSetup.exe, RanSim.exe and Launcher.exe. These files need to be whitelisted in order to run the test! In my case, I had to restore from quarantine and whitelist Launcher.exe and DataCollector.exe.
Panda passed the test successfully, with no vulnerabilities, which suggests that its behavioral shields work!
The 2 yellow “false positives” are not FP, as explained by cruelsister here: blocking a script that deletes files and a script that attempts to archive files via gzip (with password) is a good thing.
The two so-called FP are the 1st and the 5th in the quarantined items below:
Still, as in the aforementioned Ukrainian test, disabling the two behavioral switches didn't change the results: so how were these scripts blocked? I suppose many more false-positive test scenarios are needed, with really innocuous scripts that an AV shouldn't block…
There is one problem with Panda: it doesn't update itself to version 18.01.00. This update was released on March 6, yet Panda 18.00.00 simply ignores it. (People complained that Panda didn't update from 17 to 18, and Panda 18 is equally dumb.)
I found by accident that a newer version of Panda is out, and I searched for an updated Setup. Confusingly enough, both the online installer PANDAFREEAV.exe (1.9 MB) and the full installer FREEAV.exe (55.9 MB) are at version 15.14.3.0, with no indication of what they’re going to install (if you extract the contents, you’ll find the version inside), and this adds to the confusion.
I had to uninstall the old version, reboot and install again from scratch. Not the best possible scenario, eh?
The only novelty I noticed was the addition of “relevant security news” (pretty useless) to the “Panda news” (which should be disabled, as it prompts you to upgrade to the Pro version).
I just noticed how ESET-NOD32 totally failed KnowBe4’s RanSim test in December 2016 (VULNERABLE 10/10), and how they are trying to downplay it here and here.
They claim (1) that the AV shouldn't consider the scripts generated by RanSim as malware (but it should!) and (2) that RanSim and the like are flawed because "they are simulating post-ransomware infection behavior" (but this is wrong!). Opening a DOCX infected with a new ransomware strain is a 0-day situation, and the infection only occurs when macros are enabled, as Word suggests! There is a difference between "an infected document is saved on the disk" and "a malicious script attempts to run from within such an open document"!
Idiots. Morons. I’ll never consider again ESET-NOD32.
Remember the ransomware I wrote about on February 23rd, first submitted on the 22nd, which two weeks later almost everyone agrees is "The Trump Locker"? Here's the VT analysis.
And here’s what Reason Core Security 2.0, scanning by (1) Signature analysis, (2) Heuristic analysis and (3) Cloud analysis had to say about it (on-demand scan):
Another useless commercial product. Again, even Microsoft’s built-in security product detects it!
On the other hand, I guess I'll stay with Panda for some more time for one more reason: while using Qihoo 360, Revo Uninstaller Pro always failed to create a full Registry backup and a System Restore Point, although there was no pop-up whatsoever; I guess Qihoo was silently blocking such actions, for some weird reason. With Panda, Revo works as expected.
> With Panda, Revo works as expected.
Here, with Emsisoft, Revo works also as expected. 😉
Bizarre for Qihoo…
I have (sort of) monitored how Panda reacts to new ransomware strains, and I was quite disappointed. It typically needs much more time than most of the major security vendors to identify by signature the newest malware; sometimes, several days.
E.g. for the 17 strains of malware that were lately known to Payload Security as being spread via the domain mbfce24rgn65bx3g.2kzm0f.com, the results were generally disappointing for many vendors. The most reactive ones were Avira, Kaspersky and Bitdefender. A bit of a tie between Avira and Kaspersky, but maybe Kaspersky’s behavioral monitoring would have helped (Avira doesn’t really have HIPS); and Bitdefender was really in 3rd place. Here too, maybe Emsisoft’s HIPS, added to Bitdefender’s signatures, offers better protection than suggested by VirusTotal. Heck, maybe even Panda would have reacted on execution to some of them–I just noticed it protested when I launched a patcher that wasn’t identified by signature!
Knowing how many anti-ransomware products fail in practice… I wouldn’t trust the behavioral/HIPS modules of any product! (Several anti-ransomware tools are setting “honeypots” by creating documents that should be encrypted before the real ones, but this stupid technique is useless against recent ransomware strains.)
Remember when I said that blocking by URL is stupid? The aforementioned domain isn’t known as malicious to most vendors, see here.
A side note: when, 11 hours after the initial detection, Kaspersky changes the detection from “UDS:DangerousObject.Multi.Generic” to “Trojan-Ransom.Win32.SageCrypt.adl”, it means that the initial detection was pure luck, not a real detection. In contrast, when Qihoo acknowledges that something is ransomware, they normally enhance the pattern for e.g. “HEUR/QVM03.0.0000.Malware.Gen”–not the worst that can happen, the worst being Avast, which detects as “Win32:Malware-gen” both lethal ransomware and innocuous cracks/patches/keygens (such as those ignored by Kaspersky or identified as “not-a-virus:” or labeled by Malwarebytes as “RiskWare.Tool”) and doesn’t bother to change the detection.
As I watched cruelsister’s new test of a new release of RansomFree (FAIL, obviously), I wondered what I should really use. Maybe I should really start with cruelsister’s Comodo Firewall–the crux in her view.
I dug more on what cruelsister had to say on security.
On Kaspersky Anti-Ransomware:
On Comodo Firewall:
On sandboxing the browsers (something I hate and BTW, some versions of Comodo are known to crash Chrome when sandboxed):
Again, Comodo Firewall:
On VoodooShield, AppGuard, Comodo Firewall (March 7, 2017):
I have serious objections to using VoodooShield, and the price is only one of them. I agree here with Neil J. Rubenking that the local sandbox is almost useless, “as any application that requires Administrator-level access won’t function properly in this sandbox,” and the “Cuckoo sandbox” is brilliant, but slow: “I found the sandbox scan fascinating, but the average user almost certainly would not. There’s no requirement to use Cuckoo, fortunately.”
Maybe I need to try VoodooShield one more time and see whether the features available for free are helpful enough.
AppGuard is commercial-only, and I remember it didn’t convince me.
Comodo Firewall… OMG, the only good product in the mess made by Comodo! I mean, their AV has totally useless signatures. And this is not everything that’s wrong with Comodo. Their HIPS is a totally different thing from the “Behavior Blocker”–which is actually the “Auto-Sandbox”, as explained here: with HIPS disabled, the HIPS will still activate on unrecognized files that do not fall under the “Behavior Blocker” rules!
A last quote from cruelsister:
Hum, HIPS can sometimes be very effective… but not against ransomware.
Shopping list:
1. VoodooShield in free mode.
2. Comodo Firewall with cruelsister’s settings (are these still OK?).
3. If no AV, Registry hack to prevent Windows Defender from getting enabled, plus Registry hack to prevent Windows from complaining about no active AV. Alternatively, short of going back to Qihoo 360, maybe I could keep Panda Free?
I don’t know what is cruelsister smoking, but VoodooShield seems developed by people with a mental handicap.
First, schtasks.exe (Task Scheduler Configuration Tool) must be digitally signed by Microsoft, and everyone has this file anyway. Besides, if the verdict is “Safe” (see the pic), then why the heck is BLOCK recommended?!
Oh my, rundll32.exe isn’t digitally signed either?! Being part of a command-line command, they want me to block it too!
Bitnami’s WAMP stack is declared safe, but despite that, there’s a 1/56 detection, labeled “False Positive”–not that this would matter! OK, allowing it to run is deemed “acceptable”…
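The signature question raised for schtasks.exe and rundll32.exe above is something anyone can verify locally. The following is an added example, not code from the post or from VoodooShield: it reports the Authenticode status of the two binaries with the built-in `Get-AuthenticodeSignature` cmdlet, including whether the signature is embedded in the PE file or comes from a Windows security catalog (the `SignatureType` and `IsOSBinary` properties, available since PowerShell 3.0 on Windows 8 and later). The default paths assume a standard `%SystemRoot%\System32` layout.

```powershell
# Added example (not from the post). Checks Authenticode status of system binaries
# and distinguishes embedded signatures from catalog signatures.

function Get-SystemBinarySignatureReport {
    param(
        [string[]]$Path = @(
            "$env:SystemRoot\System32\schtasks.exe",
            "$env:SystemRoot\System32\rundll32.exe"
        )
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'FileNotFound'; SignatureType = $null
                               Signer = $null; IsOSBinary = $null; Thumbprint = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path          = $p
            Status        = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError ...
            # Authenticode = signature embedded in the PE; Catalog = vouched for by a
            # signed .cat file under %SystemRoot%\System32\CatRoot; None = unsigned
            SignatureType = $sig.SignatureType
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            IsOSBinary    = $sig.IsOSBinary      # $true when Windows recognises it as an OS component
            Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

function Test-MicrosoftSigned {
    # Convenience predicate: valid signature whose signer subject is Microsoft.
    param([string]$FilePath)
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    return ($sig.Status -eq 'Valid') -and
           ($null -ne $sig.SignerCertificate) -and
           ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Usage
Get-SystemBinarySignatureReport | Format-Table -AutoSize
Test-MicrosoftSigned "$env:SystemRoot\System32\rundll32.exe"
```

Most Windows system binaries are catalog-signed rather than carrying an embedded signature, so a tool that only parses the PE file's security directory will report them as unsigned even though `Get-AuthenticodeSignature` (or Sysinternals `sigcheck`) shows them as valid. The other side of the coin is that a valid Microsoft signature only says who built the file, not what a script that invokes it will do, which is why some application-control products treat these particular binaries with suspicion regardless of their signature.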
Going beyond this crap I’ve met before, I happened to find a video from Feb 27, 2017 showing how VoodooShield 3.52 fails when facing a specific ransomware! The official replies from VoodooShield:
Yeah, sure, your product is perfect, but it lacks self-protection, so it can be bypassed if specifically targeted. How lame is that? The author of this exploit notified VoodooShield 10 months ago, yet nothing changed!
“We both know that this script never put anyone at risk” is just BS.
I thought that I’ll end up using Comodo Firewall with Panda Free, but it might not be the case.
While using Comodo Firewall (Firewall: Safe Mode; Auto-Sandbox: Enabled; HIPS: Safe Mode; Viruscope: Enabled; Website Filtering: Enabled), I wasn’t bothered too much by its pop-ups, and I actually appreciated how it automatically intercepts all kinds of actions I’d actually want to prevent (e.g. an uninstaller calling back home to tell I uninstalled their crappy app–why do the fuckers need to know I removed their shit?).
I might uninstall it though. On occasions, I noticed a certain system sluggishness. Not a slowness in accessing Web pages. Not a slowness in the Internet speed. Not a slowness in programs that are network-centric. A general, unexplained way of explorer.exe hanging up for 1-2 seconds, then taking the delete command for the wrong folder. What the fuck has Comodo Firewall to do with a local file manager?
I noticed in their forums a thread from May 2016 where a certain Antone was complaining as follows:
Go figure, it was not the antivirus, but the firewall! Maybe it was the HIPS component. Maybe I was too fast in manipulating files and folders and it thought I might be a malware (ransomware?), but the behavior I noticed at that point with Windows Explorer is unacceptable.
On the other hand, if Comodo Firewall’s presence is noticeable–something which doesn’t come as a surprise: it was always this way with their products–this version of Panda seems to have no impact on the system. Forget the crappy AV Comparatives or AV Test reviews that say Panda slows down the system–it doesn’t. And, unlike past versions that gave me BSODs with Win7 and Win8.1, this one didn’t bother me in the least so far.
Sure thing, the level of protection it provides is rather mediocre. Not knowing what are the useful extras in the Pro edition, I read Neil J. Rubenking’s review of Panda Antivirus Pro (2017) (which is an updated version of the review from last year; the UK edition of the site is generally half-broken, and in this case it shows the text for 2017 with the title and rating from 2016!). Here’s an interesting thing under “Pro-Only Features”:
So basically this is a sort of a general app blocker aka “anti-executable”–in the line of AppGuard, VoodooShield, NoVirusThanks EXE Radar Pro–that can block everything that is not known by Panda as being safe. A great configuration e.g. for your kids, parents, etc.–but also the most effective 0-day protection! (It won’t help though those who’d like to run a crack, patch or keygen…)
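The “block everything not known to be safe” approach described above is not specific to Panda, AppGuard or VoodooShield; Windows ships the same idea as AppLocker. The following is an added example, not Panda’s Data Shield and not code from the post: it builds an allow-list policy from the publishers (and, for unsigned files, the hashes) of the executables found under the Windows and Program Files directories, so that once enforced, anything launched from %TEMP%, %AppData% or a downloaded ZIP is denied by default. It assumes an elevated shell, a Windows edition that enforces AppLocker (Enterprise/Education, with the Application Identity service running) and the standard `%SystemRoot%` / `%ProgramFiles%` locations; the output file name is a constructed placeholder.

```powershell
# Added example (not from the post, not Panda's Data Shield). Requires an
# elevated PowerShell and an edition that enforces AppLocker. Builds a
# default-deny allow-list for EXEs from the trusted directories, in audit mode.

function New-DefaultDenyAppLockerPolicy {
    param(
        [string[]]$TrustedDirectories = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$OutFile = "$env:TEMP\allowlist-policy.xml"   # constructed placeholder path
    )
    # Gather publisher/hash information for every EXE under the trusted roots.
    $info = foreach ($dir in $TrustedDirectories | Where-Object { $_ -and (Test-Path $_) }) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
    # Publisher rules survive updates of signed software; hash rules cover unsigned files.
    # Every EXE without a matching allow rule is denied once enforcement is on, so
    # this policy is the allow-list and everything else is blocked by default.
    $xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
        -RuleNamePrefix 'Allow' -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
    # Start in audit mode: decisions are logged (AppLocker event log) but not enforced.
    $xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

function Test-PolicyVerdict {
    # Dry run: what would AppLocker decide for these files under the given policy?
    param([string]$PolicyFile, [string[]]$Path)
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage: build the policy, check a couple of verdicts, then apply (audit mode).
$policyFile = New-DefaultDenyAppLockerPolicy
Test-PolicyVerdict -PolicyFile $policyFile -Path @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Format-Table -AutoSize
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Two things to keep in mind when reading the verdicts: a publisher rule matches wherever the file lives, so a Microsoft-signed binary copied into %TEMP% is still allowed (that is the intended trade-off against path rules, which are trivially defeated by copying); and the policy above only covers the `Exe` collection, so scripts, DLLs and installers need their own collections (`-FileType Script, Dll, WindowsInstaller`) before the setup matches what the post calls an anti-executable. Watch the `Microsoft-Windows-AppLocker/EXE and DLL` event log in audit mode for a while before switching `EnforcementMode` to `Enabled`.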
But it’s in the Pro editions of Panda, which are several and confusing: Panda Antivirus Pro aka Basic Protection, Panda Internet Security aka Advanced Protection, Panda Global Protection aka Complete Protection, Panda Gold Protection aka Premium Protection (two editions also available as a monthly subscription). Unfortunately, Data Shield is not available in Panda Antivirus Pro, so Panda Internet Security is the minimum edition worth paying for! But let’s not forget that Panda has an abysmal customer service. Maybe they’re typically too busy to create alternative names that would confuse the user: Global, Complete, Gold, Premium, which is what?!
Pfff. What crap all these products, and what issues are these questions…
A simple solution: use Linux or BSD! And no more problems like these… 😉