Monday, October 9, 2017

Who caught today's ransomware?

So, as readers of my blog will know, I am trying to find out who can trap malware, without having a signature for it, and without false positives. In other words, as it executes.

For today's test, I had a piece of ransomware, that had arrived in a buddies inbox yesterday. A quick check of its md5 on VirusTotal showed just a few sig detections.

I currently have ten products under test. They are the end-point versions of WebRoot, Kaspersky, Sophos, ESet, Avast, Symantec, Windows Defender, Panda, Avira, and Trend. I would have installed McAfee, except that it keeps barfing on one of the files it installs. It says mcmscins.dll, in the McTemp directory, is either not designed to run on Windows, or it contains an error. I tried calling their tech support about it, but the guy said he could find no record of that error. I expect this will sort itself out sometime soon, and I'll be able to add it to the test set, but that's a story for another day.

Five products missed it completely. One found a sig in memory, but it still got away, so that's really a miss. Two blocked it with a sig. Two found it with heuristics. I'll get to the names in a bit, but here's how the test works.

(1) I first run the malware on an unprotected Win7-32bit vm, and see what it does.
(2) All products are installed with default features. It is important to note that some products have extra features that can be turned on specifically to block ransomware by protecting some folders, but I am running with defaults.
(3) I don't update the signatures. The vms are only up for a minute or two, so most of the products don't have time to update, and I do that deliberately.
(4) Windows Defender is switched off in all vms, except, obviously, it's own test vm.
(5) To be fair, products could also have blocked the initial downloader, or even the website that it tried to reach for the ransomware. I did not test that, as it was outside the scope of this test.

Please remember that I am not knocking signature scanners, as they are an absolutely vital layer of defense, but with greater than a million new and unique samples every day, it's not possible to add sigs for them all. Remember also that, although within a few days most scanners will have had sigs added, some malware is changing every day, and only exists for one day. The real threat is not what was around a week ago. It's what's around today.

The MD5 of the malware under test is BE499852672E9A1E5D222427978EA421.

Please also remember that just because a product misses something today, it doesn't mean it's weak. Now, if it consistently misses, day after day, that might be a different story, but the world is a safer place if everyone gets stronger. The five that missed were Webroot, Windows Defender, Avira, Panda and Trend. The one that found a sig in memory (it named it Kryptic, iirc), but it still got away, was ESet. Two two that blocked it with a sig were Sophos and Avast. The two that caught it with behavior and/or heuristics, were Kaspersky and Symantec. Well done, lads. And lasses.

Let's see what tomorrow brings.

Cheers all.

No comments: