Jump to content

Anti ransomware - giving a false sense of security


Recommended Posts

Hi,

I tested MBAM against Wanacry.

With all shields enabled, MBAM will quarantine Wanacry upon execution ; nothing spectacular so far, each and any antivirus would do that.

With all shields disabled  , except "Ransomware protection", MBAM would automatically quarantine Wanacry as "Malware.Ransom.Agent.Generic" , AFTER SEVERAL FILES WERE ENCRIPTED ALREADY.

Is this how "Ransomware protection" should work????

Thanks!

 

Link to post
Share on other sites
  • AdvancedSetup changed the title to Anti ransomware - giving a false sense of security
  • Root Admin

Hello @lock

Though you mean well I'm sure, I would ask that you please fully read and try to understand how your testing proves nothing, and was the type of methods used a decade ago. This article only scratches the surface of why your testing method does not work and actually wastes your valuable time.

Third-Party Testing & Antivirus Replacement

I know you've heard it before as I've seen you in discussions about how your methods of testing are not proving anything, yet you continue using old methods. Please take the time to actually read and try to understand why the old ways just are not relevant today.

7 hours ago, lock said:

Is this how "Ransomware protection" should work????

 

No, ALL the Protection Modules should always be running. Would you flatten 3 of your 4 tires and try to go on a road trip and then blame the tire manufacturer that your one remaining good tire went flat from the strain of trying to take on the load of the other 3?

 

 

Thank you

Ron

 

Edited by AdvancedSetup
Link to post
Share on other sites

Hi Ron,

Thank you for your answer!

MBAM has 4 distinct individual shields (Web, Exploits,Malware, Ransomware)   which can be selected individually. These shields have been developed and sold as "stand alone" protections until recently , when they have been incorporated in the same "unit", MBAM 3.0

In fact , Exploit is still delivered as Perpetual Beta, and is expected to perform as such, without other shields.

I see the test perfectly valid, I tested the Ransomware  shield against a Ransomware , nothing else.

Hiding the inefficiency of Ransomware Protection behind the other shields, and hoping that somehow they will catch the ransomware by "definitions" , doesn't serve anyone.

 

In fact, in the second part of the test , the Ransomware protection worked quite well , using a behavior mechanism, and detected Wanacry as "generic" , which is perfect, tells me that indeed, is the behavior mechanism which detected it and not some short of definition.

The only problem: a few files were encrypted ( 4 .docx  files) before the Ransomvare shield reacted. Is this how "Ransomware protection" should work????

Link to post
Share on other sites

Additional information:

Here is how  Neil J. Rubenking  performs his testing for PC Mag, regarding "The Best Ransomware Protection of 2017"

https://www.pcmag.com/roundup/353231/the-best-ransomware-protection

Testing Anti-Ransomware Tools

"The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is simpler when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component."

 

"If Trend Micro Antivirus+ Security detects a suspicious process attempting file encryption, it suspends the process, backs up the file, and keeps watching. When it detects multiple encryption attempts in rapid succession, it quarantines the file, notifies the user, and restores the backed-up files. I couldn't specifically test this feature when I reviewed Trend Micro, because it's not possible to turn off other layers of protection and leave only the behavior-based system, but my contacts at the company assure me this is how it works."

 

So, is a clear cut procedure: turn off all other layers of protection and leave only the specific shield you want to test.

 

Thanks!

 

 

Link to post
Share on other sites
  • Root Admin

Not going to argue with you @lock you can do as you wish but you and Neil as well as many others are doing a disservice to any viewers that watch your testing. Yes, we did better than the others in your test, but it's still not even close to an accurate test for any of the products.

If you'd actually be interested in learning how to test I can have someone contact you to discuss further.

Cheers

Ron

 

 

 

Link to post
Share on other sites
4 hours ago, AdvancedSetup said:

Not going to argue with you @lock you can do as you wish but you and Neil as well as many others are doing a disservice to any viewers that watch your testing. Yes, we did better than the others in your test, but it's still not even close to an accurate test for any of the products.

If you'd actually be interested in learning how to test I can have someone contact you to discuss further.

Cheers

Ron

 

 

 

Hear, hear ! 

Link to post
Share on other sites
9 hours ago, AdvancedSetup said:

If you'd actually be interested in learning how to test ...

Hi AdvancedSetup,

I may agree with you that I, as an average user , do not know how to test MBAM.

But to claim that everybody out there ( AV Comparatives, AV Test, PC Mag) is testing MBAM in wrong way,  is a little bit too much.

Some of them were in business for so many years and are the "standards" in testing security solutions.

And over 20 security solutions  are comfortable with the methodology used....

 

Link to post
Share on other sites

Perhaps it is like you. They are comfortable in what they have always done. Plus of course editorial in magazines has to viewed with some caution.. Take a bold step forward and prepare to learn from experts in the real world, when it is offered to you.

Link to post
Share on other sites
On 12/2/2017 at 5:48 AM, lock said:

MBAM has 4 distinct individual shields (Web, Exploits,Malware, Ransomware)   which can be selected individually. These shields have been developed and sold as "stand alone" protections until recently , when they have been incorporated in the same "unit", MBAM 3.0

When the ransomware element was first developed as a standalone entity, it was always a weak sieve and could never exist as a standalone product. When it was rolled into v3 its weakness was shored-up by the remaining elements.

Link to post
Share on other sites
9 minutes ago, Telos said:

and could never exist as a standalone product

Could you elaborate, please? Do you have any proof of what are you claiming????

Even in v3, "Ransomware protection" is an individual shield which can be turned ON or OFF , regardless of the status of all other shields.

As I said, when I tested the "Ransomware protection" , I turned off all the other shields leaving active only this shield.

Wanacry was detected and quarantined by this particular shield , after has encrypted 4 files on my computer, which is great an expected for a module which is supposed to react based on behavior.

I was not interested to see if MBAM would protect me against an already known malware (Wanacry) based on definitions or web blocking.

All I wanted to know was if the behavior blocker from Ransomware protection works or not.

Link to post
Share on other sites
  • Root Admin
11 hours ago, lock said:

But to claim that everybody out there ( AV Comparatives, AV Test, PC Mag) is testing MBAM in wrong way,  is a little bit too much.

I didn't say just our product. They're testing the others wrong too. Because one works for a magazine trying to sell subscriptions does not make one an Expert.

Again, if you're seriously interested I can have someone contact you to assist you, but don't waste your time or their time if you don't have a LOT of time to set things up, learn, and do real testing. It is a very time consuming and potentially boring operation.

 

 

Link to post
Share on other sites
On 12/3/2017 at 1:21 PM, lock said:

Even in v3, "Ransomware protection" is an individual shield which can be turned ON or OFF , regardless of the status of all other shields.

You missed my point. What I was trying to say is that as a standalone program, the antiransomware element offered quite limited ramsomware protection. So yes it "exists" but would quickly be relegated to the dustbin if forced to stand alone.

Link to post
Share on other sites
2 hours ago, Telos said:

the antiransomware element offered quite limited ramsomware protection

The antiransomware shield is supposed to detect, strictly on behavior, a ransomware-like activity.

When the ransomware is new and not in web/malware database , this is when the antiransomware  shield should react, independently from other shields.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.