hake Posted February 11, 2020 ID:1361870 Share Posted February 11, 2020 I have just had the salutary experience of running Ransim by KnowBe4. 15 out of the 16 scenarios succeeded, i.e. my antiransomware failed. I am running MBARW build 278. Link to post Share on other sites More sharing options...
exile360 Posted February 11, 2020 ID:1361879 Share Posted February 11, 2020 Greetings, Thanks for the info. I'm not sure what methods are being used by the testing tool or how Malwarebytes' Devs and Researchers would expect MBARW to deal with simulations like this, however I will be sure to pass your findings on to the Product team for analysis. Thanks Link to post Share on other sites More sharing options...
LiquidTension Posted February 11, 2020 ID:1361880 Share Posted February 11, 2020 Hi @hake, What version of RanSim are you using? Could you provide a screenshot of your results please? Link to post Share on other sites More sharing options...
hake Posted February 12, 2020 Author ID:1362025 Share Posted February 12, 2020 The Ransim version appears to be 2.0.0.56 and is the latest version at this time. I suggest that you try it yourself. I have uploaded it to you. The key to extract from the zip file is 'knowbe4'. ransim knowbe4.zip Link to post Share on other sites More sharing options...
LiquidTension Posted February 12, 2020 ID:1362026 Share Posted February 12, 2020 (edited) The latest version of RanSim is completely unrealistic and does not simulate the behaviour that real-world ransomware typically exhibits. More concretely, the latest version of RanSim only encrypts files in a non-standard working directory inside %LocalAppData% (i.e. C:\Users\XYZ\AppData\Local\RSimulator\TestFolder\Tests\XX-Tests) and does not encrypt files in directories where real-world users’ files are typically found (e.g. Desktop, Downloads, Documents, etc.). Therefore, RanSim does not simulate real ransomware behaviour and therefore does not trigger our behaviour-based Anti-Ransomware detection engine. See the attached image. We have tested Malwarebytes Anti-Ransomware against all ransomware families that RanSim attempts to simulate, and we can confirm that we do detect and block (relying on behaviour, not signatures) the encryption activity of those ransomware families. The only exception is RigSimulator (which simulates a Monero mining rig) which is not ransomware. However, we detect the RigSimulator malware family with our rule-based anti-malware engine. Edited February 12, 2020 by LiquidTension Link to post Share on other sites More sharing options...
exile360 Posted February 12, 2020 ID:1362028 Share Posted February 12, 2020 Thank you for the clarification and additional details. Link to post Share on other sites More sharing options...
hake Posted February 16, 2020 Author ID:1362719 Share Posted February 16, 2020 I am sorry to have caused you guys to waste your time. It did occur to me that MBARW would have reacted as it was designed to do in the face of a real threat. Link to post Share on other sites More sharing options...
gonzo Posted February 19, 2020 ID:1363259 Share Posted February 19, 2020 Time not wasted. If you had not asked the question and showed concern, someone else would have. We got a chance to respond and everyone is a bit wiser now. Thank YOU! Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now