How did ransomware slip past MSE?

I'm running MSE on Windows 7, and earlier today this screen suddenly popped up showing a "Department of Homeland Security" message mentioning stuff about piracy, etc. and that I had to submit a payment of something like $250 to unlock my computer. It also turned on my webcam. Obviously ransomware.

I did a CTRL-ALT-DEL and tried to get to Task Manager, but Task Manager didn't appear. So then I did a CTRL-ALT-DEL and told the computer to Restart, and that's when the ransomware screen disappeared, and I saw a MSE popup saying that it had caught malware and was asking me to remove it. So I told it to remove it. But how did the ransomware screen pop up in the first place if MSE had caught it? Can malware actually run before MSE is able to detect and catch it?

 

Because MSE is a horrible product, with virtually no detections, or detections so bad it has been delisted by some test sites? It also lost certifications recently.

Frankly, it's useless.

 

Because you don't use multi-layered protection.

 

I don't think you'll get an answer to your question unless you can provide the sample to an MSE expert willing to analyse exactly what happened. The more important question is what unpatched/vulnerable software you're (presumably) running that allowed the ransomware to infect your system in the first place.

 

Ah, I haven't kept up. I know it used to be held in high regard, too bad that's not the case anymore.

Is there any sort of FAQ or something that lists the different layers you should have, along with suggested programs for each layer? I think that'd be easier than trying to go thru some of these threads (like the 1117 page "what's your security setup these days?")

I had Firefox open (latest version) and I wasn't visiting any shady sites. I was also running a Java app from my broker (TD Ameritrade) that lets me look at streaming stock quotes. Just checked the Java version - it is at update 9, but there is an update 10 available. Could it have come from my broker? Doesn't seem likely, but I guess it's possible.

I also ran scans on the other computers in the house, and one of them (a Vista PC) also had a ransomware on it, but it was in someone's download folder and I don't think it ever executed on that computer (or else the person who uses it would surely have come running to me in a panic). I wonder if one of the computers transferred the ransomware to the other computer? Both are running the Windows Firewall.

 

It misses one piece of malware and it is condemned as being useless.
Care to share which av you use which doesnt miss anything?

 

Because no signature based AV is perfect. . .

 

MSE has started to lose certifications, and is dropping rapidly on a few popular test sites. This is pretty much fact. It's fallen 'well below' industry average.

http://www.theregister.co.uk/2012/11/30/microsoft_security_essentials_loses_av_test_certification/
Microsoft Security Essentials, Redmond’s free antivirus tool for home users and business with up to ten PCs, can detect just 64 per cent of zero-day threats when running under Windows 7. That low detection rate has cost it the AV-TEST Institute’s seal of approval, a certification it hands out to products that meet 11 of 18 criteria it assess.

Me? I use bullguard, between the 2 engines (and 4 signature bases), hips, firewall, vuln scanner, and insane commtouch HTTP scanning, I have been unable to 'purposely' infect my test machine. Which is why I use it now. It also happens to score 99-100% on virtually every test (for the 2013 IS version). With 70%+ off, it's really cheap, and effective. Since you asked.

 

obviously MSE doesn't have an outbound FW, HIPS, HTTP scanner, so the comparison is not a fair one.

sure with my HIPS set to max, i am unable to infect my machine either. I just have to make ~50,000 clicks a year...

 

While not a fair comparison it's valid because many people only install one security software and don't think about how comprehensive the protection is.

 

MSE removed it. How is it useless?

Maybe MSE's behavioral engine detected it?

 

Agreed. Users need to realize that some products are more robust then others. Likewise, being robust doesn't necessarily translate into better production. Your product might have a (scanner, firewall, spyware blocker, etc.), but it don't mean nothing if most of those additional functions/features score low. Likewise, you may be thinking that using an array of security/privacy products is a great idea. I'll use this for the firewall ... this for the scanner, etc. If these products aren't compatible and configured to work alongside one another. Even then, product updates can be a headache. I've had computers crash simply because company A added feature X in the latest update. Later to find, that it doesn't work to well along company B's product. Your security/privacy don't mean nothing. User incompetence is the greatest threat to security ... followed by marketing gimmicks and disinformation.

Security Applications detect malicious agents at different stages. It's possible MSE was delayed in it's notification or detection of the malicious agent. Also, if the application is disabled or disrupted then the reboot may have given it the precedence (priority @start-up) it needed to squash the infection. Blind guesses without further detail.

 

MSE's cloud may have caught it since it doesn't look like it's signatures did. One of the raps on MSE is it catches stuff after it has done it's dirty work and dropped a load of other stuff, too. Sounds like there might have been cross-pollination in your local network. Sandboxie or Comodo firewall recommended for MSE.

 

Because its pure signatures and has no HIPS or sandbox to back up its signatures when something gets past that.

 

Ppl still blindly believe that MSE has any form of heuristics or cloud functionality... heuristics go as far as variants of existing known stuff and cloud is just a non existent tech in MSE.

Only explanation about the ransomware getting activated and MSE still displaying popup is probably the fact that it only caught a part of it. One component of the ransomware app. Hopefully the one which encrypts all the files and you'll only have to deal with its frontend thats suppose to scare the user...

 

It does have a cloud - used to be called spy net but version 4 changed the name - anyhow, you have to check a box to opt in to it, sends stuff in (maybe) to be analized or let's the user send samples in. Does it work? If it does it's usually too late to matter. Best solution - use something else.

 

Thats not cloud, thats just malware/suspicious submission. Something most has been doing for years. But you never get any actual feedback from this so called cloud. And thats why MSE is so poor in most of the tests.

 

I use a HIPS set to max and I only install software I can trust (Norton's reputation analysis helps here). This way I rarely see pop-ups.

 

What version of MSE (Client, Engine, Definitions etc.) were you running?
What are your MSE settings for updates and scans?
When was your last full scan?
What version of Windows 32 or 64 ?
How is your Windows Update set to update?
Do you check optional updates?

 

The forums are full of this exact question and only the AV in use being different. The bottom line is that no AV, none if fact, are capable of blocking all the malware that a user can encounter. By all means try other AVs but don't be disappointed if they all fail at one stage or another. As mentioned in 3rd post, you need a multi-layered approach; with updated OS and AV of your choice, with scripting blocked for all sites but untrusted ones and with a bit of common sense and general education of what and what is not safe to do on the net.

 

Delerious- From what you originally posted, it looks like MSE did its job well (if you were able to reboot and the machine was functional). The mechanism of action of Ransomware varies with the type of malware involved. It seems the type that infected your computer did something pretty easy to clear up.

All that the malware did was to open up a Webpage with the warning on it, and by the use of the WebBrowser Control set it to a TOPMOST attribute (the page will stay on top of EVERYTHING else on your desktop). So you can't kill the process by yourself it generated a script to kill both Taskmanager and Explorer- the cool thing is that a script was generated to keep both dead via an infinite loop. Not having a sandbox MSE could detect and delete the trojan but not prevent the script from running, thus your temporarily ransomed machine.

Anyway, MSE did destroy the malware and prevented the restart of the script. You really lucked out, btw. Most are a bunch worse than that one (my fav is the one that calls up shutdown.exe, and on reboot screws the MBR- without a sandbox you are lost with that one).

Merry Christmas!!

(ps- I just reviewed the above post and it almost seems that I approve of MSE. Although that is certainly not the case, my being infused with the spirit of the Joyous Holiday I'll refrain from calling it the Vile Piece of Trash that it is.)

 

I would have thought that if the download/install was true ransomware that once installed it would have been "game over". I have not seen true ransomware that can be killed with CTR/ALT/DEL and then removed by an av.

 

Thanks for the replies everyone, and happy holidays!

I am now looking into Sandboxie and EMET to expand my defenses. I've read about how Java has tons of security holes, but unfortunately I need it for one application so I cannot uninstall it.

I was wondering about how it worked. If all it did was open a webpage, could it still turn on my webcam? I didn't think you could activate a webcam with just HTML and Javascript. That makes me think an executable actually got run. I also ran a few MBR scanners and it doesn't look like my MBR got infected, so that's good. But still out of paranoia, I am reinstalling Windows right now!

 

It is simple . MSE is not a good product . Multilayered makes no difference . Condemned by missing one thing makes no difference . It is a poor product . Period . Use something else .