RanSim Ransomware Simulator test and discussion thread

Discussion in 'other anti-malware software' started by Stupendous Man, Dec 26, 2016.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
If you notice that RanSim does not run as intended, as shown in your screen capture, you can look for what happened and whitelist the exe concerned in the security software.

    Ah, well, in that case, with SBGuard or AppCheck active, I suppose you cannot run RanSim as intended.
     
  2. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
Last night I checked your video again and saw some comment about proactive mode. So I switched from Firewall to Proactive and disabled HIPS, then everything was blocked. My only concern is, if I recall, that Proactive mode is less user friendly (i.e. more FPs).
     
  3. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
I kind of agree with LR. With every new version of Comodo that comes out, I want to like it, but ultimately end up going back to something else. This version of Comodo is the best, most user friendly yet, but I still am on the fence about whether it will last on my PC or not, or if I can install it on family members' PCs. For instance, I have some programs that don't appear to be signed, like my VPN, bittorrent client, etc. Every time they update, the install file gets blocked or sandboxed and I have to add them to safe files and re-run.

    The closest thing to the "deny everything not known" approach I have seen so far that is still user friendly is Avast Hardened Mode.
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    Thanks very much.
    I edited the thread's start post.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Therein lies the farce of all these simulators... having to disable protections so they can run. I decided to test against my setup. First I had to disable EIS to even install it; then, with it installed and everything on, EIS shut it down before it started. So the setup is good.
     
  6. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    HMPA passed ALL the tests with v1.0.2.4

Won't be testing the rest of the antiransomware software since there is no new ransomware inside v1.0.2.4.
     
  7. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
Retested with the new RanSim version and Avast still scores 0/10 fails.
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    Thanks very much for testing.
    But with your previous test, using RanSim 1.0.2.2, you reported HMPA failed Streamer only, not InsideCryptor (different from the tests on my system, and different from what Erik Loman confirmed), so I suppose your new test cannot be conclusive regarding whether or not version 1.0.2.4 fixed the bug in 1.0.2.2.
     
    Last edited: Dec 30, 2016
  9. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    That's interesting. Yesterday I got 9/10, and with the new version 10/10 blocked.

    Edit: Yesterday with the prior version, Avast blocked everything even with Cybercapture and Hardened mode off. Today, it requires hardened mode on to get 10/10 otherwise it gets 0/10.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
If the EXE of each RanSim test is blocked PRIOR to the encryption then this is a failure in my opinion.

    Some AVs have added signatures to block each test EXE. These AV dinosaurs are totally missing the point of zeroday protection.
     
  11. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    I just tried with Zemana AntiMalware premium, and it scored a disappointing 0/10.
     
  12. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
I'm pleased with Avast's performance; I was surprised a "set and forget" type program like CryptoPrevent completely failed.
     
  13. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
This was to be expected, and renders RanSim worthless, because encryption does not happen, nor is it even tried.

    "AV-dinosaurs" :D
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The RanSim.exe host should wait for a signal from each of its testers to validate it started properly.
    If the signal is not received, RanSim should state FAILED instead of NOT VULNERABLE.

    At SurfRight we use our own ransomware tester to validate each build. It can perform encryption from other processes too like explorer.exe, iexplore.exe and winword.exe.

    We had a debate on releasing our tool to the public. But since Sophos is a vendor the public likely will not accept the tool's verdict.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I tried uninstalling it, and it was detected as malware and it took a reboot to get rid of it.
     
  16. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    A false positive, from your AV-dinosaur :D
     
  17. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
Does ZAM protect against RW? I thought only ZAL did?

    Did you test ZAL?
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I just tested 1.0.2.4.

    The bug is still not fixed.
    Oddly though, HMPA now blocks the Streamer. I guess KnowBe4 have changed its behavior slightly by touching the originals (as normal ransomware would).

    10blocked.png

    The InsideCryptor is still broken though. All files are still in their original state.

    Results.png

    A side note:
RanSim should use proper test files. Some of its test files look corrupted in their original state. Check out this screenshot:

    Originals.png

    Also these files are really small, just 2748 bytes! Who has important .jpg files that are 2748 bytes? o_O
     
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
This will offend but, I'm never impressed by developers condemning competitors' software or products connected with related software... I seem to remember this happening on more than one occasion... Glad to see it seems to relate to one only... It's an end user's choice, live with it.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    Thanks, Erik.
    I edited the thread's start post.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  22. Yoda1953

    Yoda1953 Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    163
    Location:
    Netherlands
    Winpatrol WinAntiRansom (paid) didn't give a peep on Windows10 o_O!!! Failed 10/10
     
  23. jaodsvuda

    jaodsvuda Registered Member

    Joined:
    Feb 27, 2011
    Posts:
    161
ZAL killed it, NVTERP ß blocked it... so I shut them down... but the moment I clicked on that big red "Check it" button, RanSim was dead.
     

  24. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    o_O So ZAL did good?
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    As jaodsvuda said, "so I shut them down", regarding both ZAL and NVTERP ß, I suppose jaodsvuda meant that both stopped RanSim, so RanSim didn't run as intended.

    (See start post, regarding whitelisting RanSim.exe, Launcher.exe and RanSimSetup.exe)
     