AV-Comparatives Blog - Proactive Protection for WannaCry

So most of the major AV vendors had this wannacry in the bag.

 

I'm puzzled, M$ added patches to its updates for machines but fails to add protection via Defender?

 

So the test is before patching and updates, more a test of the behavior blockers.

 

Ah, got it, I should have read more carefully.

 

A-V Comparatives has since updated the report to state that Eset was detecting the NSA exploit as of 4/25/2017; three weeks prior to the WannaCry outbreak.

 

Thanks for that. I knew ESET users were fine.

 

Sorry, maybe I didn't get it... Eset was able to stop the ransomware to spread through the network, but it was unable to prevent the encryption on the user's PC. Is it correct?

 

Depends. ESET protected users from the exploit that spread Wannacry. But what if it had gotten into your system by other means?

 

If A-V Comparatives is going to do testing like this, use an actual 0-day ransomware. Again, the whole purpose of malware detection is to stop it prior to execution. Detecting only the encryption part doesn't help if the ransomware installed a treasure trove of secondary malware payloads.

-EDIT- I also submitted the WannaCry payload hash to VT early in the morning of the day the attack surfaced and none of the AI/Next Gen solutions listed there including Cloudstrike detected it at that time.

 

Moot point since Eset was removed from the testing since its protection detected the exploit previously.

 

OK, this is clear enough

 

Other means like how? Email attachment? AFAIK, they had signatures for it like most other av vendors. However I am not Marcos, maybe he will chime in.

 

Yeah, I wonder if ESET could have protected the user if the ransomware had come from Email attachment (and maybe other ways we aren't aware of).

I can understand that no antivirus can detect 100%. But it seems concerning that while the majority of big names protected users from the ransomware, ESET didn't despite having dedicated ransomware protection.

Btw, does anyone what other vendor could have also prevented the exploit? I believe Norton was one...

 

See: https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/

 

This test actually is most appropriate because what you want to protect against is the employing of the exploit. Both Eset and Kaspersky Internet security suites have network protection modules that include an IDS.

 

Well said.

 

What's more concerning to me is that some products are able to detect and stop more sophisticated methods of intrusion, yet fail embarrassingly against blunt, cheap and simple methods. So the message to the bad guys is "Don't use kernel exploits, use e-mail instead".

 

The message to the bad guys is probably to use both.

 

That's what I also wonder about. I wonder if their ransomware protection is behavior based or not.

 

Sorry, must have missed this reply. But yes, apparently it hasn't got any true behavior blocker. This really makes ESET look a bit bad.

 

McAfee really disappointing
I am using it it my main laptop

 

See my replies #30 and #40. Also review the likewise test done by MRG.

Eset Smart Security blocked the exploit via its network protection module. So the ransomware portion of WannaCry never ran. Eset to date has scored 100% for any AV lab ransomware test performed. And it did so by stopping the initial infection from running. Not by post infection means that only stopped the encryption activity ensuring you're not infected with a bunch of secondary malware the payload may have delivered plus the ransomware itself.

 

Good post, generic mitigation is much more important than "simple" payload detection.

 

About the "network protection module":

If I remember me well, it has been said that Eset Smart Security blocked it but NOD32 couldn't. Do I remember me that well? If that is right, I am wondering a little bit, because NOD32 has also the "network protection module".

 

Good question.

Both products have a HIPS and there is exploit protection there. However, it is restricted in use as noted below per the Eset help documentation:

In other words, it is Eset's behavior blocker.

CVE identified exploits are handled in the IDS and Botnet features of Smart Security network protection which also includes the firewall.

Also of note is Eset's HIPS monitoring is restricted in scope to only critical system and registry areas by default. For example, the HIPS allows all drivers to load from Windows\System32\Drivers w/o a peep.