AV-Comparatives Blog - Proactive Protection for WannaCry

Discussion in 'other anti-virus software' started by hamlet, May 17, 2017.

  1. hamlet

    hamlet Registered Member

    Here is a link to an interesting post on the AV-Comparatives blog. The post shows the results of a test to determine which av products would have detected WannaCry pre-May 12 on unpatched systems. One thing that jumps out is that they say that ESET Internet Security would not have detected WannaCry. That seems to be directly counter to ESET's statements on their forums.

    http://weblog.av-comparatives.org/proactive-protection-wannacry-ransomware/
     
  2. Spartan

    Spartan Registered Member

    This is the email I got from ESET:

     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    From what I understand, ESET IS would have prevented the vulnerability that helped the malware spread not the malware itself.
    An update was needed to detect it in memory.

    Here's the post: https://forum.eset.com/topic/11948-massive-ransomware-attack/?do=findComment&comment=60078
     
  4. xxJackxx

    xxJackxx Registered Member

    I have received emails from multiple vendors all claiming that they prevent it, while some seem to imply they are the only ones that do.
     
  5. Trooper

    Trooper Registered Member

    Was going to say, that does not seem correct about ESET.
     
  6. Trooper

    Trooper Registered Member

    Ditto got emails from multiple av companies with the same verbiage.
     
  7. Nightwalker

    Nightwalker Registered Member

    In my experience (nothing scientific) just Kaspersky, Emsisoft and Bitdefender offer adequate protection against zero-day ransomware.

    Ps: Yes I am biased :argh:
     
  8. imuade

    imuade Registered Member

    Ehmmmm, ever heard about Comodo o_O :geek:
     
  9. Nightwalker

    Nightwalker Registered Member

    Comodo isn't a traditional antivirus (it isn't even on AV-Comparatives tests anymore), it has a solid focus on HIPS and Sandbox, a well configured Comodo will block almost all threats.

    Unlike those solutions that I cited, Comodo demands much more from the user, but this isn't bad per se.
     
  10. imuade

    imuade Registered Member

    It depends on how you set it.
    For example, Comodo Firewall at Cruelsister's settings won't need almost any user interaction. The same is true for CCAV at default settings.
    Of course, the user should be aware of what the green border means (sandboxed app) and how to whitelist it (if the app is good) :)
     
  11. guest

    guest Guest

    tssssss, those vendors are weaklings compared to Appguard, BRN doesn't need such a trivial and puny mail campaign, because ransomware just can't get past it in the first place!

    Ps: I'm biased too :argh:
     
  12. Mr.X

    Mr.X Registered Member

    Me too am biased!

    Yesterday I ran WannaCry in a shadowed session (Shadow Defender). Devilish nasty program encrypted tons of files in C and D drive, one for system the other for documents (4GB). Really quick this encryptor indeed. :'(

    Clicked restart... Suddenly all back to normal :geek: :-*
     
  13. Antarctica

    Antarctica Registered Member

    Hi Mister X,
    I also have Shadow Defender and I feel quite safe for now. But a question comes to my mind, is there any possibility that one day ransomware will be able to block a restart? :(
     
  14. Mr.X

    Mr.X Registered Member

    Anything's possible with computers. If such comes to happen just push reset button or power button and you'll be just fine.
     
  15. Rasheed187

    Rasheed187 Registered Member

    I don't get it, why would ESET have failed to protect? It couldn't recognize it by signature or behavior blocker?
     
  16. Minimalist

    Minimalist Registered Member

    @hamlet
    Thanks for sharing link to this interesting test.
     
  17. JRCATES

    JRCATES Registered Member

    Interesting. Thanks for sharing, hamlet.

    17 of the 21 tested would have prevented it beforehand... not sure whether to feel good about that, or be concerned that all 21 didn't catch and stop it. On the surface, though, at least that does seem to speak well for those antivirus programs and solutions that DID successfully thwart and prevent it.

    Either way you look at it, it is interesting to see....and I'm glad that someone took the time to test these products in a prior state to see what "would have" happened.
     
  18. JerryM

    JerryM Registered Member

    I was surprised to see that Eset IS did not protect since it was one of two that MRG Effitas had a 100% detection.
    Jerry
     
  19. imuade

    imuade Registered Member

    Panda did well, considering that it's a cloud av and they tested an offline system
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I'm borderline shocked that Eset did not pass this test. They usually perform so well detecting, and blocking Ransomware.
     
  21. The Hammer

    The Hammer Registered Member

    Avira came through, so I have to be happy about that.
     
  22. Azure Phoenix

    Azure Phoenix Registered Member

    When asked whether ESET had a sort of behavior blocker, they mentioned the Advanced Memory Scanner.
    https://forum.eset.com/topic/5283-behavior-blocker/#comment-29725

    However, if you click the link I posted above, Marcos states "I would also add that a WannaCrypt memory detection was added in update 15403".
    So, it appears to require signatures and probably shouldn't be considered a behavior blocker.

    And since this was done with definitions prior to May 12, ESET couldn't detect it by any signature.
     
  23. Macstorm

    Macstorm Registered Member

    That's why I never trusted Eset software...
     
  24. IBK

    IBK AV Expert

    There seems to be some misunderstanding - I will add a note to clarify (the test looked at the ransomware part only; ESET would have detected the spreading part though).
     
  25. daman1

    daman1 Registered Member
