Hello. Yesterday I came across an AI-coded ransomware (bazaar). Of course I was curious how some security solutions perform against this AI-coded malware:

Trend Micro: full block, suspicious (ransomware, loader, stager failed)
Sophos Home Premium: partial block (process hollowing, some files encrypted)
G DATA: failed miserably
McAfee Total Protection: partial block (some files encrypted)
Avira: full block (HEUR/APC)

This particular sample encrypts files, takes a screenshot and gathers information about the system.

Full block = no encryption, no screenshot of your desktop written, no outbound connection made (Telegram API etc.).
Partial block = some files encrypted, screenshot written to disk, system information gathered and then uploaded to several IPs.
Epic fail = epic fail.

What do you think about AI-made malware? Are signature-based detections dead? Is the default-deny approach the best way to fight AI malware? I do like Trend Micro's approach, especially in "hypersensitive" mode, where it acts in kind of a default-deny way.
This stuff is likely to need a new approach, but I am not a huge fan of default deny, especially when there is no override option. We had to ditch Trend Micro at work several years ago because of the false positives and the disruptions it caused.
Highly AI-made JavaScript (.js):

McAfee: full block at runtime (obfuscated script)
Trend: full block, suspicious
G DATA: partial block, stager 2 blocked by GD Beast BB, information sent
Avira: epic fail

As we can see, against AI malware Trend Micro is the winner in this test, because of its default-deny approach.