AV-Comparatives Blog - Proactive Protection for WannaCry

Discussion in 'other anti-virus software' started by hamlet, May 17, 2017.

  1. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    913
    Location:
    UK
    So most of the major AV vendors had this wannacry in the bag.
     
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    913
    Location:
    UK
    I'm puzzled, M$ added patches to its updates for machines but fails to add protection via Defender?
     
  3. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    440
    Location:
    The Netherlands
    So the test is before patching and updates, more a test of the behavior blockers.
     
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    913
    Location:
    UK

    Ah, got it, I should have read more carefully.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    A-V Comparatives has since updated the report to state that Eset was detecting the NSA exploit as of 4/25/2017, three weeks prior to the WannaCry outbreak.
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,093
    Thanks for that. I knew ESET users were fine.
     
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    208
    Location:
    Italy
    Sorry, maybe I didn't get it... Eset was able to stop the ransomware from spreading through the network, but it was unable to prevent the encryption on the user's PC. Is that correct?
     
  8. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    415
    Depends. ESET protected users from the exploit that spread Wannacry. But what if it had gotten into your system by other means?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    If A-V Comparatives is going to do testing like this, use an actual 0-day ransomware. Again, the whole purpose of malware detection is to stop it prior to execution. Detecting only the encryption part doesn't help if the ransomware installed a treasure trove of secondary malware payloads.

    -EDIT- I also submitted the WannaCry payload hash to VT early in the morning of the day the attack surfaced, and none of the AI/Next Gen solutions listed there, including CrowdStrike, detected it at that time.
     
    Last edited: May 18, 2017 at 10:31 AM
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    Moot point since Eset was removed from the testing since its protection detected the exploit previously.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    208
    Location:
    Italy
    OK, this is clear enough :)
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,093
    Other means like how? Email attachment? AFAIK, they had signatures for it like most other AV vendors. However, I am not Marcos; maybe he will chime in.
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    415
    Yeah, I wonder if ESET could have protected the user if the ransomware had come from an email attachment (and maybe other ways we aren't aware of).

    I can understand that no antivirus can detect 100%. But it seems concerning that while the majority of big names protected users from the ransomware, ESET didn't despite having dedicated ransomware protection.

    Btw, does anyone know what other vendor could have also prevented the exploit? I believe Norton was one...
     
  14. Alikhan

    Alikhan Registered Member

    Joined:
    May 25, 2014
    Posts:
    22
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,093
    Well said.
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,088
    Location:
    Germany
    What's more concerning to me is that some products are able to detect and stop more sophisticated methods of intrusion, yet fail embarrassingly against blunt, cheap and simple methods. So the message to the bad guys is "Don't use kernel exploits, use e-mail instead".
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,202
    Location:
    USA
    The message to the bad guys is probably to use both.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,910
    Location:
    The Netherlands
    That's what I also wonder about. I wonder if their ransomware protection is behavior based or not.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,910
    Location:
    The Netherlands
    Sorry, must have missed this reply. But yes, apparently it hasn't got any true behavior blocker. This really makes ESET look a bit bad.
     
  21. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    1,841
    McAfee really disappointing :eek::eek:
    I am using it on my main laptop.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    See my replies #30 and #40. Also review the likewise test done by MRG.

    Eset Smart Security blocked the exploit via its network protection module. So the ransomware portion of WannaCry never ran. Eset to date has scored 100% in every AV lab ransomware test performed. And it did so by stopping the initial infection from running. Not by post-infection means that only stopped the encryption activity, ensuring you're not infected with a bunch of secondary malware the payload may have delivered plus the ransomware itself.
     
  23. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    876
    Good post, generic mitigation is much more important than "simple" payload detection.
     
  24. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,685
    About the "network protection module":

    If I remember well, it has been said that Eset Smart Security blocked it but NOD32 couldn't. Do I remember that correctly? If that is right, I am wondering a little bit, because NOD32 also has the "network protection module".
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    Good question.

    Both products have a HIPS and there is exploit protection there. However, it is restricted in use as noted below per the Eset help documentation:
    In other words, it is Eset's behavior blocker.

    CVE identified exploits are handled in the IDS and Botnet features of Smart Security network protection which also includes the firewall.

    Also of note is that Eset's HIPS monitoring is restricted in scope to only critical system and registry areas by default. For example, the HIPS allows all drivers to load from Windows\System32\Drivers w/o a peep.
     
    Last edited: May 19, 2017 at 7:56 PM