Every Security Suite Failing His Tests...Bypassed...See Video

Discussion in 'other anti-virus software' started by rodneym, Aug 27, 2018.

  1. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    It says "explorer wanna execute XWC", he clicked "OK", so XWC.exe was actually executed (and later run sandboxed because unknown).
    If he had clicked "Block", it would have been a "game over".
    The other point is the sandbox level.

    To be honest, he tested CCAV too and he bypassed it too (CCAV only has sandbox, not HIPS)
     
  2. guest

    guest Guest

    Yes, because the malware can't be executed, so how can you test a module bypass without executing the malware...?
    To test a module bypass, the malware must run first, then the HIPS or whatever module should react and block it; which is not the case here, the HIPS didn't prevent the malware from encrypting (it should have).

    I guess he wanted to demonstrate that the "payload" wasn't blocked; not that the malware can't be executed.
     
  3. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    OK, this makes sense :)
    So, the only doubt is about the sandbox level...
     
  4. guest

    guest Guest

    It may be the default setting (but he didn't show it); if I remember correctly it is set as Partially Limited.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Let's poke @cruelsister :D
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    Hi Guys! I hope you don't mind an extensive post, but it may be appropriate. First off:

    1). My compliments to Rodneym for this thread! I love thought problems (Oh God, I'm too pretty to be a Geek)!!!
    2). I have no issue with a Blackhat not making a sample that was personally coded available for the masses. Actually this is Wisdom in the Extreme. I won't go into details, but Trust me on this- it will save One year of therapy.
    3). Any comments on malware that a person does not actually have is Ignorance in the Extreme! It's like trying to determine if a shoe will be comfortable by looking at a picture of it (heel, toe, and straps). I'm sure you Guys have no clue about this, but any women out there know EXACTLY what I mean.
    4). For those that may not know, I've done one or two videos myself. Although I always edit out wasted time in my videos (like reboot times, sleep times for malware, 2nd opinion scan times), I never ever (Never ever) suppress the taskbar clock.

    That being said, let's look at the Heel, Toe, and Straps of these shoes and see if they could be comfortable:

    I've viewed a number of the videos by RoxasDev and have seen this:

    1). The payload is run directly. No drops, no need for a download.
    2). The malware payload ALWAYS has additional thingies coded into it. Notice sometimes there is a forced reboot? Sometimes the cmd prompt does not work? But ALWAYS there is the Taskbar vanishing. As I was curious about the latter, I asked Ophelia (nasty cat!- especially when I run out of 10 year old Wisconsin cheddar). She informed me that the easiest way to make a video that would deceive the ignorant is to add a "taskkill /f /IM explorer.exe" command. This will kill the taskbar clock and allow the video author to do anything that they want and use as much time as would be needed to re-run the sample with the prime protection disabled. And God alone knows why on some videos the command prompt was called up and shown not to work. A simple "taskkill /f /IM cmd.exe" would do this. Not exactly Rocket Surgery.

    In conclusion- in spite of not having the file, I would never ever buy these shoes (if you catch my drift...).
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Expanding on @cruelsister's comments are my following comments.

    Since I see the malware sample sitting on the desktop, I assume this is a ransomware that was compiled on the local device and then moved to the desktop. Appears to me this is a novice tester mistake. What he should have done is upload his test ransomware to a file sharing web site. Then delete all traces of it from the local device. Finally, download the ransomware from the file sharing web site and test detection by individual AV solutions. After all, this is how one gets ransomware in the first place, by some type of download; whether direct, drive-by, or via e-mail attachment, etc. I am sure his AV solution detection results would be far different than what he has posted on his YouTube web site.
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    ITMan- what you say is totally correct. However running a malware sample from the Desktop tests the "Least Common Denominator" protection (ie: without any INET, Email, or USB protection modules); and as I do that all the time what else can I say?

    What concerns me is the Taskkill of the explorer.exe module. There is no reason for this except for subterfuge.

    (ps- Marcos- I feel your pain. Although I'm no great fan of ESET, your product is being greatly wronged in this case.)
     
    Last edited: Aug 29, 2018
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Since you're fluent in French, review his Win 10 1803 WD video which he rates as a "partial" bypass. To me something very "fishy" is going on in his test. When he runs the ransomware from a directory, WD triggers and alerts. Then he moves the ransomware to the desktop and runs it from there. Prior to that it appears he is fooling around with WD settings; perhaps disabling the controlled folder protection. Then I do see a WD alert again being generated which he quickly gets rid of.

    I'd also like to know how he got around the native SmartScreen alert for an unknown process. Again, this indicates he never downloaded the ransomware; since it was locally created, it would not have the mark-of-the-web.
     
  10. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Smart cat. FWIW, I located a gaggle of samples this person submitted to VT and other sites to test detection, and they all execute both taskkill /f /IM explorer.exe and cmd.exe. Seemed like he had a difficult time with a few vendors because there were a bunch of repacked samples that had filenames including $expletive_$vendor in them. All samples also rename network interfaces and disable them.
     
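The behaviour described by cruelsister and confirmed by m0unds above (the sample forcibly killing explorer.exe, which takes the taskbar and its clock with it, and cmd.exe) is easy to spot in process-creation telemetry. The following is an added example written for this thread, not code from any poster or from the samples discussed; it assumes Sysmon Event ID 1 style fields (process id, parent image, image, command line) and a constructed batch of events, and it flags taskkill invocations against those two targets, rating them higher when the parent is an unknown binary rather than an interactive shell.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. Constructed for this example; the fields
    mirror what Sysmon Event ID 1 or EDR telemetry provide."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Images whose forced termination is worth alerting on: explorer.exe hosts the
# taskbar and its clock, cmd.exe is the shell a tester uses to inspect the box.
WATCHED_TARGETS = {"explorer.exe", "cmd.exe"}

# Parents from which a user or admin script plausibly runs taskkill. This is an
# assumed baseline for the example; tune it per environment.
BENIGN_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "services.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(command_line):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command_line)]


def parse_taskkill(command_line):
    """Return (force, images, pids) for a taskkill invocation, else None.
    Switches are case-insensitive and may use '/' or '-' prefixes."""
    argv = tokenize(command_line)
    if not argv:
        return None
    exe = ntpath.basename(argv[0]).lower()
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    force, images, pids = False, [], []
    i = 1
    while i < len(argv):
        switch = argv[i].lower().lstrip("/-")
        if switch == "f":
            force = True
        elif switch == "im" and i + 1 < len(argv):
            images.append(argv[i + 1].lower())
            i += 1
        elif switch == "pid" and i + 1 < len(argv):
            pids.append(argv[i + 1])
            i += 1
        i += 1
    return force, images, pids


def classify(event):
    """Findings for one event as (severity, message) tuples; empty if benign."""
    parsed = parse_taskkill(event.command_line)
    if parsed is None:
        return []
    force, images, _ = parsed
    parent = ntpath.basename(event.parent_image).lower()
    findings = []
    for image in images:
        if image not in WATCHED_TARGETS:
            continue
        if force and parent not in BENIGN_PARENTS:
            severity = "high"    # unknown binary forcibly killing the shell/taskbar
        else:
            severity = "medium"  # same target, but a parent that may be legitimate
        findings.append((severity, f"{parent} ran taskkill against {image} (force={force})"))
    return findings


def scan(events):
    """Run classify over a batch; returns [(pid, severity, message), ...]."""
    return [(e.pid, sev, msg) for e in events for sev, msg in classify(e)]


# Constructed telemetry: a sample launched from the Desktop (the scenario in
# this thread) kills explorer.exe and cmd.exe; the other rows are ordinary use.
SAMPLE_EVENTS = [
    ProcessEvent(4101, r"C:\Windows\explorer.exe",
                 r"C:\Users\tester\Desktop\sample.exe",
                 r'"C:\Users\tester\Desktop\sample.exe"'),
    ProcessEvent(4102, r"C:\Users\tester\Desktop\sample.exe",
                 r"C:\Windows\System32\taskkill.exe",
                 "taskkill /f /IM explorer.exe"),
    ProcessEvent(4103, r"C:\Users\tester\Desktop\sample.exe",
                 r"C:\Windows\System32\taskkill.exe",
                 'taskkill /F /im "cmd.exe"'),
    ProcessEvent(4104, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\taskkill.exe",
                 "taskkill /IM notepad.exe"),
    ProcessEvent(4105, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\taskkill.exe",
                 "taskkill /f /IM explorer.exe"),   # an admin restarting the shell
]

if __name__ == "__main__":
    for pid, severity, message in scan(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {message}")
```

Running it on the constructed batch flags the two taskkill events spawned by the Desktop sample as high and the one launched from an interactive cmd.exe as medium; the notepad.exe kill is ignored. The parent-image baseline is the part that needs care in a real deployment, since the point of the thread is that the same command is harmless from a console and telling when it comes from an unknown file on the Desktop.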
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    Thanks Mounds for the confirmation!

    Some things are just intuitively obvious. (ps- Ophelia is now pigging out on a fresh block of cheddar I acquired).

    ITMan- I really hate to say it, but getting around WD is no great issue. I am always amazed when WD actually detects something a friend sends me when I unzip it (I do it for laughs- but understand that I also have never disabled WD on my Win10 system). But in that video once again we have the Taskbar vanishing prior to the Process Manager telling us we are screwed.
     
    Last edited: Aug 29, 2018
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Excellent choice! Best cheese, ever!
     
  13. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,140
    Explain in layman terms for people like me. Are these tests fraud?
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    I would rather put it as: a person should view them with healthy skepticism.
     
  15. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    I'd suggest viewing with skepticism, as cruelsister said.
     