How did ransomware slip past MSE?

Discussion in 'other anti-malware software' started by delerious, Dec 24, 2012.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    I'm running MSE on Windows 7, and earlier today this screen suddenly popped up showing a "Department of Homeland Security" message mentioning stuff about piracy, etc. and that I had to submit a payment of something like $250 to unlock my computer. It also turned on my webcam. Obviously ransomware.

    I did a CTRL-ALT-DEL and tried to get to Task Manager, but Task Manager didn't appear. So then I did a CTRL-ALT-DEL and told the computer to Restart, and that's when the ransomware screen disappeared, and I saw an MSE popup saying that it had caught malware and was asking me to remove it. So I told it to remove it. But how did the ransomware screen pop up in the first place if MSE had caught it? Can malware actually run before MSE is able to detect and catch it?
     
  2. Bodhitree

    Bodhitree Registered Member

    Joined:
    Dec 5, 2012
    Posts:
    567
    Because MSE is a horrible product, with virtually no detections, or detections so bad it has been delisted by some test sites? It also lost certifications recently.

    Frankly, it's useless.
     
  3. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Because you don't use multi-layered protection.
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    I don't think you'll get an answer to your question unless you can provide the sample to an MSE expert willing to analyse exactly what happened. The more important question is what unpatched/vulnerable software you're (presumably) running that allowed the ransomware to infect your system in the first place.
     
  5. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Ah, I haven't kept up. I know it used to be held in high regard, too bad that's not the case anymore.

    Is there any sort of FAQ or something that lists the different layers you should have, along with suggested programs for each layer? I think that'd be easier than trying to go through some of these threads (like the 1117 page "what's your security setup these days?")

    I had Firefox open (latest version) and I wasn't visiting any shady sites. I was also running a Java app from my broker (TD Ameritrade) that lets me look at streaming stock quotes. Just checked the Java version - it is at update 9, but there is an update 10 available. Could it have come from my broker? Doesn't seem likely, but I guess it's possible.

    I also ran scans on the other computers in the house, and one of them (a Vista PC) also had ransomware on it, but it was in someone's download folder and I don't think it ever executed on that computer (or else the person who uses it would surely have come running to me in a panic). I wonder if one of the computers transferred the ransomware to the other computer? Both are running the Windows Firewall.
     
  6. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    It misses one piece of malware and it is condemned as being useless. :rolleyes:
    Care to share which AV you use which doesn't miss anything? o_O :cautious:
     
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Because no signature based AV is perfect. . . ;)
     
  8. Bodhitree

    Bodhitree Registered Member

    Joined:
    Dec 5, 2012
    Posts:
    567
    MSE has started to lose certifications, and is dropping rapidly on a few popular test sites. This is pretty much fact. It's fallen 'well below' industry average.

    http://www.theregister.co.uk/2012/11/30/microsoft_security_essentials_loses_av_test_certification/
    Microsoft Security Essentials, Redmond's free antivirus tool for home users and business with up to ten PCs, can detect just 64 per cent of zero-day threats when running under Windows 7. That low detection rate has cost it the AV-TEST Institute's seal of approval, a certification it hands out to products that meet 11 of 18 criteria it assesses.

    Me? I use BullGuard. Between the 2 engines (and 4 signature bases), HIPS, firewall, vuln scanner, and insane Commtouch HTTP scanning, I have been unable to 'purposely' infect my test machine. Which is why I use it now. It also happens to score 99-100% on virtually every test (for the 2013 IS version). With 70%+ off, it's really cheap, and effective. Since you asked.
     
  9. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Obviously MSE doesn't have an outbound FW, HIPS, or HTTP scanner, so the comparison is not a fair one.

    Sure, with my HIPS set to max, I am unable to infect my machine either. I just have to make ~50,000 clicks a year...
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,762
    Location:
    Texas
    Am I missing something here? ----
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    While not a fair comparison it's valid because many people only install one security software and don't think about how comprehensive the protection is.
     
  12. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    MSE removed it. How is it useless?

    Maybe MSE's behavioral engine detected it?
     
  13. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Agreed. Users need to realize that some products are more robust than others. Likewise, being robust doesn't necessarily translate into better protection. Your product might have a (scanner, firewall, spyware blocker, etc.), but it don't mean nothing if most of those additional functions/features score low. Likewise, you may be thinking that using an array of security/privacy products is a great idea. I'll use this for the firewall ... this for the scanner, etc. If these products aren't compatible and configured to work alongside one another. Even then, product updates can be a headache. I've had computers crash simply because company A added feature X in the latest update. Later to find that it doesn't work too well alongside company B's product. Your security/privacy don't mean nothing. User incompetence is the greatest threat to security ... followed by marketing gimmicks and disinformation.


    Security applications detect malicious agents at different stages. It's possible MSE was delayed in its notification or detection of the malicious agent. Also, if the application is disabled or disrupted then the reboot may have given it the precedence (priority @start-up) it needed to squash the infection. Blind guesses without further detail.
     
    Last edited: Dec 24, 2012
  14. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    MSE's cloud may have caught it since it doesn't look like its signatures did. One of the raps on MSE is it catches stuff after it has done its dirty work and dropped a load of other stuff, too. Sounds like there might have been cross-pollination in your local network. Sandboxie or Comodo firewall recommended for MSE.
     
    Last edited: Dec 25, 2012
  15. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Because it's pure signatures and has no HIPS or sandbox to back up its signatures when something gets past that.
     
  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    People still blindly believe that MSE has any form of heuristics or cloud functionality... heuristics go as far as variants of existing known stuff and cloud is just a non-existent tech in MSE.

    The only explanation for the ransomware getting activated and MSE still displaying a popup is probably the fact that it only caught a part of it. One component of the ransomware app. Hopefully the one which encrypts all the files, and you'll only have to deal with its frontend that's supposed to scare the user...
     
  17. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    It does have a cloud - used to be called SpyNet but version 4 changed the name - anyhow, you have to check a box to opt in to it, sends stuff in (maybe) to be analyzed or lets the user send samples in. Does it work? If it does it's usually too late to matter. Best solution - use something else.
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    That's not cloud, that's just malware/suspicious submission. Something most have been doing for years. But you never get any actual feedback from this so-called cloud. And that's why MSE is so poor in most of the tests.
     
  19. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I use a HIPS set to max and I only install software I can trust (Norton's reputation analysis helps here). This way I rarely see pop-ups.
     
  20. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    882
    Location:
    Triassic
    What version of MSE (Client, Engine, Definitions etc.) were you running?
    What are your MSE settings for updates and scans?
    When was your last full scan?
    What version of Windows, 32 or 64 bit?
    How is your Windows Update set to update?
    Do you check optional updates?
     
  21. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    The forums are full of this exact question with only the AV in use being different. The bottom line is that no AV, none in fact, is capable of blocking all the malware that a user can encounter. By all means try other AVs but don't be disappointed if they all fail at one stage or another. As mentioned in the 3rd post, you need a multi-layered approach; with an updated OS and AV of your choice, with scripting blocked for all sites but untrusted ones and with a bit of common sense and general education of what is and what is not safe to do on the net.
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Delerious- From what you originally posted, it looks like MSE did its job well (if you were able to reboot and the machine was functional). The mechanism of action of Ransomware varies with the type of malware involved. It seems the type that infected your computer did something pretty easy to clear up.

    All that the malware did was to open up a webpage with the warning on it, and by the use of the WebBrowser Control set it to a TOPMOST attribute (the page will stay on top of EVERYTHING else on your desktop). So that you can't kill the process yourself, it generated a script to kill both Task Manager and Explorer - the cool thing is that the script was written to keep both dead via an infinite loop. Not having a sandbox, MSE could detect and delete the trojan but not prevent the script from running, thus your temporarily ransomed machine.

    Anyway, MSE did destroy the malware and prevented the restart of the script. You really lucked out, btw. Most are a bunch worse than that one (my fav is the one that calls up shutdown.exe, and on reboot screws the MBR- without a sandbox you are lost with that one).

    Merry Christmas!!

    (ps- I just reviewed the above post and it almost seems that I approve of MSE. Although that is certainly not the case, my being infused with the spirit of the Joyous Holiday I'll refrain from calling it the Vile Piece of Trash that it is.)
     
    Last edited: Dec 25, 2012
  23. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I would have thought that if the download/install was true ransomware then once installed it would have been "game over". I have not seen true ransomware that can be killed with CTRL/ALT/DEL and then removed by an AV.
     
  24. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Thanks for the replies everyone, and happy holidays!

    I am now looking into Sandboxie and EMET to expand my defenses. I've read about how Java has tons of security holes, but unfortunately I need it for one application so I cannot uninstall it.

    I was wondering about how it worked. If all it did was open a webpage, could it still turn on my webcam? I didn't think you could activate a webcam with just HTML and JavaScript. That makes me think an executable actually got run. I also ran a few MBR scanners and it doesn't look like my MBR got infected, so that's good. But still, out of paranoia, I am reinstalling Windows right now!
     
  25. Disney

    Disney Registered Member

    Joined:
    Oct 15, 2012
    Posts:
    103
    Location:
    USA
    It is simple. MSE is not a good product. Multilayered makes no difference. Condemned by missing one thing makes no difference. It is a poor product. Period. Use something else.
     