How did ransomware slip past MSE?

Discussion in 'other anti-malware software' started by delerious, Dec 24, 2012.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    You really didn't need to reinstall the OS. The malware just ran the script blocking the two processes. The fact that you could use the keyboard to force reboot shows Winlogon wasn't affected, and the ransom page not showing up on reboot means no registry entries were played with to make the module start with Windows. So basically you just had Script Runonce. No biggie.

    This was really a 5th grade level malware code (probably would get past Sophos, though).
     
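    The diagnosis above rests on two checks: Winlogon still worked, and nothing re-launched the ransom screen after a reboot, so no autostart entry had been written. The following script is an added example (not posted by cruelsister or anyone else in the thread) that performs that second check on a Windows machine: it lists every value in the usual Run/RunOnce keys and flags the Winlogon Shell and Userinit values if they differ from their standard defaults. The default strings `explorer.exe` and `C:\Windows\system32\userinit.exe,` are the stock Windows values; anything else is worth a closer look.

```powershell
# Added example: enumerate common autostart locations to confirm whether a
# "Script RunOnce"-style ransom screen left anything that survives a reboot.
# Run from an elevated PowerShell prompt so HKLM is readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Property names that Get-ItemProperty adds itself and that are not registry values.
$providerNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

Write-Host "=== Run / RunOnce entries ==="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # RunOnce keys are often absent
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerNoise -contains $prop.Name) { continue }
        [pscustomobject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $prop.Value
        } | Format-List
    }
}

# Winlogon values a ransom screen would have to alter to replace the desktop.
# Defaults below are the stock Windows values (assumed for this example).
$winlogon = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

Write-Host "=== Winlogon check ==="
foreach ($name in $expected.Keys) {
    $actual = $winlogon.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "Winlogon '$name' is '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Host "Winlogon '$name' is the default value"
    }
}
```

    If the Run/RunOnce listing shows only entries you recognise and both Winlogon values are at their defaults, the situation matches the one described in the post: the screen-locker was a one-shot script with no persistence, and a reboot was enough.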
  2. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    Most MSE reviews show it still detecting stuff after it has completed a full scan and the reviewer has deleted all files it found/quarantined. What exactly is that?
     
  3. guest

    guest Guest

    "Because you don't use multi-layered protection."

    I don't have it either. I guess I may be outvoted here because I read that a lot of people run that way, but I believe that if you need multiple programs then each program must be lacking. Instead I would just run a good HIPS.
     
  4. guest

    guest Guest

    Don't know, but probably another reason one shouldn't use MSE? :cool:

    I never have any virus on my systems, so I can't say from my own experience how good or bad the detection of MSE is. But I never liked this software, and it wasn't nearly as "light" in terms of resources etc. as it was advertised, on the contrary. - So I always ditched it after a short time. Then I recently saw one really bad test result where it lost certification or something like that. - So I really wouldn't bother with why it isn't working as it should and would just switch to something that does (better). :) - You can take pretty much every other solution, I guess. ;)
     
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Flawed design? And multilayer doesn't necessarily mean you need to use 10 security apps. You can have multilayer approach within existing app. Take avast! for example. Yes, it's a single app that many would instantly flag as single layer but in fact it has several layers.

    - file system layer (file detection)
    - HTTP layer (traffic scan and URL blocking)
    - TCP/IP layer (IDS style exploit blocking)
    - all the e-mail layers, IM and P2P
    - file reputation (FileRep)
    - behavior analysis (Dyna through Auto Sandbox)

    And what does MSE have?

    - file system layer
    - exploit prevention for known exploits only (only those that aren't patched with an update)
    - supposedly existing cloud (which no one has seen to date)
    - supposedly existing behavior analysis (which no one has seen to date)

    And that's basically it.
     
  6. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    I don't think any other AV generates so much controversy as does MSE. :p
     
  7. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    There is an inherent problem with "trusted" or "signed" software. So you are taking a risk right there. But to each their own.
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    A little bit of a tangent here- Aside from ransomware, banking trojans are quite popular as a means to make some extra cash. Just a few weeks ago a new updated version of the Carberp trojan (Banker) came on the market at the usual places (don't ask).

    The twist for this one is that it is packaged with a new version of the Rovnix bootkit trojan. When run, it will give the malware Ring 0 privilege in the Volume Boot Record (Kernel Mode)- so basically once in it ain't going nowhere as AV's are blind to it.

    The price is one of the steepest that I've ever seen at 40,000USD (you can also get either Premium or basic support), so a typical Putz won't be buying it. However, a number of Fraudware-as-a-Service outfits have been popping up that will happily run it for you for a few thousand a month.

    Oh yeah- you can also get a ransomware package instead of the banking package, and they are promising to code up an installer package for newbies.

    Knowing Russian helps.
     
    Last edited: Dec 26, 2012