RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    A valid test is one which accomplishes the objective. We have different objectives. Let me give you a real live analogy. Years ago I applied for a job with Ford Motor Co. They were hiring for the test group. The had two groups of testers. The first took cars that were wired up like lab rats. They monitor temperature points, various pressures, totally measuring the heart beat of the engine,transmission, drive axles, just about everything. The 2nd group just drove the car. On the track, out on the highway, and what they were monitoring was the experience of the driver and passengers. How it was in a short to the store visit, and how it was for a 5 day trip. Different tests.

    Same is true here. I don't use any special samples, just as they are released. Although I know generally how the software I use works, I don't need to know. Also I don't need to know how the malware works either. All I need to know for ME, is does the software detect and stop the malware as claimed. It's that simple. Once detected one can chose the method of remedying the problem. This tells me if the claims made by a developer are valid for the malware most likely to be encountered.

    Frankly, it bothers me that you are tailoring the tests to the product. I feel it puts a cloud over the impartiality of the tests, and opens the door to claims that you are testing for self serving claims you make. I am not at all saying you do that, but you do open the door for that.

    Hope that makes sense.

    Pete
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,160
    Location:
    Paris
    Peter- you misunderstood about the samples. Far too often malware samples are just thrown together without thought to the mechanism or even if they actually work. A test consisting of 10 different Locky's or Cerber's really does not achieve very much, does it. Diversity in mechanism should really be important.

    Further what malware one comes across in the Real World depends on what part of the Real World the person resides. A Petya (Yellow) was an issue in Germany but not Australia; a RAAcrypt killed it in Russia but not Mexico. Once again diversity is needed for completeness.

    Finally I could save very much time and just throw on any malware that comes up when I do a test. This would make many happy as the results would be Unicorns and Rainbows. I however prefer the truth.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Hi CS

    Okay, that I do understand and respect. I guess and hope folks understand, I am testing only from my perspective and that is a difference. Glad we could discuss this openly.



    Pete
     
    Last edited: Jan 25, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,962
    Location:
    U.S.A.
    Great points, CS.

    To this I will add that it is a well known fact that VM aware malware will alter its behavior as noted below:

    In an attempt to evade analysis and bypass security systems malware authors often design their code to detect isolated environments. Once such an environment is detected the evasion mechanism may prevent the malicious code from running, or it may alter the malware’s behavior to avoid exposing malicious activity while running in a VM.

    For example: when running on real hardware the malware will connect to its Command and Control (C&C) server, but when a VM is detected it will connect to a legitimate domain causing the analyst or the security system to believe this is legitimate code.


    Ref.: https://www.cyberbit.net/endpoint-security/anti-vm-and-anti-sandbox-explained/
    The proper way to test malware is on dedicated hardware with a fresh installed OS and the security software installed that is to be tested. This is how the AV Labs perform their testing.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    True, but with VS analysis I already know this and have confirmed it. No surprise. The VS analysis in some cases spells out what they detect and how they detect it. can be library's or registry keys. All different
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Just saw CS's latest Ransomfree test video. I'll pass
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    2,972
    Location:
    DC Metro Area

    https://www.youtube.com/watch?v=nbUNqfL2hxE
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    would you consider VMware the same type isolation as Shadow Defender? I have not use VMware in years. actually I think I was one of the first wilders member to use it. that was just before they came out with VMware Player and on XP I think it was. I also used quietzone till it was abandoned. I don't they use the same techniques but I do think malware like to detect especially VMware, since that is what most use. maybe second being shadow defender.
    personally I like to see peoples posts on testing no matter who they are.
     
  9. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    218
    Location:
    USA
    So CruelSister is also only targeting the honey pots? What about the other protection methods?

    As PC Matic says it stopped all their malware, I'm still a little suspicious about the methodology the testers here are applying and the assumptions being made, especially as people here have shown themselves predisposed to condemn the product from the start.

    Sorry, still not convinced that the self testers here are that much more competent than the developers and other commercial testers.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Hi Boredog

    You picqued my interest as I was playing around with the idea of using ShadowDefender. Yes some malware does detect VM stuff. I don't think much does with Shadowdefender. One of the things I tested in playing with that was could I image in Shadowmode, then exit Shadowmode and restore the image and get back the system state when Shadowed. The answer was yes, but with a huge caveat. I am on Win 7 X64 Pro and my drives have only a single partition no 100mb partition.

    I've since realized I can skip the SD step, and just image more frequently. Macrium Home makes this viable. One huge advantage with SD is I can shadow all 3 internal drives. I've gotten around that with Fides.

    Also Boredog, if you want to keep seeing my crazy testing posts I shall continue.

    Pete
     
  11. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,074
    Location:
    UK

    Seeing as in reading or seeing as in videos such as cruelsisters, do you post on youtube too?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Reading. I am not really set up to do videos and I really don't have the time. Make you a deal. Next time I post if I am not clear about what I did, give me a tap on the shoulder.
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    "Sorry, still not convinced that the self testers here are that much more competent than the developers and other commercial testers."

    sorry snowy. I know you been around here along time too but I can tell you both Peter and cruel sister know what they are doing. and as you know the tests by the special testing companies are paid for tests.
    I also know it is human nature for some posters here to be over paranoid and not even post in their sig their security software. and that is fine by me. Dan from voodoo like you do shield has posted YouTube vids and you do not think he knows what he is doing?
    anyway I still am not sure why I get myself into these dissuasions. most of them are just ****** contests.
    at my age I am not into ****** contests anymore. not enough testosterone anymore :D
     
  14. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    218
    Location:
    USA
    Oh really, boreing? PC Matic was paid to test RansomFree?

    Look trust who you want, but I think both sides need to be presented. You place your faith in CS and Peter, fine, but I'll continue to look at all the evidence.
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    "Oh really, boreing? PC Matic was paid to test RansomFree?"

    YOUR boring statement does not bother me at all. and you did not even spell it right. use your spell checker dude. you are attacking me and that is your choice.
    did not expect that from an old time member. do you want to take it PM?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Simple. Test it for yourself.
     
  17. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    218
    Location:
    USA
    Simply responded in kind, leaving out the rant about childish bodily functions, and asked a legitimate question.
     
  18. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    218
    Location:
    USA
    Thanks for the suggestion, but I don't play with malware. I'll just continue to look at all the evidence.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,962
    Location:
    U.S.A.
    I also recommend reading the SANS article that is referenced by link. Although long, the article details sandbox bypasses not commonly discussed.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    I think it's safe to say it doesn't offer 100% protection, and it also didn't protect all partitions, which is a blunder. But I don't know about the newest version. That doesn't mean it's total crap, I'm sure it might stop some ransomware variants.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    "Simply responded in kind, leaving out the rant about childish bodily functions."

    no comment you do not deserve it as far as I m concerned.
     
  22. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    218
    Location:
    USA
    Agreed Rasheed, I don't believe any software is 100% safe, but it should be given a fair chance at the same time.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    What link?
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    Okay SnowWalker. I gave them another chance. It did protect the files in Documents and the desktop. BUT no way. First I ran a piece of ransomware, when it was done I got a warning that if there any screen messages, or count timer I would have to delete them manual. But the worst. I turned of FIDES on my 2nd drive. Not only was everything encrypted, but I had a base and 3 incrementals from Macrium. It deleted the base and 2 out of the 3 incrementals. NO WAY!!
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,962
    Location:
    U.S.A.