topic Re: Ransomware Simulator Tool results showing Checkpoint Endpoint unable to detect known Ransomware in Endpoint

Ransomware Simulator Tool results showing Check Point Endpoint unable to detect known Ransomware

Chinmaya_Naik — Sun, 23 Jun 2019 22:48:17 GMT

Hi Team,

Setup
OS: GAIA R80.20
Client Package : E80.96 , E81.00 ,E80.97
Windows Machine (Test): Windows 10 Pro, Windows 7 Pro, Windows 8 Pro
Jumbo HotFix: Take_47

Tools Name: knowbe4

Link: https://www.knowbe4.com/ransomware

KB: https://support.knowbe4.com/hc/en-us/articles/229040167

Issue: When I ran this application and start scanning then see some different results.

Results 1: Windows 7 with E81.00 package, Suddenly Anti-Malware blade is not worked and we unable to find the SAB agent on the taskbar.

Results 2: Windows 10 and 8 with E80.96 package, The application is started initially but suddenly it terminated but we got 4 results and it's showing checkpoint SBA is not venerable. (Reason: Maybe SBA behave kowbe4 application done some unknown activity so SBA terminate this application).

I exclude the three process "Ranstart.exe", "Starter.exe" and "Collector.exe".

Then again I start scanning and see the below results after scanned completed.

Out of 14, 4 is showing vulnerable.

Anti Malware version: 201906191126

Still, I need to check whether SBA is able to block those Ransomware or not but pls requesting everyone to look into this. I am sure that SBA will block those ransomware.

Regards

@Chinmaya_Naik

Re: Ransomware Simulator Tool results showing Checkpoint Endpoint unable to detect known Ransomware

Pasha_Pal — Sun, 23 Jun 2019 13:22:19 GMT

Note: the following is about SBA Anti-Ransomware only.

So this test tool does not simulate reality.

The primary issue with this test tool is that it Creates the samples it wants to encrypt. As a result, when Anti-Ransomware gets triggered it first checks if the incident created the files that it modifies and it sees that it does, and does not detect.

If you stop to think about it, real ransomware attacks modify already existing files on a system.

This validation greatly reduces false positives. The side-effect is that it also greatly reduces detection of "ransomware simulators".

In essence, this tool will not trigger Anti-Ransomware based on its file activity, unless the files already exist on the system.

Additional Notes:

This tool is detected as "riskware" by our reputation.

One last thing, your exclusions would block SBA Anti-Ransomware and Behavioral Guard to detect on the files, because ranstart.exe is one of those processes that is encrypting the files.

Re: Ransomware Simulator Tool results showing Checkpoint Endpoint unable to detect known Ransomware

Chinmaya_Naik — Tue, 25 Jun 2019 06:29:03 GMT

Thank You so much @Pasha_Pal , thanks for the information.

But I have one simple query, If that Simulator Tool is treated as "riskware" by reputation then why SBA does not block the application on the initial stage itself.

regards

@Chinmaya_Naik

Re: Ransomware Simulator Tool results showing Checkpoint Endpoint unable to detect known Ransomware

Pasha_Pal — Tue, 25 Jun 2019 19:17:06 GMT

SBA does not use online reputation directly to block files. We have many engines some of which use reputation to make a decision on deletion of files. Blocking based on reputation only is on our roadmap.

Re: Ransomware Simulator Tool results showing Checkpoint Endpoint unable to detect known Ransomware

Chinmaya_Naik — Wed, 26 Jun 2019 07:48:14 GMT

Tank you @Pasha_Pal for the update.

Hopeso we will see such a feature soon 👍

@Chinmaya_Naik