Chinmaya_Naik
Advisor

Ransomware Simulator Tool results showing Check Point Endpoint unable to detect known Ransomware

Hi Team,

Setup
OS: GAIA R80.20
Client Package : E80.96 , E81.00 ,E80.97
Windows Machine (Test): Windows 10 Pro, Windows 7 Pro, Windows 8 Pro
Jumbo HotFix: Take_47

Tools Name: knowbe4

Link: https://www.knowbe4.com/ransomware

KB: https://support.knowbe4.com/hc/en-us/articles/229040167

Issue: When I ran this application and started scanning, I saw some different results.

Result 1: Windows 7 with the E81.00 package: suddenly the Anti-Malware blade did not work and we were unable to find the SBA agent on the taskbar.

Result 2: Windows 10 and 8 with the E80.96 package: the application started initially but suddenly terminated; still, we got 4 results, and it shows Check Point SBA is not vulnerable. (Reason: maybe SBA saw the knowbe4 application doing some unknown activity, so SBA terminated this application.)


I excluded the three processes "Ranstart.exe", "Starter.exe" and "Collector.exe".


Then I started scanning again and saw the results below after the scan completed.


Out of 14, 4 are showing as vulnerable.

Anti Malware version: 201906191126


Still, I need to check whether SBA is able to block that ransomware or not, but I am requesting everyone to look into this. I am sure that SBA will block that ransomware.

Regards

@Chinmaya_Naik 



Accepted Solutions
Pasha_Pal
Employee Alumnus

Note: the following is about SBA Anti-Ransomware only.


So this test tool does not simulate reality.

The primary issue with this test tool is that it creates the samples it wants to encrypt. As a result, when Anti-Ransomware gets triggered it first checks whether the incident created the files that it modifies, sees that it did, and does not detect.

If you stop to think about it, real ransomware attacks modify already existing files on a system.

This validation greatly reduces false positives. The side-effect is that it also greatly reduces detection of "ransomware simulators". 

In essence, this tool will not trigger Anti-Ransomware based on its file activity, unless the files already exist on the system.


Additional Notes:

This tool is detected as "riskware" by our reputation.

One last thing: your exclusions would stop SBA Anti-Ransomware and Behavioral Guard from detecting on the files, because ranstart.exe is one of the processes that is encrypting the files.

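The provenance check the answer describes (count a process's modifications of files that already existed, ignore files the same process created) can be modelled in a few lines. The following is an added illustration, not Check Point's code; the event format, the `unknown.exe` / `winword.exe` process names, the file paths and the alert threshold are all constructed for the example. It shows why a create-then-encrypt simulator scores zero under this rule while a process that rewrites pre-existing documents is flagged:

```python
"""Toy model of an anti-ransomware provenance heuristic.

Added example (not Check Point's implementation). A file-activity monitor
records which files each process created; writes and renames to those
self-created files are ignored, and only changes to pre-existing files
count towards a per-process alert threshold.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class FileEvent:
    pid: int
    process: str
    op: str    # "create", "write" or "rename"
    path: str


def analyse(events: Iterable[FileEvent], threshold: int = 3) -> dict:
    """Return {"counts": {process: n_pre_existing_files_modified},
               "flagged": {process, ...}} for the given event stream.
    The threshold (3) is a constructed value for this example."""
    created_by: Dict[int, Set[str]] = defaultdict(set)
    modified_existing: Dict[int, Set[str]] = defaultdict(set)
    names: Dict[int, str] = {}

    for ev in events:
        names[ev.pid] = ev.process
        if ev.op == "create":
            created_by[ev.pid].add(ev.path)
        elif ev.op in ("write", "rename"):
            # The check from the answer: a process touching files it
            # created itself is not treated as ransomware-like activity.
            if ev.path in created_by[ev.pid]:
                continue
            modified_existing[ev.pid].add(ev.path)
        else:
            raise ValueError(f"unknown op {ev.op!r}")

    counts = {names[pid]: len(modified_existing.get(pid, set())) for pid in names}
    flagged = {name for name, n in counts.items() if n >= threshold}
    return {"counts": counts, "flagged": flagged}


def simulator_events(pid: int = 100, name: str = "Ranstart.exe", n: int = 14) -> List[FileEvent]:
    """Constructed event stream for the create-then-encrypt simulator pattern:
    every file it later writes was created by the same process."""
    paths = [f"C:\\Users\\test\\Desktop\\sim\\sample{i}.txt" for i in range(n)]
    return ([FileEvent(pid, name, "create", p) for p in paths]
            + [FileEvent(pid, name, "write", p) for p in paths])


def mass_modify_events(pid: int = 200, name: str = "unknown.exe", n: int = 5) -> List[FileEvent]:
    """Constructed event stream for the real-world pattern the answer
    contrasts with: overwriting and renaming documents that already existed."""
    paths = [f"C:\\Users\\test\\Documents\\report{i}.docx" for i in range(n)]
    return ([FileEvent(pid, name, "write", p) for p in paths]
            + [FileEvent(pid, name, "rename", p) for p in paths])


# Constructed sample: simulator, a mass-modifying process, and a benign editor
# that saves a single pre-existing document.
SAMPLE_EVENTS: List[FileEvent] = (
    simulator_events()
    + mass_modify_events()
    + [FileEvent(300, "winword.exe", "write", "C:\\Users\\test\\Documents\\notes.docx")]
)

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for proc, n in sorted(result["counts"].items()):
        print(f"{proc:14s} pre-existing files modified: {n:2d}"
              f"{'  <-- flagged' if proc in result['flagged'] else ''}")
```

Running it shows `Ranstart.exe` at 0 despite writing 14 files, `winword.exe` at 1 (below threshold) and `unknown.exe` at 5 and flagged, which is the trade-off the answer describes: the provenance rule removes a large class of false positives at the cost of not seeing a simulator that manufactures its own victims.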

4 Replies
Chinmaya_Naik
Advisor

Thank you so much @Pasha_Pal, thanks for the information.

But I have one simple query: if that simulator tool is treated as "riskware" by reputation, then why does SBA not block the application at the initial stage itself?

regards

@Chinmaya_Naik 

Pasha_Pal
Employee Alumnus

SBA does not use online reputation directly to block files. We have many engines some of which use reputation to make a decision on deletion of files. Blocking based on reputation only is on our roadmap.

Chinmaya_Naik
Advisor

Thank you @Pasha_Pal for the update.

Hopefully we will see such a feature soon 👍

@Chinmaya_Naik 
