Checkmates Post

Ransomware Simulator Tool with Check Point Endpoint

Checkmates Link :

https://community.checkpoint.com/t5/SandBlast-Agent/Ransomware-Simulator-Tool-results-showing-Check-Point-Endpoint/m-p/56677#M486

Setup:

OSGAIA R80.20
Client PackageE80.96 , E81.00 ,E80.97
Windows Machine (Test)Windows 10 Pro, Windows 7 Pro, Windows 8 Pro
Jumbo HotFixTake_47

Tools Name: knowbe4

Link: https://www.knowbe4.com/ransomware

KB: https://support.knowbe4.com/hc/en-us/articles/229040167

Issue: When I ran this application and start scanning then see some different results.

Results 1: Windows 7 with E81.00 package, Suddenly Anti-Malware blade is not worked and we unable to find the SAB agent on the taskbar.

Results 2: Windows 10 and 8 with E80.96 package, The application is started initially but suddenly it terminated but we got 4 results and checkpoint SBA is showing not vulnerable. (Reason: Maybe SBA behave kowbe4 application done some unknown activity so SBA terminate this application).

I exclude the three process “Ranstart.exe”, “Starter.exe” and “Collector.exe”.

Out of 14, 4 is showing vulnerable.

Anti Malware version: 201906191126

Still, I need to check whether SBA is able to block those Ransomware or not but please requesting everyone to look into this. I am sure that SBA will block those ransomware that showing vulnerable.

Solution 1 By Pasha_Pal (Checkmates)

Note: the following is about SBA Anti-Ransomware only.

So this test tool does not simulate reality.

The primary issue with this test tool is that it Creates the samples it wants to encrypt. As a result, when Anti-Ransomware gets triggered it first checks if the incident created the files that it modifies and it sees that it does, and does not detect.

If you stop to think about it, real ransomware attacks modify already existing files on a system.

This validation greatly reduces false positives. The side-effect is that it also greatly reduces the detection of “ransomware simulators”.

In essence, this tool will not trigger Anti-Ransomware based on its file activity, unless the files already exist on the system.

Additional Notes:

This tool is detected as “riskware” by our reputation.

One last thing, your exclusions would block SBA Anti-Ransomware and Behavioral Guard to detect on the files, because “ranstart.exe” is one of those processes that is encrypting the files.

My Query (In response)

But I have one simple query, If that Simulator Tool is treated as  “riskware” by reputation then why SBA does not block the application on the initial stage itself?

Solution 2 By Pasha_Pal (Checkmates)

SBA does not use online reputation directly to block files. We have many engines some of which use reputation to make a decision on the deletion of files. Blocking based on reputation only is on our roadmap

Leave a Reply

Your email address will not be published. Required fields are marked *