Troy Taylor
asked on
ESET AV for Business versus Ransomware
Please let me know your experience with ESET AV's effectiveness against ransomware. I used the KnowBe4 RanSim vulnerability test against my Vipre AV and it scored a perfect 10 on the protection.
https://www.knowbe4.com/ransomware-simulator
I ran the same test on ESET AV for Business and it failed all 10 tests. ESET support told us the simulation isn't "fair" since the RanSim application both creates the temporary test folders and files and then performs the simulated crypto attack on them. I don't think that is a "fair" answer. Even MS Windows Defender and an old version of AVG 2013 stopped at least one of the 10 attack methods.
Maybe there are some settings in ESET I'm missing.
Thanks,
Troy Taylor
As per advice given.
ASKER
Troy
>> Marcos' post
This is just a simulator of a specific behavior. It doesn't tell how well a particular AV protects from ransomware. That said, an AV that fails the "tests" may protect you way better from ransomware file encryption than most AVs that pass them. We don't detect innocuous applications, as part of the detection process is also checking its code in memory for resemblance with actual malware to prevent FPs, and this application (simulator) is indeed innocuous.
By the way, I reckon that in order to pass the tests it should be enough to create a HIPS rule that would ask for an action if a write operation on the "My Documents" folder is attempted.
As long as you use the latest version (i.e. Endpoint v6 in a business environment) and have all features enabled, the chance of getting files encrypted by malware should be pretty low. I don't say none, because there's no security solution in the world that would provide 100% protection from all threats without an excessive number of false positives.
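A toy version of the HIPS-style rule Marcos describes, added here as an example (not ESET's rule syntax and not code from the thread): it flags a non-allowlisted process that modifies many files under a protected folder within a short window, and it also shows why a simulator that only touches its own temp folder never enters the rule's scope. The folder paths, process names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    """One constructed file-system event (hypothetical format, not a real sensor's)."""
    process: str   # image name of the writing process
    op: str        # "write" or "rename"
    path: str
    ts: float      # seconds

PROTECTED_PREFIXES = ("C:/Users/troy/Documents/",)  # assumed: the "My Documents" folder
TRUSTED = {"winword.exe", "explorer.exe"}           # assumed allowlist of office/shell processes
WINDOW_S = 5.0    # sliding window for counting modifications
THRESHOLD = 10    # distinct protected files modified in the window before alerting

def is_protected(path):
    norm = path.replace("\\", "/").lower()
    return norm.startswith(tuple(p.lower() for p in PROTECTED_PREFIXES))

def evaluate(events):
    """Return [(process, distinct_files)] for each process that bulk-modifies protected files."""
    recent = defaultdict(deque)   # process -> deque of (ts, path) inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in ("write", "rename") or ev.process in TRUSTED or not is_protected(ev.path):
            continue   # out of scope: read, trusted writer, or file outside the protected folder
        q = recent[ev.process]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > WINDOW_S:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= THRESHOLD and ev.process not in alerted:
            alerts.append((ev.process, len(distinct)))
            alerted.add(ev.process)
    return alerts

def simulated_attack(target_dir, n=12, process="ransim.exe"):
    """Constructed events: one process overwrites and renames n files in target_dir within ~1.2 s."""
    events = []
    for i in range(n):
        p = f"{target_dir}/doc{i}.docx"
        events.append(FileEvent(process, "write", p, 0.1 * i))
        events.append(FileEvent(process, "rename", p, 0.1 * i + 0.05))
    return events

if __name__ == "__main__":
    print(evaluate(simulated_attack("C:/Users/troy/Documents")))                     # fires
    print(evaluate(simulated_attack("C:/Users/troy/AppData/Local/Temp/ransim")))    # out of scope
```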