Is Ransomware Protection really effective?

JFTN
JFTN Posts: 9 Observer

Hello I wanted to make sure the Ransomware Protection was indeed protecting me.

As far as I understand, the purpose of this layer is to protect me from a new ransomware that would go undetected.

So I made a small test, and the result is I don't feel confident about the protection in certain conditions.

Based on my test, I suspect that if the malware is not detected by the "Virus Protection" and "DeepGueard" layers, then the "Ransomware Protection" does not prevent my files from being encrypted.

Details of my test follow.

I just want to test the Ransomware Protection layer, not Virus Protection nor DeepGuard (which are doing a good job).

I can just disable Virus Protection, but DeepGuard has to be active in order for the Ransomware Protection to be active as well.

My test conditions:

  • Virus Protection disabled
  • DeepGuard active but machine offline
  • Ransomware Protection active

DeepGuard was very efficient at blocking ransomware in online mode, so I had put the machine offline.

An interesting sample is DeriaLock (found in Endermanch GitHub repo - warning be cautious).

DeriaLock does not reboot the machine to encrypt the files, it's done directly in Windows.

Result is, all the files are actually encrypted, with or without Ransomware Protection.

My concern is that a new ransomware might go through Virus Protection and DeepGuard and successfully encrypt the files.

This is why I fear the Ransomware Protection layer is ineffective in this scenario.

Ukko

Answers

  • JFTN
    JFTN Posts: 9 Observer

    As a side note, I made the same test with Kaspersky Security Cloud and obtained the same result, this is why I would like your opinions on this case.

  • JFTN
    JFTN Posts: 9 Observer

    As a side note to the side note, Windows Defender had no issues protecting the files.

  • Jaims
    Jaims Posts: 601 Moderator

    Hi @JFTN

    For you to test our Ransomware Protection, Deepguard must be turned On as well. This is how our protection works!

    You can read more about this on the help page below;

    https://help.f-secure.com/product.html#home/safe-windows/latest/en/task_8A1E6E8336D94A2996A1596289339773-safe-windows-latest-en

  • JFTN
    JFTN Posts: 9 Observer

    As I said

    My test conditions:

    • Virus Protection disabled
    • DeepGuard active but machine offline
    • Ransomware Protection active


  • JFTN
    JFTN Posts: 9 Observer

    I think that your Randomware Protection is useless, because either the ransomware is detected by DeepGuard and not executed, or the ransomware is free to encrypt all files.

  • Ukko
    Ukko Posts: 3,248 Superuser

    Hello,

    Sorry for my reply. I am only an F-Secure user (their home solutions). So, only my own feelings.

    And, actually, F-Secure with an excellent white papers and blogs/articles about their technologies and things around.

    As far as I understand, the purpose of this layer is to protect me from a new ransomware that would go undetected.

    Maybe. But also to define protected folders, where more stringent checks should be.

    I just want to test the Ransomware Protection layer, not Virus Protection nor DeepGuard (which are doing a good job).

    I think that the Ransomware Protection mostly is "extension" for both modules VP (as such) and surely DeepGuard.

    DeepGuard active but machine offline

    Very good point to test, but current F-Secure SAFE (and DeepGuard) with high requirement to be with Security Cloud connection. So, online state for much more proper detections and even much more detections.

    And especially if to threat this layer as protection against "a new ransomware".

    My concern is that a new ransomware might go through Virus Protection and DeepGuard and successfully encrypt the files.

    In general, such a situation is possible. But, with up-to-date state of system and F-Secure solution, with online connection, with other proper settings in 'on' mode - there less percents to be so.

    It also depends on how malware works. Against some forms F-Secure can be more powerful or not. It always fine to contact their F-Secure Labs - if there any 'undetected' (unknown) samples around.

    This is why I fear the Ransomware Protection layer is ineffective in this scenario.

    But one point to ask - what is this scenario? Offline machine?

    It was not just too clear enough about your conclusion - F-Secure detected all described (then) Ransomware with online connection? And only with offline state - DeriaLock encrypts files? Also was it Administrator type account (just for sure)?

    I think that Randomware Protection is useless, because either the ransomware is detected by DeepGuard and not executed, or the ransomware is free to encrypt all files.

    Probably, there is no such thing as "only" Ransomware Protection. If malware is not detected by DeepGuard by default, then there is a possibility that can be detected with enabled "Ransomware Protection" and when 'protected folders' in trouble.

    But this is just a small portion of my opinion. I have not tested this layer. Just as a discussion between community users.

    Thanks!

    JFTN
  • JFTN
    JFTN Posts: 9 Observer

    Thank you for your answer.

    What I want to test is the behavior of the Ransomware Protection against unknown malware.

    Windows Defender is effective in this scenario, whereas F-Secure is not.

    So my conclusion is there is malware protection but there is no "ransomware protection". This is a lie.

    Ukko
  • Ukko
    Ukko Posts: 3,248 Superuser
    edited June 30

    Hello,

    And thank for your response! Yes, your concern is quite good and clear.

    What I want to test is the behavior of the Ransomware Protection against unknown malware.

    I just think that, perhaps, "Ransomware Protection" as such is an option for DeepGuard and overall Protection of F-Secure SAFE. So, it is partially impossible to test only this option against unknown malware (in a sense).

    Again, if in the online state - 'unknown' malware was blocked - then this is how the current (modern) protection designed and works. However, indeed quite good to be with 'extra' protection even when offline.

    So my conclusion is there is malware protection but there is no "ransomware protection". This is a lie.

    Difference between "malware" and "ransomware" is only about more specific way to disturb and so things. Thus, when Ransomware Protection option is enabled - then DeepGuard and other Protection parts are ready to combat against it as about something specific rather than general malware. So, more specific checks or strict ones when "unknown" (suspicious or untrusted) process / file / something tries to do tricky things with protected folders.

    Anyway, if I understood right - your test results are about next statistics: all samples were detected by F-Secure with disabled "Ransomware Protection" option? And no one sample detected specifically when this option is enabled? If so - indeed somewhat strange, but still there can be a certain ransomware that will be detected only with this enabled option (probably).

    // ... Sorry for my English.

    Thanks!

    Jaims
  • JFTN
    JFTN Posts: 9 Observer

    This is not easy to test actually. I only have well known ransomware at hand, and obviously if I'm online they are all detected and removed immediately by Deep Guard.

    I am trying to understand the additional protection provided by the "ransomware protection" layer.

    So far, my conclusion is "none".

  • JFTN
    JFTN Posts: 9 Observer

    Ok I finally could find zero-day ransomware for my test, which I could execute with all F-Secure protection layers active.

    And I am happy to tell you, the Ransomware Protection layer is actually doing SOMETHING!

    It detects suspicious changes in protected files, and immediately reports to Deep Guard, which in turn blocks the ransomware process.

    Result: I had one file half-encrypted that was not recovered, but my other files have been protected. I feel better now.

    Also, this explains the result obtained by "The PC Security Channel" on YouTube ("F-Secure: Test vs Malware", July 2021): in his test with many ransomware samples, each ransomware was able to encrypt ONE file before being blocked by Deep Guard.

    Have a nice day

    Ukko