WSA fails KnowBe4 Ransim ransomware simulation test

  • 2 November 2017
  • 2 replies
  • 55 views

We have run the KnowBe4 Ransim v1.1 simulation and found that WSA has trouble protecting against this quite useful ransomware test simulation. This is an updated version of the test that did pass according to previous Webroot testers.
Previous older version of the Ransim test is mentioned here:
https://community.webroot.com/t5/Product-Questions/Knowbe4-RanSim-Ransomware-Simulator/td-p/273428
 
We have enabled PUA detection on a copy of the Recommended Default Policy in Endpoint Protection console and checked the policy was updated on the Win7 endpoint.
 
Any other recomendations?
 


2 replies

Badge +7
It's being blocked now during the install process so I can't verify what happened in your test.  My guess is that it was doing just enough "Safe" stuff that it wasn't triggering our hueristics.  
 
During your test, did you notice if the process was untrusted or being monitored by the Webroot agent?  If so, then that's the journaling part of the journaling and rollback feature.  So, it could be that during the test, your fake test files were being stored safely in the Webroot journal.  Then when it was detected as bad (as it is now) then those files would be rolled back.  
 
Hope that helps.
Previous Webroot tests using this tool have produced a good result with all 5 tests passed. (screenshot below)
If there is no way to get a "passed" result to show to our clients is there another tool that can show the efficacy of Webroot? (Eicar test is too simple)
Thanks
 

Reply