Solved

Knowbe4 RanSim Ransomware Simulator

  • 27 October 2016

I recently discovered this ransomware simulator test from KnowBe4: https://www.knowbe4.com/ransomware-simulator
Actually found this on Spiceworks: https://community.spiceworks.com/topic/1874415-ransomware-simulator-we-failed
It simulates 5 different types of ransomware, and allows you to see if your security solution will protect you from it.
 
I had a new laptop that I had just provisioned for a user (I am an MSP), and after I installed Webroot SecureAnywhere Endpoint (Business), I decided to test how Webroot would fare. I am disappointed to say that according to the results it failed 5 out of 5. Webroot did quarantine the installation package when I attempted to copy it over to the laptop, but after recovering it from quarantine I was able to install it and run the simulator. One person in the Spiceworks community post stated that he had Webroot and it detected all 5 and was not vulnerable. I did not get the same results. My policy is pretty much the default settings from the Global Recommended Defaults policy.
 
I was wondering if anyone else has tested this and also if maybe Webroot support has more information to share. I would definitely like to see Webroot handling this test better. 
 
A screenshot of the results:
 
Thanks
LThibx

Best answer by coscooper 16 November 2016, 17:01


4 replies

Hi LThibx!
 
Apologies for the delay. We have re-run this test and we now get a perfect score. I'm not quite sure what has happened in the interim, but perhaps your test might have been using an incorrect policy? If you re-run this test with the default policy and you still get bad results, perhaps this could hint at installation or comms issues, so please contact our support.
 
Thanks
 
 
@ - I would highly recommend copying the default policy and changing the PUA setting to on, especially when you're testing. All of us who work with customers always recommend as best practice to create a copy and use the defaults as templates and NOT assign them to any working endpoint. Change PUAs and you'll be better protected.
 
Policy -> Scan Settings -> (Scroll to the bottom)-> PUA - turn to on. (It's off by default).
 
HTH
~Shane
@, @,
 
Thanks to both of you for leading me in the right direction. 
  • First, I always make copies of the default policies and make my changes to those copies. Never change the defaults.
  • Second, yes, I had to turn on the detection of PUAs in my policies' Scan Settings. Once I enabled this detection, RanSim ran as expected:


 
I have now changed my policies at the global level, so now I feel a bit more comfortable about the protection of all endpoints across my client base. 
 
Thanks again!
LThibx
 
@ - no problem, glad we could assist. I also went and grabbed the RanSim files after your post and tested them against several of our internal test VMs with 100% success. (PUAs on, of course. 😎)
