You are definitely my favorite cybersecurity content creator by far. No cringe weird marketing tactics that only work on 12 year olds or anything. Straight to the point, no bs, I love it
Excellent video @pcsecuritychannel. It seems likely that behavior analytics aren't enabled for the CS product, as files are being encrypted and deleted immediately, which should be flagged by behavior monitoring. However, the key takeaway is spot on: it's crucial to pentest your high-cost solutions and regularly audit your prevention policy settings. Very informative.
I have heard that some cybersecurity insurers are requiring the insured company to use an EDR as part of their security solution. Which makes this report even more interesting.
Some insurers will give you a discount on your premium if you enroll in certain MDR providers. I have not heard of them making it mandatory - not that you are wrong, I just hadn't heard of it. Are you able to name the carriers that make EDR a requirement?
Looks like Sophos is the only solution to not just detect, but block and reverse the attack fully with restoring all files! Closely followed by Bitdefender that managed to stop the attack quickly but files got lost. S1, Crowdstrike and Microsoft Defender seem to have missed this. Insurance should definitely take that into account as this is where damage will occur.
CrowdStrike is meant to protect against outside attacks. It has a better chance of stopping the download of the malicious software. I might be wrong, but it probably has little or nothing to do with files already located on your PC.
The file doesn't just appear on a PC, right? It's either created by the user, and hence it's his/her responsibility, or downloaded from outside, normally the internet. Traffic analysis is the main task for many corporate security suites. It totally makes sense for many realistic scenarios, including outside attacks, like DDoS etc.
I’m a little surprised that Bitdefender didn’t restore the files. I mean, in the ransomware remediation section there is an option to be checked to automatically restore files that were encrypted by ransomware, and a manual button to restore files that have been encrypted. Great video though Leo!
@@youtuvi7452 yeah the free version needs you to click restore manually. in gravity zone there are options to do this automatically and I think the paid version of home as well. ( could be wrong with the consumer BD versions, don't deal with them much)
Looks like Sophos is the only solution to not just detect, but block and reverse the attack fully with restoring all files! Closely followed by Bitdefender that managed to stop the attack quickly but files got lost. S1, Crowdstrike and Microsoft Defender seem to have missed this. Can you run this same attack but this time doing a remote execution? Meaning the ransomware is run remotely which is a popular approach in ransomware right now?
Glad to see Sophos still performs well in your tests, since I've been using it ever since you first showcased it on your channel, and back then it was the best in your tests because of the built-in HitmanPro.
Hey, I am a Sophos security engineer. I do see that you are using the Home Premium version here, but I would like to share that the enterprise solution, which is Sophos Central Endpoint, has more behavioural-based components, which is HMPA along with the XDR data collection. My suggestion would be to test the Sophos endpoint rather than the home version, as the endpoint product is more targeted towards enterprise solutions. Otherwise, love watching your videos and you are making a serious contribution to the cybersecurity field. Keep up the good work. Cheers!
As he said at 7:15 the home and enterprise product "behaved exactly the same" so only showed one. It's actually a major plus point that the home product beats out the enterprise products and was shown instead of IX EDR, that's the takeaway for your free marketing.
Are you currently using Windows Defender Antivirus, or do you have the full Microsoft Defender for Endpoint (MDE) solution implemented? This will help us determine the level of security you're working with. Windows Defender Antivirus and Microsoft Defender for Endpoint are distinct solutions. You can't compare a consumer antivirus like Windows Defender Antivirus with something like CrowdStrike, which is an EDR solution. A fair comparison would be between CrowdStrike and Microsoft Defender for Endpoint, as both are EDR solutions.
This isn’t Defender for Endpoint you can tell by the fact the security settings can be manipulated amongst other things. He claims Defender was configured with its full protection, but I guarantee its cloud protection level is on “default/normal” and cloud check timeout wasn’t at 60 seconds.
I've been watching your channel for a while now. It has helped me in my career in cyber-security. I got accepted into a university for my bachelor's degree. I'll let you know how I do in 4 years!!
1:26 Why did Windows Defender SmartScreen not pop up when you clicked on the exe? It looks like ‘Check apps and files’ is Off in the ‘App & browser control’ tab, which you did not show at 0:50
That’s just one case, one malware. That does not cover the whole landscape. Also, these products need to be configured correctly. He didn’t show his setting which is not professional behavior.
@@A42yearoldARAB no, he specifically mentioned that he had the malware detection on moderate. Those are enterprise solutions requiring enterprise configuration. This guy is kind of clueless when it comes to enterprise solutions.
@@runge340 that’s the impression I’ve got too. Have had SentinelOne configured correctly with Huntress on thousands of endpoints. Many ransomware attack attempts and not a single one got through. I’ve also managed CrowdStrike. Same thing. He even put EDR solutions and used the built in Defender instead of Defender 365. There’s a difference. Video is very misleading and leaves out details. Not a video that I would base my own XDR research on.
Leo, it would be really interesting if you could include two other components in a test like this: 1) A sync tool like OneDrive or Dropbox 2) An external drive that has a copy of a few of each typical file type. This would allow people to see what would happen if they have their backup drive connected or a file sync app running when such a threat hits.
In terms of cloud syncing (Google Drive, Dropbox and OneDrive) you can undelete the original files and then delete the encrypted ones. As for external drives, in theory it should just act the same and encrypt those too.
Any Chance to get this test with a remote ransomware attack? would be fascinating to see, how the respective solutions act, when the ransomware is not running on the target system, but accessing the fileshare of a system running the endpoint protection.
I don't want to brag, but being a Romanian, i have to give to the rest of the world(those that still have no clue what Bitdefender is) this piece of information here: Bitdefender is a Romanian cybersecurity technology company headquartered in Bucharest, Romania, with offices in the United States, Europe, Australia and the Middle East. The company was founded in 2001 by the current CEO and main shareholder, Florin Talpeș. Wikipedia
I would like to see more consistent tests with the same actions for every single run: if you check something on one EDR, you should do the exact same check (if possible) on the rest. I think it would be super helpful for you to go through all the settings of each one. You said these were from different tests while doing a lot of tests, but without that consistency the video is just "trust us".
I would be interested in seeing if the detection changes if you use an info stealer. How much potentially confidential data can an attacker get before it’s detected? In an enterprise, you should have a snapshot/backup of the important data and alerting if a large number of files change. Not just against ransomware but also against accidental deletion/changes.
Is this Windows Defender (free and embedded) or Defender for Business (commercial product like CrowdStrike) with all EDR and attack surface reduction enabled?
I'm a CrowdStrike engineer (and a fan boy) and would love to review what settings you have opted for in your prevention policy. I don't expect a reply but I had to offer. Edit - excellent video that is really valuable. Many of these enterprise solutions are not easily accessible for the general public to test without jumping through hoops.
Hello, we currently have crowdstrike falcon on all our endpoints and this video has me concerned. Can you provide some documentation to ensure that our CS agents running on our devices are correctly configured to protect against what is shown in this video? Greatly appreciate your help and time. I am looking at bit defender lustfully currently -_-.
@rikachiu unfortunately I can not and as you are aware documentation can be found when logged into the management console. Look up prevention policies and stay up-to-date with news as new features will be added and will need updating. Remember you will never be contacted through comments. Do not take advice from comments, they pose a huge risk.
@@pwhittak88 ty, appreciate the feedback. When we purchased CrowdStrike, we were under the impression it would be completely managed for us, so it is definitely concerning how easily this ransomware encrypted everything without the CS sensor even doing anything about it
A good security product should have enough default configuration from the factory to provide protection from zero-day attacks. Then the sysadmin can further customise the product to their liking. If these expensive products fail against behavioural attacks, then we have already lost the battle.
If you are expecting the separation of Admins and Users to be your primary safety net nowadays, then you are in for trouble. Having safeguards even on admin executed tasks can be annoying, but it can also be life saving. This video is a good example of why heuristic detection exists, thanks for posting this.
That's why I'm honestly skeptical of this video. I have had programs (crackmes) quarantined for just using XORs and simple obfuscation, txt documents blocked for having PHP shell scripts that have literally nothing to do with the OS, and others, from Windows Defender alone (non-enterprise of course). Something isn't adding up here; hopefully he releases the mock malware code that was used so there can be some more context.
@@cristiannunez372 Bad comprehension says it all... It's unknown ransomware because it's not in the wild and not in the antivirus database of KNOWN ransomware signatures. It's explained in the video... that arcsh6262 obviously did not actually watch. Arsh obviously doesn't understand this concept and is comparing detections that are known to MS with those that aren't. They're missing the entire point of the video.
@@arvydasurbonavicius5170 If I was living in Russia maybe I would use Bitdefender. If I was living in the USA, I would definitely use Kaspersky. There is a reason Kaspersky is a target of US authorities; Kaspersky likely would not ignore NSA / FBI / MI6 malware and Kaspersky likely rejected any such request. All other AV software is likely designed to ignore such 3LA-generated malware.
Normally it should be based on a program signature. No valid digital signature, no data access without clear administrator permission. That's the reason why I'm usually very skeptical about tests like this )
Exactly - this test could simply have run 7Zip with a command line, and zipped all the documents with a password and it would look exactly the same. No ransom notes? No extension changes?
7Zip if I remember has no digital signature recognized by Certificate Authorities. It could certainly be a bad encryption program ) I guess 7Zip is somehow put into a white list, to avoid false positive detections
@@bobcrusaderYeah if I was performing an operation like that on a batch of files *with script console output* , I'd be annoyed if the AV kept getting involved
Curious to know what Falcon policy was configured at the time of the test. There are ways to configure the Falcon sensor to detect only, and I think it would be helpful to show in a video like this exactly what posture is applied to the sensor. Same goes for SentinelOne and others. Without this information being included, it can appear as if the video was gamed to produce a specific outcome.
you used some non enterprise versions, right? like for bitdefender we use bitdefender gravityzone and i have no clue if that would protect me as well. we are about to buy crowdstrike, what exact version of crowdstrike did you test?
other people mention run it against Acronis or F-Secure or Malwarebytes. maybe what I think would fail is Norton or McAfee! OH nearly forgot it how about Avast too?
I have no idea if that is so, but I will say that even if Acronis has Bitdefender code inside it, Acronis might act differently because the software is very different from Bitdefender. This is assuming Bitdefender is inside Acronis.
Interesting results -- There is a lot of unknown details with the enterprise versions. For Crowdstrike, I see Leo said the Prevention settings were set to "moderate". Crowdstrike Prevention settings are "disabled", "cautious", "moderate", "aggressive" and "extra aggressive". I would NOT think "most" would use "moderate" settings (I know I don't). Having said that, I'm not sure "aggressive" would have behaved any differently in this test. Would have liked to see further testing. 6 figures? Ha! Enterprises are in 7 figures these days (Especially if leveraging MDR). False sense of security? Not I. That's why you carry insurance, do vulnerability testing, perform system hardening, do annual cyber assessments, do employee training, patch management, Disaster Recovery, not to mention all the other facets of Cyber that greatly increase costs in an effort to reduce risks. Even doing everything you can, it takes one sample, like Leo is demonstrating, to ruin a weekend or longer.
What CS would say is that the malware does not represent the attacks they see in the real world and thus wasn't blocked, which is a fair thing to say. In EDR products you can't add overrides/exclusions without the security team reviewing the event and giving it a thumbs up or not. Our team did a similar test to this video and CS missed it, S1 blocked it but also had more false positives on other legitimate software. It's hard to imagine an actual ransomware would leave a window visible and output the files it's encrypting. Some AV products keep track of the files accessed by processes and lock anything that modifies/opens files on disk at a high frequency; whether it's ransomware or not doesn't matter, it will trigger the ransomware protection. Is it nice? Probably, in some cases, particularly on consumer-grade computers, but this kind of mitigation is prone to false positives and can be bypassed by higher-complexity attacks. A ransomware goes beyond encrypting files: it should delete shadow copies/backups, it should be fast and target other services that are typically non-existent on consumer-grade computers. I understand a file acting like a ransomware is something people want to see blocked, but when you look at the whole picture, it's a different paradigm of malware; malware that targets enterprise setups is specialized for those. I still think EDRs/MDRs/XDRs have a ton of flaws, but IMO this video doesn't do a good job at pointing them out. Regarding the configuration, IIRC medium is recommended for tier-3 workloads where a compromise is like... whatever; aggro and very aggressive are the go-to, but I don't think it would have made any difference in this case. I believe the reason why settings aren't shown is because both EDRs have a clause that forbids public benchmarks without consent, so this makes it harder to track the accounts being used; if S1/CS want to track the original account they will have to do some digging.
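As an added example (not code from the video, the channel, or any vendor named in this thread), the following Python sketches the kind of behavioural heuristic the comment above describes: per-process write-rate tracking, a count of distinct files overwritten with random-looking data, and a decoy-file check of the sort later replies mention as a SentinelOne feature. The paths, thresholds, process IDs and the event stream are constructed assumptions; the "slow" variant with a sleep between files, which the FAQ says was also tested, is included to show which signal survives the delay, and a bulk photo import is included to show the false-positive cost the comment warns about. A real sensor would consume kernel file-system callbacks rather than an in-memory list of events.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    """One file write as an EDR sensor might report it (constructed, not a real telemetry format)."""
    ts: float    # seconds since the process started writing
    pid: int
    path: str
    data: bytes  # content of the new file version


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, 0.0 for a single repeated byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Flags a pid on any of three signals: a burst of writes inside a sliding window,
    many distinct files overwritten with high-entropy data, or a write to a decoy file."""

    def __init__(self, decoys=(), window_s=10.0, burst_writes=20,
                 entropy_bits=7.5, high_entropy_files=10):
        self.decoys = set(decoys)
        self.window_s = window_s
        self.burst_writes = burst_writes
        self.entropy_bits = entropy_bits
        self.high_entropy_files = high_entropy_files
        self._recent = defaultdict(deque)      # pid -> timestamps inside the window
        self._high_entropy = defaultdict(set)  # pid -> paths overwritten with high-entropy data
        self.flagged = defaultdict(set)        # pid -> every reason seen so far

    def observe(self, ev: WriteEvent) -> set:
        reasons = set()
        if ev.path in self.decoys:
            reasons.add("decoy")
        window = self._recent[ev.pid]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.burst_writes:
            reasons.add("burst")
        if shannon_entropy(ev.data) >= self.entropy_bits:
            self._high_entropy[ev.pid].add(ev.path)
            if len(self._high_entropy[ev.pid]) >= self.high_entropy_files:
                reasons.add("entropy")
        if reasons:
            self.flagged[ev.pid] |= reasons
        return reasons


DOCS = "C:/Users/leo/Documents"          # assumed victim folder
DECOY = f"{DOCS}/~$decoy.docx"           # assumed planted decoy file
RANDOM_LOOKING = bytes(range(256)) * 16  # exactly 8.0 bits/byte; stands in for ciphertext or JPEG data
PLAIN_TEXT = b"quarterly report draft\n" * 200


def run_scenario(events, decoys=(DECOY,)):
    """Return {pid: set_of_reasons} for every pid the heuristic flagged."""
    h = RansomwareHeuristic(decoys=decoys)
    for ev in events:
        h.observe(ev)
    return {pid: set(r) for pid, r in h.flagged.items()}


def fast_ransomware(pid=4242, n=30):
    # 30 documents rewritten in 1.5 s with the decoy among them: trips all three signals
    paths = [f"{DOCS}/file{i}.docx" for i in range(n)]
    paths[3] = DECOY
    return [WriteEvent(i * 0.05, pid, p, RANDOM_LOOKING) for i, p in enumerate(paths)]


def slow_ransomware(pid=4343, n=30, delay_s=2.0):
    # same encryption with a 2 s sleep between files: never 20 writes in a 10 s window,
    # so only the entropy signal fires
    return [WriteEvent(i * delay_s, pid, f"{DOCS}/file{i}.docx", RANDOM_LOOKING)
            for i in range(n)]


def photo_import(pid=1001, n=30):
    # a legitimate bulk import of compressed images looks like the fast case minus the decoy
    return [WriteEvent(i * 0.05, pid, f"{DOCS}/Photos/IMG_{i}.jpg", RANDOM_LOOKING)
            for i in range(n)]


def archive_write(pid=777):
    # one password-protected archive written by an archiver: high entropy, but a single file
    return [WriteEvent(0.0, pid, f"{DOCS}/backup.7z", RANDOM_LOOKING)]


if __name__ == "__main__":
    for name, events in [("fast ransomware", fast_ransomware()),
                         ("slow ransomware", slow_ransomware()),
                         ("photo import", photo_import()),
                         ("archive write", archive_write())]:
        print(f"{name:16s} -> {run_scenario(events)}")
```

The point of the four scenarios is that each signal has a bypass and a false-positive case: the delay defeats the rate window, a photo import trips both rate and entropy, and a decoy only fires if the ransomware enumerates the folder it was planted in.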
Leo is also demonstrating why properly configuring your XDR solution is important. There are at least a dozen settings in CS and without seeing their configuration the results are something to take with a big grain of salt.
@@Scio-to1ur I agree with what you are saying, as well as some times I wonder if Leo doesn't have an axe to grind (I don't have to wonder). Also, you are absolutely right about the settings, because there's quite a few options. Having said that I've got this little guy on my shoulder telling me even with the most optimal settings, the test would not have ended any differently. Clearly this test shows Crowdstrike has work to do with their product. If I were Crowdstrike, I would get that sample from Leo, and learn from it.
I did more research -- It could be aggressive would have blocked this.. why? the detections between moderate and aggressive are pretty much the same. The difference is aggressive automatically blocks more. We never saw the Crowdstrike dashboard and what it detected due to it being in moderate mode. It could very well be aggressive would have blocked it.
Even with SentinelOne, you could tag any of those behaviors as a Storyline and then issue the Rollback command. It would have reversed all the encryption. That's why it is different. Even if it “misses”, it can reverse it.
people who cannot afford paid software can use free backup utilities. It's a good protection against non-legit data encryption, as well as data loss, corruption, accidental removal etc
@@logician44 Spoken like someone that's not familiar with S1. It really can roll back file changes once the malicious activity is tagged, and it pushes that policy to all affected endpoints in real-time. Just showing that it didn't catch it preemptively isn't enough to showcase all the platform can do, and that's a misrepresentation of the product as a whole.
@@logician44 reversing encryption and file damage is a key differentiator that other tools don’t have. Being able to turn back time in damaged files is a key difference. All the repair bits were there in the scenario; it just wasn’t used.
@@logician44 not having rollback enabled actually makes a gigantic difference. Same goes with Detect Interactive Threat. If the latter setting was enabled, that script would have been terminated.
Awesome video! Surprised to see most of the major EDR didn’t detect weird behaviour on the machine as real time detection is one of the key components of EDR. One addition to running the EDR with real time, exploit detection etc. , do we need to implement much more tighter policies like quarantine any files that initiates certain child processes, renaming of a file to .exe? I’m certain Defender has attack surface reduction feature, not sure about other EDR
sorry but instead of Windows Defender I suggest using Defender for Endpoint which is the enterprise grade endpoint security from Microsoft since this is not Apples to Apples.
I recall making a recommendation to you a while back in one of your previous videos to test enterprise EDR solutions, so it's nice to see you do this. However, the main issue with this experiment is that you didn’t show how any of the prevention policies were configured. CrowdStrike Falcon, when properly configured with the prevention policies all enabled, specifically for ransomware, ML, and cloud-based analysis, would have blocked this threat without issue. The long sleep is a dead giveaway for ML/heuristics. Not trying to critique the video too harshly, just wanted to suggest that showing each product in its best possible configuration will give more accurate results.
The prevention policies were all enabled so that is just not true. I demonstrated that with a different ransomware sample. I don't show the policies on video for privacy reasons since many of these tests were configured by community members.
@@pcsecuritychannel then your test is invalid if you can't show us the settings . You need to be transparent. If not then there's no point in doing these tests and you're chasing clout.
@@pcsecuritychannel Thanks for the prompt reply. I'm not sure I completely understand your response as it relates to privacy concerns as nothing in the CS tenant prevention policy gives away any sort of identifying or sensitive information however, with that said, would you be willing to share the sample of the example ransomware you ran on the CS box? I'll gladly run this in my own Crowdstrike tenant, record a video, and show you it mitigating this threat with the proper prevention policy configured.
@pcsecuritychannel either have better transparency and stop making excuses or don't make these videos. Share the hash of the file used. Or else this is chasing clout
@@enigma3474 Are you paid by CrowdStrike or something? Clearly the software sucks if you need to make a bunch of changes from the default settings to make it work as well as Bitdefender out of the box.
0:56 Is Ransomware protection active on user folders? I have it blocking all of "C:\Users". Since Desktop is protected by default, and since you are running a ransomware infection, I would think this has to be ON
i wonder what exactly the av identified to flag the file. maybe it just identified a common crypto library along with multiple file writes or something but that would still give a ton of false positives
This is why organizations should get a backup solution too, not just EDR or antivirus. These days backup solutions have a feature that alerts the administrator when they notice a massive amount of file changes during backup procedures, and this can be very useful for organizations to detect a ransomware situation much earlier, and you could also restore with the backed-up data.
"detect ransome ware situation much earlier and also you could restore with backed data" you wouldn't know the data is encrypted until the next backup job, which normally runs once every 24 hours. backups are not a useful tool to detect ransomware. security in layers has been the approach for any competent IT , utilizing EDR + immutable backups + zero-trust to thwart phishing, malware, ransomware, and loads more.
I'd hate to say it but I am skeptical of this video, the reason being is that I've tested blackmatter on Windows Defender and SentinelOne and both protected against it. Blackmatter, blacksuit, darkmatter were all detected by S1 and Defender, it didn't matter if it was a .py .bat or .exe. You probably have an excluded file or folder for these EXEs to stay on disk and not raise any alerts.
He is not using signature based detection because the goal is to simulate a zero day malware encrypting your files on an EDR antivirus product. I'm sure that detection rate would be very good on all the products if it was testing for known malware.
Love the channel and thanks for all of your extensive tests man! A few others have stated that you should show the EDR's settings and I agree. I mean even the bad guys can obtain a free trial if they really want to, so I don't see a reason why you can't show it. No need to show ALL the policy settings or anything, but the main detection setting is critical for managed EDR products like S1, CS, Webroot, Malwarebytes, etc. (Maybe do another more in depth video on your "TPSC Business" channel and link it here?) For SentinelOne, it did look as if you set it to "Detect" only, can you please confirm? I would have liked for you to have shown the endpoint in the dashboard under "Incidents" at the end showing in fact that nothing was detected. This is a business and managed product after all which REQUIRES a tech to confirm the detected results. If you had in fact set both settings to "Protect" and "Rollback" or at least Remediate, would this still have occurred (I have doubts). Otherwise this is a severe issue and S1 should see this video and take action with the highest priority. Please Look at Lawrence Systems's video from 2yrs ago showing that exact setting. ua-cam.com/video/SSDITOd56Os/v-deo.htmlsi=K-q-VFJIv3AgVyBz&t=725
Security has to be established in a layered approach. No one solution is a 100% effective. This is one example of how one solution is strong where another is weak... at installation and with a zero day ransomware payload being detonated on top of it so soon after installation. I would like to see how S1 and CS were configured and to know how long they were allowed to establish a baseline for their EDR function to be effective. Otherwise, I feel this may be a bit of a misrepresentation by comparing home/small office products versus corporate/enterprise products and how they behave out-of-the-box in a "perfect storm" scenario.
Good video, but it still leaves me wondering if Windows would have detected the sample if we'd used DefenderUI to enable the advanced ransomware protection feature.
LOL Who in their right mind would be installing software from Russia on their computers on purpose? I guess some people just want to skip the middleman and go right for the malware.
@@lightningrodofh8509 Kaspersky is still popular outside the US and many people use it, so a lot of people is interested to see how it goes in Leo’s test
This was a *BIG* reason as to why I recently chose Bitdefender for my Mac (Yes, Macs get malware too 😅) Ransomware is causing a lot of havoc around the world, and Bitdefender's technology easily detects it!
I think there is an element of bollocks here. S1 has decoy files and rollback: the decoy files would have been touched by the encryption and you could then roll back using the VSS snapshots. There is so much missing here, I say it’s bollocks.
You'll have to see in the next video that is coming out, but I can already give you a little spoiler and tell you that it was worse than bitdefender :)
@@Deus_Juvat Hi Desues_Juvat, I'm new to S1 (Control version) and I've installed it on 75 endpoints. I'm still learning the product but it sounds like you are very experienced with it. If so, can you list the proper settings required to make sure ransomware is detected and stopped immediately along with making sure the rollback process is enabled? Thanks in advance.
So i dont know much about this.. You say even the free version of Bitdefender can provide this much protection, but on their website it says protection against encryption by ransomware is not included in the free version. What's up and down?
FAQ:
What about Kaspersky & other products? There are only so many products I can fit into one video, so tried to get the most popular ones, I'll try to do a part 2 with Kaspersky, ESET and others.
Why is the file encryption slow, maybe it would be detected if it was fast? False. The encryption is fast, the version used in the test is slow cause of added delays b/w files, we tested all versions with these products and the ones that failed to detect also failed when run without the delay where the whole process happens in seconds.
How is this a malware simulation, isn't it like 7zip encrypting files? No. This is custom code that is unsigned and obfuscated that encrypts files like ransomware without asking the user. 7zip is a trusted application, with a cli and nothing like the file we are running.
If any vendors want help with improving their detections or get in touch with our community members who helped with the test, I'd be happy to facilitate. Our goal is to improve cybersecurity for everyone.
Hi, can you please include MS defender with One Drive in your next video. I'm curious to know if OneDrive's claim that it protects you from ransomware is valid. I've seen it asking for rollback if you change a lot of files. Does this behaviour of OneDrive enable MS defender to kick in and save the day??
It is time to completely ignore Kaspersky.
Don't forget Malwarebytes
I would like to see virus total and malwarebytes. Also, can you test the prevention rate in another video ( can it detect malware file before you run it / while downloading ), and can you add percentage scoring into the code ( % of corrupted files vs protected files )
Don't forget Norton
Great showing for Bitdefender! I like this as a realistic comparison, given a lot of malware attacks are able to get around signature detection, especially when the EDR is known to the attacker.
@EricParker so legends watch other legends. Nice to see you here. To anyone who does not know this guy check him out now. Excellent source of knowledge. Much respect.
@@pwhittak88 agreed, if you're on this channel you'll love Eric!!
Bitdefender didn't roll back the encrypted files, did they?
@@Krullfath They did not; They deleted the files and just called it a day :)
Hey eric
For everyone asking for Kaspersky and other AVs, he commented under another comment that he will be doing a part 2 with Kaspersky, ESET and other AVs.
I hope, i'm excited to see the result but i don't think ESET and Kaspersky will have trouble to detect the ransomware.
@@onlywolf9981 hope not, massive ESET enjoyer.
Thank god, I’m using Kaspersky rn
Yes kaspersky!
kaspersky is the best competitor to bitdefender it's more light weight and less resource intensive and less expensive for a non-american it's a great relief
7:00 'There goes the library of Alexandria'
yup, he sure said that didnt he?
That is really interesting information! Would absolutely love to see an episode directly comparing business products from SentinelOne, Crowdstrike, ESET, Bitdefender, and whichever other endpoint there is against a large malware collection. I think as far as a single new malware goes this video is basically that (minus ESET), because I doubt the detection engine in personal vs business products is any different, but they are set up quite differently so it would be interesting to see - and probably an extremely valuable resource for small businesses.
I'd also add in Kaspersky. I know some folks in the community don't like them, due to Russia, but they've proven to be very effective in the past.
@@madness1931 I used them in the past, but as someone in the US, that's no longer an option, which is why I didn't mention it.
@@fhgnius US citizens aren't allowed to use products that detect the backdoor efforts of the alphabet crew. Safe and secure ...
@@fhgnius the government should use their own trusted companies, this isn't just related to Kaspersky but as a general rule. Now Kaspersky is fine for everyone else.
So thankful I have a 10 user ultimate security license for Bitdefender for myself, wife, my daughters and their boyfriends. This video was certainly very comforting that I made the right decision. Thanks Leo.
Love seeing Bitdefender do well. Been my go to for a long time.
🙌🙌
Bitdefender did stop it; but the files that were encrypted were just deleted. So hopefully if you encounter ransomware in the future with Bitdefender, pray that the first few files it deletes aren't crucial.
@@rootdevelopment Yes, damage was minimized but not fully prevented by Bitdefender. Still better showing than others.
Combo with Onedrive should be workable, right?
@@HAYWIRE2466 I think so, so long as the encrypted file was backed up by OneDrive
You are definitely my favorite cybersecurity content creator by far. No cringe weird marketing tactics that only work on 12 year olds or anything. Straight to the point, no bs, I love it
agreed, this channel is a gem for me.
Excellent video @pcsecuritychannel. It seems likely that behavior analytics aren't enabled for the CS product, as files are being encrypted and deleted immediately, which should be flagged by behavior monitoring. However, the key takeaway is spot on: it's crucial to pentest your high-cost solutions and regularly audit your prevention policy settings. Very informative.
ClownStrike 🤡 just sucks
Now do Malwarebytes EDR and Roll Back protection.
Yes please.
Agreed!
malwarebytes more like "malware-bites" , kaspersky is definitely a better substitute to all of them
@@Chikowski101 I would never buy that Russian backdoor software friend.
@@Ponyo3816 it's okay brother
I have heard that some cybersecurity insurers are requiring the insured company to use an EDR as part of their security solution. Which makes this report even more interesting.
Some insurers will give you a discount on your premium if you enroll in certain MDR providers. I have not heard of them making it mandatory - not that you are wrong, I just hadn't heard of it. Are you able to name the carriers that make EDR a requirement?
Looks like Sophos is the only solution to not just detect, but block and reverse the attack fully with restoring all files!
Closely followed by Bitdefender that managed to stop the attack quickly but files got lost.
S1, Crowdstrike and Microsoft Defender seem to have missed this.
Insurance should definitely take that into account as this is where damage will occur.
imagine paying big bucks for crowdstrike and still your data is gone
crowdstrike is meant to prevent from outer attacks. It has a better chance to stop downloading the malicious soft. I might be wrong but it probably has nothing or little to do with files already located at your PC
@@ТоварищКамрадовСоциалистКоммун outer attacks? the file somehow still got on the pc to execute or was it just born on the test VM?
the file doesn't just appear on a PC, right? it's either created by the user, and hence it's his/her responsibility,
or downloaded from outside, normally the internet. Traffic analysis is the main task for many corporate security suites. It totally makes sense for many realistic scenarios, including outer attacks, like DDoS etc
Oops!
My system crashed.
But I had an antivirus.
imagine paying big bucks cybersecurity companies and your data is still sold by the big international companies 😂😂😂
crowdstrike is the best one, it won't make you run the file because it will make your pc bootloop
360 degree protection, no way to boot, completely safe
I'm a little surprised that Bitdefender didn't restore the files. I mean, in the ransomware remediation section there is an option you have to check to automatically restore files that were encrypted by ransomware, and a manual button to restore files that have been encrypted. Great video though Leo!
I may be wrong, but Leo used the free version, maybe that didn't apply the remediation?
@@youtuvi7452 yeah the free version needs you to click restore manually. in gravity zone there are options to do this automatically and I think the paid version of home as well. ( could be wrong with the consumer BD versions, don't deal with them much)
New Danooct1 video and a new and unknown ransomware video from TPCSC. Today is good.
Wow, Bitdefender did really good! Sophos also but I like how Bitdefender has the graphical display of the files.
Good video. Sophos will restore any files encrypted before the alert, I.e before the behaviour is recognised to be malicious.
Can you run this same attack but this time doing a remote execution? Meaning the ransomware is run remotely which is a popular approach in ransomware right now?
Glad to see Sophos still performs well in your tests, since I've been using it ever since you first showcased it on your channel, and back then it was the best in your tests because of the built-in HitmanPro
I love how the program thread is called "Womp 1.0" 7:56
Great video! Would really like to see M365 Defender for Endpoint if you are able to. Would be neat to see how Microsoft's EDR solution fares.
Hey, I am a Sophos security engineer. I do see that you are using the Home Premium version here, but I would like to share that the enterprise solution, which is Sophos Central Endpoint, has a more behavioral-based component, which is HMPA, along with the XDR data collection.
My suggestion would be to test the Sophos endpoint rather than the home version, as the endpoint product is more targeted towards enterprise solutions.
Otherwise, love watching your videos and you are making a serious contribution to the cybersecurity field. Keep up the good work. Cheers!
As he said at 7:15 the home and enterprise product "behaved exactly the same" so only showed one. It's actually a major plus point that the home product beats out the enterprise products and was shown instead of IX EDR, that's the takeaway for your free marketing.
He did mention, if he showed the free or home versions, that the enterprise variant performed exactly the same
Why don't Sophos provide the same protection to home users? Seems scummy.
@@presjar4016 Every AV provider does this. Why have a paid expensive version if the home or free version does exactly the same?
@@compmanio36 Why have a free version if it just gives a bad experience and is pretty useless?
It wont get people to pay for it.
Are you currently using Windows Defender Antivirus, or do you have the full Microsoft Defender for Endpoint (MDE) solution implemented? This will help us determine the level of security you're working with.
Windows Defender Antivirus and Microsoft Defender for Endpoint are distinct solutions. You can't compare a consumer antivirus like Windows Defender Antivirus with something like CrowdStrike, which is an EDR solution. A fair comparison would be between CrowdStrike and Microsoft Defender for Endpoint, as both are EDR solutions.
This isn’t Defender for Endpoint you can tell by the fact the security settings can be manipulated amongst other things. He claims Defender was configured with its full protection, but I guarantee its cloud protection level is on “default/normal” and cloud check timeout wasn’t at 60 seconds.
Yeah that's definitely not MDE.
I wish that he would have shown if the "Controlled Folder Access" was enabled as well under the Ransomware protection for Windows Defender.
I've been watching your channel for awhile now. It has helped me in my career for Cyber-Security. I got accepted into a university for my bachelors degree. I'll let you know how I do in 4 years!!
I'd like to see MalwareBytes with this test.
1:26 Why did Windows Defender SmartScreen not pop up when you clicked on the exe? It looks like 'Check apps and files' is Off in the 'App & browser control' tab, which you did not show at 0:50
Crazy how the 2 companies that brag about being ‘next-gen AVs’ lose to a ‘legacy AV’
Well, not the first time that marketing team must do something to get the product on the market. That's why we never should trust marketing claims.
That’s just one case, one malware. That does not cover the whole landscape.
Also, these products need to be configured correctly. He didn’t show his setting which is not professional behavior.
@@runge340 They lost, no excuses he mentioned that he turned everything on.
@@A42yearoldARAB no, he specifically mentioned that he had the malware detection on moderate. Those are enterprise solutions requiring enterprise configuration. This guy is kind of clueless when it comes to enterprise solutions.
@@runge340 that’s the impression I’ve got too. Have had SentinelOne configured correctly with Huntress on thousands of endpoints. Many ransomware attack attempts and not a single one got through. I’ve also managed CrowdStrike. Same thing. He even put EDR solutions and used the built in Defender instead of Defender 365. There’s a difference. Video is very misleading and leaves out details. Not a video that I would base my own XDR research on.
Good to see Bitdefender working as expected.
Leo, it would be really interesting if you could include two other components to a test like this: 1) A synch tool like OneDrive or Dropbox 2) An external drive that has a copy of a few of each typical file types. This would allow people to see what would happen if they have their backup drive connected or a file sync app running when such a threat hits.
In terms for cloud syncing (google drive, dropbox and onedrive) you can undelete the original files and then delete the encrypted ones. As for external drives in theory it should just act the same and encrypt those too.
Awesome video! Waiting for the part 2 with Kaspersky, Eset and others.
Any Chance to get this test with a remote ransomware attack?
would be fascinating to see, how the respective solutions act, when the ransomware is not running on the target system, but accessing the fileshare of a system running the endpoint protection.
That's super relevant to current threat landscape - we need to see this in a test!
"just to make this video more exciting" actually got me on the edge of my seat
I don't want to brag, but being a Romanian, I have to give to the rest of the world (those that still have no clue what Bitdefender is) this piece of information here:
Bitdefender is a Romanian cybersecurity technology company headquartered in Bucharest, Romania, with offices in the United States, Europe, Australia and the Middle East. The company was founded in 2001 by the current CEO and main shareholder, Florin Talpeș. Wikipedia
Everyone knows that, and greetings to you from Egypt
I would like to see more consistent tests with the same actions for every single run, if you check something on one edr, you should do the exact check (if possible) on the rest. I think it would be super helpful for you to go through all the settings of each one. While you said these were from all different tests when doing a lot of tests, but without that consistency the video is, just trust us.
any chance to include ESET , Kaspersky and Malwarebytes?
Yup, thinking of doing a part II with those.
Only sponsored ones allowed
As well as f secure
Trend Micro would be nice too
@@pcsecuritychannel see how Symantec endpoint protection holds up nowadays that its transferred to Broadcom
I would be interested in seeing if the detection changes if you use an info stealer. How much potentially confidential data can an attacker get before it's detected?
In an enterprise, you should have a snapshot/ backup of the important data and alerting if a large number of files change. Not just against ransomware but also against accidental deletion/ changes.
Is this Windows Defender (free and embedded) or Defender for Business (commercial product like CrowdStrike) with all EDR and attack surface reduction enabled?
Thank you for doing independent testing.
Don't ever use that BELL again. OUCH ! DING! DING! DING! DING! DING!
You say "pretty much everything turned on"... would like to start seeing your policy settings
I'm a CrowdStrike engineer (and a fan boy) and would love to review what settings you have opted for in your prevention policy. I don't expect a reply but I had to offer.
Edit - excellent video that is really valuable. Many of these enterprise solutions are not easily accessible for the general public to test without jumping through hoops.
Hello, we currently have crowdstrike falcon on all our endpoints and this video has me concerned. Can you provide some documentation to ensure that our CS agents running on our devices are correctly configured to protect against what is shown in this video? Greatly appreciate your help and time. I am looking at bit defender lustfully currently -_-.
@rikachiu unfortunately I can not and as you are aware documentation can be found when logged into the management console. Look up prevention policies and stay up-to-date with news as new features will be added and will need updating.
Remember you will never be contacted through comments. Do not take advice from comments, they pose a huge risk.
@@pwhittak88 ty, appreciate the feedback. When we purchased CrowdStrike, we were under the impression it would be completely managed for us, so it is definitely concerning how easily this ransomware encrypted everything without the CS sensor even doing anything about it
@@pwhittak88 isn't it obvious he doesn't have the product and only wants the documentation?
I just get Bluescreens 😂
A good security product should have enough default configuration from factory to provide protection from zero day attacks. Then sysadmin can further customise the product to liking. If these expensive products fail in behaviours attacks then we already lost the battle.
I really enjoy your humor @0:30, can't get enough of these videos!
Edit: CrowdStrike LMAO
you are my best instructor ever , greetings from egypt
Will Kaspersky also be sanctioned here now?
Planning a part 2 with Kaspersky, ESET and others.
@@pcsecuritychannel you should pin that before the dislikes run in
@@pcsecuritychannel include zonealarm as well, they use sophos and their own engine and xcitium
@@pcsecuritychannel I will love to see this. Kaspersky EDR or Kaspersky Antivirus?
Kaspersky will no longer be supported in the USA after September 30, 2024.
If you are expecting the separation of Admins and Users to be your primary safety net nowadays, then you are in for trouble. Having safeguards even on admin executed tasks can be annoying, but it can also be life saving. This video is a good example of why heuristic detection exists, thanks for posting this.
Would be intresting to do the same test with Microsoft Defender for Endpoint EDR.
no difference as the EDR tools comes with no additional ransomware protections
@@dk-ib8ok Not protection, but additional detections; MDE has some more capabilities than WDAV
I can't wait for part2, thank you.
Let’s go I just bought Bitdefender 2 days ago
I think everyone can agree that for enterprise EDR like CS and S1 you should show us the configuration.
I honestly expected Microsoft AV to catch it.
That's why I'm honestly skeptical of this video. I have had programs (crackmes) quarantined for just using XORs and simple obfuscation, txt documents blocked for having php shell scripts that have literally nothing to do with the OS, and others, from Windows Defender alone (non enterprise of course).
Something isn't adding up here hopefully he releases the mock malware code that was used so there can be some more context.
@@arsh6212 "Unknown Ransomware" Says it all...
@@cristiannunez372 Bad comprehension says it all... It's unknown ransomware because it's not in the wild and not in the antivirus database of KNOWN ransomware signatures. It's explained in the video... that arcsh6262 obviously did not actually watch. Arsh obviously doesn't understand this concept and is comparing detections that are known to MS with those that aren't. They're missing the entire point of the video.
Why? They're not known signatures. MS has poor behavioral detection and relies heavily on known signatures stored in its cloud database.
I know u will be doing a part 2, but I feel like kaspersky and eset should have been in this test vs some lesser know alternatives
i miss Kaspersky
Kaspersky is malware in the next level
@@arvydasurbonavicius5170 proof?
@@arvydasurbonavicius5170 If I was living in Russia maybe I would use Bitdefender. If I was living in the USA, I would definitely use Kaspersky. There is a reason Kaspersky is a target of US authorities; Kaspersky likely would not ignore NSA / FBI / MI6 malware and Kaspersky likely rejected any such request. All other AV software is likely designed to ignore such 3LA generated malware.
@@arvydasurbonavicius5170 Bias much? By that logic you have malware in your PC too. Even Windows is spyware.
@@arvydasurbonavicius5170 but that applies only to the few believing in it.
Interesting to see that good old Bitdefender still does a better job than over-hyped enterprise AI stuff ;-)
No Malwarebytes?
This video's for enterprise antiviruses only, aka the ones for critical company computers and servers. The next video will be regular antiviruses, I believe.
I just want to add, if the ransomware isn't super delayed to encrypt and a fresh sample is used, Bitdefender will just delete all your encrypted files
anything that is NOT based on zero trust may fail
How would a system differentiate between a user deliberately encrypting some sensitive data, and some malware encrypting it?
Normally it should be based on a program signature. No valid digital signature, no data access without clear administrator permission. That's the reason why I'm usually very skeptical about tests like this )
Maybe because the encryption is done systematically and in 1 go. Also usually the user needs to specify the files that he wants to encrypt
Exactly - this test could simply have run 7Zip with a command line, and zipped all the documents with a password and it would look exactly the same. No ransom notes? No extension changes?
7Zip, if I remember, has no digital signature recognized by Certificate Authorities. It could certainly be a bad encryption program )
I guess 7Zip is somehow put into a white list, to avoid false positive detections
@@bobcrusader Yeah, if I was performing an operation like that on a batch of files *with script console output*, I'd be annoyed if the AV kept getting involved
Thanks!
Malwarebytes, Kaspersky & Huntress next please
Huntress does not provide protection; it can isolate a computer, but it won't completely prevent encryption on this computer
@@abrahamdeutsch3175 Huntress fully relies on Defender to prevent. It would be helpless here.
Curious to know what Falcon policy was configured at the time of the test. There are ways to configure the Falcon sensor to detect only, and I think it would be helpful to show in a video like this exactly what posture is applied to the sensor. Same goes for SentinelOne and others.
Without this information being included, it can appear as if the video was gamed to produce a specific outcome.
you used some non enterprise versions, right?
like for bitdefender we use bitdefender gravityzone and i have no clue if that would protect me as well. we are about to buy crowdstrike, what exact version of crowdstrike did you test?
We use free versions for BD/Sophos simply cause it is easier to deploy. The enterprise versions block it as well.
I don't use any of the tested security programs, except the USB stick bootable Bitdefender utility, but I appreciate your efforts.
Hello, does anyone know where I can find this sample of that ransomware?
other people mention run it against Acronis or F-Secure or Malwarebytes. maybe what I think would fail is Norton or McAfee! OH nearly forgot it how about Avast too?
Acronis is just Bitdefender whitelabel lol
have no idea if that is so but will say even if Acronis has Bitdefender app coding inside it Acronis might act differently due to software is very different to Bitdefender? this is assuming Bitdefender is inside Acronis.
I would love to see a gaming benchmark between windows defender, bitdefender, Eset, Kaspersky etc. see which one has the least direct impact
Holy shit dude please turn down the bell 🔔 sound effect
would like to see the tests again with M365 Defender for Endpoint
Interesting results -- There is a lot of unknown details with the enterprise versions. For Crowdstrike, I see Leo said the Prevention settings were set to "moderate". Crowdstrike Prevention settings are "disabled", "cautious", "moderate", "aggressive" and "extra aggressive". I would NOT think "most" would use "moderate" settings (I know I don't). Having said that, I'm not sure "aggressive" would have behaved any differently in this test. Would have liked to see further testing. 6 figures? Ha! Enterprises are in 7 figures these days (Especially if leveraging MDR). False sense of security? Not I. That's why you carry insurance, do vulnerability testing, perform system hardening, do annual cyber assessments, do employee training, patch management, Disaster Recovery, not to mention all the other facets of Cyber that greatly increase costs in an effort to reduce risks. Even doing everything you can, it takes one sample, like Leo is demonstrating, to ruin a weekend or longer.
What CS would say is that the malware does not represent the attacks they see in the real world and thus wasn't blocked, which is a fair thing to say. With EDR products you can't add overrides/exclusions without the security team reviewing the event and giving it a thumbs up or not. Our team did a similar test to this video and CS missed it; S1 blocked it but also had more false positives on other legitimate software.
It's hard to imagine an actual ransomware would leave a window visible and output the files it's encrypting. Some AV products keep track of the files accessed by processes and lock anything that modifies/opens files on disk at a high frequency; whether it's ransomware or not doesn't matter, it will trigger the ransomware protection. Is it nice? Probably, in some cases, particularly on consumer-grade computers, but this kind of mitigation is prone to false positives and can be bypassed by higher-complexity attacks.
A ransomware goes beyond encrypting files, it should delete shadow copies/backups, it should be fast and target other services that are typically non existent on customer-grade computers, I understand a file acting like a ransomware is something people want to see blocked but when you look at the whole picture, it's a different paradigm of malware, malware that targets ent setups is specialized on those.
I still think EDRs/MDRs/XDRs have a ton of flaws but IMO this video doesn't do a good job at pointing them out. Regarding the configuration, IIRC medium is recommended for tier3 workloads where a compromise is like... whatever; aggro and very aggressive are the go-to, but I don't think it would have made any difference in this case.
I believe the reason why settings aren't shown is because both EDRs have a clause that forbids public benchmarks without consent so. this makes it harder to track the accounts being used; if S1/CS want to track the original account they will have to do some digging.
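A toy version of the file-activity heuristic the comment above describes (flagging a process that rewrites many files at a high rate), which also illustrates the earlier thread's question of how a product could tell a user's deliberate encryption or an archiver run from ransomware-like behaviour. This is an added example for illustration only; it is not code from the video, the test sample, or any of the products discussed, and the process IDs, paths, thresholds and sample data are all made up. The idea is the one a defender would prototype: per process, count distinct pre-existing files overwritten with high-entropy (ciphertext-looking) content inside a sliding time window, and alert once the count passes a threshold.

```python
"""Toy behavioural heuristic for ransomware-like file activity.
Added illustration; not from the video, the sample, or any product."""
import math
import random
from collections import defaultdict, deque

# --- constructed sample data (not a real capture) -------------------------
_rng = random.Random(1)
HIGH_ENTROPY = _rng.randbytes(4096)                      # stands in for ciphertext
LOW_ENTROPY = b"Quarterly report, section 1.\n" * 150    # ordinary document text


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext approaches 8.0, plain text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Flags a process that overwrites many distinct, pre-existing files with
    high-entropy content inside a short time window.

    An archiver run (one new high-entropy output, originals untouched) and a
    text editor (low-entropy writes to existing files) both stay under the bar.
    """

    def __init__(self, window_s=5.0, min_files=20, entropy_threshold=7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self._hits = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.alerted = set()

    def observe(self, ts, pid, op, path, data=b"", existing=False):
        """Feed one file event (op is 'write' or 'create'; existing=True means
        the path already held user data). Returns pid when it crosses the
        threshold for the first time, otherwise None."""
        if op != "write" or not existing:
            return None                   # new files are not a user's data being destroyed
        if shannon_entropy(data) < self.entropy_threshold:
            return None                   # ordinary content, not ciphertext-like
        q = self._hits[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                   # drop events outside the sliding window
        if len({p for _, p in q}) >= self.min_files and pid not in self.alerted:
            self.alerted.add(pid)
            return pid
        return None


def run_demo():
    """Replays four constructed processes; returns {pid: file_count_at_alert}."""
    h = RansomwareHeuristic()
    flagged = {}
    # 1) hypothetical pid 4242 rewrites 30 documents with ciphertext in ~3 s
    for i in range(30):
        if h.observe(0.1 * i, 4242, "write", f"C:/Users/alice/Documents/doc{i}.docx",
                     HIGH_ENTROPY, existing=True) and 4242 not in flagged:
            flagged[4242] = i + 1
    # 2) archiver: reads 30 files but creates ONE new high-entropy archive
    h.observe(10.0, 555, "create", "C:/Users/alice/backup.7z", HIGH_ENTROPY)
    # 3) editor: saves 30 existing files, but the content is ordinary text
    for i in range(30):
        h.observe(20.0 + 0.1 * i, 777, "write", f"C:/Users/alice/notes{i}.txt",
                  LOW_ENTROPY, existing=True)
    # 4) caveat: the same rewrites spaced wider than the window never accumulate,
    #    which is why a rate window alone is a weak signal and products layer
    #    other checks (absolute counts, decoy files, backups) on top of it
    for i in range(30):
        if h.observe(100.0 + 6.0 * i, 9999, "write", f"C:/Users/alice/slow{i}.xlsx",
                     HIGH_ENTROPY, existing=True):
            flagged[9999] = i + 1
    return flagged


if __name__ == "__main__":
    print(run_demo())   # only pid 4242 is flagged, on its 20th file
```

Only the fast in-place rewriter trips the rule; the archiver and the editor do not, which is the distinction the thread was asking about. The fourth process shows the limitation the video's FAQ also mentions: a window-based rate check is blind to activity spread out in time, so a real product needs more than this one signal.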
Leo is also demonstrating why properly configuring your XDR solution is important. There are at least a dozen settings in CS and without seeing their configuration the results are something to take with a big grain of salt.
@@Scio-to1ur I agree with what you are saying, as well as some times I wonder if Leo doesn't have an axe to grind (I don't have to wonder). Also, you are absolutely right about the settings, because there's quite a few options. Having said that I've got this little guy on my shoulder telling me even with the most optimal settings, the test would not have ended any differently. Clearly this test shows Crowdstrike has work to do with their product. If I were Crowdstrike, I would get that sample from Leo, and learn from it.
I did more research -- It could be aggressive would have blocked this.. why? the detections between moderate and aggressive are pretty much the same. The difference is aggressive automatically blocks more. We never saw the Crowdstrike dashboard and what it detected due to it being in moderate mode. It could very well be aggressive would have blocked it.
Even with SentinelOne, you could tag any of those behaviors as a Storyline and then issue the Rollback command. It would have reversed all the encryption. Thats why it is different. Even if it “misses” it can reverse it.
people who cannot afford paid software can use free backup utilities. It's a good protection against non-legit data encryption, as well as data loss, corruption, accidental removal etc
Still way late to the party and increases the cost and man-hours of remedy. Coulda-woulda-shoulda does not hold much favour.
@@logician44 Spoken like someone that's not familiar with S1. It really can roll back file changes once the malicious activity is tagged, and it pushes that policy to all affected endpoints in real-time. Just showing that it didn't catch it preemptively isn't enough to showcase all the platform can do, and that's a misrepresentation of the product as a whole.
@@logician44 reversing encryption and file damage is a key differentiator that other tools don’t have. Being able to turn back time in damaged files is a key difference. All the repair bits were there in the scenario; it just wasn’t used.
@@logician44 not having rollback enabled actually makes a gigantic difference…. Same goes with detect interactive threat. If the latter setting was enabled, that script would have been terminated.
Awesome video! Surprised to see most of the major EDR didn’t detect weird behaviour on the machine as real time detection is one of the key components of EDR.
One addition to running the EDR with real time, exploit detection etc. , do we need to implement much more tighter policies like quarantine any files that initiates certain child processes, renaming of a file to .exe? I’m certain Defender has attack surface reduction feature, not sure about other EDR
sorry but instead of Windows Defender I suggest using Defender for Endpoint which is the enterprise grade endpoint security from Microsoft since this is not Apples to Apples.
Yes, only Crowdstrike, and SentinelOne solutions were enterprise...funnily enough the ones that didn't catch it
can we have a show down of all the free AV against malware/ransomware/viruses???
I recall making a recommendation to you a while back in one of your previous videos to test enterprise EDR solutions, so it's nice to see you do this. However, the main issue with this experiment is that you didn't show how any of the prevention policies were configured. Crowdstrike Falcon, when properly configured with the prevention policies all enabled, specifically for ransomware, ML, and cloud based analysis, would have blocked this threat without issue. The long sleep is a dead giveaway for ML/Heuristics. Not trying to critique the video too harshly, just wanted to suggest that showing each product in its best possible configuration will give more accurate results.
The prevention policies were all enabled so that is just not true. I demonstrated that with a different ransomware sample. I don't show the policies on video for privacy reasons since many of these tests were configured by community members.
@@pcsecuritychannel then your test is invalid if you can't show us the settings. You need to be transparent. If not, then there's no point in doing these tests and you're chasing clout.
@@pcsecuritychannel Thanks for the prompt reply. I'm not sure I completely understand your response as it relates to privacy concerns as nothing in the CS tenant prevention policy gives away any sort of identifying or sensitive information however, with that said, would you be willing to share the sample of the example ransomware you ran on the CS box? I'll gladly run this in my own Crowdstrike tenant, record a video, and show you it mitigating this threat with the proper prevention policy configured.
@pcsecuritychannel either have better transparency and stop making excuses or don't make these videos. Share the hash of the file used. Or else this is chasing clout
@@enigma3474 Are you paid by Crowdstrike or something? Clearly the software sucks in you need to make a bunch of changes from the default settings to make work as good as Bitdefender out of the box.
0:56 Is Ransomware protection active on user folders?
I have it blocking all "C:\Users"
Since desktop is protected by default, and since you are running a ransomware infection, i would think this has to be ON
Eset would have been a very good addition to the test!
ESET gets tested too little.
i wonder what exactly the av identified to flag the file. maybe it just identified a common crypto library along with multiple file writes or something but that would still give a ton of false positives
This is why organizations should get a backup solution too, not just EDR or antivirus. These days backup solutions have a feature that alarms the administrator when they notice a massive amount of file changes during backup procedures, and this can be very useful for organizations to detect a ransomware situation much earlier, and also you could restore from backed-up data.
SentinelOne comes with VSS snapshot capability for ransomware rollback
"detect a ransomware situation much earlier, and also you could restore from backed-up data"
you wouldn't know the data is encrypted until the next backup job, which normally runs once every 24 hours. backups are not a useful tool to detect ransomware. security in layers has been the approach for any competent IT , utilizing EDR + immutable backups + zero-trust to thwart phishing, malware, ransomware, and loads more.
Rubrik has that capability.
@@IPendragonI works well for common malware but it sucks against ransomware. Only Kaspersky has true rollback action.
@@Light-uw5es What are you talking about. Rollback is literally meant for ransomware. I wouldn't trust Kaspersky if it was the only AV on the market.
I'd hate to say it but I am skeptical of this video, the reason being is that I've tested blackmatter on Windows Defender and SentinelOne and both protected against it. Blackmatter, blacksuit, darkmatter were all detected by S1 and Defender, it didn't matter if it was a .py .bat or .exe. You probably have an excluded file or folder for these EXEs to stay on disk and not raise any alerts.
He is not using signature based detection because the goal is to simulate a zero day malware encrypting your files on an EDR antivirus product.
I'm sure that detection rate would be very good on all the products if it was testing for known malware.
@borisdreyer4729 That's right. Known samples vs. something new was the test here.
Kaspersky?
Thanks for testing all of these programs
Looks like we won't be seeing Kaspersky here from now on...
He is making a part 2 with ESET and Kaspersky and something else.
Love the channel and thanks for all of your extensive tests man!
A few others have stated that you should show the EDRs' settings, and I agree. I mean, even the bad guys can obtain a free trial if they really want to, so I don't see a reason why you can't show it. No need to show ALL the policy settings or anything, but the main detection setting is critical for managed EDR products like S1, CS, Webroot, Malwarebytes, etc. (Maybe do another more in-depth video on your "TPSC Business" channel and link it here?)
For SentinelOne, it did look as if you set it to "Detect" only, can you please confirm?
I would have liked for you to have shown the endpoint in the dashboard under "Incidents" at the end, showing that in fact nothing was detected. This is a business and managed product after all, which REQUIRES a tech to confirm the detected results.
If you had in fact set both settings to "Protect" and "Rollback", or at least Remediate, would this still have occurred (I have doubts)? Otherwise this is a severe issue and S1 should see this video and take action with the highest priority.
Please look at Lawrence Systems' video from 2 years ago showing that exact setting.
ua-cam.com/video/SSDITOd56Os/v-deo.htmlsi=K-q-VFJIv3AgVyBz&t=725
What about Huntress?
It relies on Defender and therefore would be equally helpless, as seen here in the example.
Security has to be established in a layered approach. No one solution is 100% effective. This is one example of how one solution is strong where another is weak... at installation, and with a zero-day ransomware payload being detonated on top of it so soon after installation. I would like to see how S1 and CS were configured and to know how long they were allowed to establish a baseline for their EDR function to be effective. Otherwise, I feel this may be a bit of a misrepresentation by comparing home/small office products versus corporate/enterprise products and how they behave out of the box in a "perfect storm" scenario.
I'm eager to see how Kaspersky will perform against this ransomware
Kaspersky is the next generation of ransomware.
@arvydasurbonavicius5170 Nice joke.
@od1sseas663 Next-generation ransomware: when you don't even suspect that your data is stolen and encrypted somewhere.
@arvydasurbonavicius5170 No proof provided by the US and Germany, so keep talking...
@Light-uw5es And you don't know who they are? Insufficient argument, KGB mafia? 🙂
Interesting... was surprised to see Bitdefender instead of ESET, so looking forward to part 2 😀👍
Question: how does Kaspersky do against this same test? I have Kaspersky on my computer and on my family's.
A few months ago Kaspersky was doing a great job of blocking this behavior vs. even Bitdefender, so I would estimate it would fare well.
@Vuranix I'm not in the USA, and I don't think Leo is in the USA either; from what I remember from one of his videos, he is from Europe.
@Vuranix Their website says:
Suite 5, 5 Greenwich View Place, London, UK | Contact for Business
© 2021 - The PC Security Channel LTD
PC Security Channel said: Planning a part 2 with Kaspersky, ESET, and others.
Your family is in grave danger, get rid of that spyware if you care about security.
Are the ASR rules for MDE configured? Specifically "Use advanced protection against ransomware".
Also, is "block at first sight" enabled?
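The two questions above (whether the "Use advanced protection against ransomware" ASR rule and "block at first sight" were on), and the later questions in this thread about Defender's protected folder feature, can be answered from the endpoint itself. The following is an added PowerShell example, not code from the video or from any commenter; it assumes an elevated session on a Windows 10/11 machine where Microsoft Defender is the active antivirus, and that the GUID `c1db55ab-c21a-4637-bb3f-a12568109d35` is the documented ID of that ASR rule. Function names are mine.

```powershell
# Added example: audit (and optionally enable) the Defender settings discussed in the thread.
# Assumption: this GUID is the ASR rule "Use advanced protection against ransomware".
$RansomwareRuleId = 'c1db55ab-c21a-4637-bb3f-a12568109d35'

function Get-DefenderRansomwarePosture {
    $p = Get-MpPreference
    # ASR Ids and Actions are parallel arrays: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    # GUID casing is not guaranteed, so compare case-insensitively instead of using IndexOf.
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    $state = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RansomwareRuleId) {
            $state = switch ($acts[$i]) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {'Unknown'} }
        }
    }
    [pscustomobject]@{
        AdvancedRansomwareProtection = $state
        ControlledFolderAccess       = $p.EnableControlledFolderAccess        # 0 Disabled, 1 Enabled, 2 Audit
        ProtectedFolders             = $p.ControlledFolderAccessProtectedFolders
        BlockAtFirstSight            = -not $p.DisableBlockAtFirstSeen
        MAPSReporting                = $p.MAPSReporting                      # 2 (Advanced) needed for BAFS
        SubmitSamplesConsent         = $p.SubmitSamplesConsent               # sample submission needed for BAFS
    }
}

function Enable-DefenderRansomwarePosture {
    # Add-MpPreference appends to the ASR list rather than replacing other configured rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    # Controlled folder access is an allow-list on the protected paths, not a behavior blocker;
    # protecting the whole profile tree (as one commenter does) covers more than the defaults.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Users'
    # Block at first sight only works with cloud protection and sample submission turned on.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples `
                     -DisableBlockAtFirstSeen $false
}

function Get-DefenderRansomwareEvents {
    # What Defender actually did during a test: 1121/1122 = ASR blocked/audited,
    # 1123/1124 = controlled folder access blocked/audited. Empty output means nothing fired.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122, 1123, 1124
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: run the audit before the sample, the event query after it.
Get-DefenderRansomwarePosture
```

Run `Get-DefenderRansomwarePosture` before detonating a sample and `Get-DefenderRansomwareEvents` afterwards; the pair documents both the configuration and whether any rule fired, which is the evidence several commenters are asking the video to show. Note that audit mode (action 2) logs without blocking, so a rule showing "Audit" should be read as off for the purposes of this test.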
Prevention is key which is why ThreatLocker is needed over detection software.
ThreatLocker can only be installed on Windows, so how exactly does it cover the need for IDS?
@dlt9621 The ThreatLocker Kool-Aid going CRAZY.
Layered security is key. And detection software IS preventative.
Good video, but it still leaves me wondering if Windows would have detected the sample if we'd used DefenderUI to enable the advanced ransomware protection feature.
No.
@pcsecuritychannel Thanks!
Kaspersky will out-smoke all of them, Kaspersky is the Snoop Dogg of AVs.
True.
Can’t wait to see that
LOL Who in their right mind would be installing software from Russia on their computers on purpose?
I guess some people just want to skip the middleman and go right for the malware.
@lightningrodofh8509 Kaspersky is still popular outside the US and many people use it, so a lot of people are interested to see how it goes in Leo's test.
@lightningrodofh8509 Provide proof of it being malware; the US COULDN'T, and I doubt that you will.
This was a *BIG* reason as to why I recently chose Bitdefender for my Mac (Yes, Macs get malware too 😅) Ransomware is causing a lot of havoc around the world, and Bitdefender's technology easily detects it!
I think there is an element of bollocks here. S1 has decoy files and rollback: the decoy files would have been touched by the encryption and you could then roll back using the VSS snapshots. There is so much missing here, I say it's bollocks.
ok
What if the decoy files weren't triggered? Seems like an easy evasion.
Why didn't you enable the protected folder feature in the case of Windows Defender?
Because it's not an actual behavior blocker; it just strictly denies access to anything trying to modify the files in the protected folder.
@od1sseas663 What do you think the AV behavior will be if, for example, you decide to enable BitLocker?
Sadly no Kaspersky test. My bet: it would have been the same as or better than Bitdefender.
You'll have to see in the next video that is coming out, but I can already give you a little spoiler and tell you that it was worse than bitdefender :)
@rootdevelopment Bitdefender minimized damage, but file corruption occurred nonetheless.
@dk-ib8ok ?
retarded?
Super great video, please keep up the good work.
Why no Kaspersky?
Because it's Kremlin spyware.
This AV is banned.
Could you also test Check Point Harmony? I'm eager to see how this antivirus software stacks up against others.
goddamnit SentinelOne
He never showed the policies settings. I call bullshit.
@Deus_Juvat Hi Deus_Juvat, I'm new to S1 (Control version) and I've installed it on 75 endpoints. I'm still learning the product, but it sounds like you are very experienced with it. If so, can you list the proper settings required to make sure ransomware is detected and stopped immediately, along with making sure the rollback process is enabled? Thanks in advance.
So I don't know much about this... You say even the free version of Bitdefender can provide this much protection, but on their website it says protection against encryption by ransomware is not included in the free version. What's up and down?