Best Antivirus/EDR vs Unknown Ransomware

  • Published: 24 Nov 2024

Comments • 1K

  • @pcsecuritychannel
    @pcsecuritychannel  3 months ago +334

    FAQ:
    What about Kaspersky & other products? There are only so many products I can fit into one video, so tried to get the most popular ones, I'll try to do a part 2 with Kaspersky, ESET and others.
    Why is the file encryption slow, maybe it would be detected if it was fast? False. The encryption is fast, the version used in the test is slow cause of added delays b/w files, we tested all versions with these products and the ones that failed to detect also failed when run without the delay where the whole process happens in seconds.
    How is this a malware simulation, isn't it like 7zip encrypting files? No. This is custom code that is unsigned and obfuscated that encrypts files like ransomware without asking the user. 7zip is a trusted application, with a cli and nothing like the file we are running.
    If any vendors want help with improving their detections or get in touch with our community members who helped with the test, I'd be happy to facilitate. Our goal is to improve cybersecurity for everyone.

    • @vjay4297
      @vjay4297 3 months ago +12

      Hi, can you please include MS defender with One Drive in your next video. I'm curious to know if OneDrive's claim that it protects you from ransomware is valid. I've seen it asking for rollback if you change a lot of files. Does this behaviour of OneDrive enable MS defender to kick in and save the day??

    • @jairo8746
      @jairo8746 3 months ago +23

      It is time to completely ignore Kaspersky.

    • @MrComplainer
      @MrComplainer 3 months ago +11

      Don't forget Malwarebytes

    • @kingofstrike1234
      @kingofstrike1234 3 months ago +2

      I would like to see virus total and malwarebytes. Also, can you test the prevention rate in another video ( can it detect malware file before you run it / while downloading ), and can you add percentage scoring into the code ( % of corrupted files vs protected files )

    • @nathanyong8060
      @nathanyong8060 3 months ago +6

      Don't forget Norton

  • @EricParker
    @EricParker 3 months ago +555

    Great showing for Bitdefender! I like this as a realistic comparison, given a lot of malware attacks are able to get around signature detection, especially when the EDR is known to the attacker.

    • @pwhittak88
      @pwhittak88 3 months ago +39

      @EricParker so legends watch other legends. Nice to see you here. To anyone who does not know this guy check him out now. Excellent source of knowledge. Much respect.

    • @realsleepi
      @realsleepi 3 months ago

      @@pwhittak88 agreed, if you're on this channel you'll love Eric!!

    • @Krullfath
      @Krullfath 3 months ago +5

      Bitdefender didn't roll back the encrypted files, did they?

    • @rootdevelopment
      @rootdevelopment 3 months ago +13

      @@Krullfath They did not; They deleted the files and just called it a day :)

    • @East13566
      @East13566 3 months ago +1

      Hey eric

  • @HCG
    @HCG 3 months ago +352

    For everyone asking for Kaspersky and other AVs, he commented under another comment that he will be doing a part 2 with Kaspersky, ESET and other AVs.

    • @onlywolf9981
      @onlywolf9981 3 months ago +22

      I hope, I'm excited to see the result, but I don't think ESET and Kaspersky will have trouble detecting the ransomware.

    • @2235-n7x
      @2235-n7x 3 months ago

      @@onlywolf9981 hope not massive eset enjoyer.

    • @horizont6172
      @horizont6172 3 months ago +6

      Thank god, I’m using Kaspersky rn

    • @TiagrajI
      @TiagrajI 3 months ago +5

      Yes kaspersky!

    • @Chikowski101
      @Chikowski101 3 months ago +16

      kaspersky is the best competitor to bitdefender, it's more lightweight, less resource intensive and less expensive; for a non-american it's a great relief

  • @stage6fan475
    @stage6fan475 3 months ago +85

    7:00 'There goes the library of Alexandria'

  • @tonyrivera7048
    @tonyrivera7048 3 months ago +32

    You are definitely my favorite cybersecurity content creator by far. No cringe weird marketing tactics that only work on 12 year olds or anything. Straight to the point, no bs, I love it

    • @Chucho992
      @Chucho992 3 months ago +2

      agreed, this channel is a gem for me.

  • @fhgnius
    @fhgnius 3 months ago +47

    That is really interesting information! Would absolutely love to see an episode directly comparing business products from SentinelOne, Crowdstrike, ESET, Bitdefender, and whichever other endpoint there is against a large malware collection. I think as far as a single new malware this video is basically that (minus ESET), because I doubt the detection engine in personal vs business products is any different, but they are set up quite differently so would be interesting to see, and probably an extremely valuable resource for small businesses.

    • @madness1931
      @madness1931 3 months ago +6

      I'd also add in Kaspersky. I know some folks in the community don't like them, due to Russia, but they've proven to be very effective in the past.

    • @fhgnius
      @fhgnius 3 months ago +3

      @@madness1931 I used them in the past, but as someone in the US, that's no longer an option, which is why I didn't mention it.

    • @logician44
      @logician44 3 months ago +2

      @@fhgnius US citizens aren't allowed to use products that detect the backdoor efforts of the alphabet crew. Safe and secure ...

    • @Light-uw5es
      @Light-uw5es 3 months ago

      the government should use their own trusted companies, this isn't just related to Kaspersky but is a general rule. Now Kaspersky is fine for everyone else. @@fhgnius

  • @jamesparker7939
    @jamesparker7939 3 months ago +56

    Love seeing Bitdefender do well. Been my go to for a long time.

    • @cokezero1
      @cokezero1 3 months ago +1

      🙌🙌

    • @rootdevelopment
      @rootdevelopment 3 months ago +9

      Bitdefender did stop it; but the files that were encrypted were just deleted. So hopefully if you encounter ransomware in the future with Bitdefender, pray that the first few files it deletes aren't crucial.

    • @dk-ib8ok
      @dk-ib8ok 3 months ago +7

      @@rootdevelopment Yes, damage was minimized but not fully prevented by Bitdefender. Still better showing than others.

    • @HAYWIRE2466
      @HAYWIRE2466 3 months ago

      Combo with Onedrive should be workable, right?

    • @ShantanuBaviskar
      @ShantanuBaviskar 1 month ago

      @@HAYWIRE2466 I think so, so long as the encrypted file was backed up by OneDrive

  • @HTW_1
    @HTW_1 2 months ago +4

    So thankful I have a 10 user ultimate security license for Bitdefender for myself, wife, my daughters and their boyfriends. This video was certainly very comforting that I made the right decision. Thanks Leo.

  • @Sunny-n7b
    @Sunny-n7b 3 months ago +11

    Excellent video @pcsecuritychannel. It seems likely that behavior analytics aren't enabled for the CS product, as files are being encrypted and deleted immediately, which should be flagged by behavior monitoring. However, the key takeaway is spot on: it's crucial to pentest your high-cost solutions and regularly audit your prevention policy settings. Very informative.

    • @Light-uw5es
      @Light-uw5es 3 months ago +1

      ClownStrike 🤡 just sucks

  • @BOOSTEDDUDE
    @BOOSTEDDUDE 3 months ago +7

    Wow, Bitdefender did really good! Sophos also but I like how Bitdefender has the graphical display of the files.

  • @xpower7125
    @xpower7125 3 months ago +35

    crowdstrike is the best one, it won't make you run the file because it will make your pc bootloop

    • @_vindicator_
      @_vindicator_ 2 months ago +5

      360 degree protection, no way to boot, completely safe

  • @TheawesomeMCB
    @TheawesomeMCB 3 months ago +15

    I’m a little surprised that bitdefender didn’t restore the files, I mean in the ransomware remediation section there is an option to have checked to automatically restore files that were encrypted by ransomware, and a manual button to restore files that have been encrypted. Great video though Leo!

    • @youtuvi7452
      @youtuvi7452 2 months ago

      I may be wrong, but Leo used the free version, maybe that didn't apply the remediation?

    • @WantedForTwerking
      @WantedForTwerking 1 month ago

      @@youtuvi7452 yeah the free version needs you to click restore manually. in gravity zone there are options to do this automatically and I think the paid version of home as well. ( could be wrong with the consumer BD versions, don't deal with them much)

  • @Ponyo3816
    @Ponyo3816 3 months ago +133

    Now do Malwarebytes EDR and Roll Back protection.

    • @kecourt
      @kecourt 3 months ago +6

      Yes please.

    • @cliffordjamesbloomfield4161
      @cliffordjamesbloomfield4161 3 months ago +2

      Agreed!

    • @Chikowski101
      @Chikowski101 3 months ago +5

      malwarebytes more like "malware-bites" , kaspersky is definitely a better substitute to all of them

    • @Ponyo3816
      @Ponyo3816 3 months ago +16

      @@Chikowski101 I would never buy that Russian backdoor software friend.

    • @Chikowski101
      @Chikowski101 3 months ago +4

      @@Ponyo3816 it's okay brother

  • @daemonspudguy
    @daemonspudguy 3 months ago +15

    New Danooct1 video and a new and unknown ransomware video from TPCSC. Today is good.

  • @dennisdefotis3553
    @dennisdefotis3553 3 months ago +35

    I have heard that some cybersecurity insurers are requiring the insured company to use an EDR as part of their security solution. Which makes this report even more interesting.

    • @friendoflaphoroaig
      @friendoflaphoroaig 3 months ago +2

      Some insurers will give you a discount on your premium if you enroll in certain MDR providers. I have not heard of them making it mandatory; not that you are wrong, I just hadn't heard of it. Are you able to name the carriers that make EDR a requirement?

    • @dk-ib8ok
      @dk-ib8ok 3 months ago

      Looks like Sophos is the only solution to not just detect, but block and reverse the attack fully with restoring all files!
      Closely followed by Bitdefender that managed to stop the attack quickly but files got lost.
      S1, Crowdstrike and Microsoft Defender seem to have missed this.
      Insurance should definitely take that into account as this is where damage will occur.

  • @ek2719
    @ek2719 3 months ago +5

    Good video. Sophos will restore any files encrypted before the alert, i.e. before the behaviour is recognised to be malicious.

  • @patrikondo7684
    @patrikondo7684 3 months ago +19

    I love how the program thread is called "Womp 1.0" 7:56

  • @BLIZZnBLASTER
    @BLIZZnBLASTER 3 months ago +7

    glad to see sophos still performs well in your tests, since I've been using it ever since you first showcased it on your channel, and back then it was the best in your tests because of the built-in HitmanPro

  • @velo1337
    @velo1337 3 months ago +307

    imagine paying big bucks for crowdstrike and still your data is gone

    • @ТоварищКамрадовСоциалистКоммун
      @ТоварищКамрадовСоциалистКоммун 3 months ago +14

      crowdstrike is meant to prevent from outer attacks. It has a better chance to stop downloading the malicious soft. I might be wrong but it probably has nothing or little to do with files already located at your PC

    • @vaidkun
      @vaidkun 3 months ago +51

      @@ТоварищКамрадовСоциалистКоммун outer attacks? the file somehow still got on the pc to execute or was it just born on the test VM?

    • @ТоварищКамрадовСоциалистКоммун
      @ТоварищКамрадовСоциалистКоммун 3 months ago +14

      the file doesn't just appear on a PC, right? it's either created by the user, and hence it's his/her responsibility,
      or downloaded from outside, normally the internet. Traffic analysis is the main task for many corporate security suites. It totally makes sense for many realistic scenarios, including outer attacks, like DDOS etc

    • @Mario583a
      @Mario583a 3 months ago +1

      Oops!
      𝕄𝕪 𝕤𝕪𝕤𝕥𝕖𝕞 𝕔𝕣𝕒𝕤𝕙𝕖𝕕.
      𝔹𝕦𝕥 𝕀 𝕙𝕒𝕕 𝕒𝕟 𝕒𝕟𝕥𝕚𝕧𝕚𝕣𝕦𝕤.

    • @satorugojo9833
      @satorugojo9833 3 months ago +7

      imagine paying big bucks cybersecurity companies and your data is still sold by the big international companies 😂😂😂

  • @GodofLibra
    @GodofLibra 3 months ago +45

    Hey, I am a Sophos Security engineer. I do see that you are using the home premium version here, but I would like to share that the enterprise solution, which is Sophos Central Endpoint, has more behavioral-based components, which is HMPA along with the XDR data collection.
    My suggestion would be to test the Sophos endpoint rather than the home version, as the endpoint product is more targeted towards enterprise solutions.
    Otherwise love watching your videos and you are making a serious contribution to the cybersecurity field. Keep up the good work. Cheers!

    • @eabelcourt
      @eabelcourt 3 months ago +36

      As he said at 7:15 the home and enterprise product "behaved exactly the same" so only showed one. It's actually a major plus point that the home product beats out the enterprise products and was shown instead of IX EDR, that's the takeaway for your free marketing.

    • @mathiasdeweerdt1400
      @mathiasdeweerdt1400 3 months ago +7

      He did mention, if he showed the free or home versions, that the enterprise variant performed exactly the same.

    • @presjar4016
      @presjar4016 3 months ago +25

      Why don't Sophos provide the same protection to home users? Seems scummy.

    • @compmanio36
      @compmanio36 3 months ago +8

      @@presjar4016 Every AV provider does this. Why have a paid expensive version if the home or free version does exactly the same?

    • @xszl
      @xszl 3 months ago

      @@compmanio36 Why have a free version if it just gives a bad experience and is pretty useless?
      It won't get people to pay for it.

  • @SysTek2000
    @SysTek2000 2 months ago +6

    Great video! Would really like to see M365 Defender for Endpoint if you are able to. Would be neat to see how Microsoft's EDR solution fares.

  • @Official_M000N
    @Official_M000N 3 months ago +1

    I've been watching your channel for a while now. It has helped me in my career in cybersecurity. I got accepted into a university for my bachelor's degree. I'll let you know how I do in 4 years!!

  • @DudditsJoeFinemusic
    @DudditsJoeFinemusic 3 months ago +12

    I don't want to brag, but being a Romanian, I have to give to the rest of the world (those that still have no clue what Bitdefender is) this piece of information here:
    Bitdefender is a Romanian cybersecurity technology company headquartered in Bucharest, Romania, with offices in the United States, Europe, Australia and the Middle East. The company was founded in 2001 by the current CEO and main shareholder, Florin Talpeș. Wikipedia

    • @ahmed92
      @ahmed92 3 months ago

      Everyone knows that, and greetings to you from Egypt

  • @BeesCantSwim
    @BeesCantSwim 3 months ago +18

    I'd like to see MalwareBytes with this test.

  • @dk-ib8ok
    @dk-ib8ok 3 months ago +12

    Looks like Sophos is the only solution to not just detect, but block and reverse the attack fully with restoring all files!
    Closely followed by Bitdefender that managed to stop the attack quickly but files got lost.
    S1, Crowdstrike and Microsoft Defender seem to have missed this.
    Can you run this same attack but this time doing a remote execution? Meaning the ransomware is run remotely which is a popular approach in ransomware right now?

  • @anonymous6666
    @anonymous6666 1 month ago +1

    "just to make this video more exciting" actually got me on the edge of my seat

  • @Turco949
    @Turco949 3 months ago +4

    Leo, it would be really interesting if you could include two other components in a test like this: 1) A sync tool like OneDrive or Dropbox 2) An external drive that has a copy of a few of each typical file type. This would allow people to see what would happen if they have their backup drive connected or a file sync app running when such a threat hits.

    • @SmilerRyanYT
      @SmilerRyanYT 3 months ago

      In terms of cloud syncing (Google Drive, Dropbox and OneDrive) you can undelete the original files and then delete the encrypted ones. As for external drives, in theory it should just act the same and encrypt those too.

  • @HAYWIRE2466
    @HAYWIRE2466 3 months ago +2

    Good to see Bitdefender working as expected.

  • @andrewortiz8044
    @andrewortiz8044 3 months ago +66

    Crazy how the 2 companies that brag about being ‘next-gen AVs’ lose to a ‘legacy AV’

    • @DamirUlovec
      @DamirUlovec 3 months ago +3

      Well, not the first time that a marketing team must do something to get the product on the market. That's why we should never trust marketing claims.

    • @runge340
      @runge340 3 months ago +16

      That’s just one case, one malware. That does not cover the whole landscape.
      Also, these products need to be configured correctly. He didn't show his settings, which is not professional behavior.

    • @A42yearoldARAB
      @A42yearoldARAB 3 months ago +5

      @@runge340 They lost, no excuses; he mentioned that he turned everything on.

    • @runge340
      @runge340 3 months ago +19

      @@A42yearoldARAB no, he specifically mentioned that he had the malware detection on moderate. Those are enterprise solutions requiring enterprise configuration. This guy is kind of clueless when it comes to enterprise solutions.

    • @Trustmebro091
      @Trustmebro091 3 months ago +1

      @@runge340 that’s the impression I’ve got too. Have had SentinelOne configured correctly with Huntress on thousands of endpoints. Many ransomware attack attempts and not a single one got through. I’ve also managed CrowdStrike. Same thing. He even put in EDR solutions and used the built-in Defender instead of Defender 365. There’s a difference. Video is very misleading and leaves out details. Not a video that I would base my own XDR research on.

  • @n3sc4ubr94
    @n3sc4ubr94 3 months ago +2

    Awesome video! Waiting for the part 2 with Kaspersky, Eset and others.

  • @InaMopar
    @InaMopar 3 months ago +3

    Let’s go I just bought Bitdefender 2 days ago

  • @Pyrelil
    @Pyrelil 3 months ago +2

    I would like to see more consistent tests with the same actions for every single run; if you check something on one EDR, you should do the exact same check (if possible) on the rest. I think it would be super helpful for you to go through all the settings of each one. You said these were from a lot of different tests, but without that consistency the video is just "trust us".

  • @shaffiq
    @shaffiq 3 months ago +20

    Are you currently using Windows Defender Antivirus, or do you have the full Microsoft Defender for Endpoint (MDE) solution implemented? This will help us determine the level of security you're working with.
    Windows Defender Antivirus and Microsoft Defender for Endpoint are distinct solutions. You can't compare a consumer antivirus like Windows Defender Antivirus with something like CrowdStrike, which is an EDR solution. A fair comparison would be between CrowdStrike and Microsoft Defender for Endpoint, as both are EDR solutions.

    • @Scio-to1ur
      @Scio-to1ur 3 months ago +7

      This isn’t Defender for Endpoint; you can tell by the fact the security settings can be manipulated, amongst other things. He claims Defender was configured with its full protection, but I guarantee its cloud protection level is on “default/normal” and the cloud check timeout wasn’t at 60 seconds.

    • @IPendragonI
      @IPendragonI 3 months ago +1

      Yeah that's definitely not MDE.

    • @stevevujnovich2990
      @stevevujnovich2990 3 months ago

      I wish that he would have shown whether "Controlled Folder Access" was enabled as well under the Ransomware protection for Windows Defender.

  • @the_2663
    @the_2663 3 months ago +1

    Thank you for doing independent testing.

  • @pwhittak88
    @pwhittak88 3 months ago +54

    I'm a CrowdStrike engineer (and a fanboy) and would love to review what settings you have opted for in your prevention policy. I don't expect a reply but I had to offer.
    Edit: excellent video that is really valuable. Many of these enterprise solutions are not easily accessible for the general public to test without jumping through hoops.

    • @rikachiu
      @rikachiu 3 months ago +8

      Hello, we currently have CrowdStrike Falcon on all our endpoints and this video has me concerned. Can you provide some documentation to ensure that our CS agents running on our devices are correctly configured to protect against what is shown in this video? Greatly appreciate your help and time. I am looking at Bitdefender lustfully currently -_-.

    • @pwhittak88
      @pwhittak88 3 months ago +17

      @rikachiu unfortunately I cannot, and as you are aware, documentation can be found when logged into the management console. Look up prevention policies and stay up to date with news, as new features will be added and will need updating.
      Remember you will never be contacted through comments. Do not take advice from comments, they pose a huge risk.

    • @rikachiu
      @rikachiu 3 months ago

      @@pwhittak88 ty, appreciate the feedback. When we purchased CrowdStrike, we were under the impression it would be completely managed for us, so it is definitely concerning how easily this ransomware encrypted everything without the CS sensor even doing anything about it

    • @counterdefense
      @counterdefense 3 months ago +2

      @@pwhittak88 isn't it obvious he doesn't have the product and only wants the documentation?

    • @aussiegruber86
      @aussiegruber86 3 months ago +9

      I just get Bluescreens 😂

  • @JosephHardy-hx5od
    @JosephHardy-hx5od 2 months ago

    If you are expecting the separation of Admins and Users to be your primary safety net nowadays, then you are in for trouble. Having safeguards even on admin executed tasks can be annoying, but it can also be life saving. This video is a good example of why heuristic detection exists, thanks for posting this.

  • @dlt9621
    @dlt9621 3 months ago +6

    Prevention is key which is why ThreatLocker is needed over detection software.

    • @imKanda
      @imKanda 3 months ago +1

      Threatlocker can only be installed on Windows so how exactly does it cover the need for IDS?

    • @imKanda
      @imKanda 3 months ago +1

      @@dlt9621 the threatlocker koolaid going CRAZY

  • @ForzaE2
    @ForzaE2 3 months ago +1

    I can't wait for part 2, thank you.

  • @darthbubba866
    @darthbubba866 3 months ago +6

    I don't use any of the tested security programs, except the USB stick bootable Bitdefender utility, but I appreciate your efforts.

  • @JohnDontFollowMe
    @JohnDontFollowMe 3 months ago +1

    I love these tests.

  • @JaneWayne-u1m
    @JaneWayne-u1m 3 months ago +7

    Any chance to get this test with a remote ransomware attack?
    It would be fascinating to see how the respective solutions act when the ransomware is not running on the target system, but accessing the file share of a system running the endpoint protection.

    • @dk-ib8ok
      @dk-ib8ok 3 months ago +3

      That's super relevant to the current threat landscape; we need to see this in a test!

  • @303topgun
    @303topgun 3 months ago +2

    A good security product should have enough default configuration from the factory to provide protection from zero-day attacks. Then the sysadmin can further customise the product to their liking. If these expensive products fail against behavioural attacks then we have already lost the battle.

  • @ChairmanMeow1
    @ChairmanMeow1 3 months ago +9

    I honestly expected Microsoft AV to catch it.

    • @arsh6212
      @arsh6212 3 months ago +4

      That's why I'm honestly skeptical of this video. I have had programs (crackmes) quarantined for just using XORs and simple obfuscation, txt documents blocked for having PHP shell scripts that have literally nothing to do with the OS, and others, from Windows Defender alone (non-enterprise of course).
      Something isn't adding up here; hopefully he releases the mock malware code that was used so there can be some more context.

    • @cristiannunez372
      @cristiannunez372 2 months ago

      @@arsh6212 "Unknown Ransomware" Says it all...

  • @gr0wnup5
    @gr0wnup5 3 months ago +2

    Skipped directly to the Crowdstrike test, coz I was too curious 😅
    Very expected, I guess. Thank you PCSC for your work 👏

  • @davidc5027
    @davidc5027 3 months ago +9

    Interesting results. There are a lot of unknown details with the enterprise versions. For Crowdstrike, I see Leo said the Prevention settings were set to "moderate". Crowdstrike Prevention settings are "disabled", "cautious", "moderate", "aggressive" and "extra aggressive". I would NOT think "most" would use "moderate" settings (I know I don't). Having said that, I'm not sure "aggressive" would have behaved any differently in this test. Would have liked to see further testing. 6 figures? Ha! Enterprises are in 7 figures these days (especially if leveraging MDR). False sense of security? Not I. That's why you carry insurance, do vulnerability testing, perform system hardening, do annual cyber assessments, do employee training, patch management, disaster recovery, not to mention all the other facets of cyber that greatly increase costs in an effort to reduce risks. Even doing everything you can, it takes one sample, like Leo is demonstrating, to ruin a weekend or longer.

    • @nicolassama2740
      @nicolassama2740 3 months ago +1

      What CS would say is that the malware does not represent the attacks they see in the real world and thus wasn't blocked, which is a fair thing to say. With EDR products you can't add overrides/exclusions without the security team reviewing the event and giving it a thumbs up or not. Our team did a similar test to this video and CS missed it; S1 blocked it but also had more false positives on other legitimate software.
      It's hard to imagine an actual ransomware would leave a window visible and output the files it's encrypting. Some AV products keep track of the files accessed by processes and lock anything that modifies/opens files on disk at a high frequency; whether it's ransomware or not doesn't matter, it will trigger the ransomware protection. Is it nice? Probably, in some cases, particularly on consumer-grade computers, but this kind of mitigation is prone to false positives and can be bypassed by higher-complexity attacks.
      A ransomware goes beyond encrypting files: it should delete shadow copies/backups, it should be fast and target other services that are typically non-existent on consumer-grade computers. I understand a file acting like ransomware is something people want to see blocked, but when you look at the whole picture, it's a different paradigm of malware; malware that targets enterprise setups is specialized for those.
      I still think EDRs/MDRs/XDRs have a ton of flaws, but IMO this video doesn't do a good job at pointing them out. Regarding the configuration, IIRC medium is recommended for tier-3 workloads where a compromise is like... whatever; aggressive and very aggressive are the go-to, but I don't think it would have made any difference in this case.
      I believe the reason why settings aren't shown is because both EDRs have a clause that forbids public benchmarks without consent, so this makes it harder to track the accounts being used; if S1/CS want to track the original account they will have to do some digging.
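      The rate-based heuristic the comment above describes, as an added illustration (not code from the video, from any vendor, or from the commenter): a sliding-window count of distinct files modified per process, run over constructed sample events that include a benign bulk renamer to show the false positive the comment warns about. The event record format, process names, window length and threshold are all assumptions.

      ```python
      from collections import defaultdict, deque
      from dataclasses import dataclass


      @dataclass(frozen=True)
      class FileEvent:
          """One file-system event as a sensor might record it (constructed format)."""
          ts: float    # seconds
          pid: int
          image: str   # executable name of the acting process
          op: str      # "write", "rename", "delete" or "read"
          path: str


      WINDOW_SECONDS = 2.0   # sliding window length (assumed tuning value)
      THRESHOLD = 20         # distinct files modified inside the window before alerting
      MODIFYING_OPS = {"write", "rename", "delete"}


      def find_burst_offenders(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
          """Return {pid: ts}: for every process that modified at least `threshold`
          distinct files within any `window`-second span, the timestamp at which it
          first crossed the threshold. Reads are ignored; repeated writes to the
          same path count once, so an auto-saving editor does not trip the rule."""
          recent = defaultdict(deque)   # pid -> deque of (ts, path), oldest first
          offenders = {}
          for ev in sorted(events, key=lambda e: e.ts):
              if ev.op not in MODIFYING_OPS:
                  continue
              q = recent[ev.pid]
              q.append((ev.ts, ev.path))
              while q and ev.ts - q[0][0] > window:   # drop events that left the window
                  q.popleft()
              if ev.pid not in offenders and len({p for _, p in q}) >= threshold:
                  offenders[ev.pid] = ev.ts
          return offenders


      def sample_events():
          """Constructed sample telemetry: a ransomware-like burst, a legitimate
          bulk renamer that looks identical to this heuristic, and an editor that
          saves the same file over and over."""
          events = []
          # pid 4242: rewrites 40 different documents in about 1.2 s
          for i in range(40):
              events.append(FileEvent(100.0 + i * 0.03, 4242, "unsigned_sample.exe",
                                      "write", f"C:/Users/u/Documents/report{i}.docx"))
          # pid 5150: a photo tool renaming 25 files in one second (benign, but fires too)
          for i in range(25):
              events.append(FileEvent(200.0 + i * 0.04, 5150, "photo_renamer.exe",
                                      "rename", f"C:/Users/u/Pictures/IMG_{i:04d}.jpg"))
          # pid 6100: an editor auto-saving one file 50 times (one distinct path, never fires)
          for i in range(50):
              events.append(FileEvent(300.0 + i * 0.02, 6100, "notepad.exe",
                                      "write", "C:/Users/u/notes.txt"))
          return events


      def alerts_for(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
          """Human-readable alert lines, one per offending process, oldest first."""
          images = {ev.pid: ev.image for ev in events}
          hits = find_burst_offenders(events, window, threshold)
          return [f"t={ts:.2f} pid={pid} image={images[pid]} "
                  f"modified >={threshold} distinct files within {window}s"
                  for pid, ts in sorted(hits.items(), key=lambda kv: kv[1])]


      if __name__ == "__main__":
          for line in alerts_for(sample_events()):
              print(line)
      ```

      Both the constructed sample and the benign renamer produce an alert, which is exactly the false-positive trade-off the comment describes; a production rule would add context such as file-type changes or entropy rather than rate alone.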

    • @Scio-to1ur
      @Scio-to1ur 3 months ago +3

      Leo is also demonstrating why properly configuring your XDR solution is important. There are at least a dozen settings in CS and without seeing their configuration the results are something to take with a big grain of salt.

    • @davidc5027
      @davidc5027 3 months ago +1

      @@Scio-to1ur I agree with what you are saying, as well as sometimes I wonder if Leo doesn't have an axe to grind (I don't have to wonder). Also, you are absolutely right about the settings, because there are quite a few options. Having said that, I've got this little guy on my shoulder telling me even with the most optimal settings, the test would not have ended any differently. Clearly this test shows Crowdstrike has work to do with their product. If I were Crowdstrike, I would get that sample from Leo and learn from it.

    • @davidc5027
      @davidc5027 3 months ago

      I did more research. It could be that aggressive would have blocked this. Why? The detections between moderate and aggressive are pretty much the same. The difference is aggressive automatically blocks more. We never saw the Crowdstrike dashboard and what it detected due to it being in moderate mode. It could very well be that aggressive would have blocked it.

  • @kaikiefer2016
    @kaikiefer2016 10 days ago +2

    You say "pretty much everything turned on"... would like to start seeing your policy settings

  • @Rue21341
    @Rue21341 3 months ago +33

    I miss Kaspersky

    • @arvydasurbonavicius5170
      @arvydasurbonavicius5170 3 months ago +4

      Kaspersky is malware on the next level

    • @Wahinies
      @Wahinies 3 months ago

      @@arvydasurbonavicius5170 proof?

    • @MrDomingo55
      @MrDomingo55 3 months ago

      @@arvydasurbonavicius5170 If I was living in Russia maybe I would use Bitdefender. If I was living in the USA, I would definitely use Kaspersky. There is a reason Kaspersky is a target of US authorities; Kaspersky likely would not ignore NSA / FBI / MI6 malware and Kaspersky likely rejected any such request. All other AV software is likely designed to ignore such 3LA-generated malware.

    • @danielivo5313
      @danielivo5313 3 months ago

      @@arvydasurbonavicius5170 Bias much? By that logic you have malware on your PC too. Even Windows is spyware.

    • @azeQify
      @azeQify 3 months ago

      @@arvydasurbonavicius5170 but that applies only to the few believing in it.

  • @real45x63
    @real45x63 2 months ago

    This was a *BIG* reason as to why I recently chose Bitdefender for my Mac (yes, Macs get malware too 😅). Ransomware is causing a lot of havoc around the world, and Bitdefender's technology easily detects it!

  • @DimitriRytsk
    @DimitriRytsk 3 months ago +3

    1:26 Why did Windows Defender SmartScreen not pop up when you clicked on the exe? It looks like ‘Check apps and files’ is Off in the ‘App & browser control’ tab, which you did not show at 0:50

  • @testaaa88
    @testaaa88 3 months ago +3

    Is this Windows Defender (free and embedded) or Defender for Business (commercial product like CrowdStrike) with all EDR and attack surface reduction enabled?

  • @a-ezzat5677
    @a-ezzat5677 3 months ago

    You are my best instructor ever, greetings from Egypt

  • @z3row0rm
    @z3row0rm 3 months ago +5

    I really enjoy your humor @0:30, can't get enough of these videos!
    Edit: CrowdStrike LMAO

  • @noobnoob-c137
    @noobnoob-c137 3 months ago +1

    Love the channel and thanks for all of your extensive tests man!
    A few others have stated that you should show the EDRs' settings, and I agree. I mean, even the bad guys can obtain a free trial if they really want to, so I don't see a reason why you can't show it. No need to show ALL the policy settings or anything, but the main detection setting is critical for managed EDR products like S1, CS, Webroot, Malwarebytes, etc. (Maybe do another, more in-depth video on your "TPSC Business" channel and link it here?)
    For SentinelOne, it did look as if you set it to "Detect" only; can you please confirm?
    I would have liked for you to have shown the endpoint in the dashboard under "Incidents" at the end, showing that in fact nothing was detected. This is a business and managed product after all, which REQUIRES a tech to confirm the detected results.
    If you had in fact set both settings to "Protect" and "Rollback", or at least Remediate, would this still have occurred (I have doubts)? Otherwise this is a severe issue and S1 should see this video and take action with the highest priority.
    Please look at Lawrence Systems' video from 2 years ago showing that exact setting.
    ruclips.net/video/SSDITOd56Os/видео.htmlsi=K-q-VFJIv3AgVyBz&t=725

  • @cleverman234
    @cleverman234 3 months ago +34

    Any chance to include ESET, Kaspersky and Malwarebytes?

    • @pcsecuritychannel
      @pcsecuritychannel 3 months ago +19

      Yup, thinking of doing a part II with those.

    • @Thiccum069
      @Thiccum069 3 months ago

      Only sponsored ones allowed

    • @shabsZA
      @shabsZA 3 months ago

      As well as F-Secure

    • @nelsone.hernandez6654
      @nelsone.hernandez6654 3 months ago +1

      Trend Micro would be nice too

    • @blk-00000
      @blk-00000 2 months ago

      @@pcsecuritychannel see how Symantec Endpoint Protection holds up nowadays, now that it's transferred to Broadcom

  • @justyouraveragelurker
    @justyouraveragelurker 3 months ago +2

    I think everyone can agree that for enterprise EDR like CS and S1 you should show us the configuration.

  • @jgaming2069
    @jgaming2069 3 months ago +15

    Holy shit dude, please turn down the bell 🔔 sound effect

  • @vipinramesh6005
    @vipinramesh6005 3 months ago +1

    Awesome video! Surprised to see most of the major EDRs didn't detect weird behaviour on the machine, as real-time detection is one of the key components of EDR.
    One addition to running the EDR with real-time, exploit detection etc.: do we need to implement much tighter policies, like quarantining any file that initiates certain child processes or renames a file to .exe? I'm certain Defender has an attack surface reduction feature, not sure about other EDRs.

  • @roelofdirkx1623
    @roelofdirkx1623 3 months ago +5

    ESET would have been a very good addition to the test!
    ESET gets tested too little.

  • @Treamsc
    @Treamsc 3 months ago

    Thanks for testing all of these programs

  • @eek0212
    @eek0212 3 months ago +9

    This is why organizations should get a backup solution too, not just EDR or antivirus. These days backup solutions have a feature that alerts the administrator when they notice a massive amount of file changes during backup procedures, and this can be very useful for organizations to detect a ransomware situation much earlier, and also you could restore with the backed-up data.

    • @IPendragonI
      @IPendragonI 3 months ago

      SentinelOne comes with VSS snapshot capability for ransomware rollback

    • @imKanda
      @imKanda 3 months ago

      "detect ransomware situation much earlier and also you could restore with backed-up data"
      You wouldn't know the data is encrypted until the next backup job, which normally runs once every 24 hours. Backups are not a useful tool to detect ransomware. Security in layers has been the approach for any competent IT, utilizing EDR + immutable backups + zero trust to thwart phishing, malware, ransomware, and loads more.

    • @Scottdvz
      @Scottdvz 3 months ago

      Rubrik has that capability.

    • @Light-uw5es
      @Light-uw5es 3 months ago

      @@IPendragonI works well for common malware but it sucks against ransomware. Only Kaspersky has true rollback action.

    • @IPendragonI
      @IPendragonI 3 months ago

      @@Light-uw5es What are you talking about? Rollback is literally meant for ransomware. I wouldn't trust Kaspersky if it was the only AV on the market.

  • @enkaskal
    @enkaskal 3 months ago

    Interesting… was surprised to see Bitdefender instead of ESET, so looking forward to part 2 😀👍

  • @sandeeepkiran1130
    @sandeeepkiran1130 3 months ago +10

    Malwarebytes, Kaspersky & Huntress next please

    • @abrahamdeutsch3175
      @abrahamdeutsch3175 3 months ago

      “Huntress does not provide protection; it can isolate a computer, but it won’t completely prevent encryption on this computer”

    • @dk-ib8ok
      @dk-ib8ok 3 months ago

      @@abrahamdeutsch3175 Huntress fully relies on Defender to prevent. It would be helpless here.

  • @Jason-zh7wo
    @Jason-zh7wo 3 months ago

    Great demonstration! Thanks

  • @snubbelbuff1471
    @snubbelbuff1471 3 months ago +10

    Ooooh! 'CrowdStrike:'! Spicy!

  • @davidg3944
    @davidg3944 3 months ago

    Thanks. Even for this non-computer jock, this was eye-opening...

  • @ad5786
    @ad5786 3 months ago +3

    Would be interesting to do the same test with Microsoft Defender for Endpoint EDR.

    • @dk-ib8ok
      @dk-ib8ok 3 months ago

      No difference, as the EDR tools come with no additional ransomware protections

    • @ad5786
      @ad5786 3 months ago +1

      @@dk-ib8ok Not protection, but additional detections; MDE has some more capabilities than WDAV

  • @Ferdinand-m7d
    @Ferdinand-m7d 3 months ago +1

    After the CrowdStrike issue... I'd trust Kaspersky more than ever.

  • @zetectic7968
    @zetectic7968 3 months ago +16

    Bitdefender FTW! 😃

  • @Flames-nx2qq
    @Flames-nx2qq 3 months ago

    Wow, you have improved x10000

  • @Chikowski101
    @Chikowski101 3 months ago +10

    Kaspersky will out-smoke all of them, Kaspersky is the Snoop Dogg of AVs

    • @od1sseas663
      @od1sseas663 3 months ago +2

      True.

    • @nelsone.hernandez6654
      @nelsone.hernandez6654 3 months ago

      Can’t wait to see that

    • @lightningrodofh8509
      @lightningrodofh8509 3 months ago +2

      LOL Who in their right mind would be installing software from Russia on their computers on purpose?
      I guess some people just want to skip the middleman and go right for the malware.

    • @nelsone.hernandez6654
      @nelsone.hernandez6654 3 months ago

      @@lightningrodofh8509 Kaspersky is still popular outside the US and many people use it, so a lot of people are interested to see how it goes in Leo’s test

    • @Light-uw5es
      @Light-uw5es 3 months ago +1

      @@lightningrodofh8509 provide proof of it being malware; the US COULDN'T and I doubt that you will.

  • @lupoal4113
    @lupoal4113 27 days ago

    Bitdefender... my antivirus for years, I couldn't be happier with it

  • @ROREAX
    @ROREAX 3 months ago +5

    I recall making a recommendation to you a while back in one of your previous videos to test enterprise EDR solutions, so it's nice to see you do this. However, the main issue with this experiment is that you didn’t show how any of the prevention policies were configured. CrowdStrike Falcon, when properly configured with the prevention policies all enabled, specifically for ransomware, ML, and cloud-based analysis, would have blocked this threat without issue. The long sleep is a dead giveaway for ML/heuristics. Not trying to critique the video too harshly, just wanted to suggest that showing each product in its best possible configuration will give more accurate results.

    • @pcsecuritychannel
      @pcsecuritychannel 3 months ago +1

      The prevention policies were all enabled, so that is just not true. I demonstrated that with a different ransomware sample. I don't show the policies on video for privacy reasons, since many of these tests were configured by community members.

    • @enigma3474
      @enigma3474 3 months ago +7

      @@pcsecuritychannel then your test is invalid if you can't show us the settings. You need to be transparent. If not, then there's no point in doing these tests and you're chasing clout.

    • @ROREAX
      @ROREAX 3 months ago +4

      @@pcsecuritychannel Thanks for the prompt reply. I'm not sure I completely understand your response as it relates to privacy concerns, as nothing in the CS tenant prevention policy gives away any sort of identifying or sensitive information. However, with that said, would you be willing to share the sample of the example ransomware you ran on the CS box? I'll gladly run this in my own CrowdStrike tenant, record a video, and show you it mitigating this threat with the proper prevention policy configured.

    • @enigma3474
      @enigma3474 3 months ago +1

      @pcsecuritychannel either have better transparency and stop making excuses, or don't make these videos. Share the hash of the file used. Or else this is chasing clout.

    • @lightningrodofh8509
      @lightningrodofh8509 3 months ago

      @@enigma3474 Are you paid by CrowdStrike or something? Clearly the software sucks if you need to make a bunch of changes from the default settings to make it work as well as Bitdefender out of the box.

  • @keypresspunisher
    @keypresspunisher 3 months ago

    Super great video, please keep up the good work

  • @bumblebunny2
    @bumblebunny2 3 months ago +5

    Other people mentioned running it against Acronis or F-Secure or Malwarebytes. Maybe what I think would fail is Norton or McAfee! Oh, nearly forgot, how about Avast too?

    • @runge340
      @runge340 3 months ago +1

      Acronis is just a Bitdefender white label lol

    • @bumblebunny2
      @bumblebunny2 3 months ago

      I have no idea if that is so, but I will say that even if Acronis has Bitdefender app code inside it, Acronis might act differently, since the software is very different to Bitdefender? This is assuming Bitdefender is inside Acronis.

  • @lukes4720
    @lukes4720 2 months ago

    Great demo, thanks, well done.

  • @petersimmons7833
    @petersimmons7833 3 months ago +7

    Even with SentinelOne, you could tag any of those behaviors as a Storyline and then issue the Rollback command. It would have reversed all the encryption. That's why it is different. Even if it “misses”, it can reverse it.

    • @ТоварищКамрадовСоциалистКоммун
      @ТоварищКамрадовСоциалистКоммун 3 months ago +2

      People who cannot afford paid software can use free backup utilities. It's a good protection against non-legit data encryption, as well as data loss, corruption, accidental removal etc.

    • @logician44
      @logician44 3 months ago +2

      Still way late to the party, and it increases the cost and man-hours of the remedy. Coulda-woulda-shoulda does not hold much favour.

    • @doleph1
      @doleph1 3 months ago +5

      @@logician44 Spoken like someone that's not familiar with S1. It really can roll back file changes once the malicious activity is tagged, and it pushes that policy to all affected endpoints in real time. Just showing that it didn't catch it preemptively isn't enough to showcase all the platform can do, and that's a misrepresentation of the product as a whole.

    • @petersimmons7833
      @petersimmons7833 3 months ago +4

      @@logician44 Reversing encryption and file damage is a key differentiator that other tools don’t have. Being able to turn back time on damaged files is a key difference. All the repair bits were there in the scenario; it just wasn’t used.

    • @Scio-to1ur
      @Scio-to1ur 3 months ago +1

      @@logician44 not having rollback enabled actually makes a gigantic difference… Same goes for "detect interactive threat". If the latter setting was enabled, that script would have been terminated.

  • @tbard
    @tbard 3 months ago

    Pretty much the result I expected from every one of them, except Bitdefender; that was a nice surprise. If you're going to do a part 2 as you wrote, mind adding some open source alternatives like Wazuh? I honestly am not expecting much, but it would be nice to compare the few open source solutions around to commercial ones!

  • @knuthansen8524
    @knuthansen8524 3 months ago +55

    Will Kaspersky also be sanctioned here now?

    • @pcsecuritychannel
      @pcsecuritychannel 3 months ago +151

      Planning a part 2 with Kaspersky, ESET and others.

    • @Blackdeath939
      @Blackdeath939 3 months ago +27

      @@pcsecuritychannel you should pin that before the dislikes run in

    • @Gateastrologykc
      @Gateastrologykc 3 months ago

      @@pcsecuritychannel include ZoneAlarm as well; they use Sophos and their own engine, and Xcitium

    • @josemmm11
      @josemmm11 3 months ago +3

      @@pcsecuritychannel I would love to see this. Kaspersky EDR or Kaspersky Antivirus?

    • @Capt-Intrepid
      @Capt-Intrepid 3 months ago +3

      Kaspersky will no longer be supported in the USA after September 30, 2024.

  • @LT53
    @LT53 3 months ago

    Cannot wait for the second part of this.

  • @SchiKrom
    @SchiKrom 3 months ago +3

    You used some non-enterprise versions, right?
    Like for Bitdefender, we use Bitdefender GravityZone and I have no clue if that would protect me as well. We are about to buy CrowdStrike; what exact version of CrowdStrike did you test?

    • @pcsecuritychannel
      @pcsecuritychannel 3 months ago +3

      We use free versions for BD/Sophos simply because it is easier to deploy. The enterprise versions block it as well.

  • @Baulder13
    @Baulder13 3 months ago +3

    Goddamnit SentinelOne

    • @Deus_Juvat
      @Deus_Juvat 3 months ago

      He never showed the policy settings. I call bullshit.

    • @tg9754
      @tg9754 1 month ago

      @@Deus_Juvat Hi Deus_Juvat, I'm new to S1 (Control version) and I've installed it on 75 endpoints. I'm still learning the product, but it sounds like you are very experienced with it. If so, can you list the proper settings required to make sure ransomware is detected and stopped immediately, along with making sure the rollback process is enabled? Thanks in advance.

  • @redhonu
    @redhonu 3 months ago +1

    I would be interested in seeing if the detection changes if you use an info stealer. How much potentially confidential data can an attacker get before it’s detected?
    In an enterprise, you should have a snapshot/backup of the important data and alerting if a large number of files change. Not just against ransomware but also against accidental deletion/changes.

  • @Emansky84
    @Emansky84 3 months ago +7

    Sorry, but instead of Windows Defender I suggest using Defender for Endpoint, which is the enterprise-grade endpoint security from Microsoft, since this is not apples to apples.

    • @dk-ib8ok
      @dk-ib8ok 3 months ago

      Yes, only the CrowdStrike and SentinelOne solutions were enterprise... funnily enough the ones that didn't catch it

  • @teknologyguy5638
    @teknologyguy5638 3 months ago +1

    Curious to know what Falcon policy was configured at the time of the test. There are ways to configure the Falcon sensor to detect only, and I think it would be helpful to show in a video like this exactly what posture is applied to the sensor. Same goes for SentinelOne and others.
    Without this information being included, it can appear as if the video was gamed to produce a specific outcome.

  • @AgentM124
    @AgentM124 3 months ago +4

    How would a system differentiate between a user deliberately encrypting some sensitive data, and some malware encrypting it?

    • @ТоварищКамрадовСоциалистКоммун
      @ТоварищКамрадовСоциалистКоммун 3 months ago +3

      Normally it should be based on a program signature. No valid digital signature, no data access without clear administrator permission. That's the reason why I'm usually very skeptical about tests like this )

    • @TungstenViper
      @TungstenViper 3 months ago +1

      Maybe because the encryption is done systematically and in one go. Also, usually the user needs to specify the files that he wants to encrypt

    • @bobcrusader
      @bobcrusader 3 months ago +2

      Exactly - this test could simply have run 7Zip with a command line and zipped all the documents with a password, and it would look exactly the same. No ransom notes? No extension changes?

    • @ТоварищКамрадовСоциалистКоммун
      @ТоварищКамрадовСоциалистКоммун 3 months ago

      7Zip, if I remember, has no digital signature recognized by Certificate Authorities. It could certainly be a bad encryption program )
      I guess 7Zip is somehow put into a whitelist, to avoid false positive detections

    • @incandescentwithrage
      @incandescentwithrage 3 months ago +1

      @@bobcrusader Yeah, if I was performing an operation like that on a batch of files *with script console output*, I'd be annoyed if the AV kept getting involved
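
The two questions raised in this thread (how a product tells a user deliberately encrypting files apart from ransomware, and whether "7Zip with a password" would look the same) and the earlier backup-thread point about alerting on a massive amount of file changes both come down to the same behavioural signals. The block below is an added illustration written for this page; it is not code from the channel, from the test sample, or from any of the vendors discussed. It scores file-write telemetry per process on four signals that a behavioural engine or a backup job could compute without knowing the sample: in-place overwrite of existing files whose content jumps from low to high entropy, a burst of such overwrites within a short window, a cumulative count that still fires when the ransomware sleeps between files (the slow variant from the pinned FAQ), and writes to a planted decoy file (the "decoy files" a commenter mentions for S1). A code signature is deliberately not treated as an exemption, because the question is what the process did to the originals, not who signed it: 7-Zip writing one new archive leaves the originals untouched and is not flagged, and a signed photo tool re-encoding JPEGs is not flagged either, because compressed media is already high entropy before the write. All thresholds, file paths, process names and the sample content are constructed assumptions for the example.

```python
"""Behavioural ransomware detection over file-write telemetry (constructed example)."""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample content (assumption, not real files): documents are low-entropy
# text, "ciphertext" and compressed media are pseudo-random bytes from a seeded RNG.
_rng = random.Random(2024)
PLAINTEXT = (b"Quarterly report: revenue up 4%, costs flat, headcount unchanged. " * 70)[:4096]
JPEG_LIKE = _rng.randbytes(4096)   # already-compressed media is high entropy before any write


def encrypt_sample(_: bytes) -> bytes:
    """Stand-in for the ransomware's cipher output: uniformly random bytes."""
    return _rng.randbytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    ts: float                  # seconds
    pid: int
    image: str                 # process image name
    signed: bool               # Authenticode status as the sensor saw it (logged, not trusted)
    path: str                  # file written
    before: bytes              # sample of the previous content; empty for a newly created file
    after: bytes               # sample of the new content
    renamed_to: Optional[str] = None   # new extension if the write came with a rename


# Tunables: assumptions chosen for the example, not any vendor's defaults.
DECOY_PATHS = {r"C:\Users\alice\Documents\~canary.docx"}
HIGH_ENTROPY = 7.2     # bits/byte after the write
ENTROPY_JUMP = 2.0     # minimum rise over the previous content
BURST_FILES = 5        # distinct files overwritten within BURST_WINDOW_S
BURST_WINDOW_S = 60.0
SLOW_FILES = 10        # cumulative overwrites per process, independent of timing


@dataclass
class ProcState:
    burst: list = field(default_factory=list)          # (ts, path) of recent overwrites
    encrypted_paths: set = field(default_factory=set)
    renamed: int = 0


class RansomwareBehaviorDetector:
    def __init__(self):
        self.procs = defaultdict(ProcState)
        self.alerts = []   # (pid, image, reason)

    def _alert(self, ev, reason):
        self.alerts.append((ev.pid, ev.image, reason))
        return reason

    @staticmethod
    def looks_like_in_place_encryption(ev):
        # A new file (empty 'before') is ignored: an archiver or encrypting backup writes
        # a *new* output and leaves the originals intact; ransomware overwrites them.
        if not ev.before:
            return False
        after_e = shannon_entropy(ev.after)
        return after_e >= HIGH_ENTROPY and after_e - shannon_entropy(ev.before) >= ENTROPY_JUMP

    def observe(self, ev):
        st = self.procs[ev.pid]
        # 1. Any write to a planted decoy is an alert on its own, whoever signed the writer.
        if ev.path in DECOY_PATHS:
            return self._alert(ev, "decoy file modified")
        # 2. Bulk extension rewrite (".locked" style) is a secondary signal.
        if ev.renamed_to:
            st.renamed += 1
            if st.renamed == BURST_FILES:
                self._alert(ev, "bulk extension change")
        if not self.looks_like_in_place_encryption(ev):
            return None
        st.encrypted_paths.add(ev.path)
        # 3. Burst: many distinct originals overwritten with ciphertext inside the window.
        st.burst.append((ev.ts, ev.path))
        st.burst = [(t, p) for t, p in st.burst if ev.ts - t <= BURST_WINDOW_S]
        if len({p for _, p in st.burst}) >= BURST_FILES:
            return self._alert(ev, "mass in-place encryption")
        # 4. Slow variant: sleeping between files defeats the window, not the running total.
        if len(st.encrypted_paths) >= SLOW_FILES:
            return self._alert(ev, "slow in-place encryption")
        return None


def run_scenarios():
    """Replay constructed scenarios and return {pid: [alert reasons]}."""
    det = RansomwareBehaviorDetector()
    docs = [rf"C:\Users\alice\Documents\report{i}.docx" for i in range(12)]
    # A: unsigned binary rewrites 6 documents in 3 seconds, appending .locked
    for i in range(6):
        det.observe(WriteEvent(0.5 * i, 4321, "evil.exe", False, docs[i],
                               PLAINTEXT, encrypt_sample(PLAINTEXT), renamed_to=".locked"))
    # B: same overwrite pattern with a 90 s sleep between files
    for i in range(10):
        det.observe(WriteEvent(1000 + 90.0 * i, 4322, "evil2.exe", False, docs[i],
                               PLAINTEXT, encrypt_sample(PLAINTEXT)))
    # C: something touches the planted decoy
    det.observe(WriteEvent(3000, 4323, "update.exe", False, next(iter(DECOY_PATHS)),
                           PLAINTEXT, encrypt_sample(PLAINTEXT)))
    # D: signed archiver writes one new password-protected archive; originals untouched
    det.observe(WriteEvent(4000, 9000, "7z.exe", True, r"C:\Users\alice\Documents\archive.7z",
                           b"", encrypt_sample(b"")))
    # E: signed photo tool re-encodes 8 JPEGs in place; high entropy before and after
    for i in range(8):
        det.observe(WriteEvent(5000 + i, 9001, "photos.exe", True,
                               rf"C:\Users\alice\Pictures\img{i}.jpg", JPEG_LIKE, encrypt_sample(JPEG_LIKE)))
    by_pid = defaultdict(list)
    for pid, _, reason in det.alerts:
        by_pid[pid].append(reason)
    return dict(by_pid)


if __name__ == "__main__":
    for pid, reasons in run_scenarios().items():
        print(pid, reasons)
```

Only the three hostile processes produce alerts; the archiver and the photo tool do not, even though both are "encrypting" in the loose sense, because neither overwrites low-entropy originals with ciphertext. A product that keys on the signature alone, as one reply proposes, gets the opposite result: it would pass a signed LOLBin doing the overwrite and block an unsigned in-house script writing a new archive.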

  • @mellowtones1985
    @mellowtones1985 3 months ago +1

    Nice video, requesting Xcitium/Comodo in the next test.

  • @andreylucass
    @andreylucass 3 months ago +9

    Looks like we won't be seeing Kaspersky here from now on...

    • @andrewortiz8044
      @andrewortiz8044 3 months ago +7

      He's making a part 2 with ESET and Kaspersky and something else

  • @elexbeats
    @elexbeats 2 months ago

    CrowdStrike offers you a SOC team for your company. Yes, it’s a complete shame for them that it didn’t identify that behavior as ransomware, but still, their SOC is another level.

  • @alexramossr
    @alexramossr 3 months ago +9

    No Malwarebytes?

    • @videogamebot1211
      @videogamebot1211 3 months ago

      This video is for enterprise antivirus only, aka the ones for critical company computers and servers. The next video will be regular antiviruses, I believe.

  • @chrisjinks5414
    @chrisjinks5414 3 months ago

    It would have been interesting to see what would have happened if you had enabled the Defender ASR rules. Still a great video, thank you

  • @asinthaprabhashwara7352
    @asinthaprabhashwara7352 3 months ago +7

    Dear Leo, I miss Kaspersky in this test badly 😔😔😔😔😔

  • @timk8869
    @timk8869 3 months ago +2

    I know you will be doing a part 2, but I feel like Kaspersky and ESET should have been in this test vs some lesser-known alternatives

  • @RickOShay
    @RickOShay 3 months ago +4

    Great review and test. There is absolutely no excuse. If a comparatively small company like Bitdefender can offer effective heuristic protection free of charge (albeit no product is 100% reliable and this was just one test), then these lumbering multi-billion corporate security giants can do much better.
    The fact that the majority of security products have such poor heuristics (based on other tests), especially given how advanced AI is these days, highlights just how appalling the security industry really is. You have to wonder just how committed they really are; after all, threats and risk drive sales.
    Particularly products from huge companies like CrowdStrike and SentinelOne and other enterprise solutions.
    You have to wonder how these products pass security vetting, selection and wide-scale deployment.
    It illustrates that at an enterprise level, security decisions are often made in the boardroom and not in a tech lab.
    To highlight just how bad this is: bad actors are already using sophisticated AI tools to attack corporate and government enterprises; the probability of unknown malicious attacks is rapidly escalating.

  • @TheOfficialSethos
    @TheOfficialSethos 3 months ago +1

    I would love to see a gaming benchmark between Windows Defender, Bitdefender, ESET, Kaspersky etc. to see which one has the least direct impact

  • @koliore
    @koliore 3 months ago +4

    I'm eager to see how Kaspersky will perform against this ransomware

    • @arvydasurbonavicius5170
      @arvydasurbonavicius5170 3 months ago

      Kaspersky is the next generation of ransomware.

    • @od1sseas663
      @od1sseas663 3 months ago

      @@arvydasurbonavicius5170 Nice joke.

    • @arvydasurbonavicius5170
      @arvydasurbonavicius5170 3 months ago

      @@od1sseas663 Next generation ransomware: when you don't even suspect that your data is stolen and encrypted somewhere

    • @Light-uw5es
      @Light-uw5es 3 months ago

      @@arvydasurbonavicius5170 no proof provided by the US and Germany, so keep talking...

    • @arvydasurbonavicius5170
      @arvydasurbonavicius5170 3 months ago

      @@Light-uw5es And you don't know who they are? Insufficient argument, KGB mafia? 🙂

  • @DevilbyMoonlight
    @DevilbyMoonlight 1 month ago

    Top work!

  • @simoncroston4581
    @simoncroston4581 3 months ago +6

    I think there is an element of bollocks here. S1 has decoy files and rollback; the decoy files would have been touched by the encryption and you could then roll back using the VSS snapshots. There is so much missing here, I say it’s bollocks.

  • @timetraveller6643
    @timetraveller6643 3 months ago +2

    Don't ever use that BELL again. OUCH! DING! DING! DING! DING! DING!

  • @LordMacGyver13
    @LordMacGyver13 3 months ago +3

    KASPERSKY?

  • @spierd
    @spierd 3 months ago +1

    Interesting video, but more should be disclosed about the malware being deployed, as was promised in the video.