rlarjsdn122, posted January 2, 2020 (edited January 2, 2020)

I failed to submit a report via http://www.immunet.com/false_positive, so I report here.

OS: Windows 10 Home ver.1909 Korean
Immunet ver: 7.0.2.11454
Name of file causing FP: SimulatorSetup.exe
Sha256 of file causing FP: 121e868268ab84f9d9ab83af3f107ed57dfa8e2a5695c307a0db1de9f191a5d2
Size of file causing FP: 17.2MB
Alert name: Win.Dropper.Generic::mash.rt.sbx.vioc

This file is for installing RanSim made by KnowBe4, Inc. This program is a ransomware simulator. RanCERT (https://www.rancert.com/), provided by innotium.inc (https://www.innotium.com/), introduces Koreans to this program. So, I think the program is safe.

ritchie58, posted January 3, 2020

Immunet's False Positive reporting site is the best place to submit this type of data as it will be analyzed much quicker for authenticity than if you report it here. Then the program can be whitelisted if it's deemed the code is not malicious in nature. Did you have some sort of difficulties submitting the data at that link?

Regards, Ritchie...

ritchie58, posted January 3, 2020

I personally am quite curious about what exactly this software does? If it is a tool to teach future cyber security technicians how to recognize suspicious/malicious code that would be a great thing! There actually is a growing shortage of trained cyber security personnel worldwide. This doesn't bode well for the average computer user as malware is sure to become more complex & prevalent as well because of this.

novirus, posted January 3, 2020

RanSim is a tool that simulates the behavior of ransomware. The purpose of RanSim is to check if a workstation is well-protected with endpoint security software which would be able to detect and prevent real ransomware attacks. It also allows you to see if this software is incorrectly blocking files by running "false positive" scenarios. You can optionally select specific files you'd like to test to see how they would be affected by the ransomware simulations.

maybe similar to cisco/talos amp, network protection

novirus, posted January 3, 2020

I was trying to see if Immunet blocks ransomware, but I use Chrome add-ons like Norton, Malwarebytes; they prevent the web page from opening anyway.

ritchie58, posted January 3, 2020

Thanks for the explanation for what the software does novirus. I could see where that could be a very useful tool for IT or security professionals! Immunet does block "known strains" of ransomware. It's the brand new, emerging forms of ransomware that can be problematic for users until new malware definitions are created to block it.

Congratulations btw novirus! Since you now have over 10 posts you are no longer a Newbie, instead you are the "newest official Member to the Immunet community!"

Rob.T, posted January 6, 2020

Thanks for the new tool rlarjsdn122,

Immunet's expected behavior for demo and test "benign malware" is to block it from running, alert, and quarantine it. This is standard behavior across the AV industry. The same goes for the Eicar test file, and a vanquish test rootkit.

That being said, we should be able to do better than the Alert name: "Win.Dropper.Generic::mash.rt.sbx.vioc" to at least indicate it's the KnowBe4 test file. I'll escalate this internally with our sig dev team and see if we can at least get it appropriately named.