Jump to content

KnowBe4's RanSim is detected.


Recommended Posts

I failed to submit a report via http://www.immunet.com/false_positive, so I report here.

OS: Windows 10 Home ver.1909 Korean
Immunet ver:
Name of file causing FP: SimulatorSetup.exe
Sha256 of file causing FP: 121e868268ab84f9d9ab83af3f107ed57dfa8e2a5695c307a0db1de9f191a5d2
Size of file causing FP:17.2MB
Alert name: Win.Dropper.Generic::mash.rt.sbx.vioc

This file is for installing RanSim made by KnowBe4, Inc. This program is a ransomware simulator.
RanCERT(https://www.rancert.com/) providing by innotium.inc(https://www.innotium.com/) introduce Koreans to this program. So, I think the program is safe.

Edited by rlarjsdn122
Link to comment
Share on other sites

Immunet's False Positive reporting site is the best place to submit this type of data as it will be analyzed much quicker for authenticity than if you report it here. Then the program can be whitelisted if it's deemed the code is not malicious in nature.

Did you have some sort of difficulties submitting the data at that link?

Regards, Ritchie...

Link to comment
Share on other sites

I personally am quite curious about what exactly this software does? If it a tool to teach future cyber security technicians how to recognize suspicious/malicious code that would be a great thing!

There actually is a growing shortage of trained cyber security personal worldwide. This doesn't bode well for the average computer user as malware is sure to become more complex & prevalent as well because of this.

Link to comment
Share on other sites

RanSim is a tool that simulates the behavior of ransomware. The purpose of RanSim is to check if a workstation is well-protected with endpoint security software which would be able to detect and prevent real ransomware attacks. It also allows you to see if this software is incorrectly blocking files by running "false positive" scenarios. You can optionally select specific files you'd like to test to see how they would be affected by the ransomware simulations.


............................................maybe similar to cisco/talos  amp,network protection

  • Like 1
Link to comment
Share on other sites

Thanks for the explanation for what the software does novirus. I could see where that could be a very useful tool for IT or security professionals!

Immunet does block "known strains" of ransomware.  It's the brand new, emerging forms of ransomware that can be problematic for users until new malware definitions are created to block it.

Congratulations btw novirus! Since you now have over 10 posts you are no longer a Newbie, instead you are the "newest official Member to the Immunet community!"

Link to comment
Share on other sites

Thanks for the new tool  rlarjsdn122,  Immunet's expected behavior for demo and test  "benign malware" is to block it from running,  alert, and quarantine it.  This is standard behavior across the AV industry.   The same goes for the Eicar test file, and a vanquish test  rootkit.  

That being said, we should be able to do better  than the Alert name: "Win.Dropper.Generic::mash.rt.sbx.vioc"    to at least indicate it's the knowbe4 test file.  I'll escalate this internally with our sig dev team and see if we can at least get it appropriately named.



Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...