2 Replies Latest reply on Jun 21, 2017 6:22 AM by wyrm

    Episode 01 : SoreBrect Ransomware vs McAfee ENS 10.5 (DAC /RP)


      SoreBrect Ransomware was made known to the public on June 15, 2017 by a third-party researcher (http://www.securityweek.com/fileless-code-injecting-ransomware-sorebrect-emerges ).


      Among the highlights of the ransomware's capabilities are:

      • A fileless ransomware, "SOREBRECT", was discovered that has the capability to inject malicious code into the target and encrypt the victim's data. Its PsExec utility lets you execute processes on other systems.
      • SOREBRECT was developed with a more stealthy self-destruct routine capability that makes it fileless malware. Before terminating the main binary, it executes the encryption routine to inject the code into a legitimate process called svchost.exe.
      • Its evasion technique avoids detection and makes it difficult to delete from affected systems, event logs and other tracking artifacts that hold forensic information such as files executed on the system, including their timestamps.
      • These stealthy functions help keep SOREBRECT activities from being tracked.


      How did McAfee ENS 10.5 fare against this malware?
      =======================

      In the announcement by the third-party research, 6 known malware hashes were made known and we selected a sample to be tested against McAfee ENS 10.5.1.


      In the test, AV was turned off to ensure that only DAC and RP were providing protection to the endpoint. As a result, the malware was successfully prevented by the DAC rules (shown below). A video of the testing is shown below.




      • McAfee ENS 10.5 (DAC / RP) successfully detected and prevented the ransomware from infecting the machine. Below are the DAC rules that prevented the ransomware:
      | DAC Rule                                                        | Included in McAfee ENS 10.5 Best Practices for DAC (referring to McAfee Default Security) |
      |-----------------------------------------------------------------|-----|
      | Executing any child process                                     | YES |
      | Modifying the Services registry location                        | YES |
      | Modifying users' data folders                                   | NO  |
      | Modifying the hidden attribute bit                              | YES |
      | Modifying user policies                                         | YES |
      | Writing to files commonly targeted by ransomware-class malware  | YES |


      • McAfee ENS 10.5 has provided protection against this ransomware since Dec 2016, whereas the ransomware was made known to the public on 15 June 2017. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection 6 months before this ransomware was publicly known.
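The table above lists which DAC rules are enabled in the best-practice set and which one ("Modifying users' data folders") is not, which is why a behaviour-based containment product can block an unknown sample without a signature. The following is an added illustration, not McAfee's code and not the ENS rule engine: a toy evaluator that takes the six rule names and the YES/NO column from the table, applies them only to a process marked as contained, and decides which constructed events would be blocked. The event format, the registry-key and path matching, the list of "ransomware-targeted" file extensions and the process names are all assumptions made for this example.

```python
"""Toy evaluator for Dynamic Application Containment (DAC) style rules.

Added example for this thread, not McAfee's code and not the real ENS rule
engine. The six rule names and the YES/NO column come from the table in the
post; the event format, the path/registry matching and the extension list
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Rule name -> included in the ENS 10.5 best-practice set (from the post's table)
BEST_PRACTICE_RULES: Dict[str, bool] = {
    "Executing any child process": True,
    "Modifying the Services registry location": True,
    "Modifying users' data folders": False,
    "Modifying the hidden attribute bit": True,
    "Modifying user policies": True,
    "Writing to files commonly targeted by ransomware-class malware": True,
}

# Assumed: file types a ransomware-class rule would watch, and the key/path prefixes
RANSOMWARE_TARGET_EXTS = (".docx", ".xlsx", ".pptx", ".pdf", ".jpg")
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
POLICY_KEYS = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies",
               "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies")
USER_DATA_PREFIX = "C:\\Users\\"


@dataclass(frozen=True)
class Event:
    process: str  # image name of the acting process
    action: str   # create_process | write_registry | write_file | set_hidden
    target: str   # child image, registry key, or file path


def rule_for(event: Event) -> Optional[str]:
    """Return the DAC rule an event falls under, or None if no rule applies."""
    t = event.target.lower()
    if event.action == "create_process":
        return "Executing any child process"
    if event.action == "write_registry":
        if t.startswith(SERVICES_KEY.lower()):
            return "Modifying the Services registry location"
        if any(t.startswith(k.lower()) for k in POLICY_KEYS):
            return "Modifying user policies"
        return None
    if event.action == "set_hidden":
        return "Modifying the hidden attribute bit"
    if event.action == "write_file":
        if t.endswith(RANSOMWARE_TARGET_EXTS):
            return "Writing to files commonly targeted by ransomware-class malware"
        if t.startswith(USER_DATA_PREFIX.lower()):
            return "Modifying users' data folders"
    return None


def evaluate(events: List[Event], contained: Set[str],
             rules: Dict[str, bool] = BEST_PRACTICE_RULES) -> List[Tuple[Event, Optional[str], bool]]:
    """Decide each event as (event, matched rule, blocked).

    Only processes in `contained` are subject to the rules, mirroring DAC's
    model of containing unknown processes; a matched rule blocks only when it
    is enabled (YES) in the supplied rule set.
    """
    decisions = []
    for ev in events:
        rule = rule_for(ev)
        blocked = ev.process in contained and rule is not None and rules.get(rule, False)
        decisions.append((ev, rule, blocked))
    return decisions


# Constructed event stream modelled on the behaviours described in the post
SAMPLE_EVENTS = [
    Event("unknown_sample.exe", "create_process", "C:\\Windows\\System32\\svchost.exe"),
    Event("unknown_sample.exe", "write_registry", SERVICES_KEY + "\\ExampleSvc\\ImagePath"),
    Event("unknown_sample.exe", "set_hidden", "C:\\Users\\alice\\Documents"),
    Event("unknown_sample.exe", "write_file", "C:\\Users\\alice\\Documents\\report.docx"),
    Event("unknown_sample.exe", "write_file", "C:\\Users\\alice\\Documents\\notes.txt"),
    Event("winword.exe", "write_file", "C:\\Users\\alice\\Documents\\report.docx"),
]
CONTAINED = {"unknown_sample.exe"}  # constructed: the sample is treated as untrusted


def blocked_rules(events=SAMPLE_EVENTS, contained=CONTAINED,
                  rules: Dict[str, bool] = BEST_PRACTICE_RULES) -> List[str]:
    """Names of rules that fired and blocked at least one event."""
    return sorted({rule for _, rule, blocked in evaluate(events, contained, rules) if blocked})


if __name__ == "__main__":
    for ev, rule, blocked in evaluate(SAMPLE_EVENTS, CONTAINED):
        print(f"{'BLOCK' if blocked else 'allow'}  {ev.process:20} {ev.action:15} {ev.target}  [{rule}]")
```

Running it shows the four best-practice rules firing on the contained sample, the plain-text write to the user's Documents folder passing (that rule is NO in the table), and the same .docx write from the uncontained winword.exe passing because containment, not the rule alone, is what makes the decision.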