PROBLEM SOLVED: see my Post below
I wanted to test ransomware detection inside a VM (network disconnected).
I tried the Thanos ransomware: the malware was detected while unpacking a zip containing the malware -> ok fine
Then I disabled real-time file scanning (within the endpoint client). However, ransomware detection and all other features were still active. In this configuration I was able to unpack and run the malware. The malware ran for several minutes and then all files were encrypted. There was no alert or other response from Sophos Endpoint Protection.
Why didn't Sophos detect this (old) ransomware? Do features like ransomware detection rely on real-time scanning, or does ransomware detection require the internet?
Has anyone tried to explicitly test the ransomware?
I tried the Thanos ransomware: the malware was detected while unpacking a zip containing the malware -> ok fine
Then I disabled real-time file scanning (within the endpoint client). However, ransomware detection and all other features were still active. In this configuration I was able to unpack and run the malware. The malware ran for several minutes and then all files were encrypted. There was no alert or other response from Sophos Endpoint Protection.
Why didn't Sophos detect this (old) ransomware? Do features like ransomware detection rely on real-time scanning, or does ransomware detection require the internet?
Has anyone tried to explicitly test the ransomware?
best regards,
Bernd
(I downloaded the malware form "theZoo")
This thread was automatically locked due to age.
Quote