Can not detect and block some ransomware sample

huang1111

<p><strong>Reproduction steps:</strong></p>
<p><span><img src="https://cloud.qainfo.ru/s/zNCv7EJMqNggv1K" alt="" />This problem is more serious, there are questions about SW defense ransomware</span></p>
<p>Virus sample download address 1 (normal version): <a href="https://cloud.qainfo.ru/s/SshTyjY2pPikmjZ" target="_blank" rel="noopener">https://cloud.qainfo.ru/s/SshTyjY2pPikmjZ</a></p>
<p>Virus sample download address 2 (using VMP): <a href="https://cloud.qainfo.ru/s/M3mNmNTJ5aVZcvu" target="_blank" rel="noopener">https://cloud.qainfo.ru/s/M3mNmNTJ5aVZcvu</a></p>
<p>Double-click the sample as shown in this image (https://cloud.qainfo.ru/s/zNCv7EJMqNggv1K)</p>
<p><img src="https://cloud.qainfo.ru/s/zNCv7EJMqNggv1K" alt="https://cloud.qainfo.ru/s/zNCv7EJMqNggv1K" /></p>
<p><strong>Actual result:</strong></p>
<p><span>Defense failure</span></p>
<p><strong>Expected Result:</strong></p>
<p><span>Defense success</span></p>
<p><span></span></p>
<p><span>There are still some words that I want to say to the development team:This is no accident. When the ransomware modifies the original files without deleting them, Kaspersky’s defenses are ineffective. I have discovered this problem more than once. I thought I uploaded them to the anti-virus department. I will pay attention to it, but the result is very disappointing. They just learn my sample machine and not solve the problem of SW.</span></p>

Jarvis

hello!
If there are no files on desktop to encode - nothing happens, KIS don't detect anything
If there are any file to encode - KIS detect and delete ransomware, when timer gets 0

huang1111

<p>@jarvis said in <a href="/post/5967" target="_blank" rel="noopener">Kaspersky System Watcher Defect</a>:</p>
<blockquote>hello! If there are no files on desktop to encode - nothing happens, KIS don't detect anything If there are any file to encode - KIS detect and delete ransomware, when timer gets 0</blockquote>
<p>Hello, the timer time is 30 seconds, I just tested it, Kaspersky still miss (at this time, Kaspersky virus database is already the latest version), jpg images stored on the desktop can not turn on.If you can't reproduce it, please try the Chinese version of Kaspersky.</p>

Wesly.Zhang

<p>The sample is from <a href="https://bbs.kafan.cn/thread-2155970-1-1.html" target="_blank" rel="noopener">here</a> if I don't guess incorrectly. <img src="/plugins/nodebb-plugin-composer-kl/vendor/tinymce/plugins/emoticons/img/smiley-cool.gif" alt="cool" /> This sample is very intersting.</p>

huang1111

<p><span><span>@ wesly-zhang在</span></span><a href="/post/5975" target="_blank" rel="noopener"><span><span>卡巴斯基系统观察者缺陷中说</span></span></a><span><span>：</span></span></p>
<blockquote>
<p><span><span>如果我没猜错</span><span>，样本就是从</span></span><a href="https://bbs.kafan.cn/thread-2155970-1-1.html" target="_blank" rel="noopener"><span><span>这里来的</span></span></a><span><span>。</span></span><img src="/plugins/nodebb-plugin-composer-kl/vendor/tinymce/plugins/emoticons/img/smiley-cool.gif" alt="凉" /><span><span>这个样本非常有趣。</span></span></p>
</blockquote>
<p>这个样本是温馨小屋那个会员测试以后PM我的，卡巴检测不出来，但我不清楚为啥他们这边可以检测出来<img src="/plugins/nodebb-plugin-composer-kl/vendor/tinymce/plugins/emoticons/img/smiley-cool.gif" alt="cool" />我已经在上传一段视频到G云盘，你方便看的话也看一下</p>

huang1111

<p>@jarvis said in <a href="/post/5967" target="_blank" rel="noopener">Kaspersky System Watcher Defect</a>:</p>
<blockquote>hello! If there are no files on desktop to encode - nothing happens, KIS don't detect anything If there are any file to encode - KIS detect and delete ransomware, when timer gets 0</blockquote>
<p>Hello, I recorded a video, please take a look: https://drive.google.com/file/d/1G7RS4q3AsX5derEhSPvFd5pyJlGGljVB/view?usp=sharing</p>

Jarvis

Cannot Reproduce