Hi, guys. How are you today?
I’ll get straight to the point: I was testing old ransomware samples (Locky and Shade) on a VM with Kaspersky, just to see how the ransomware behaves under different configurations, and I believe I may have found a problem: if you manually put the malicious file in the Trusted group, System Watcher does absolutely nothing and the program gets executed. This does NOT happen if you turn off Application Control or put the executable in another group (LR, HR).
Here is what happened:
- Since they were old variants, I disabled File-AV.
- I executed the program; it was moved to the Untrusted group (correct) and then deleted (also correct).
- I extracted the file again and moved it to the Trusted group.
- After that, the program was executed successfully and all files were encrypted (not a word from System Watcher).
If you do the test disabling App Control instead of moving the file to Trusted, System Watcher stops it.
According to this test, it looks to me like System Watcher does not observe programs that are in the Trusted group. If that is the case, we may have a serious problem: an unknown malware with a valid certificate may end up in the Trusted group and do whatever it wants.
I have sent this information to official support. Do you guys know anything about it?
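To make concrete what a behaviour blocker is expected to notice, regardless of which trust group the process sits in, here is an added example (my own code, not the poster's and not Kaspersky's; it makes no claim about how System Watcher is actually implemented). It runs two heuristics over a stream of file events: many distinct files overwritten with high-entropy data in a short window, and many files renamed to a single new extension. The event stream, the process IDs, the paths and the `.locky` extension are constructed sample data chosen to resemble what the poster observed.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ransomware_like_processes(events, window_s=5.0, min_files=10, entropy_threshold=7.0):
    """Flag processes whose file activity inside any `window_s`-second window looks
    like bulk encryption: many distinct files overwritten with high-entropy data,
    or many files renamed to one new extension.  Returns {pid: [reasons]}.

    `events` are (time_s, pid, op, path, payload) tuples; payload is the bytes
    written when op == "write" and the new path when op == "rename".
    The heuristic deliberately ignores any notion of a trust group: the process
    is judged only by what it does to files."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev[1]].append(ev)
    flagged = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e[0])
        reasons = set()
        for t0 in (e[0] for e in evs):
            window = [e for e in evs if t0 <= e[0] <= t0 + window_s]
            encrypted = {path for _, _, op, path, data in window
                         if op == "write" and shannon_entropy(data) >= entropy_threshold}
            if len(encrypted) >= min_files:
                reasons.add("mass high-entropy writes")
            renamed = defaultdict(set)
            for _, _, op, path, new_path in window:
                if op == "rename":
                    old_ext = os.path.splitext(path)[1]
                    new_ext = os.path.splitext(new_path)[1]
                    if old_ext != new_ext:
                        renamed[new_ext].add(path)
            for ext, paths in renamed.items():
                if len(paths) >= min_files:
                    reasons.add(f"mass rename to {ext!r}")
        if reasons:
            flagged[pid] = sorted(reasons)
    return flagged


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content
    (constructed for the example; real samples would produce real ciphertext)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


_TEXT = b"Quarterly report: revenue grew modestly while costs were flat.\n" * 64

# Constructed event stream: pid 4242 mimics Locky (overwrite a document, then
# append .locky); pid 1000 is an ordinary editor saving a few text files.
SAMPLE_EVENTS = []
for i in range(12):
    doc = f"C:/Users/victim/Documents/doc{i}.docx"
    SAMPLE_EVENTS.append((0.10 * i, 4242, "write", doc, _pseudo_ciphertext(i)))
    SAMPLE_EVENTS.append((0.10 * i + 0.05, 4242, "rename", doc, doc + ".locky"))
for i in range(3):
    SAMPLE_EVENTS.append((1.0 * i, 1000, "write", f"C:/Users/victim/notes{i}.txt", _TEXT))
SAMPLE_EVENTS.append((4.0, 1000, "rename", "C:/Users/victim/report.tmp",
                      "C:/Users/victim/report.txt"))


if __name__ == "__main__":
    for pid, reasons in ransomware_like_processes(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Run as a script it reports only pid 4242, with both reasons; the editor process stays below every threshold. The thresholds are illustrative: a real product has to tune them against backup tools, archivers and compilers, which also write high-entropy data in bulk, and that tuning is exactly where a "trusted" exemption becomes tempting.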