Trying the same attack again, but this time with Minerva and McAfee in place, the Word file crashed every time we tried to enable macros on the infected document. The malware didn’t know what to do when given the bogus response from Minerva, and the program crashed. Checking memory, it was clear that it never launched the fake Explorer.
Our console flagged the attempts, however, so IT teams could respond and remove the infected document. No notice is sent to users. Minerva customers asked that their users be left out of it, since they wouldn’t know what to do about a malware notice anyway. But they are protected even if they don’t know it.
Our second test used the extremely popular and quite insidious CryptoLuck ransomware, which blew straight through antivirus, locking down our test system's files and demanding a ransom for the decryption key. It was delivered by side-loading into a legitimate Google Update process, another popular way malware defeats antivirus on endpoints.
Wiping out the VM and starting again, this time with the Minerva agent in place to back up the antivirus, got completely different results. The CryptoLuck files could not run and would not install, even when we tried to force them to do so.
Here are the results of the various attacks thrown at an endpoint protected by the Minerva platform alongside traditional antivirus. None of them were successful, and all were logged in the main console for further investigation. Credit: John Breeden II
A special note on ransomware: should some type of encryption-based ransomware somehow successfully run on a system that is protected with Minerva, you should still be okay because of the anti-ransomware module. That module is basically a ransomware-triggered backup. When files start getting encrypted, the module triggers an automatic backup, placing copies of the files in a local partition. So even if the worst happens, you should still have unencrypted copies of all your files. Relying on a last line of defense probably isn't a great idea, but it's nice to know you have one final safety net.
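To make the "ransomware-triggered backup" idea concrete, here is an added illustration of the mechanism in Python. It is not Minerva's code and says nothing about how the product detects encryption; it assumes a hypothetical pre-write hook that sees a file's current bytes and the bytes about to replace them, and uses a constructed Shannon-entropy threshold to decide that readable content is about to be overwritten with ciphertext-like data. When that happens, the current version is copied to a "backup partition" directory before the write lands. The sample document and the threshold value are constructed for the demo.

```python
"""Added example: ransomware-triggered backup based on an entropy jump.
Hypothetical pre-write hook; not vendor code. Thresholds are constructed."""
import math
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_ENTROPY = 7.5   # bits per byte; constructed threshold (text is ~4-5, ciphertext ~8)
MIN_SAMPLE = 256          # ignore tiny writes, whose entropy estimate is too noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """True when a write is large enough to judge and its bytes look like ciphertext."""
    return len(data) >= MIN_SAMPLE and shannon_entropy(data) >= ENCRYPTED_ENTROPY


class RansomwareTriggeredBackup:
    """Snapshot a file to the backup area the first time readable content is
    about to be replaced by encrypted-looking content."""

    def __init__(self, backup_root: Path):
        self.backup_root = Path(backup_root)
        self.backup_root.mkdir(parents=True, exist_ok=True)
        self.triggered = []   # files that have been snapshotted

    def before_write(self, path: Path, new_content: bytes) -> bool:
        path = Path(path)
        if not path.exists():
            return False
        current = path.read_bytes()
        # Only act on the plaintext -> ciphertext transition; a benign edit of a
        # text file, or a rewrite of an already-encrypted file, is left alone.
        if looks_encrypted(current) or not looks_encrypted(new_content):
            return False
        dest = self.backup_root / (path.name + ".bak")
        if dest.exists():     # keep the earliest (plaintext) snapshot, never overwrite it
            return False
        shutil.copy2(path, dest)
        self.triggered.append(path)
        return True


def guarded_write(guard: RansomwareTriggeredBackup, path: Path, new_content: bytes) -> bool:
    """Simulates the filesystem layer: consult the guard, then perform the write."""
    triggered = guard.before_write(path, new_content)
    Path(path).write_bytes(new_content)
    return triggered


def demo() -> tuple:
    """Run a benign edit, then a simulated encryption, in a temp dir.
    Returns (backup_on_encrypt, backup_on_benign_edit, backup_matches_last_plaintext)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        doc = tmp / "report.txt"                                   # constructed sample file
        original = b"Quarterly report: revenue grew 12 percent.\n" * 100
        doc.write_bytes(original)
        guard = RansomwareTriggeredBackup(tmp / "backup_partition")

        edited = original + b"Appendix A: regional breakdown.\n"
        benign = guarded_write(guard, doc, edited)                # plaintext -> plaintext
        ciphertext = os.urandom(len(edited))                      # stands in for encrypted output
        encrypt = guarded_write(guard, doc, ciphertext)           # plaintext -> ciphertext

        backup = (tmp / "backup_partition" / "report.txt.bak").read_bytes()
        return encrypt, benign, backup == edited


if __name__ == "__main__":
    print(demo())   # expected: (True, False, True)
```

The guard keys only on the transition from readable to ciphertext-like content, so ordinary edits do not fill the backup area, and it refuses to overwrite an existing snapshot so that a second encryption pass cannot replace the good copy with ciphertext. A real implementation would sit in a filesystem filter driver and would need more signals than entropy alone (compressed archives and media files are legitimately high-entropy), which is one reason the article's advice to treat this as a last line of defense rather than the first is sound.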
In every case, the Minerva platform used deception to prevent malware from sneaking around antivirus programs, while relying on that same traditional antivirus to stop direct threats from coming in the front door. The two technologies working together can shut down most attacks made against endpoints, whether they be loud and clumsy or sneaky and insidious.