TDR slow to detect dangerous file
I am testing a new product which can detect and prevent encryption of files. The product seems to work: it detects that encryption is in process and, after 3 files have been encrypted, it will kill the process.
Now TDR has a signature for the file MD5 hash (3B1B33770C1AC6DBB35E3810F40FD9B6). So for a test I have disabled "the other product" to see how effective TDR is.
I am at Cybercon level 3 and every option is ON except "Allow Baselines on Host Sensors" and "Enable Kernel Host Containment Action".
If I run an encryption test of files, 96 files will get encrypted before TDR detects it and quarantines the file. How come it takes TDR so long before stopping the process?
I have also seen TDR fail to quarantine the file, which also does not make sense to me.
YouTube has a video on how to test: