TDR slow to detect dangerous file

Hi,

I am testing a new product which can detect and prevent encryption of files. The product seems to work and detects that encryption is in progress, and after 3 files have been encrypted, it will kill the process.

Now TDR has a signature for the file MD5 hash (3B1B33770C1AC6DBB35E3810F40FD9B6). So for a test I have disabled "the other product" to see how effective TDR is.

I am at Cybercon level 3 and every option is ON except "Allow Baselines on Host Sensors" and "Enable Kernel Host Containment Action".

If I run an encryption test of files, 96 files will get encrypted before TDR detects it and quarantines the file. How come it takes TDR so long before stopping the process?

I have also seen TDR fail to quarantine the file, which also does not make sense to me.

YouTube has a video on how to test:
https://www.youtube.com/watch?v=qiBpdxoxhXU

Robert

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @RVilhelmsen

    There are quite a few things we can't see in your demonstration -- have you created a case for one of our technicians to help with this? If so, what's the case number -- I can check to ensure that this is with the correct team.

    For a product like TDR, I'd suggest opening support cases for the fastest support. This allows us to help since lots of the case involves looking at potentially sensitive/personal information from your network.

    -James Carson
    WatchGuard Customer Support

  • Ricardo_Arroyo WatchGuard Representative
    edited April 2021

    Good morning RVilhelmsen. I am sorry to hear you are having issues with TDR.

    TDR has 2 operating methodologies at play here. The first is what I like to call Pure Detection and Response. In this operating mode, file and process events are sent to the cloud and the cloud responds with actions. Because of the periodic heartbeat the host sensor uses, this round trip time can take up to 90 seconds. The signature you mention TDR having is vulnerable to that round trip time.

    The second operating mode is Ransomware Prevention mode. While it is not vulnerable to the round trip time of D&R, it is not designed to only detect encryption. It is designed to detect malicious behavior based on a Machine Learning model. As a last line of defense, it detects encryption of select files on the filesystem. If your test encrypted 95 other files before hitting our canary-like files, then this behavior will occur. Had your test exhibited other behaviors that ransomware exhibits, like registry key persistence, connection status checks, and connecting to key generation servers, it is likely the Ransomware Prevention module would have detected it.

    Thank you for letting us know about the Lucy Simulation tool, we'll look into it. Also, a support case like James suggested would be appreciated as well.

    Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.
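As an added illustration of the canary-file point in the reply above (example code written for this thread, not WatchGuard's or TDR's implementation): a minimal canary monitor, plus a simulation showing that the number of files a process can alter before the monitor fires is simply the canary's position in the process's traversal order. File names and the "~canary_" prefix are assumptions; the "process" only overwrites files in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents; any change to a canary alters this."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


class CanaryMonitor:
    """Baseline a set of canary files and report which have been altered or removed."""

    def __init__(self, canaries):
        self.baseline = {p: fingerprint(p) for p in canaries}

    def tripped(self):
        # A missing canary counts as tripped (deleted or renamed by the process).
        return sorted(p.name for p, h in self.baseline.items()
                      if not p.exists() or fingerprint(p) != h)


def files_before_first_canary(traversal, canary_names):
    """Analytic answer: non-canary files touched, in traversal order, before the first canary.
    Returns None if the traversal never reaches a canary (the monitor alone would not fire)."""
    touched = 0
    for name in traversal:
        if name in canary_names:
            return touched
        touched += 1
    return None


def simulate(n_files=100, canary_at=(96,)):
    """Create n_files in a temp dir, place canaries at the given traversal positions
    (0-based), overwrite files in traversal order, and return how many non-canary
    files were altered before the monitor first reported a tripped canary."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        names = [f"doc_{i:03d}.txt" for i in range(n_files)]   # constructed file set
        for idx in canary_at:
            names[idx] = f"~canary_{idx:03d}.txt"
        canary_names = {n for n in names if n.startswith("~canary_")}
        for n in names:
            (root / n).write_text("original content\n")
        monitor = CanaryMonitor([root / n for n in canary_names])
        altered = 0
        for n in names:                                # stand-in for the process's traversal
            (root / n).write_bytes(b"\x00" * 16)       # overwrite only; no real encryption
            altered += 1
            if monitor.tripped():
                return altered - 1                     # files changed before detection
        return None
```

With a single canary at position 96 the simulation reproduces the 96 files from the original post; placing canaries early in the traversal order (or several of them) is what drives that number down.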

  • Hi @Ricardo_Arroyo

    Thank you for this explanation, which makes sense in my case. I learned something new today.

    I have a zip file with the encryption tester which can be downloaded here:
    https://1drv.ms/u/s!AuOwdE3caya8heYrdk1Fyx1EWaA95Q?e=6n6te4

    /Robert
