Access official resources from Carbon Black experts
Advanced Search
IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!
EDR: Why Does EDR Not Detect RanSim Ransomware Simulator?
Environment
EDR Server: All Supported Versions
Question
Why does EDR not detect KnowBe4's RanSim ransomware simulator?
Answer
The actions done by this software are, simply dropping arbitrary documents into a folder that it creates and encrypts using a known routine. It expects security products to catch those actions. With the case of EDR, these actions aren't taking effect on user files and aren't seen as inherently malicious.
AV solutions that are effective are those that have signatures designed for the encryption, or ransomware, routines used by RanSim. They see a routine loaded into memory, recognize it as a routine used by known malware, and then block the operations. In this case, as it pertains to our detections, we trigger on the encryption of actual user directories, not an arbitrary directory of files using a specific set of code. With CBC we do prevent the encryption of user files but not in the ways that RanSim is used to test traditional AV.
