Solved! How Did Antivirus Miss This?

[johnrc123]

How does a (Win 10) PC get slammed by RansomWare while Bitdefender is fully installed and in 'watch mode'? Yes, I asked the developers but have received no response to date.

Although the virus didn't seem to completely execute, it did encrypt/corrupt a lot of files. Including those in OneDrive that were synching to the local HD and backups on external HD's.

Making matters worse, I see the first signs of attack at noon and the last near midnight. The thing was thrashing around on the computer for nearly 12 hours?

I don't open email attachments from unknown sources and I avoid dubious websites, although I thought the antivirus watched for these things too.

Can one activate a virus by only reading the body of an email in a client like Outlook or browser based Gmail?

 

[okcnaline]

1) Anti-viruses never claim to be 100% accurate, so...
2) Yes. See danooct1's videos.

 

[rgd1101]

Do you know how they get new definition, is from user like you, at least you are the first at something.

 

[Dark Lord of Tech]

There are a ton of video's on the YouTUBE where Ransomware gets through fully functional Internet Security Suites. Signatures can never be at 100% for real-time detections to block with so many variants of Ransomware.

 

[mdd1963]

Many ransom package distributors slightly change their code occasionally (good 'ole classic obfuscation!) to get past the known signature-based AVs...

 

[mdd1963]

https/www.foolishit.com/cryptoprevent-malware-prevention/#gsc.tab=0

Foolish IT's product for stopping ransomware was successful in the past, and, although too late now, perhaps it can save someone else in the future...and, there's a free version.

 

[Avast-Team]

The bad guys are constantly evolving malware and ransomware to get past security software. As a result, our Threat Labs and developers are constantly working on technologies that help detect unknown or never-before-seen malware.

Two examples:

CyberCapture - analysis of unknown downloaded files, and isolating them so they can't do damage. They're first analyzed by our AI/machine learning, and if a detection cannot be made, it's sent to our Threat Labs for further analysis. Source: https/blog.avast.com/an-in-depth-look-at-the-technology-behind-cybercapture

Behavior Shield - real-time process monitoring to detect malicious activity on the fly. Source: https/blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology

Where signatures come in is speeding up detections for known threats; an "unknown" threat can go to "known" very quickly with a system of layered protection that starts with pro-active detection.

To answer your initial question, it is possible that if the malware was "dropped" by a malicious process, simply opening the item could have compromised you, but it depends on the exact strain/variety that you were infected by.

On a side note, if it's something you're curious about we have a feature in certain versions of Avast that can "lock" files so nothing can edit or change them without your permission (Ransomware Shield) as an extra layer of assurance.

I hope all of this helps and gives some context for you! Stay safe

 

[johnrc123]

Thank you to all for your time and comments. It's been a grueling couple of weeks trying to find and restore files.

I understand that nothing is 100%. But the effects and nature of this attack indicate something closer to 0%. I'm taking Avast for a test drive.

Official Avast Representative... or anyone... whenever I check Spam Boxes there are always a lot of those no-subject emails from someone in my address book, but I know they're not sent by them. They typically contain a URL in the message body:

- To my earlier question, if I do not click on and open that link, can my system still be infected just by looking at and perhaps scrolling through the message?

- Does the fact that it's using addresses either from my address book; or from legitimate emails I've received; or from address books of the people that have sent me emails in the past, indicate where this malware thing exists? is it on the systems of people I know? Is there something on MY system?