Dell Endpoint Security Suite Enterprise Threat Simulation Testing
Summary: This article provides information about threat simulation testing.
Symptoms
- As of May 2022, Dell Endpoint Security Suite Enterprise has reached End of Maintenance. This article is no longer updated by Dell. For more information, reference the Product Life Cycle (End of Support / End of Life) Policy for Dell Data Security. If you have any questions on alternative articles, either reach out to your sales team or contact endpointsecurity@dell.com.
- Reference Endpoint Security for additional information about current products.
Affected Products:
- Dell Endpoint Security Suite Enterprise
Many threat simulators seek to emulate the behavior of ransomware by performing some of the actions that ransomware would take if allowed to run on the computer. These tools contain no malware in the Portable Executable format that Dell Endpoint Security Suite Enterprise scans. The primary detection mechanism in Dell Endpoint Security Suite Enterprise is pre-execution: the agent scans a potential malware sample before it runs and prevents the bad behavior from occurring in the first place. In other words, Dell Endpoint Security Suite Enterprise does not decide whether a file is good or bad based on the behavioral characteristics of the sample; instead, it looks at the static (pre-execution) characteristics of the sample. Malware generally looks different statically than legitimate software, and these static characteristics are what Dell Endpoint Security Suite Enterprise analyzes, not any patterns of behavior generated after execution.
Cause
Not Applicable
Resolution
A typical workflow for these applications is that the application creates a test directory in which it performs operations such as the following as a check:
- Replace the content of the original files with encrypted data.
- Encrypt test files with strong encryption and safely delete the originals.
- Encrypt test files with strong encryption and forcibly delete the originals.
- Delete the original files, encrypt them, and simulate key generation and a handshake.
- Encrypt files with weak encryption and delete the originals.
As you can see, none of these indicators are static indicators. Except for certain aspects of Memory Protection and Script Control, Dell Endpoint Security Suite Enterprise does not use the behavior of a program to identify it as malware. Memory Protection does not flag any of the actions listed above, because they do not attempt to exploit memory directly; they are legitimate actions (for example, encrypting a file) that this form of malware also happens to perform.
Keep in mind that many of these malware simulator vendors are IT security training firms that have a vested interest in their tools returning scary results to the user, prompting them to request training. Dell Endpoint Security Suite Enterprise performs well against real malware, but unfortunately these tools do not emulate the static attributes of malware closely enough to be an authoritative test of the product.
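To make the static-versus-behavioral distinction concrete, the following Python replays a constructed stream of file-system events in the shape of the simulator workflow above and counts what a behavioral sensor would have to look for: a plaintext file overwritten by, or deleted shortly after, a high-entropy write. This is an added example, not Dell's code and not anything the product does; the event format, the paths, and the entropy threshold are assumptions.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: close to 8.0 for ciphertext, well under 6 for plain text.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def count_encrypted_replacements(events, threshold=7.0):
    # events: (op, path, content) tuples, op in {"write", "delete"}, content only for writes.
    # Counts originals overwritten in place with, or deleted after, a high-entropy write,
    # covering both the in-place and the encrypt-copy-then-delete workflows listed above.
    plain = set()     # paths last written with low-entropy (plaintext-like) content
    pending = set()   # originals that gained a high-entropy sibling (x.txt -> x.txt.enc)
    replaced = 0
    for op, path, content in events:
        if op == "write":
            if shannon_entropy(content) < threshold:
                plain.add(path)
            elif path in plain:                 # in-place overwrite of a plaintext file
                plain.discard(path)
                replaced += 1
            else:                               # encrypted copy beside a plaintext original
                pending.update(o for o in plain if path.startswith(o))
        elif op == "delete" and path in pending:
            pending.discard(path)
            replaced += 1
    return replaced

def pseudo_ciphertext(seed: bytes, blocks: int = 64) -> bytes:
    # Deterministic high-entropy bytes standing in for encrypted output (constructed, not a cipher).
    out, block = bytearray(), seed
    for _ in range(blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out)

def simulator_run() -> int:
    # Constructed event stream mirroring the simulator workflow on a test directory.
    text = b"Quarterly report: revenue up 4 percent.\n" * 50
    events = [("write", f"/tmp/sim/doc{i}.txt", text) for i in range(3)]
    events += [
        ("write", "/tmp/sim/doc0.txt", pseudo_ciphertext(b"k0")),      # overwrite in place
        ("write", "/tmp/sim/doc1.txt.enc", pseudo_ciphertext(b"k1")),  # encrypt to a copy ...
        ("delete", "/tmp/sim/doc1.txt", b""),                          # ... then delete the original
        ("write", "/tmp/sim/doc2.txt.enc", pseudo_ciphertext(b"k2")),  # copy only, original kept
    ]
    return count_encrypted_replacements(events)  # returns 2
```

Every signal used here only exists once the program is already running, which is exactly why a pre-execution, static scanner has nothing to evaluate in these tools.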
Example products include:
- RanSim
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.