Annabelle Ransomware bypassing SentinelOne in Full Protection Mode

  • emmanuellws
  • Apr 24, 2018

I was testing SentinelOne in the hope that it might replace our existing NextGen protection, Panda Adaptive Defense 360. But I was not very impressed, and I was upset that it could not prevent Annabelle Ransomware from attacking the machine. SentinelOne is a very good product, but it leaves a loophole: if a user clicks "Run" directly from MS Edge, the Annabelle Ransomware runs without ever being blocked or detected. Here is the POC.

From the beginning of the video, all seems well. The tool I used to ensure SentinelOne always saw a fresh MD5 is "hashmanager". The problem starts when the executable file is hosted on a webserver (in the real world, users might run it directly): when the user clicks "Run" instead of "Download" first, the Annabelle sample was left running without being detected, right up until the machine was restarted.

Watch from the 12:05 mark in the video.

SentinelOne has a great feature that is able to roll back infections. But when it does not see anything, there won't be any rollback, or the rollback feature will fail. What is more surprising is that Annabelle encrypted the files TWICE. In the forensic details, you can see the file names ending in ".annabelle.annabelle". I am so not going to depend on their Rollback to have an effective "Prevention" solution.

Annabelle ransomware is NOT a popular or famous ransomware. But if the ransomware out there adopted Annabelle's methodology, and users accidentally click "Run" instead of "Download", users or companies that use SentinelOne will face a daunting task. The "Rollback" button was clickable, but it does nothing to stop the infection and further damage.

Maybe it is not the right time to invest in SentinelOne yet, until they fix these super silly loopholes.
