Indeed, at first it has to be run, either by a user through a hidden exe like pdf.exe or by scripting, which can be disabled. Then it will create a startup entry to gain admin rights after restart, easily avoidable by simply deleting/blocking startup items. Some people will protect their precious anti-tools to the death. They do not understand that anti-ransomware is just another antivirus based on signatures and heuristics, which will never work 100%, unlike simple restrictions, which work 100%. But it is the user's choice, so no hard feelings.
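The post above argues for "simple restrictions" (blocking startup items, SRP-style rules on where code may run) over behaviour-based tools. As an added illustration, not code from the thread or from any of the products named in it, the script below audits the Windows autostart locations (Run/RunOnce keys and the Startup folders) and flags entries that launch from user-writable paths such as %APPDATA%, %LOCALAPPDATA%, %TEMP% and Downloads. Those are the same locations that CryptoPrevent-style static rules typically restrict, so a flagged entry is one a defender would want to review. It is read-only, changes nothing, and assumes Windows PowerShell 5.1 or later; the function names and the list of "user-writable" roots are my own choices, not anything defined by Windows or by the tools discussed.

```powershell
# Added example: enumerate autostart entries and flag ones running from user-writable paths.
# Read-only audit; assumes Windows PowerShell 5.1+. Nothing here comes from the thread's tools.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Provider metadata that Get-ItemProperty attaches to every registry object; not real values.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Roots a standard (non-admin) user can write to. Executables starting under these
# deserve a closer look; the choice of roots is an assumption of this example.
$userWritable = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData'),  # %LOCALAPPDATA%
    [IO.Path]::GetTempPath().TrimEnd('\'),                 # %TEMP%
    (Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads')
)

function Get-AutostartEntries {
    # Registry Run/RunOnce values, per-user and machine-wide.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerMeta) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders are launched at logon as well.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Test-UserWritableCommand([string]$command) {
    # Expand %VAR% references and drop a leading quote so the path prefix compares cleanly.
    $expanded = [Environment]::ExpandEnvironmentVariables($command).TrimStart('"')
    foreach ($root in $userWritable) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Print every entry; REVIEW marks the ones launching from a user-writable location.
Get-AutostartEntries | ForEach-Object {
    $flag = if (Test-UserWritableCommand $_.Command) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1} -> {2}' -f $flag, $_.Name, $_.Command
}
```

Run it from a normal PowerShell prompt; HKLM keys are readable without elevation, so no admin rights are needed for the audit itself. A REVIEW line is not proof of anything malicious (plenty of legitimate per-user installers live under %LOCALAPPDATA%), but it is exactly the category of entry that a path-based restriction policy would stop from running after a reboot.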
Have you looked specifically at the protection mechanisms of the MalwareBytes beta (MBARW) and HitmanPro.Alert? I'm not currently using MBARW, but I do use HMPA and I don't see that it's based on signatures; instead it simply recognizes and prevents file encryption. It blocks legitimate encrypting tools and malware equally, and must be disabled for intentional file encryption. As for "simple restrictions", I also use CryptoPrevent. For me the point is not only which tools are better but also which ones are accessible to users who don't understand the intricacies of implementing protections manually or who don't want to invest the time. The vast majority of users need to rely on "anti-tools".
a completely proactive and signature-less technology https://forums.malwarebytes.org/index.php?/topic/177751-introducing-malwarebytes-anti-ransomware/ https://forums.malwarebytes.org/ind...-mbam-and-mbae-why-do-i-need-anti-ransomware/
They just use fancy names, that is how marketing works, but it is the same junk; it cannot detect everything. I am pretty sure they detect known ransomware based on signatures as well.
In the same way one would not run two primary AVs, would two anti-ransomware programs conflict, specifically MBARW and WinAntiRansom? I guess it depends how they work, and the devs understandably won't tell us ... CryptoPrevent just sets static rules, so I guess that will work alongside/complement another anti-ransomware solution.
I feel this is an important consideration. Some people think they're better protected if they use multiple real-time monitoring tools, but without in-depth testing there's no way to know. It's not enough that the tools will coexist on the system. It needs to be demonstrated that they can actually work and not interfere with each other when responding to a malware attack. I believe a better approach is to use complementary tools, for instance CryptoPrevent along with one of the real-time monitoring anti-ransomware apps like HitmanPro.Alert or MBARW.
SRP won't help against ransomware that is executed by the user. What's so hard to understand about that? And anti-ransomware is based on behavioral monitoring, not on signatures. I don't think it's a smart move to combine WAR with MBARW; you never know whether they will interfere with each other, reducing security instead of improving it. CryptoPrevent will most likely work just fine combined with one of them.
Unless the user is denied Administrative rights on the machine. As explained by MisterB: So a user restricted to a Limited account, at least, cannot execute the ransomware as long as, of course, the SRP policy is correctly enforced.
That is not my point; I'm talking about people that actually want and need to install some app. They will of course allow apps to get admin rights. I'm not talking about people that are supervised by someone, but those who have full control of the PC.
Of course I figured that's what you meant, but then that's their problem if they are downloading and installing everything under the sun in a willy-nilly manner, and clicking links in random unexpected emails.
Yes, and that's exactly why tools like MBARW and others are needed. These types of users probably make up 80% of the market. And don't forget about the paranoid like me; I use HIPS to monitor any app even when it is most likely not malicious.
For me the most important thing is to guard my external USB drive since it contains my important data. I think, never tested though, Secure Folders protects the drive like a steel barrier. I really don't care if a cryptomalware fully runs in my PC because I use Shadow Defender, so a simple reboot and it's gone.
It would be interesting to find out. Do you have a setup where you could safely throw some crypto-ransomware at the system and see how WAR and HMPA respond?
I already ditched WAR, as it created some pretty strange problems, like being unable to launch PortableApps (with no notifications).
Some here would scoff at this statement, but no doubt this approach serves you and others extremely well. This leads me to ask: why is no one mentioning the use of anti-scripting extensions such as NoScript, uBlock, uMatrix and others, for example? Can anyone explain why the use of one of these extensions, set to block at minimum 3rd-party scripts and iframes, would fail to protect against the effects of a drive-by ransomware attack?
Exactly, and as shown over here the best protection is still not to use an admin account. Based on my own research it does need an Admin account to write and set the locked files on CryptoWall 4.0; also Malwarebytes (just as an example) show in their own videos that it requires Admin privileges. If someone has an example that works without, just pm me. As I also said, you just need to 'lock' the places it wants to write into and you'll be safe, because nothing happens then. I think this entire ransomware thing is over-hyped, yes I say over-hyped, because this isn't new, but the OS already can handle it very well because the user just needs to do several things to get this fully working. And I think everyone knows that to play an .mp3 or show a picture does not need any higher privileges, so over and over re-spelling that millions are infected is just a lie, because even if you're infected you need to pay for this and this is a user decision, plus there are still the possibilities I mentioned to get rid of it. So to recommend tools over and over does not make this discussion better or help, because in the past AV software has also lowered the security of the OS, in fact, because of several leaks, bugs and whatever, but no one or only a few people talk about this because no or only few AV developers want to publish that their products are vulnerable, or only if it's already leaked they confirm or deny it. Information is still the best and not a tool, that's for sure. And don't forget to ask yourself why you execute unknown or untrusted things on your computer in times of cloud-based sandboxes and email providers that already filter most malware; my provider often notifies me about 'strange behaviors' on email xyz because of the scanned attachment.