Is VIPRE able to prevent ransomware - split thread from: VIPRE Antivirus + Antispywar

Discussion in 'other anti-virus software' started by DarkButterfly, Jul 30, 2008.

Thread Status:
Not open for further replies.
  1. DarkButterfly
    DarkButterfly Registered Member

    I was wondering if VIPRE is able to prevent ransomware, such as gpcode. I ask, for VIPRE is supposed to detect suspicious behaviors. So, I guess that would make it possible to prevent them, right? Or not at all?

    So far I haven't seen any behavior analyzer tool stop it. Would be interesting to know if you guys at Sunbelt have already tried (ransomware) against VIPRE at full power.

    If not possible at the moment, are you considering enhancing VIPRE so that it does protect against ransomware?
  2. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    DarkButterfly:

    We treat ransomware just like any other form of malware -- we write detections for it, then we detect and remove it. If the user's box has already been compromised before we get there (and their docs or files are already encrypted and held for ransom), that's a whole 'nother kettle of fish.

    Eric L. Howes
    Sunbelt Software
  3. DarkButterfly
    DarkButterfly Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    Interesting point of view, considering that VIPRE stands for Virus Intrusion Prevention Remediation Engine.

    So, where exactly can we see the Prevention part?

    Let's suppose you have detections for X ransomware, but not for Y.
    In this situation, despite the "Prevention" in VIPRE, there will be no prevention at all. Meaning that if a ransomware wants to do its job, it will.

    I know that VIPRE reports suspicious actions; after all, I have been testing it since beta 3. That's why I was wondering if it would report any suspicious action that could be occurring, in this case caused by ransomware.

    Best regards
  4. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    DarkButterfly:

    Our detections can both preemptively block and remove after installation.

    If you're looking for behavioral detections of ransomware, I'd be interested to know just what behaviors you would have an anti-malware app fire on without causing scads of false alarms for users.

    Eric L. Howes
    Sunbelt Software
  5. TNT
    TNT Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    How can you define any given ransomware's actions as "suspicious"? All they do is encrypt files. Something that changes the security settings for the browser is suspicious, something that tries to silently connect to the outside Internet is suspicious, something that hooks the keyboard is suspicious, but encrypting files is not a suspicious action. You can't expect a behavioral prevention to cover these kinds of scenarios.
    Last edited: Jul 30, 2008
  6. Fly
    Fly Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    I understand that VIPRE scans files just like 'other' AVs, using malware signatures? That should at least partly do the trick.
  7. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    Fly:

    You wrote:

    We have several different types of signatures, plus we can do more prosaic hash-based detections as well. And VIPRE has basic heuristics, which we will be expanding over the next few months.

    Eric L. Howes
    Sunbelt Software
  8. TNT
    TNT Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    Malware signatures are not "behavior-based" protection. Nor are heuristics, for that matter. And while I can see behavior-based protection covering several cases of unknown malware, I don't think 'ransomware' malware can be among them in any way. In fact, between heuristics, signature-based, sandbox-based, HIPS, etc., behavior-based is probably the most unlikely to be of any help with this type of malware.
  9. DarkButterfly
    DarkButterfly Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    So, what you are saying is that a process encrypting files, without any apparent reason, is not a sign of a suspicious action?

    I do not find it suspicious for Notepad to create a text file, for example. I do find it suspicious for a process to encrypt files, especially when we are not the ones encrypting them. Unless it is a process we know to be good. Then we can allow it.

    Perhaps this is a wrong approach.

    It is obvious there are tools that act as disk shields that do a pretty good job protecting, as they allow us to restore to a previous state. It is also obvious that malware still can bypass that kind of protection, hence I asked if VIPRE was able to prevent it.

    I personally do not care at all, as I do not have any important files in my system.

    But then again, I am not a security expert. I wouldn't know much.
  10. TNT
    TNT Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    "Apparent reason"? How do you define "apparent reason" in this case? How is the AV supposed to know whether you launched an encryption program willingly or not and if you know what it did or not? For all it knows, it's just an encryption program executing. Whether it's a malicious one or not can be only determined through signatures or at most heuristics, certainly not through behavioral analysis.

    "We"? How can a program know "who" is encrypting them?
  11. DarkButterfly
    DarkButterfly Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    I define apparent reason as in - what the hell would, for example, Notepad want to shut down the system or delete any important system file for? There's no apparent reason for that.

    Why the hell would a Word document be encrypted, for example, if I did not perform such a task? I ask, does Microsoft Word or a similar tool do it without your knowledge?

    Why would an MP3 file, for example, want to eliminate the "C:\Windows" directory?

    Those are things that are not supposed to happen. Those are reasons for suspicious behaviors.


    By intercepting the attempt and alerting the user for an action, perhaps?

    You also said before:

    "How can you define any given ransomware's actions as "suspicious"? All they do is encrypt files. Something that changes the security settings for the browser is suspicious, something that tries to silently connect to the outside Internet is suspicious, something that hooks the keyboard is suspicious, but encrypting files is not a suspicious action. You can't expect a behavioral prevention to cover this kind of scenarios."

    If I change the security settings of my browser, will that be considered a suspicious behavior? It isn't, but a good tool will intercept it and ask the user (who by sign is making the changes) for an action. And so on.

    Anyway, all I wanted to know was if VIPRE was able to prevent unknown ransomware based on the "Prevention" it has in its name. That was all.
  12. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    DarkButterfly:

    Your original question was about "ransomware," not Notepad shutting down the system or an MP3 file deleting the Windows directory. And TNT has done a pretty good job pointing out the problems with attempting to build behavioral detections for ransomware.

    You can't translate "apparent reason" into anything that a software could determine by itself. You asked:

    And there's the nub of the problem. How is a software program supposed to determine that YOU are not doing the encrypting and that it was not YOUR intention -- at least not without popping an AP box to ask. Are you going to pop an AP box every time encryption activity occurs on the PC? You could be flooding the user with AP prompts. See user responses to UAC for an indication as to how well that would go over.

    Furthermore, at the point you're talking about intervening, the malware is already on the box and running. The whole point of Active Protection is to prevent the malware from even getting close to the point where it could encrypt some files.

    Eric L. Howes
    Sunbelt Software
  13. Kees1958
    Kees1958 Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    Eric, eBurger

    I read this thread because I am interested in a brand new AV and how it is going to be developed. In your argumentation you are posing 'return' questions, but these are questions which should be solved by the security industry.

    ThreatFire f.i. first checks after the first intrusion whether it is a known malware; the series of events is key here. ThreatFire also uses some sort of differentiation between the infection risk of a security application, meaning system processes are allowed more than, for instance, web browsers and e-mail programs.

    NeoavaGuard had an innovative approach of giving intrusions a bad behaviour value. When the threshold was reached it did intercept the process.

    PRSC does classify intrusions into a behavior category and the risk it can evoke. The sequences of events in which an intrusion builds, translated to behaviour patterns, are limited (e.g. < 1000 in PRSC's case).

    Sensive Guard (old application) and Rising's AntiVirus HIPS part somehow do implement their limitations depending on whether the user started it (e.g. simply having Explorer as the parent process, without a hook, message or memory violation being the source of the trigger).

    Policy sandboxes like DefenseWall and GeSWall have shown that a LUA environment applied to threatgate applications results in a simple, pop-up-less defense.

    Online Armor (next release) also has an option to run unknown programs in a limited environment. For a program that started as an Anti Executable that is a paradigm shift.

    DSA has an anomaly detection which, for instance, triggers when a lot more emails are sent than normal. So there are answers to the questions, as long as you differentiate.
    Last edited: Jul 31, 2008
  14. doktornotor
    doktornotor Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    So, you'd flag TrueCrypt as ransomware because it does exactly that whenever you save/copy anything to an encrypted area (disk, partition, volume). o_O :rolleyes:
  15. spm
    spm Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    I have to say that the posturing going on here is quite astonishing, and I am particularly concerned to see supposed security 'experts' taking such a black-and-white view of issues. While I won't do so, it would be easy to interpret eburger68's postings here to mean that VIPRE is nothing more than an age-old signature-based engine which has no concept of 'behaviour'. That would be worrying indeed for a product Sunbelt hail as revolutionary.

    Most anti-malware products nowadays have some sort of behavioural detection (and I use that term in its widest sense), and can detect such actions as installing keyboard hooks, adding values to the registry 'start' keys, or listening on TCP ports, etc. as dangerous or 'potentially unwanted', say. On this level, it could be argued (but see below) that encrypting files is a potentially-unwanted behaviour and should be intercepted. If VIPRE (or whatever) has a signature for the offending app then all well and good, but if not then it could check against an integrated whitelist of the known good encrypting apps (e.g., TrueCrypt and the like). If on the whitelist, the app would be allowed without further action, else the user would be prompted for an action. Whitelists associated with suspicious behaviors would be small and would not unduly increase the size of 'signature' databases or unduly increase the maintenance workload of the security software vendors.

    The problem I see, in this particular case, is that it is difficult to detect 'encrypting' behaviour. There are so many encryption methods, and a limitless number of customised ones can be built that would make generic detection very difficult, and herein would lie the challenge for vendors.

    Just my twopence worth.
  16. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    spm:

    You wrote:

    And that would be a mistake, as VIPRE does indeed have behavioral-based protection such as you describe.

    That is ultimately the question raised -- whether it would be productive to treat encryption activity as an inherently "suspicious" behavior. I'm simply skeptical of the relative value of such an approach.

    And there's another problem: what would be defined as a "known good encrypting app," given that "ransomware" could very well be using libraries associated with a "known good encrypting app" to do its dirty work.

    Even putting aside that issue, the number of encryption apps and modules out there is vast -- it would not be a trivial task to put together such a list and maintain it.

    And that is another issue, though presumably one could watch for calls to a list of known encryption modules which the bad guys would be likely to use. Coding strong crypto is itself not a trivial task, and if they wanted strong "protection" for the files they encrypted they would be likely to use something off-the-shelf. If they code their own crypto, then it's much more likely that the protection would not be strong and the files ultimately recoverable.

    I don't doubt that some coder (or a team of clever coders) probably could come up with a scheme to flag potentially suspicious encryption activity. But I question the relative value of devoting all manner of resources to identifying suspicious crypto activity, when one could be using those resources to go after malware of all kinds in other ways.

    Eric L. Howes
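Spm's whitelist-plus-interception proposal and Eric's remark about watching for known encryption modules, as an added example that is not from this thread or from VIPRE or any other product named here: a toy detector scores per-process file-write events, skips a constructed whitelist of user-installed encryptors (spm's point), and flags a process once its score crosses a threshold in the style Kees1958 attributes to NeoavaGuard. It goes beyond the posts by using the byte entropy of the written content as the "is this encrypting?" signal, which does not depend on which cipher or library is used; every process name, path, weight and threshold below is a constructed assumption.

```python
import math
from collections import defaultdict

# Constructed whitelist of user-installed encryption tools (spm's "known good encrypting apps").
KNOWN_GOOD_ENCRYPTORS = {"truecrypt.exe"}
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".pdf", ".jpg", ".txt"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; plaintext documents sit far below, ciphertext near 8.0
SCORE_THRESHOLD = 10      # NeoavaGuard-style "bad behaviour" cutoff (constructed value)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; ~8.0 for encrypted (or compressed) data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_events(events):
    """Accumulate a suspicion score per process from file-write events.

    Each event: {"process", "path", "new_path" (None if not renamed), "data"}.
    Returns {process: (score, reasons)} for processes at or above SCORE_THRESHOLD.
    """
    scores, reasons, seen_dirs = defaultdict(int), defaultdict(list), defaultdict(set)
    for ev in events:
        proc = ev["process"].lower()
        if proc in KNOWN_GOOD_ENCRYPTORS:
            continue                      # whitelisted: allow without prompting the user
        ext = "." + ev["path"].rsplit(".", 1)[-1].lower()
        if ext not in DOC_EXTENSIONS:
            continue                      # only user documents matter for ransomware
        if shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            scores[proc] += 3
            reasons[proc].append(f"high-entropy overwrite of {ev['path']}")
        if ev.get("new_path") and not ev["new_path"].lower().endswith(ext):
            scores[proc] += 2
            reasons[proc].append(f"extension changed on {ev['path']}")
        seen_dirs[proc].add(ev["path"].rsplit("\\", 1)[0])
        if len(seen_dirs[proc]) == 3:     # spreading across document folders, counted once
            scores[proc] += 2
            reasons[proc].append("writing across many document folders")
    return {p: (s, reasons[p]) for p, s in scores.items() if s >= SCORE_THRESHOLD}


# Constructed sample data: exactly 8.0 bits/byte stands in for ciphertext.
HIGH_ENTROPY = bytes(range(256)) * 8
PLAINTEXT = b"Quarterly report: revenue up 4% on the previous period.\n" * 40
SAMPLE_EVENTS = [
    {"process": "winword.exe", "path": r"C:\Users\a\Documents\report.docx", "new_path": None, "data": PLAINTEXT},
    {"process": "truecrypt.exe", "path": r"C:\Users\a\Documents\secret.txt", "new_path": None, "data": HIGH_ENTROPY},
    {"process": "unknown.exe", "path": r"C:\Users\a\Documents\report.docx", "new_path": r"C:\Users\a\Documents\report.docx._CRYPT", "data": HIGH_ENTROPY},
    {"process": "unknown.exe", "path": r"C:\Users\a\Pictures\holiday.jpg", "new_path": r"C:\Users\a\Pictures\holiday.jpg._CRYPT", "data": HIGH_ENTROPY},
    {"process": "unknown.exe", "path": r"C:\Users\a\Desktop\budget.xls", "new_path": r"C:\Users\a\Desktop\budget.xls._CRYPT", "data": HIGH_ENTROPY},
]

if __name__ == "__main__":
    for proc, (score, why) in score_events(SAMPLE_EVENTS).items():
        print(f"{proc}: score {score}; " + "; ".join(why))
```

Only the constructed "unknown.exe" is flagged: Word's plaintext save scores nothing, and TrueCrypt's high-entropy write is skipped by the whitelist rather than prompting the user.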
  17. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    Kees1958:

    You wrote:

    The schemes you describe are all quite innovative and interesting as methods for guarding against potential malware intrusions, but they are using a wide range of potentially anomalous behaviors and qualities to sniff out malware. The problem with encryption activity performed by ransomware is that its behavior at that point would be difficult to characterize as anomalous.

    There probably would be a whole range of behaviors associated with that malware's intrusion onto the box that one could and probably should flag, but those behaviors would be associated with malware more generally, not just ransomware.

    I would be interested to know which of the apps you mention is actually using "encryption behavior" (however that is determined) as a flag in their schemes for identifying and limiting the intrusion of potential malware.

    Eric L. Howes
  18. spm
    spm Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    OK, Eric, there's a lot of "we can't do that" postings from you here. Might it not be better to post what you actually can do, or approaches that might be worth you looking at, instead? You can respond all you like about how difficult it is to defend against 'ransomware', but the simple fact is that it is a threat and it needs to be dealt with.
  19. Ilya Rabinovich
    Ilya Rabinovich Developer

    Re: VIPRE Antivirus + Antispyware is now released

    Eric, sandboxes do not "sniff out" malware - it's just a modified environment most malware can't survive in. Ransomware is not an exception.
  20. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    Ilya:

    You wrote:

    I understand how sandboxes work -- it was a hasty, poor choice of verbs to summarize the range of applications mentioned in the post I was responding to. Take my final *general* characterization instead: "schemes for identifying and limiting the intrusion of potential malware."

    And I never said that sandboxes (or any of the other schemes mentioned in that post) couldn't be a potentially effective defense against ransomware. The question under discussion, though, was behavioral detections of ransomware. And my point was that, in my view, it simply didn't seem productive to pursue that line in comparison with more general approaches to detecting or limiting the intrusion of malware more generally.

    Eric L. Howes
    Last edited: Jul 31, 2008
  21. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    spm:

    You wrote:

    Strictly speaking, I never said "we can't do that." Indeed, I even allowed that some kind of behavioral detection might be possible. My point was simply to highlight the difficulties in developing such a thing and question whether that effort would be productive relative to other schemes for dealing with malware.

    Again, I never said "ransomware" wasn't a threat or even that, generally speaking, it was a more difficult threat to deal with than other forms of malware. I was simply addressing the very specific question at hand.

    Folks, the question of developing schemes for dealing with ransomware is an intriguing one. Perhaps this discussion ought to be split off into a dedicated thread?

    Eric L. Howes
  22. Bubba
    Bubba Updates Team

    Re: VIPRE Antivirus + Antispyware is now released

    It was being considered, so we'll go ahead and attempt that move now. Hopefully the above beginning post was a suitable starting point and all relevant posts made it on the voyage.
  23. Ilya Rabinovich
    Ilya Rabinovich Developer

    Re: VIPRE Antivirus + Antispyware is now released

    I completely agree with you. Generally, it's almost impossible to generalize behavioral detection for ransomware. I even wrote it somewhere here, at Wilders, previously. :)
  24. DarkButterfly
    DarkButterfly Registered Member

    Re: VIPRE Antivirus + Antispyware is now released

    I guess that TrueCrypt wouldn't be installed on the system without the user's consent, and the same goes for other encrypting tools that we use to encrypt.

    I don't think ransomware would be something running with our consent.
  25. eburger68
    eburger68 Privacy Expert

    Re: VIPRE Antivirus + Antispyware is now released

    Bubba:

    You wrote:

    Thanks. Although the subject still mentions VIPRE, I think it would be appropriate to open up the discussion to approaches/schemes for dealing with/flagging/managing ransomware more generally.

    Eric L. Howes
    Sunbelt Software