Ransomware Protection

Discussion in 'polls' started by emmjay, Dec 21, 2015.


How do you combat ransomware?

  1. I rely on my existing install base (AV, AM and Anti-exploit products)

    65 vote(s)
    55.1%
  2. I rely on HIPs

    12 vote(s)
    10.2%
  3. CryptoPrevent

    12 vote(s)
    10.2%
  4. Ruiware WAR

    3 vote(s)
    2.5%
  5. TrendMicro AR prevention

    1 vote(s)
    0.8%
  6. HitmanPro AR prevention

    24 vote(s)
    20.3%
  7. CryptoMonitor

    0 vote(s)
    0.0%
  8. Other

    47 vote(s)
    39.8%
Multiple votes are allowed.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    I agree with this. Vendors already thought of it and now there's a potential security product for the average user, high profitable market indeed.
     
  2. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    I don't agree, because an AV/security product claims to secure things, and because of this, beginners especially should get information and the ability to e.g. play with Windows' own GPOs and other things directly from such products. Destroy Windows Spying (which is open source, btw) can do this automatically, and several other products too; of course they are not AVs, but it's enough to show as an example that this is very easily possible, even with 'handmade' scripts where every noob can google/understand what's going on. With an AV you don't have control, because as said it controls everything on its own: it installs a certificate, monitors all traffic and other stuff people complain about with Windows but not with AVs? This is weird/strange/crazy, whatever; it's just giving up one trustable thing and exchanging it for another you must simply trust, and why not use one instead of 2 or more which scan all your files/folders/OS and possibly submit your things into a cloud? Again no control; on mobile platforms this gets worse because there are ads. Well, Kaspersky and others are also starting to implement this, and this is just another hole, because the ads provider could be infected, or whatever drive-by it comes with, just because you want everything for free. I think installing an AV or any other solution is so 1999; they have not evolved but the OS did. Most stuff is already well handled by the OS and should be fixed in there and not with third-party tools. Well, it's just my opinion, but marketing always wins. And again, what I already said in another thread: I never trust a company which is not able to handle cracks. Malwarebytes is crackable, Kaspersky and others, so if they can't handle this, why should I trust them? Do people still believe that crackers/hackers don't test against VirusTotal or other engines? I don't think so.
    If it were as easy as they always tell us, no one would ever have had a virus, but in fact it's much more complicated, and now people use 2 or more scanners, which doesn't make this better. Windows Defender showed us that cloud reputation is 'everything', and now they are almost as good as every other product (20 years on the market), and what to say about this ...

    For me it's about making money, and I'd rather use that money/time to harden the OS so that I don't need to trust (yet another) one which wants to play the game to make money. For me this would all be okay, but it must be clearly visible and mentioned. And remember, not everyone needs it, because the browser is also getting better and better with integrated lists, sandboxes and whatever, so as I said, AV is dead (for me).

    Don't get me wrong, but for experts such products are useless: if you harden and restrict the dirs the malware usually writes to, and you execute them, they simply have no power to lock you out. Even if you're locked out, it takes 10 minutes to install the OS or to use safe mode or a live CD to fix things yourself. It isn't that complicated in times of YouTube and a lot of stuff that is already mentioned a million times on the internet.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have been monitoring this since it was posted.

    Might be the next gen of ransomware. The user's drives all show as formatted "raw." MBR fixes appear ineffective, although he never mentioned trying to restore same from an image backup. So far the malware has the bleepingcomputer.com folks stumped.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    What do you think about this?
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This bugger is a nasty one:

    Even though the backup drive was also encrypted/partition table corrupted, luckily they had rotated their backup drives right before. We restored the server from backup and all was well.

    Until we rebooted the workstations...

    Now all of the workstations are infected with this as well. The problem, as it always seems, is that there were a few key users who kept some incredibly important files outside of their redirected folders and on their local systems.
    Also Fabian looked at his MBR and it looked OK. I am wondering if Hacking Team nailed him with "BadBIOS."
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What's with the long posts? And this topic is not about AVs, it's about proactive protection against ransomware. Policies and Windows hardening won't help against ransomware delivered via spear phishing attacks, for example. End of story.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Actually, as long as the user isn't an admin or anyone with enough privilege to disable the said policies and restrictions...

    As for "Encrypted Boot Ransomware" et al, nothing will stop a determined user with admin rights. Maybe if your anti-whatever can convince them, or lock them out.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    SRP wouldn't help there? How is executing ransomware delivered through spear phishing any different from any other code execution?
     
  9. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Sorry, you're wrong. First, most AVs come bundled with 'proactive protection' included, same as Windows (if the correct settings are chosen). Second, Windows hardening helps against 99% of everything from my experience; just install Enterprise Edition, which includes AppLocker, and you get the same here, and even without it there are restrictions you can set via GPOs. About spear phishing, of course hardening helps, and you also don't need any AV installed to be 'secure'; mostly it comes (same as ransomware) via email/attachment, so simply don't open it, or if you're unsure, open it via the cloud or submit it (again no AV needed). If you don't use any social media or simply scan unknown stuff, then you will be secure too. And again, this wasn't mentioned in any AV I ever tested: no security tips that affect Windows directly. You don't believe me? Install any AV you can get, see -> no option to harden Windows settings or show news about Windows attacks and how to protect against e.g. the whole cipher story. You only see in some AVs advertisements or links (they call them 'news') to their own pages. As said, it would be no problem, but they simply have not evolved; it's not like the 90's anymore. I think we need open source + a crowd which truly maintains these, because most people don't want to read entire forums and the reports in there.

    In fact this needs admin rights, so what's the deal with it? No admin rights, no problems. I think this is the most well-known 'trick', which has worked since 1994.

    Also don't forget that the crowd/community/we do a lot of work for the AV industry, because we report and submit the stuff, which saves them a lot of money. Same as with Windows: I think it was improved dramatically over the years, and most attacks also need several additional steps that the user directly behind the screen needs to execute to be 'infected'. And again, today it's more about stealing data and not destroying your Windows, and AV or proactive or whatever never helps against data theft, because there are a lot of easier ways to get data via social media/social engineering, directly from manipulated hardware, manipulated certificates/connections and and and. I doubt that any AV can handle it, and also not if you run 10 at the same time.

    I was just saying, and I'll stop this here. It's not against any products in general, but just to give some context that especially for professionals this is not needed, because of the several mentioned points, and I only complain that there is no visible indicator for such people except playing with their fears.
     
    Last edited: Feb 2, 2016
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm speaking of a scenario where users download and install apps themselves, it doesn't matter if it's via some email attachment or a download site. Regular users just want stuff to work, so they don't want to deal with anti-exe and restrictions. And that's where mainstream security tools come in, they will let you do whatever you want and will only alert about or block stuff when they think it's malicious. So what I'm trying to say is, there is nothing "overhyped" about anti-exploit and anti-ransomware.
     
  11. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    It is, because if you install software on an admin account (online) you're on your own, even with AV, because it then has full access and can/could bypass any AV. On a restricted account you must type in a password + you have that annoying secure dark desktop which warns you; that's more than I see on most AVs, because they only inform you directly after the software is installed, or in the case it directly scans the extraction of the executable/zip, then you get the warning. Again, this is so 1999, because no one cares about it; as long as it's not been manually clicked/executed, the malware doesn't do anything. Again it's playing with people's fear and the never-ending question -> what if?

    It's hyped for me because the ransomware shown in the video needs admin privileges to work, so you're really telling us that it's dangerous to download stuff from unknown/untrusted places and execute it? That's not new, and also from the 90's. With or without protection there is also no guarantee, so I would slow down and work with GPOs/ALOs instead if you are a professional, and you only need this once, because you can import/export it. This software and most others do not allow importing/exporting settings (offline); I only saw a few these days, and Windows can do this also since Vista and even before on server editions.

    Alerts here and there, but who knows if that is a false positive or not; especially if you're not an expert, you get alerts for toolbar installers and such kinds of integrated things, so it's a matter of understanding.

    Again it's not against any product in general, but to clear things up, especially on forums with 'advanced'/expert users. And we don't get any thanks or licenses or any specials for 'improving' their products.

    In my usual download database (heise.de) they already check against several AVs, so what's then the point of installing one on my own system and wasting system resources? I don't see it.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You sound like a broken record and are not even making a lot of sense. This discussion is about security tools like anti-ransomware and whether they are really needed or not. I've already explained why they are not overhyped. Fact of the matter is that ransomware is a real threat; criminals have made millions in the last years. Most regular users, and even experienced users, don't want the hassle of using software restriction policies, which won't even help if malware is started manually. End of story.
     
  13. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    It sounds like you don't understand what I've said, because you so badly want such software instead of opening your mind. I did explain that professionals don't need it, got it? I hope. I also explained that with restrictions it won't work, even without AV, 100%; I tested it by analysing the CryptoWall 4.0 ransomware. And other ransomware doesn't work very differently; if yes, show me proof and we can start another discussion, but I don't think so.

    I agree, but that's the fault of users + the AV industry, because they want you to buy their software; as I also said, it would be no problem if they would integrate several options to harden the OS. Remember that your arguments are useless if we're talking about 'layers'. Malwarebytes believes in layers, but the same can be used to bypass every AV on earth, because they simply can't e.g. access several layers. An example is boot partitions that aren't mounted, or the BadUSB attack, which the AV doesn't have access to because the OS isolates it for several reasons; even if it detects it (somehow), it cannot remove it because of no write access. This is a serious problem.

    Even if you're not an expert, I see such things as critical; normally the IT section or your business should filter/protect/harden your working environment and not you, so I doubt that 'millions' are infected by this, more home users I think, and we don't have any objective chart, since this is coming from (mostly) AV developers.

    I think I have made my statement now, and it's clear that it isn't necessary. If you want to believe in myths then okay, that's yours, but the OS should fix such things and not other tools which can't give you any guarantee.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Do you really think that I don't understand what your point is, after all of that text? I'm just saying that you're not making a lot of sense. And it's not up to you to decide if professionals don't need certain tools.

    When it comes to ransomware that's started directly by the user, SRP and even AV might not help, so that's why "set and forget" anti-ransomware tools that offer pro-active monitoring are needed. You can post all day long, and write whole essays, but that's just a fact.
     
  15. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    You don't get it; after all, re-read my posts. You don't need it, since I explained how to protect yourself, and again there is no guarantee that your beloved tools are not compromised (fake AV) or always detect xyz new method; as in the past, most AVs failed on new 0day stuff, and no one knows how they fail in general, since the AV developers never admit that there are problems (or I never found any statement about false positive + 0day problems). You only get 'we're working on it'. Proactive is not needed, and I never said everyone needs to listen to what I say, but I gave several examples you just ignored, and you don't give any proof for any of your words.

    The only real problem is that users don't want to know or don't know about the internal protection mechanisms, and I blame the AV industry for that, because such tools never say a word about this. Kaspersky and others come with workarounds, e.g. to clean cookies and such, but don't tell anything about it, so I wonder why. Because of money, and that's it.

    If you don't like discussions, then you'd better not log in to forums. I give up; use your tools and think you are secured, but you're not, and that's a fact when it comes to my examples.
     
    Last edited: Feb 3, 2016
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't like dumb discussions with people who keep repeating the same stuff without making any sense. If you don't need certain security tools then just don't use them, nobody is forcing you. But don't spread nonsense about these products.
     
  17. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    No proof from you, but you say nonsense; you made my day. I skip and ignore you now. Ignorance at its best. I think this tip is still the best (no need for any AV): just block AppData and Temp and nothing can be executed.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Agreed! If one runs as a limited account and doesn't allow elevation via UAC to admin, then ransomware will fail.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
  20. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    The best defense is common sense and best practices.

    It seems like, sometimes, AV products are designed to babysit users and their activities.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, thanks for ignoring me, you're doing me a favor. I totally forgot about the ignore feature of the forum; I think I will be needing it, since it seems you started to spread the same nonsense in other threads. :D
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    I agree. But I also understand that some users just don't want to worry about security. They just want to turn on computer, do whatever they want to do with it and turn it off. They are willing to pay somebody else to take care of security so they don't have to. But even for those users some basic security education could significantly improve their computing security. After all - in computing "common sense" is sometimes not so common.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    It still needs a combination of read/write and execute permissions. If there is nowhere on the system it can find that combination, it will be foiled. The basic premise I use for ACLs, SRP and AppLocker is that read/write and execute permissions are mutually exclusive for non-administrators, so the ransomware will need to elevate its privilege level to work. In a default Windows--and Linux--user account, ordinary users do have that combination in their home folders, so a piece of ransomware just has to copy itself to a user's folder and run. That is easily changed by removing execution privilege from those folders for non-administrators. Then they can only run software from the system and program files directories, and the ransomware can't copy itself there without administrator privilege.
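    A way to check, on a live machine, for the write+execute overlap MisterB describes above (the same overlap CHEFKOCH's "block AppData and Temp" tip aims to close). This is an added audit script, not code posted in this thread; the folder list is an assumed set of typical user-writable locations, and it assumes you run it from the standard user account being audited.

```powershell
# Added audit script, not code from the thread. Folder list is an assumption
# (the usual user-writable staging locations); it reads NTFS ACLs only, so
# SRP/AppLocker rules, which are stored elsewhere, are not reflected here.
param(
    [string[]]$Folders = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                           (Join-Path $env:USERPROFILE 'Downloads'))
)

$Rights      = [System.Security.AccessControl.FileSystemRights]
$WriteBits   = [int]($Rights::CreateFiles -bor $Rights::WriteData)  # drop/overwrite a file
$ExecuteBits = [int]$Rights::ExecuteFile                             # run a file in place

# SIDs of the current token: the user plus every group it belongs to.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Test-WriteExecuteOverlap {
    param([string]$Path)
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Match the ACE principal against the token by SID, not by display name.
        try   { $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID that cannot be translated
        if ($sid -notin $sids) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                     { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # Deny ACEs take precedence over Allow ACEs, so strip denied bits first.
    $effective = $allow -band (-bnot $deny)
    $w = (($effective -band $WriteBits)   -ne 0)
    $x = (($effective -band $ExecuteBits) -ne 0)
    [pscustomobject]@{ Path = $Path; Write = $w; Execute = $x; Overlap = ($w -and $x) }
}

$report = foreach ($f in $Folders) {
    if (Test-Path -LiteralPath $f) { Test-WriteExecuteOverlap -Path $f }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Overlap }) {
    Write-Warning 'Folders with Overlap=True let a dropped file run in place; remove ExecuteFile there or cover them with an SRP/AppLocker path rule.'
}
```

    On a default profile every listed folder reports Overlap=True, which is the condition the post says to remove; after a Deny-ExecuteFile ACE or an SRP/AppLocker rule is applied, re-run it (and check the policy separately, since NTFS rights alone do not show SRP/AppLocker coverage).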
     