Default settings are already enough to cover ransomware, but you can turn on Trusted Applications for a stronger barrier. http://support.kaspersky.com/11158 https://securelist.com/analysis/publications/64608/a-new-generation-of-ransomware/
The best way to protect from ransomware is through a backup/image restoration. Most computers nowadays are sold with a recovery solution (other than an installation CD) which should be easy to activate even for laymen. This should be the first concern upon buying a new computer, but for some reason most people think AVs come first...
Automatic backups can be disastrous as well. They can back up infected files and replace the original backups with them. Depends on settings, of course.
I wasn't really talking about automatic backups, and besides, who is going to back up a system infected with ransomware? It's something that would be evident to anybody. Ransomware is about documents, and even documents alone could be copied directly to another external drive without any backup technology.
Well, there isn't any reason to back up anything else; when talking about ransomware, system files are the least of the concern. I stopped using autobackups because they destroy files. Google Drive is a stupidity by itself; it deletes the original and the backups altogether.
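The concern in the last few posts (a backup job that overwrites the only good copy with an encrypted one) is addressed by versioning rather than mirroring. The script below is an added example, not code posted by anyone in this thread: it copies documents to a destination folder, stores each changed file under a new timestamped directory instead of replacing the previous version, and warns when an unusually large share of already backed-up files changed in a single run, which is what mass encryption looks like from the backup side. $Source and $Dest are placeholder paths.

```powershell
# Added example, not code from the thread: a versioned document backup that never
# overwrites an earlier copy. A file whose content changed (including one that ransomware
# has encrypted) is stored as a new timestamped version, so the last good copy survives.
# $Source and $Dest are placeholders; point $Dest at an external drive and disconnect it
# after each run.
param(
    [string]$Source = "$env:USERPROFILE\Documents",   # placeholder
    [string]$Dest   = 'E:\Backup\Documents'           # placeholder
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$index = Join-Path $Dest 'index.csv'     # relative path -> SHA256 of the last stored version
$last  = @{}
if (Test-Path $index) {
    Import-Csv $index | ForEach-Object { $last[$_.RelPath] = $_.Hash }
}
$known    = $last.Count   # files seen in earlier runs
$modified = 0             # previously known files whose content changed this run

foreach ($file in Get-ChildItem -Path $Source -File -Recurse) {
    $rel  = $file.FullName.Substring($Source.Length).TrimStart('\')
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    if ($last[$rel] -eq $hash) { continue }              # unchanged since last run

    if ($last.ContainsKey($rel)) { $modified++ }
    # New or changed content goes under a fresh timestamped directory; nothing is deleted.
    $target = Join-Path (Join-Path $Dest $stamp) $rel
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -Path $file.FullName -Destination $target
    $last[$rel] = $hash
    Write-Output "stored $rel -> $stamp"
}

# Many previously backed-up files changing at once is how mass encryption looks from the
# backup side; flag it rather than silently treating the new versions as good.
if ($known -gt 0 -and $modified -gt ($known / 2)) {
    Write-Warning "$modified of $known known files changed this run; verify the source before trusting these versions."
}

# Rewrite the index of latest hashes; earlier versions on disk are left untouched.
$last.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ RelPath = $_.Key; Hash = $_.Value } } |
    Export-Csv -Path $index -NoTypeInformation
```

The versioning only helps if the destination is not reachable from the infected machine at the time of encryption, so the drive should be connected for the run and unplugged afterwards; a permanently mapped backup share is just another folder for the malware to encrypt.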
Newb ransomware question. If you are a victim and your screen is locked, does the lock come before or after the system attempts to boot into the OS? In other words, can you eliminate the problem by reinstalling Windows and then restoring the encrypted material via a backup? Will a re-install of the OS eliminate the encrypted files from your PC?
It depends on the version. Some will block your screen and you can bring up Task Manager and end the process. Some will modify the Shell entry so as soon as Explorer.exe gets loaded (i.e. on boot) it will load the malware, so you can't do much. In the worst case scenario you can use a bootable Linux distro, find the file and remove the infection. Reboot and you will be good to go. You don't need to re-install Windows; remove the malware, clean up any dropped files, then restore from backups. The encrypted files are no threat to your PC.
Some variants use file infection to spread: http://blog.trendmicro.com/trendlab...rlock-combines-file-infection-and-ransomware/ In that case a format and reinstall is a must. Also, nothing on that computer should be executed again, and fresh installers for software and drivers should be downloaded.
^ Agreed, if it's a file infector your best bet is to nuke it and start again. You can try to clean it out, but it's nearly always quicker and more effective to format and re-install.
Indeed, I do not get all the fuss about it. It is a virus like millions before it, and prevention is fairly simple. It drops files to the Temp folder and executes them after startup, unless it was run by a user (no UAC); then it gets a little complicated. So deleting startup items and cleaning Temp folders (~CCleaner) before shutdown is just fine.
Have a look at HitmanPro Alert. It has a feature called CryptoGuard (paid feature) which blocks the encryption process itself regardless of the malware type. There's also CryptoPrevent that uses software restriction policies to block crypto-ransomware. Both of these can be used along with antivirus and antimalware real time apps.
The most effective measure is security policies to block crypto malware from executing from the %AppData% folder. You can disallow executable files from running there and whitelist the few legitimate applications that do run from there.
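Before a "disallow executables under %AppData%" policy can be enforced, the legitimate programs that already run from there have to be found so they can be whitelisted, otherwise the rule breaks things and gets switched off. The script below is an added example, not something posted in this thread: it lists executable content under the roaming and local AppData folders with its Authenticode publisher, which is the input for the whitelist, and then reports whether any Software Restriction Policy is configured on the machine and which path rules sit at the Disallowed level. It is read-only.

```powershell
# Added example, not from the thread: inventory executable content under the per-user
# AppData folders so the few legitimate programs there can be whitelisted before an
# SRP "Disallowed" path rule is applied, and report whether SRP is configured at all.
$roots = @($env:APPDATA, $env:LOCALAPPDATA)
$exts  = '.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js', '.dll'

$found = foreach ($root in $roots) {
    Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Signed files from a known vendor are whitelist candidates; unsigned ones need a look.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SigStatus = $sig.Status
                Modified  = $_.LastWriteTime
            }
        }
}
$found | Sort-Object Publisher, Path | Format-Table -AutoSize

# SRP configuration lives under this key; if it is absent there are no SRP rules at all.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $safer) {
    $cfg = Get-ItemProperty -Path $safer
    "SRP present. DefaultLevel=$($cfg.DefaultLevel) (262144 = Unrestricted, 0 = Disallowed)"
    # Path rules at the Disallowed level are GUID-named subkeys whose ItemData holds the path.
    Get-ChildItem -Path "$safer\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { "  Disallowed path rule: $((Get-ItemProperty -Path $_.PSPath).ItemData)" }
} else {
    'No SRP policy configured on this machine.'
}
```

Run it as the user whose profile is in question, since %AppData% is per-user; the SRP part reads machine policy and is the same for everyone. Anything that shows up unsigned in the first table is either a candidate for relocation to Program Files or a reason to investigate before the path rule goes live.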
If you have a backup system like Rollback RX or Comodo Time Machine installed, in the event you are infected somehow you can revert back in time to an earlier clean snapshot and then delete the infected snapshot. No need to go to the extreme of a clean install of Windows.
I am fairly certain that this is how Bitdefender's free Anti-Ransomware program works, yet the claim is that it only protects against CryptoWall and CTB-Locker.
Try this: https://www.wilderssecurity.com/thre...ct-folders-and-use-as-anti-executable.369503/ Really cool tool to defend against ransomware and also other intrusions.
A friend was infected with Ransomware a couple of years ago. I put MBAM on a CD and then transferred it to his system. A Quick Scan got rid of it in one pass. I do not remember what it was. Jerry
There are different types of ransomware. Some, like the so-called "FBI virus", are only a bluff. They lock the computer and try to scare people into sending money. Then there's crypto-ransomware, which actually encrypts all of the data on the computer. In this situation it's not removing the virus that's the main problem, it's finding a way to get your data back. That's what I was referring to.
Came across some older HIPS registry rules that will protect you against Winlock, which is one of the more prevalent versions of ransomware. I supplemented what Kaspersky posted for x64 WIN 7. These rules would be applicable to any HIPS. Make sure you set the created rule to "ask."

ref: http://support.kaspersky.com/viruses/common/7193#block3

In order to secure your computer protection, it is required to create a rule that will control applications' access to some registry keys. It is recommended to create rules for the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\*\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\*\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\*

Notes:
1. If using a 32 bit OS, eliminate the WOW6432Node registry keys.
2. Some older software, plus at least Zemana Antilogger and some Intel drivers, will store stuff in the AppInit_DLLs registry key. However, this is a well known key where malware installs stuff. Also, the above "Image File Execution Options\*" keys could cause a lot of alerts from the HIPS, since application software installs entries there.
For a bit less protection and less HIPS interaction, you could only cover these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\*
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\*
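HIPS rules on these keys stop a write as it happens, but they say nothing about a machine that was already modified before the rule existed, or where the user clicked "allow". A one-off read of the same values is the complement: compare what Winlogon\Shell, Winlogon\Userinit and AppInit_DLLs currently hold against the Windows defaults, and check whether any Debugger value has been planted under Image File Execution Options for userinit.exe, explorer.exe or taskmgr.exe (the three names in the reduced list above). The script below is an added example, not from the thread or from the Kaspersky article; it only reads the registry. The expected values for Shell and Userinit are the stock Windows defaults and are assumptions about an unmodified install.

```powershell
# Added example, not from the thread or from Kaspersky: read the autostart values that the
# HIPS rules above guard and flag anything that deviates from the Windows defaults, so a
# tampered Shell, Userinit, AppInit_DLLs or IFEO Debugger entry is noticed. Read-only.
$ntcv   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ntcv32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion'
$checks = @(
    @{ Key = "$ntcv\Winlogon"; Name = 'Shell';        Expected = 'explorer.exe' },
    @{ Key = "$ntcv\Winlogon"; Name = 'Userinit';     Expected = "$env:SystemRoot\system32\userinit.exe" },
    @{ Key = "$ntcv\Windows";  Name = 'AppInit_DLLs'; Expected = '' }   # empty on a clean machine
)
if ([Environment]::Is64BitOperatingSystem) {
    # the 32-bit view keeps its own AppInit_DLLs list on x64
    $checks += @{ Key = "$ntcv32\Windows"; Name = 'AppInit_DLLs'; Expected = '' }
}

foreach ($c in $checks) {
    $val = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $val) { "n/a    $($c.Key)\$($c.Name) not present"; continue }
    # Userinit is normally written with a trailing comma; compare without it (-eq is case-insensitive).
    $norm = "$val".Trim().TrimEnd(',')
    if ($norm -eq $c.Expected) { "ok     $($c.Name) = '$val'" }
    else                       { "ALERT  $($c.Name) = '$val' (expected '$($c.Expected)')" }
}

# A Debugger value under Image File Execution Options makes Windows start the listed binary
# with the named program as its argument; for these three names that is almost never legitimate.
foreach ($img in 'userinit.exe', 'explorer.exe', 'taskmgr.exe') {
    $dbg = (Get-ItemProperty -Path "$ntcv\Image File Execution Options\$img" -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "ALERT  IFEO\$img Debugger = '$dbg'" } else { "ok     IFEO\$img has no Debugger value" }
}
```

An ALERT on AppInit_DLLs is not automatically malware, as note 2 above says some legitimate software uses it, so check what the listed DLL is before acting; an ALERT on Shell, Userinit or an IFEO Debugger for these three programs is worth treating as an infection until proven otherwise.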