Bitdefender Free CryptoWall Vaccine

Discussion in 'other anti-malware software' started by Charyb, Dec 17, 2014.

  1. Charyb

    Charyb Registered Member

    Announcement
    http://labs.bitdefender.com/2014/12/bitdefender-offers-free-cryptowall-vaccine/

    Download
    http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

    From BD Labs:
    "The CryptoWall Immunizer is only effective in protecting systems that may get infected with versions one and two of the Cryptowall ransomware.

    While we are making all efforts to update the tool as soon as CryptoWall is modified, we recommend that you keep your antivirus solution always on and use this tool as an additional layer of protection."
     
    Last edited: Dec 17, 2014
  2. kerykeion

    kerykeion Registered Member

    You tried it? I'm trying it, seems to be running perfectly well on my machine. :)
     
  3. zapjb

    zapjb Registered Member

    I'm trying it also. Minor peeve is the icon is exactly like the BIS 2015 icon. So far so good.
     
  4. trott3r

    trott3r Registered Member

    How does it work?
    Anti exploit like hitmanpro?
     
  5. FleischmannTV

    FleischmannTV Registered Member

  6. guest

    guest Guest

    A limited anti-executable in a nutshell, yep...
     
  7. trott3r

    trott3r Registered Member

    So NVT anti exe would do the same or voodooshield or HIPS even
     
  8. guest

    guest Guest

    trott3r it just disallows program executions in AppData and Startup folders. Any anti-executable and classical HIPS or even the built-in SRP can take care of it more than adequate enough.
     
  9. guest

    guest Guest

    imho I have more faith in HitmanPro.Alert than in BitDefender CryptoWall Vaccine. CryptoWall Vaccine just seems to be too limited in order to offer protection against crypto malware in general.


    (Please note that I don't have experience with both tools with regard to crypto ransomware)
     
  10. trott3r

    trott3r Registered Member

    oops wrong tab :)
     
  11. trott3r

    trott3r Registered Member

    thanks
    Any notification on block or just deny all
     
  12. guest

    guest Guest

    I don't know. I might be going to try it out just to see how it performs.
     
  13. trott3r

    trott3r Registered Member

    Hmm
    C:\Documents and Settings\trotter\Application Data\crypto

    Put cryptopad exe in that dir and double-clicked: nothing from Bitdefender. Also installed cryptopad after Webroot picked it up as not in their database :(
     
  14. trott3r

    trott3r Registered Member

    Maybe it's definitions-based as well?
     
  15. guest

    guest Guest

    Not workan! =V

    With immunization=on, executable could still be running in AppData folder. Could it be that it uses file hashes to block process executions?

    Do all anti-ransomware work like this? If yes, I'd rather use an AV instead.
     
  16. trott3r

    trott3r Registered Member

    Doesn't seem clever
     
  17. NormanF

    NormanF Registered Member

    It does two things: it enforces a software restriction policy to prevent ransomware from installing in AppData/Start folders and it blocks any ransomware that seeks to run.

    Of course, if the SRP is already in place, a malicious CryptoWall payload won't have rights to run, and if it does, it's blocked by BD Anti-Ransomware.
     
  18. guest

    guest Guest

    Which begs a question, does it work with some sort of blacklist definition?
     
  19. NormanF

    NormanF Registered Member

    I think it works with some sort of list since the software is updated over the Internet whenever new CryptoLocker/CryptoWall variants appear in the wild.
     
  20. guest

    guest Guest

    Then I don't see a point of this thing if the user already has an AV.
     
  21. zapjb

    zapjb Registered Member

    It must be different. Because BIS doesn't prevent me from using it.
     
  22. NormanF

    NormanF Registered Member

    It's compatible with your AV since it offers an additional layer of protection by enforcing SRP policies in Windows.
     
  23. guest

    guest Guest

    Enforcement based on what? File hashes blacklisting? I tested it with a benign executable and BD's CryptoWall Vaccine didn't block it. It should've blocked it if it did use default-deny SRP enforcement.
     
  24. NormanF

    NormanF Registered Member

    Did you enable immunization? It should have activated the SRP.
     
  25. guest

    guest Guest

    I did.
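
Added example, not part of the thread and not Bitdefender's code: the question left open above (path rules, hash rules, or no SRP at all) can be checked by listing what Windows Software Restriction Policy actually holds in the registry. It assumes any SRP rules sit under the standard `Safer\CodeIdentifiers` policy keys; the function name `Get-SrpRule` and the folder-name pattern are chosen for this example.

```powershell
# Added example: enumerate Software Restriction Policy (SRP) rules.
# Assumption: the policy lives under the standard Safer\CodeIdentifiers keys.
$LevelName = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                131072 = 'Basic User'; 262144 = 'Unrestricted' }
$Roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$NoExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-SrpRule {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Subkeys named by security level id (0, 262144, ...) hold the rules.
        foreach ($levelKey in Get-ChildItem $root) {
            $id = 0
            if (-not [int]::TryParse($levelKey.PSChildName, [ref]$id)) { continue }
            $level = if ($LevelName.ContainsKey($id)) { $LevelName[$id] } else { "$id" }
            foreach ($kind in 'Paths', 'Hashes') {
                $kindPath = "$($levelKey.PSPath)\$kind"
                if (-not (Test-Path $kindPath)) { continue }
                foreach ($rule in Get-ChildItem $kindPath) {
                    # Read ItemData unexpanded so %AppData%-style rules stay visible.
                    $data = $rule.GetValue('ItemData', $null, $NoExpand)
                    if ($data -is [byte[]]) {
                        $data = [BitConverter]::ToString($data) -replace '-', ''
                    }
                    [pscustomobject]@{ Hive = $root.Substring(0, 4); Level = $level
                                       Kind = $kind; Data = $data }
                }
            }
        }
    }
}

foreach ($root in $Roots) {
    # DefaultLevel 0 means default-deny; 262144 means allow unless a rule blocks.
    $p = Get-ItemProperty $root -Name DefaultLevel -ErrorAction SilentlyContinue
    $default = if ($p) { $p.DefaultLevel } else { 'not set' }
    "DefaultLevel under $($root.Substring(0, 4)): $default"
}

$rules = @(Get-SrpRule)
# Disallowed path rules that mention the folders discussed in the thread.
$covering = @($rules | Where-Object {
    $_.Kind -eq 'Paths' -and $_.Level -eq 'Disallowed' -and
    $_.Data -match 'AppData|Application Data|Startup' })
"Path rules: $(@($rules | Where-Object Kind -eq 'Paths').Count), " +
"hash rules: $(@($rules | Where-Object Kind -eq 'Hashes').Count), " +
"Disallowed rules covering AppData/Startup: $($covering.Count)"
$rules | Format-Table -AutoSize
```

No rules and no `DefaultLevel` with immunization enabled would suggest the blocking is not implemented through SRP policy keys; a benign executable that still runs from AppData is then expected.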

     