SentinelOne adds feature to restore files hit by ransomware

Discussion in 'other anti-malware software' started by ronjor, Nov 18, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,838
    Location:
    Texas
    ronjor, Nov 18, 2015
    #1
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The rollback feature leverages built-in capabilities in Microsoft's Windows and Apple's OS X. Both operating systems take snapshots of files on a computer. In Windows, it's known as Volume Shadow Copy Service and on OS X as journaling.

    The technologies are used for restoring systems. The snapshots of the files are kept in a secure area and wouldn't be affected by ransomware if it infected a machine. Gemmell said. SentinelOne is also adding some anti-tampering defenses to make sure the snapshots aren't affected

    From the above, it is obvious the author has no idea how ransomware i.e. CryptoLocker variants work. Most will execute one of the following commands depending on delivery method used to delete all volume shadow copies:

    C:\Windows\syswow64\vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\syswow64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
    Any anti-exec or HIPS can monitor those commands. Or, just rename vssadmin.exe as bleepingcomputer.com recommends here: http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
     
    itman, Nov 18, 2015
    #2
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This is an enterprise solution. They don't disclose price so it's probably out of the home user range.

    Pete
     
    Peter2150, Nov 18, 2015
    #3
  4. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    They even don't have a public trial version to assess SentinelOne. ;-)
     
    ropchain, Nov 18, 2015
    #4
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    LOL, lately you have been on fire, thanks for the interesting posts.
     
    Rasheed187, Nov 18, 2015
    #5
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Rasheed187, Jul 30, 2016
    #6
  7. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    They probably put System Restore and Shadow Copies in an encrypted folder.

    Ransomware can only infect what it can see. Even if it encrypts all your files, your Restore snapshots and stored data are still unaffected.

    So in theory, you can go back in time before you were infected. You just will lose more recent work unless you already backed it up before the ransomware hijacked your system.

    SentinelOne offers an interesting approach to thwarting a zero day threat.
     
    NormanF, Jul 30, 2016
    #7
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...