WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, apparently it only checks if some app is digitally signed, so if ransomware is signed then it will fail to protect. I'm not sure if this is true, but the developer from HMPA mentioned this in another thread. I believe the name "WinAntiRansom" is misleading if it's not meant to specifically detect ransomware, but also all other malware. And not by blacklisting or behavior blocking but by using a simple white-list.
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I think digital signature still has to be in its whitelist.
    It should not allow "any" signature.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I suppose it does indeed have an internal list of trusted publishers. But I now start to wonder why it sometimes gives false positives, is it simply because the app was not in the white-list? Or is it because the app acted similar to ransomware when it comes to modifying the file system? It's still not clear to me if it really watches for suspicious "file modification" operations, like HMPA and MBARW.
     
  4. haakon

    haakon Guest

    My own look under the hood and observation of its processes in Windows 7 and 10 establishes WAR is far more than your foggy assumptions. As well, to date the developer has provided me with three test versions to run and report on prior to an imminent public update.

    It DOES NOT "only checks if some app is digitally signed."

    It has a not-simple whitelist and registry protection that will detect malware, malware which doesn't otherwise escape anyone else's like-wise processes.

    WAR has a proprietary AI engine (your notion of a "behavior blocker") as has been pointed out several times here. Sadly, this factor and several others exist outside of your attention span.

    Granted, you have expertise in this arena but your unfulfilled insistence for the developer to show up and explain exactly how the product operates to your noble expectations does not allow for your continued infliction of UWAGs (uninformed wild arse guesses).

    You didn't buy the program, don't use it, never watched it work and have no investment in it. WAR is an effective product and the development team is sincere in its efforts to sell the best results and are hard at work in its continued development and improvement. They don't deserve your continued misinformed twitter-inspired drive-by posing. Nor do their customers or potential customers prospecting for information.

    Unless, of course, you can prove it doesn't do what it advertises to the same forensics and standards you hold up for other products in its class. Why don't you do that and get back to us? Thanks.
     
  5. haakon

    haakon Guest

    That version number was valid at the time of posting. It will have a different value.
     
  6. @haakon great post, really like the UWAG abbreviation, :thumb: but against who is this directed? :)
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Go back and look closely at the post, and you will figure it out. Clue..not you
     
  8. Sorry my bad, now I know

    upload_2016-4-11_21-42-31.png
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Ha, that's how it looks. I always wondered how you see posts from members you ignore :)
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The thing is, these foggy assumptions come from the fact that Erik Loman (developer of HMPA) has also checked out WAR, and he did come to the conclusion that it's probably not using any behavioral monitoring techniques. This does not mean it's not effective as we all have seen, it's just that I always like to know how security tools exactly work, so I can make informed decisions whether it's worth buying or not, based on my own criteria.

    The fact that it may or may not use behavioral monitoring does not mean I wouldn't recommend it, but I think people should at least have the right to know if it's comparable to HMPA and MBARW who do use file system monitoring. And I did watch it work on YouTube, but those videos told me nothing about the inner workings.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    What Rasheed wants to see is a comparison between HMPA, MBARW & WAR, I assume. Which ones block and which ones do not.

    But you need to remember Malwarebytes Anti-Exploit in the same conversation.
     
  12. haakon

    haakon Guest

    Ladies and gentlemen, I rest my case. I would :argh: were it not so pathetic.

    I happen to watch actual inner workings with the likes of Sysinternals' Process Monitor, to name one.

    Concluding something as probably defines the concept of foggy. Though it does strongly suggest that WAR's AI engine is not someone's notion of a "behavior blocker."

    And it just so happens that Loman is in competition with Ruiware. Facts? Hmmmmmmmm.
     
    Last edited by a moderator: Apr 11, 2016
  13. haakon

    haakon Guest

    Thanks. It hails back to a NASA engineering group and is actually Uneducated Wild A** Guess and a play on the more well-used SWAG, Scientific WAG, as there was little known about the tech at the time and education was ongoing.

    It required toning back in this context, hence Uninformed. Rasheed187 is not uneducated.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, perhaps you're right, I just re-watched some videos and WAR does seem to analyze process behavior. So perhaps Erik Loman can explain why he came to the conclusion that WAR is a white-listing tool with a built-in list of trusted "digitally signed" apps.

    If he's wrong, then I was perhaps too quick to draw any conclusions, my bad. To clarify, I was not trying to bash WAR, it seems to be quite effective, you can't argue with that. However, if Erik Loman is right, I can understand his statement about WAR and HMPA being totally different.

    HMPA watches for file system modification (purely HIPS based), while WAR uses a mix of "white-listing, heuristics and definitions". It's the heuristics part that's mostly interesting to me. I just wonder if it's simply "better" than the techniques used by HMPA and MBARW. So far this does seem to be the case, unless Erik Loman is right.
     
  15. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    WinAntiRansom v 2016.3.398 has been released.

    What’s new in 2016.3.398 (posted April 11th, 2016)

    • Added ability to Stop/Start Protection from tray application
    • Added ability to define up to 10 SafeZones.
    • Improved protection while reducing false positives.
    https://www.winpatrol.com/mydownloads/
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,139
    Is this a yearly sub?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Why in the world would Erik Loman want to get involved with all this nonsense? Rasheed, don't you know he probably has something better to do?
     
  18. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    I'm just wondering whether it supports Asian operating systems (Windows 10 X64) or not, since I can't see any related program as I'm trying to set SafeZone. Second, can anybody show me how to set "Network Lockdown Action"? I haven't seen any options in the tab!
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    In case it helps anyone else, here is the answer from Bret Lowry:

    Hi Paulderdash,

    No, we do not allow using C:\Users\<Username> as the SafeZone folder. There are many user specific "Temp" folders contained within sub-folders of this folder. For instance, the AppData folders are all contained as a subfolder, these are used as temporary file storage locations for many programs. Protecting temporary storage is not the intent of SafeZone.

    Creating C:\Users\<UserName> as a SafeZone would result in a lot of frustration due to programs getting blocked.

    We did just release an update today that allows you to define up to 10 SafeZones.
    The link is found here: http://www.landzdown.com/winantiransom/winantiransom-beta-3-available/

    Also, please remember that any wireless hard drives are 100% protected by our Network Lockdown feature.

    I hope this helps,
    Thanks,
    Bret.
     
  20. Bret Lowry

    Bret Lowry Registered Member

    Joined:
    Dec 21, 2014
    Posts:
    19
    Hi, I've read some of the posts in this thread and thought I should respond.

    First, our WinAntiRansom engine uses many factors in determining if software is potentially malware. I've seen people claim we only use signatures, the answer to that is absolutely not. We use far more in making our determinations and are evolving our engine all the time as we learn more, see more in an effort to continuously improve our protection.

    I don't care what the other companies say about our products, we are here to help and protect our customers and are focusing our efforts on improving our products.

    As for what the numbers in our prompts mean, those help us determine how we determined to block the ransomware. In retrospect, we should not have included them in the prompts because they simply lead to questions. We will not make those determinations public for many reasons, including tipping off malware authors how we are detecting them. Also, I'm sure our competitors would love to know our algorithms as well. How many Antivirus companies make their algorithms public?

    As for support in Full Chinese versions of Windows, I did find a bug today in how we process new programs and will be fixing. Bugs happen, no software is perfect, the true test of character is how you react to the bugs not the fact that they are found.

    As for network lockdown, that will automatically configure for you. All drives determined to be network drives will automatically be protected. That includes wireless hard drives.

    We're small but growing, we may not reply to every thread in forums but that doesn't mean we don't care. It simply means we may be busy doing something else. Please let us know if something needs our attention.

    Thanks,
    Bret.
     
  21. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    You said it well Bret.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    It's always nice to hear directly from the developer! It's helpful to know more details about how a program works so that compatibility and overlap with other security software can be determined. Many of us run multiple apps trying to maximize security while avoiding conflicts so thanks for sharing some details (It's perfectly understandable why you don't want to reveal too much though).
     
  23. Great reply: bottom line is that it does the job :thumb:
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for clearing things up. So I suppose WAR is indeed also using file system monitoring in order to identify ransomware. And I don't believe that Erik Loman meant to bash WAR, he just wanted to point out that HMPA works a bit differently. On the other hand, it did cause a bit of confusion. But I don't see why people wouldn't combine HMPA with WAR, since they both bring different things to the table. Of course people should first make sure that there aren't any conflicts.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Cruelsister's testing of WAR shows that it offers very impressive protection against Ransomware. WAR has performed best out of all the Anti-Ransomware products she has tested. Go through her channel, and look at the tests she has conducted on all the different Anti-Ransomware products on the market. I like the way she tests better than most. https://www.youtube.com/channel/UC6rpY1_vDoNV2AhS63enMZg
     