WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. So true, agree completely
     
  2. Iangh

    Iangh Registered Member

    Joined: Jul 13, 2005
    Posts: 849
    Location: Melbourne, Australia

    Been wondering why WAR isn't overly popular? Do they need a Dan?

    Seriously, this program scores so well in ransomware tests, and I have yet to read anybody being unkind about it, yet it doesn't have the fan-base of VS. Is it because its name belies a focus on ransomware when, as I understand it, it's good at catching all sorts (I haven't seen a test demonstrating this if some kind soul would like to oblige)?
     
  3. haakon

    haakon Guest

    Well, VS has been around for almost five years. With its full-tilt boogie VirusTotal API, VoodooAI and whitelisting, it is a key player in its market segment. How could it not have a loyal fan base?

    WAR, on the scene a bit longer than a year, with its AI Engine and whitelisting has a fan base that is growing. "Overly popular" is on the way. It don't need Dan, but he's welcome...

    Who is Dan??

    VS started out as "virus protection like no other" "while a web app is running" (quoting their site), its ransomware protection is a by-product of a matured and superior technology. As I pointed out in an earlier post here, nowhere in VS's litany of features at voodooshield dot com is ransomware cited. (If you can find it, correct me on that please.)

    WAR's technology was designed for ransomware. And well proven as superior. The "catching all sorts" is the by-product.
     
    Last edited by a moderator: Aug 8, 2016
  4. hjlbx

    hjlbx Guest

    WinAntiRansom is effectively a whitelist\blacklist software - more so an anti-executable than a software restriction policy software. WAR is similar to NVT ERP more so than it is similar to AppGuard or Bouncer. In WAR there is no provision to run processes with limited rights nor any protections against memory attacks.

    With that being said, the question is do you really need it on a typical user system? That's for you to decide...

    What is already on the system prior to WinAntiRansom being installed is allowed, what is newly introduced is prohibited. Of course you can tweak it - which should be done by all means.

    Clean install Windows, install desired softs from USB, install WinAntiRansom, lock down system. Simple concept.

    Combined with a decent adblocker and simple Windows Firewall desktop GUI like TinyWall, and that combo will do a good job.

    You can increase the system security in case of an exploit by blacklisting the vulnerable rubbish shipped with Windows - like Powershell - which is nothing but a menace.

    What remains to be seen is how well WAR can withstand an exploit and whitelisted process abuse - something that all other anti-executables have failed to prevent.

    I know someone who has used NVT ERP + uBlock for years by now (both tweaked) + Windows Defender, Firewall and Smartscreen - and hasn't come close to being infected.

    There isn't anything about WAR that is revolutionary. It's simple, and simple can be enough to protect a system.

    It ain't bulletproof. Bulletproof is a pipe-dream...
     
    Last edited by a moderator: Aug 9, 2016
  5. haakon

    haakon Guest

    The primary component in WindowsAntiRansom is its proprietary Artificial Intelligence Engine
     
  6. hjlbx

    hjlbx Guest

    You can call it whatever you wish, but it is an anti-executable...
     
  7. haakon

    haakon Guest

    duh ok
     
  8. Overkill

    Overkill Registered Member

    Joined: Mar 16, 2012
    Posts: 2,343
    Location: USA

    So, if you already have an anti-exe installed, WAR doesn't have anything significant to add to your security?
     
  9. hjlbx

    hjlbx Guest

    WAR has a "filtering" algorithm that more than likely inspects a file's path, digital signature, age on system, origin, what it is attempting to access on system, etc. I don't know which file attributes are inspected, but the inspection algorithm is definitely there and it's called artificial intelligence. Some refer to it as a behavior blocker.

    It's "smarter" - if you so choose to call it that - than NVT ERP, but both are based upon the same concept. That's all there is to it.

    Given the choice, I would choose WAR over NVT ERP since ERP is a little outdated by now - though I think NVT ERP is still gold.

    The advantage to WAR is that it will notify upon suspicious or malicious actions for which it "filters" whereas NVT ERP just relies upon file path and digital signature.

    Combining WAR with another anti-executable isn't going to make your system more bulletproof - but instead will potentially annoy you with duplicate alerts.
     
  10. Overkill

    Overkill Registered Member

    Joined: Mar 16, 2012
    Posts: 2,343
    Location: USA

    WAR is very reasonable as far as price goes... I may try it one day, but I'm still a huge fan of ERP.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    But isn't the fact that it blocked ABP and Revo a sign that it is indeed using some form of behavior monitoring? Of course the question is on what basis it blocked them both.

    On what basis do you say this? According to cruelsister, it most likely does watch for suspicious file system activities. So it's more than a simple anti-exe tool. I believe the developer of WAR has also said this, but I may be wrong.
     
  12. hjlbx

    hjlbx Guest

    https://www.wilderssecurity.com/threads/winantiransom-plus-thread.382364/page-16#post-2608721

    WAR is a good, solid soft - but it isn't magical...

    It's an AE with some file inspection and behavior monitoring - with the objective to reduce the burden (more appropriately "guesswork" required of) on the user.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    Yes, but you made it sound like it's mostly an anti-exe product. To me the most important thing is if it uses behavioral monitoring or not, if it didn't then I would call it less advanced, no matter if it was effective or not.

    If I'm correct, the white-list is used to avoid false positives. And that's the difference between WAR, and HMPA and MBARW, I believe the last two are purely behavior based. But I haven't got a clue which of the 3 is the most advanced.
     
  14. hjlbx

    hjlbx Guest

    WAR is an AE - despite what others might state. So, it's a little "smarter" than a more basic AE like NVT ERP where the vast majority of decision making is the user's responsibility. Add an AI\machine learning\behavioral monitoring capability to a "dumb," basic AE (or HIPS for that matter) and all of a sudden some want to argue that since the product can detect something about a file or file action that is not wanted - without any user interaction, then all of a sudden that product is no longer an AE. It's a debate not worth having.

    The behavioral monitoring can't be any more sophisticated (perhaps it is more refined, better tuned) than any of the multitude of other behavioral monitoring components on the market.

    WAR is a good, solid product, but like I said it isn't magic...

    Given the choice, I would protect my system with HMP.A before choosing WAR or MBAE, but that's just my personal choice based upon a side-by-side comparison of each product - and what I choose should be irrelevant to anyone else.
     
    Last edited by a moderator: Aug 9, 2016
  15. haakon

    haakon Guest

    Yo! Boys and girls!

    I have it on Good Authority the next release of WAR, due soon, will have greatly enhanced blocking of RAT/Trojan-centric ransomware.

    Be on the lookout. :thumb:
     
    Last edited by a moderator: Aug 9, 2016
  16. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    Yes, but that is not the point. There is a big difference between a regular AE and an AE combined with some form of BB/HIPS. VS, AG and ERP to name a few, cannot spot malicious file system behavior being used by ransomware, while WAR, MBARW and HMPA all can.
     
  17. hjlbx

    hjlbx Guest

    I agree insofar as it is a usability improvement.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    Like I said, to me the most important thing to know, is if it watches the file system for suspicious activity or not. If it doesn't, then I agree it's a "smart" anti-exe tool, but I would then not be impressed at all. I just read a PM that I got from a developer, and he also thinks that WAR is NOT specifically monitoring the file system. But Cruelsister thinks it does, and the WAR developer won't give this info for some reason. So it's all very confusing.
     
  19. james246

    james246 Registered Member

    Joined: Nov 5, 2005
    Posts: 139

    Confusion is unlikely to be resolved, it is obvious that this program intercepts a lot more malware than just ransomware, I also think it is obvious that the WAR developer is unlikely to give info on the inner workings of his product and explain in any detail the relative meaning of "Artificial Intelligence".


     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    Yes that's the whole problem. I can understand it if the WAR developer doesn't want to tell at what parameters it's looking in order to determine if some app might be ransomware. However, he can at least solve this mystery by telling if it watches for suspicious file modification or not. There's nothing top secret about that, either it does or it doesn't.
     
  21. boredog

    boredog Registered Member

    Joined: Feb 1, 2015
    Posts: 2,499

    One thing we have not talked much about is the protected registry actions tab.

    What important registry keys are default protected, and is there a good list to manually add?

    Some years ago I remember a list someone made up for another program.
     


  22. boredog

    boredog Registered Member

    Joined: Feb 1, 2015
    Posts: 2,499

    Haakon said
    "Oh there is so so so much more to ransomware than an exploitable executable."

    Not sure if ransomware uses fileless malware, but there are some nasties that do. Poweliks

    "the victim is enticed to enable macros. Once enabled, the macro opens cmd.exe, which then calls PowerShell, a native Windows framework that uses a command-line shell to manage tasks, to download a malicious script" I think cruelsister used this in a video to bypass WAR, not sure. Anyway, I don't know if WAR is good at this, but most likely will be after that video.

    This is where AppGuard comes in handy ;)
     
    Last edited: Aug 10, 2016
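
The macro chain quoted in the post above (an Office application starting cmd.exe, which starts PowerShell) consists entirely of processes an allowlist would normally trust, so one way to spot it is by parentage rather than by file. This is an added example, not part of the thread or of any product discussed in it; the record layout, the list of Office host names and the sample events are constructed assumptions.

```python
import ntpath

# Assumed name sets for this example; extend them for a real environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
SCRIPT_ENGINES = {"powershell.exe"}

# Constructed process-creation records: pid, parent pid, image path.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # An administrator opening PowerShell from a console: must not alert.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 310, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def exe_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def find_macro_shell_chains(events):
    """Return (office_pid, shell_pid, engine_pid) for each matching chain."""
    # Assumes pids are unique within the batch (no pid reuse in the window).
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if exe_name(e["image"]) not in SCRIPT_ENGINES:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or exe_name(parent["image"]) not in SHELLS:
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is None:
            continue
        if exe_name(grandparent["image"]) in OFFICE_HOSTS:
            alerts.append((grandparent["pid"], parent["pid"], e["pid"]))
    return alerts


if __name__ == "__main__":
    for chain in find_macro_shell_chains(SAMPLE_EVENTS):
        print("Office -> cmd.exe -> PowerShell chain, pids:", chain)
```
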
  23. james246

    james246 Registered Member

    Joined: Nov 5, 2005
    Posts: 139

    cruelsister is really smart at getting ransomware past the defences of protection software but has been impressed with WAR, and rules out just simple "dumb detection". This might not be the proof undeniable that you seek, but this clever lady's opinion is the most intelligent judgement we are likely to get given the developer is choosing to say nothing on his product's inner workings.


     
  24. guest

    guest Guest

    I saw the video and I have used the app, and honestly with the amount of fp's (popups) you get, it easily could show a popup for any ransomware out there...
     
  25. Victek

    Victek Registered Member

    Joined: Nov 30, 2007
    Posts: 6,219
    Location: USA

    It comes down to the fact that a great many users cannot evaluate things like UAC prompts, update notifications, etc. Making limited accounts the default would increase the burden on the average user who already cannot effectively respond to prompts from the OS and third party security software. The carnage will continue. If computers were cars there would be a lot more dead people lol. Seriously an important part of the task for developers is to take the user out of the decision loop to the greatest possible extent.
     