Interesting AntiRansomware freeware

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regards to SmartScreen, read this; especially the links posted in regards to SmartScreen: https://www.wilderssecurity.com/thr...ansomware-freeware.391031/page-2#post-2642455 .

    SmartScreen is primarily designed, including the recent enhancements, to protect against malicious activity originating from the browser. In Win 10, SmartScreen is constantly running whether the browser is active or not. My testing of Win 10 SmartScreen with it disabled in IE11 was not very encouraging. It only protected against download activity and was only marginally effective at that. In other words, it has to be enabled within the browser to be optimally effective. I would also assume that SmartScreen is enabled by default in all Win 10 native apps.

    If ransomware is being delivered via browser activity, it could be by any method currently in existence by which malware is delivered via the browser: exploit, drive-by download, etc. It is possible that an infected web page could be using a malicious script that could deliver a malware download. Note that most ransomware payloads are Trojans.

    I have not tested SmartScreen against malicious web page script ransomware activity. It is possible that there is an interface built into SmartScreen to Win Defender under Win 10 to use AMSI to monitor web page script activity. If so, it would be Win Defender that is blocking the web page script activity; not SmartScreen. Third party security software uses their own web filters to monitor malicious web page script activity since they have no direct access to SmartScreen.

    However, I have seen evidence in Win 10 that Win Defender is not totally disabled when using third party security software. So it may be indeed the case that SmartScreen is interfacing with Win Defender via the AMSI interface with third party security software installed. My security solution however in almost every case will detect the browser based malware prior to any SmartScreen detection.

    -EDIT- Also worth noting is if your browser is being run in AppContainer, the malware download is in the AppContainer as noted below:

    \Device\HarddiskVolume3\Users\xxx\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\VGY7334N\PotentiallyUnwanted.exe
     
    Last edited: Jan 5, 2017
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Thank you Peter- any info would be most appreciated!

    M
     
  3. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Cool AppCheck is now in Eng... it was June 2016 when I came across this software
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @VoodooShield

    You guys have an outstanding contribution to many with your efficient program but if I might, would like to solicit your opinion on AppCheck and if it has shown you something/anything that you favor in it.

    Thanks for any flash assessment you can share on your own experience from taking it around the corner and kicking the tires like @cruelsister and a few others have done in checking out its mechanics, so to speak.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I certainly appreciate that! I have not spent a lot of time with AppCheck (I did a quick and dirty test the other day with 30 or so samples), and it performed really well… it is really cool. I agree with CS that AppCheck’s approach is much better than simple policy restriction. And I also agree with Peter and Erik that never allowing a single line of malicious code to run is optimal.

    To me, computer security should work like this…

    1. Deny by default / Application whitelisting

    2. Pre-Execution Ai and blacklist scanning

    3. Behavior blocker

    But as a secondary layer of ransomware protection, yeah, AppCheck is great! Then again, for the third layer, if I had to choose between the two, I personally would prefer a behavior blocker like Emsisoft… it is phenomenal.
     
  6. guest

    guest Guest

    People talk about how great the BB in Emsisoft is, but actually it is a mediocre product, as we can all see in the tests. Why would I prefer a pop-up asking me what to do with something when there are other BBs that are able to make that decision correctly for me? Many of the detections that you see in tests are not based on signatures but on more advanced BBs that other products have, which don't require user input, and globally those products are able to protect the user better than Emsisoft according to the tests.

    The fact that it is one of the few products whose BB still relies on pop-ups tells that their technology is less advanced than their competitors'. The other BBs decide between bad and good and play with FPs, while EAM just shows a pop-up if anything looks suspicious, which is an easy way to play.

    http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2016&month=Jul_Nov&sort=1&zoom=3

    If you want pop-ups like EAM, just set the BB settings and sensitivity of any AV to the max; they are usually set to low by default.
     
    Last edited by a moderator: Jan 6, 2017
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What other product? That link doesn't tell me anything.
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    I don't know what graph you are looking at, but we are tied for the spot of the least compromised systems after F-Secure...

    I would argue that the fact that most other products let more malware infect and fully compromise a system without even so much as a beep is a clear sign that they are inferior. But maybe I am just weird, wanting to know my files and systems are safe. :doubt:
     
    Last edited: Jan 6, 2017
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am with you 100% Fabian. That's why I want to know what other product guest is specifically mentioning. I want to test it.
     
  10. guest

    guest Guest

    The same as you. The problem is that you are just assuming that all users will click on block in the pop-ups. But let's not talk about the FP rate plus the FPs introduced by the pop-ups of EAM.

    As I said, take the BB of any AV and set the settings to max. It will show the same intelligent behaviour as the EAM BB.

    It is very easy for any AV to show pop-ups when it has doubts about what to do with a file, just as it is very easy, with high sensitivity settings, to find any file suspicious and show a pop-up.

    With your same vague argument I guess it will be better to use any HIPS than your product; let the user decide before it gets infected... Or not.
     
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You can set the BB behaviour to block automatically and you have the same behaviour as the other AVs, with an FP rate that is still below average. So the same way you can configure other AVs to be more like EAM, you can configure EAM to be more like other AVs. Still don't see your point, sorry.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Still no answer on the "other" product?
     
  13. guest

    guest Guest

    Not the same conditions. EAM's FP rate by default is above the average; I don't want to imagine where it will be with autoblock in the BB.
     
  15. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You are aware that we only had 2 real FPs and the other 23 are BB warnings? So those 25 are already all "false" BB warnings counted against us. So switching the option would turn all the user dependent into automatic blocks and not change FPs at all.
     
  16. guest

    guest Guest

    OK, thanks for the input, but this reinforces my thesis that your BB is just quite sensitive and flags any suspicious file, but is not good enough to differentiate a good from a bad file, since 22/25 FPs are produced by the BB.
    Meanwhile other products don't have this issue, still have high detection rates and don't rely on pop-ups to get those high rates.
     
  17. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    High, but not as high. We have more aggressive defaults, yes. Especially the fact that we show when an application creates an autorun, which most setups do, and the FPs are pretty much all setups. Interestingly enough, that alert isn't even important for detecting malware, as ransomware especially doesn't even care about establishing persistence.

    Then again, your fix for the lacklustre performance of other products like Avast is to make their settings more aggressive. Do you assume the change you proposed will have no influence on FPs at all?

    Also keep in mind that just because someone has a high detection rate doesn't mean it is because of BB. Trend Micro and Avira both don't have any meaningful behaviour blocking at all. They score due to either aggressive URL filtering or cloud usage, both of which have grave implications for privacy (which you may or may not care for). Bitdefender has a decent behaviour blocker, but from my own experience, I can tell you that Bitdefender was saved more by their aggressive cloud-based URL filtering during that test than by their behaviour blocking.
     
    Last edited: Jan 6, 2017
  18. guest

    guest Guest

    Lack of performance? I would say that the lack of performance comes from EAM, which is not able to take decisions for the user, and it doesn't activate the block setting by default because you are aware that it will be a bigger issue.

    But let's take Bitdefender, which by default has no pop-ups, less PC load and 0 FPs... Guess what, it has a BB, as does any other top product in detection.

    If your BB is as good as the ones from the other companies, why doesn't it block by default, with 0 pop-ups and no user intervention, and just accept the FPs??
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank you for answering and especially marking out the important sequence, which I'm sure most already have laid out with their own approach.

    I have personally always placed a high priority on programs such as VS and some of those others found to perform completely (for the most part) to expectations, and while I have taken some flack for my resistance to AV solutions, it's just the way it is and I just can't in good conscience turn to any of them anymore.

    The few times that I've been caught off guard over the years by malware, for some odd reason it was when I had AV programs guarding the system, so they have failed me miserably, and that's something you don't forget no matter how advanced they continue to claim that they are.

    HIPS back on XP was the single most ABSOLUTE finest prevention and intrusion interruption invention to ever show up, and I've been building with that type of security ever since from separate individual programs, be they freeware or commercial, and the results stand alone.

    Continued success with VS to you and no matter how hard these intrusive techniques test your team's talent & skills, it's with gratitude that rest assured those efforts are greatly appreciated and always will be.
     
  20. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    I don't know. I feel seven times as many compromised systems is a lacklustre performance.

    It's more that we don't see user decisions as a big issue. If you do, change the setting.

    You may want to check your facts on Trend Micro and Avira using behaviour blocking in the same sense as BD's AVC or our Behaviour Blocker. Also, that test is of very limited use to judge behaviour blocking performance alone. I mean, it is pretty obvious for us which ones are guaranteed behaviour blocker detections, even though the number of what the BB detected is higher because a whole bunch of it is blocked automatically. But you have no idea what was responsible for the block for anyone else. For all you know Trend Micro just blocked every single download because of their URL filter. That doesn't mean they have the superior BB as you suggest (or that they have a BB at all).
    You can argue that BD and Avira have the better "overall package", which I would tend to agree with, and there are things in the other layers we can and will improve upon in 2017.

    We are accepting the FP already. It already gets counted as an FP. You see the FP right there in the report. We talked about switching the default internally a couple of times. The consensus is, that while it will make us look better in tests, where all alerts are already counted as FPs against us, we don't like patronising our user base, which for the most part likes how the product works right now. It comes up now and then during planning meetings, though, so we may just do it.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Noteworthy is that there are ransomware strains where the script itself is the ransomware payload, as described in the Sophos link below. The only download done by this strain is the encryption key from its C&C server. Also, as evidence that you're compromised further once ransomware begins execution, this ransomware delivers a secondary malware infection as noted below:

    That’s not all

    Most ransomware attacks we’ve seen in the last few years have started by scrambling your files, and finished by unscrambling your files once you’ve paid up.

    In other words, the cybercrime component was all about squeezing you to pay the ransom, with the ransomware aspect essentially being the beginning and the end of the crime.

    After decrypting your files and making sure that the ransomware program has been removed so it can’t accidentally strike again, the theory is that you’re back where you were before the attack started.

    But JS/Ransom-DDL is interestingly different, because it deliberately installs a secondary malware infection: a password stealer blocked by Sophos products as Troj/Fareit-AWR.

    This Fareit infection isn’t downloaded; instead it is encoded using base64 into a JavaScript string that is stored inside the ransomware file, and installed as a parting gift by the ransomware.

    The program code that drops the Fareit file onto your hard disk and launches it is deliberately obscured by encrypting it with AES, using a decryption key stored inside the malware:

    The dropped Fareit malware is saved into your MyDocuments folder using the name st.exe.


    Ref.: https://nakedsecurity.sophos.com/20...ats-100-pure-javascript-no-download-required/
     
    Last edited: Jan 6, 2017
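The Sophos write-up quoted above describes an executable stored base64-encoded inside a JavaScript string and written out as st.exe. A defender can check for exactly that pattern: the following is an added example (not Sophos's, AppCheck's or any poster's code; the sample script and the stand-in executable are constructed) that pulls long base64 literals out of a .js file and flags any that decode to a PE image.

```python
"""Flag JavaScript files that embed a Windows executable as a base64 string
literal, the delivery trick described for JS/Ransom-DDL.
Added example; the sample script and the stand-in PE below are constructed."""
import base64
import re
import struct

# Base64 runs of at least 64 characters inside a single- or double-quoted JS string.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(js_source: str) -> list:
    """Return (offset, decoded_length) for every base64 literal that decodes to a PE."""
    hits = []
    for m in B64_LITERAL.finditer(js_source):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(blob):
            hits.append((m.start(1), len(blob)))
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: MZ stub + PE signature, no code."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


# Constructed sample: a script that keeps an executable in a string literal,
# to be decoded and dropped into the Documents folder as st.exe.
SAMPLE_JS = (
    'var p = "' + base64.b64encode(build_fake_pe()).decode() + '";\n'
    '// ... decode p and write it to Documents\\st.exe ...\n'
)
# Constructed benign control: a long base64 literal that is just text.
BENIGN_JS = 'var msg = "' + base64.b64encode(b"hello " * 20).decode() + '";\n'

if __name__ == "__main__":
    for name, src in (("sample.js", SAMPLE_JS), ("benign.js", BENIGN_JS)):
        print(name, find_embedded_pe(src))
```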
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "HIPS back on XP was the single most ABSOLUTE finest prevention and intrusion interruption invention to ever show up and I been building with that type of security ever since from separate individual programs be they freeware or commercial and the results stand alone."

    ProcessGuard ;)
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see what you are saying, and I do respect the various AV lab tests, but I am guessing that most people who are impressed with Emsisoft’s BB, are impressed because they performed their own tests on various products.

    There is never a good reason for the vast majority of users, mainly novice and average users, to automatically allow new executable code to run on their systems when they are surfing the web or checking email. If new executable code does want to run, I would suggest that it is best that the user is at least notified with a user prompt, because there is then at least a chance that they will block it, which is much better than automatically allowing questionable items by default.

    I was actually just talking about this the other day in the following post:

    https://www.wilderssecurity.com/threads/voodooshield.313706/page-546#post-2642905

    In the post I wrote “That is the funny thing... most samples (95% or so) are relatively straightforward, and determining the maliciousness is quite simple. But around 5% of samples are extremely tricky, and there really is no way to conclusively determine whether the file is intended to be malicious or not (and I am not even talking about greyware).”

    The 4.5% Emsisoft user dependent samples from the AV Comparatives test are most likely the 5% tricky samples where users should be notified… so 4.5% seems about right to me.

    Sure, that is cool if the software auto decides… but it better be correct ;).
     
  24. guest

    guest Guest

    1) Again you are assuming that the users will click on block when it's malware. Why don't you sell HIPS if you are so convinced about this behaviour?

    2) BB is a very wide concept, used widely by many techs; any decent AV in the cloud has one, some AVs have a local one, but the fact is that they use it in a transparent and intelligent (to reduce FPs) way, and many of them globally as a product get better results than EAM, so where is the so good and advanced BB from EAM? All the clues show that it is at best just another BB module running locally.

    3) I think you should change the default and still let the user decide if they want pop-ups, in case you don't predict any high rise of FPs outside the closed environment of the AVC test. If this is not an issue, I can't understand why.

    In summary, I was just expressing my opinion about the EAM BB after reading several times from a couple of forum members that it is the best thing in the world.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you EASTER, I appreciate that! Yeah, I agree, HIPS on XP was pretty cool ;).
     