Interesting AntiRansomware freeware

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2016.

  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Of course. I am sure things are FUNDAMENTALLY different, and stuff only got better since then. I wish I could be as naive again. Spent too much time in the industry to afford those luxuries I fear.

    I am not moving to a hacker. Just listed a few things how an employee can access data they aren't supposed to because your defence was essentially: "Oh, they do cloud securely!"

    There is a difference between don't or can't. All cloud records will contain information about the origin. It is simply necessary for tamper protection, so you can identify rogue clients submitting wrong data to your cloud, attempting to poison your data set, and drop all data associated with them. This will be the license key, some unique identifier that identifies your computer, your IP address, or a combination of that. You can use those identifiers to link the datasets. URLs, which almost every AV for some reason insists on processing "in the cloud", you visited may contain your name (Facebook, social media in general), email address or other personally identifiable information. Or just take the update data linking your IPs, license keys or unique identifiers to the person who paid for it.

    You argued people hate it. We ask what people hate. "Too many popups." doesn't show up. You don't have to believe that of course. I can't show you the data unfortunately.
    The survey itself is designed as an open survey with primarily freeform text boxes. We try not to lead people on. It's bad practice, as anyone working in surveys and statistics will attest to. You can essentially word a survey any way you want to get the result you want if you really wanted to.

    And when all fails, just go ad hominem. That always works! I am not a native speaker, no. But I think my English is decent enough. If you find mistakes, please point them out. Always eager to improve it.

    Okay. I am not sure how that fits with the rest of the narrative in your initial post ("The fact that is one of the few products that it BB still relies on pop-ups tells that their technology is less advanced than their competitors. The other BB decides between bad and good and play with FP, while EAM just show a pop up if anything looks suspicious that is an easy way to play."), but I just give you the benefit of the doubt. I already said that the biggest difference is just different defaults. You already said you can configure some systems to act more like EAM and EAM to act more like other AVs. That doesn't have much to do with technology. We do have the technology to change an INI file value to something else and change a setting. ;)

    I am not upset. You insisting otherwise doesn't change that.

    [Edit: Since people are getting annoyed with us, feel free to send me a PM if you are interested in continuing the dialogue. :) I may sound grumpy, but everyone knowing me knows it's more "German-ness" than grumpiness. I like conversations like these because I get to read opinions that aren't the usual "you are so great", which while certainly flattering, aren't exactly useful when it comes to improving one's product.]
     
  2. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You are correct. Petya and other MBR based ransomware can still cause trouble, though. Some of them don't check if the system is booted via BIOS or UEFI and will happily overwrite the first sectors anyway, damaging the GPT. You can recover from that, so it is not as bad as having your data encrypted, but it is still annoying.
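
    As an added illustration of the point above (my own example, not code from the thread, from Emsisoft or from any product mentioned here): a Python check that builds a small in-memory GPT disk image, verifies the protective MBR and both GPT headers (signature, header CRC32 and partition-table CRC32), then clobbers the first sectors the way an MBR-writing payload would on a disk it never inspected, and rebuilds the primary structures from the backup header at the end of the disk. The disk image, its 128-sector size and its GUID are constructed; the header layout follows the UEFI specification. Run it against a real disk only through a read-only dump (e.g. the first and last few MiB of the device) and let a proper tool such as gdisk do the actual repair.

```python
import struct
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"        # the 92-byte GPT header, little-endian
HDR_SIZE = struct.calcsize(HDR_FMT)    # 92
NUM_ENTRIES, ENTRY_SIZE = 128, 128     # minimum table size the UEFI spec requires
ENTRIES_SECTORS = NUM_ENTRIES * ENTRY_SIZE // SECTOR   # 32

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def make_header(current, backup, first_usable, last_usable, entries_lba, entries_crc, guid):
    fields = [b"EFI PART", 0x00010000, HDR_SIZE, 0, 0, current, backup,
              first_usable, last_usable, guid, entries_lba, NUM_ENTRIES, ENTRY_SIZE, entries_crc]
    fields[3] = crc32(struct.pack(HDR_FMT, *fields))   # header CRC is taken with its own field zeroed
    return struct.pack(HDR_FMT, *fields).ljust(SECTOR, b"\x00")

def make_protective_mbr(total_sectors):
    """LBA 0: no boot code, one type-0xEE partition covering the disk, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                               1, min(total_sectors - 1, 0xFFFFFFFF))
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def build_disk(total_sectors=128):
    """Constructed in-memory GPT disk: protective MBR, primary header + table, backup table + header."""
    img = bytearray(total_sectors * SECTOR)
    entries = bytes(NUM_ENTRIES * ENTRY_SIZE)      # an empty partition table is enough here
    ecrc, guid, last = crc32(entries), bytes(range(16)), total_sectors - 1   # constructed GUID
    backup_entries = last - ENTRIES_SECTORS          # 95 on a 128-sector disk
    first_usable, last_usable = 2 + ENTRIES_SECTORS, backup_entries - 1   # 34, 94
    img[0:SECTOR] = make_protective_mbr(total_sectors)
    img[SECTOR:2 * SECTOR] = make_header(1, last, first_usable, last_usable, 2, ecrc, guid)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[backup_entries * SECTOR:backup_entries * SECTOR + len(entries)] = entries
    img[last * SECTOR:(last + 1) * SECTOR] = make_header(last, 1, first_usable, last_usable,
                                                         backup_entries, ecrc, guid)
    return img

def parse_header(img, lba):
    """Return the header at `lba` as a dict if signature, header CRC and table CRC all verify, else None."""
    f = list(struct.unpack(HDR_FMT, bytes(img[lba * SECTOR:lba * SECTOR + HDR_SIZE])))
    if f[0] != b"EFI PART" or f[2] != HDR_SIZE:
        return None
    stored, f[3] = f[3], 0
    if crc32(struct.pack(HDR_FMT, *f)) != stored:
        return None
    table = bytes(img[f[10] * SECTOR:f[10] * SECTOR + f[11] * f[12]])
    if crc32(table) != f[13]:
        return None
    return {"current": f[5], "backup": f[6], "first_usable": f[7], "last_usable": f[8],
            "guid": f[9], "entries_lba": f[10], "entries": table}

def check_disk(img):
    """Defender-side integrity check: which of the three protective structures still validate."""
    total = len(img) // SECTOR
    mbr_ok = img[510:512] == b"\x55\xaa" and img[450] == 0xEE
    primary, backup = parse_header(img, 1), parse_header(img, total - 1)
    return {"mbr_ok": mbr_ok, "primary_ok": primary is not None, "backup_ok": backup is not None,
            "recoverable": primary is None and backup is not None}

def damage_first_sectors(img, n_sectors):
    """Test helper only: clobber the first n sectors of the constructed image with a junk pattern,
    which is the effect an MBR-writing payload has on a GPT disk when it never checks the layout."""
    img[0:n_sectors * SECTOR] = b"\xaa" * (n_sectors * SECTOR)

def restore_primary_from_backup(img):
    """Rebuild protective MBR, primary header and primary table from the backup copies at the disk end."""
    total = len(img) // SECTOR
    backup = parse_header(img, total - 1)
    if backup is None:
        raise ValueError("backup GPT header is damaged too; nothing to recover from")
    table = backup["entries"]
    img[0:SECTOR] = make_protective_mbr(total)
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    img[SECTOR:2 * SECTOR] = make_header(1, total - 1, backup["first_usable"], backup["last_usable"],
                                         2, crc32(table), backup["guid"])

if __name__ == "__main__":
    disk = build_disk()
    print("fresh:          ", check_disk(disk))
    damage_first_sectors(disk, 34)          # MBR, primary header and primary table gone
    print("after overwrite:", check_disk(disk))
    restore_primary_from_backup(disk)
    print("after restore:  ", check_disk(disk))
```

    The recoverability comes from the UEFI layout itself: the backup header and table live in the last sectors, far from the first sectors an MBR-targeting payload writes, so as long as `check_disk` reports `backup_ok`, the primary structures can be rebuilt. Note what the check does not cover: the boot code in LBA 0 is not restored (the protective MBR is rewritten without one), and a payload that also encrypts the file system, as Petya's later stages do, is outside what this header check can see.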
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Maybe I'm kind of stupid or something, but wasn't this thread about these two AntiRansomware freewares?
    - MBRFilter
    - AppCheck AntiRansomware

    Just saying as this thread has gone FAR beyond off-topic, imo.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Mr. X, I agree. I think these people should take their conversation private.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I know it's a dead horse now, but yes indeed, that BB had quite the potential as a supplement to my safety systems and worked great!

    As you point out the system impact was tiny but boy could it ever jump up and snatch bad behavior files in a flash!
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's drop the BB discussion. The thread is about two programs, neither of which has BB involved.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Pete... hopefully it will be okay to post the results from the possible VS bypass... have you finished testing yet? Thank you!
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    We can take it to the VS thread, but no bypass so far.
     
  9. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,936
    Location:
    UK
    Post removed.

    In fact any more off topic posts regarding discussion of Emsisoft BB will be removed too.

    Take it to PMs.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    But you do generally use NVT ERP and HMPA as well right?
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
  12. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    131
    Location:
    Spain
    One question though, can they be combined with MBAE? Or better to use one or another?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes but when I tested Appcheck, HMPA wasn't active as it could interfere. NVT ERP doesn't so I leave it on.
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Cyrano- AppCheck is sort of unique as it is actually specific for the encryption process; so I would be surprised if any combo would be an issue.
     
  15. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    131
    Location:
    Spain
    OK, thanks :).
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I also think a small standalone app that is specifically designed to tackle ransomware comes in very handy. Especially because most HIPS/behavior blockers are not effective when it comes to stopping ransomware. Same goes for a lot of AVs.

    Perhaps you can answer my question about the BB in the EIS thread, that I'm about to ask. I'm posting this because I already asked for info in the RansomFree thread, but you never responded.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In regards to stand-alone ransomware detection, below is an excerpt from a MalwareTech article. This article was written to comment on the dangers of open source ransomware e.g. ShinoLocker. That is, ransomware developed for "educational" or test purposes. Of note in the excerpt is that ransomware is still in "its infancy" so to speak and will evolve in the near future, given its profitability, into far more sophisticated infection methods:

    People don’t seem to realise ransomware is not an anomaly when it comes to functionality, it uses features like: encryption (SSL, PGP, EFS, bitlocker) and file I/O (every software ever). Detecting ransomware is not about detecting file encryption or mass file modification, it’s about differentiating between legitimate and malicious software, which as it happens is very tricky and there are a lot of edge cases. Not only is there no silver bullet for AVs to stop ransomware (pretty much any idea you can come up with, a malware developer will be able to pick apart in less than 30 seconds), but ransomware is constantly evolving. It’s not like we face the same malware today that we faced in the 80s and antivirus experts have just been sat around smoking weed the whole time, malware is constantly evolving to out manoeuvre antivirus/anti-malware measures and has been for many decades.

    If we look at security measures implemented in the past 16 years to combat rootkits, we’ve got:

    Driver signature enforcement (DSE) – disables the loading of unsigned kernel drivers
    Kernel Patch Protection (KPP) – stops modification to certain kernel areas used by rootkits to hide
    Secure Boot – prevents rootkits modifying the bootloader to bypass KPP and DSE.

    The above are the reason we very rarely see kernel rootkits for more modern Windows operating systems; but ransomware doesn’t need to modify code in ring 0, it doesn’t need to modify the bootloader, nor does it need to persist in the kernel. Since file encryption based ransomware became popular (only in the past few years), proactive defense is essentially back at square one, in fact half of the reason why ransomware is so popular is because it’s not stopped by existing anti-malware defences which have been hardened for decades. Assuming an antivirus vendor was to come up with a technology which stopped 100% of all ransomware, what’s to stop someone writing ransomware which enters the kernel and does direct disk I/O to bypass the filesystem filter? Due to the fact ransomware only needs to operate in the kernel long enough to encrypt files, KPP and SecureBoot are useless, all that’s needed is a DSE bypass (which is very easy on pre-Windows 10 platforms). The only reason we don’t see kernel mode ransomware is because currently there’s enough people without antiviruses to make even the most basic ransomware profitable and such time investments non-worthwhile; but, as anti-ransomware spreads and evolves, ransomware will evolve too. It’s also important to note that a lot of the ransomware infections are home users who are not running antiviruses, so ensuring more of them get infected with ransomware because you believe antiviruses are ineffective is a pretty stupid game plan.


    Ref.: https://www.malwaretech.com/2016/12/open-source-ransomware.html
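
    To make the excerpt's point concrete (that the hard part is telling legitimate from malicious software, not spotting encryption), here is an added example of my own; it is not from the MalwareTech article, from itman's post, or from AppCheck or any other product, and its indicators and thresholds are constructed for illustration. It scores one process's file activity, given as a list of constructed `(op, path, payload)` events, on four behavioural indicators and then runs three constructed scenarios through it. The ransomware-like process scores high, an archiver writing one compressed file scores zero, and a user encrypting their own documents with a PGP tool and removing the plaintexts scores nearly as high as the ransomware: exactly the edge case the article describes. No real files are touched.

```python
import math
import os
import random

HIGH_ENTROPY = 7.5      # bits/byte; compressed or encrypted output sits near 8.0
ALERT_THRESHOLD = 4     # constructed cut-off for this example

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_process(events):
    """Heuristic score for one process's file activity.

    events: list of (op, path, payload), op in {"write", "delete"}; payload is the
    written bytes (b"" for a delete). The indicators below are constructed for this
    example and are not any product's real detection logic."""
    writes = [(p, d) for op, p, d in events if op == "write"]
    deletes = [p for op, p, _ in events if op == "delete"]
    score, reasons = 0, []

    # 1. most of what the process writes looks encrypted or compressed
    if len(writes) >= 5:
        high = sum(1 for _, d in writes if shannon_entropy(d) >= HIGH_ENTROPY)
        if high / len(writes) >= 0.6:
            score += 2
            reasons.append(f"{high}/{len(writes)} writes are high-entropy")

    # 2. originals vanish after a sibling with an extra extension appears
    written = {p for p, _ in writes}
    replaced = [p for p in deletes if any(w.startswith(p + ".") for w in written)]
    if len(replaced) >= 5:
        score += 2
        reasons.append(f"{len(replaced)} originals deleted after a re-extensioned copy was written")

    # 3. activity fans out over several directories
    dirs = {os.path.dirname(p) for p, _ in writes}
    if len(dirs) >= 3:
        score += 1
        reasons.append(f"touched {len(dirs)} directories")

    # 4. the same readable (low-entropy) file dropped into many directories: note pattern
    spread = {}
    for p, d in writes:
        if shannon_entropy(d) < HIGH_ENTROPY:
            spread.setdefault(os.path.basename(p), set()).add(os.path.dirname(p))
    if spread:
        name, hit = max(spread.items(), key=lambda kv: len(kv[1]))
        if len(hit) >= 3:
            score += 1
            reasons.append(f"'{name}' written into {len(hit)} directories")

    return {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}

# --- constructed sample activity (no real files are touched) ---------------
_rng = random.Random(2017)   # seeded so the sample blobs are reproducible

def _opaque_blob(n=4096):
    """Stand-in for ciphertext or compressed data: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

DIRS = ["/home/alice/docs", "/home/alice/photos", "/home/alice/taxes"]
DOCS = [f"{d}/{f}" for d in DIRS for f in ("a.docx", "b.xlsx")]
NOTE = b"Quarterly figures, nothing unusual here.\n" * 100   # low-entropy text

def ransomware_like():
    ev = []
    for p in DOCS:
        ev.append(("write", p + ".locked", _opaque_blob()))
        ev.append(("delete", p, b""))
    for d in DIRS:
        ev.append(("write", f"{d}/README_DECRYPT.txt", NOTE))
    return ev

def archiver_like():
    # one compressed archive written next to the untouched originals
    return [("write", "/home/alice/backup/2017-01.zip", _opaque_blob())]

def user_gpg_batch():
    # a user encrypting their own files and removing the plaintexts: same shape as ransomware
    ev = []
    for p in DOCS:
        ev.append(("write", p + ".gpg", _opaque_blob()))
        ev.append(("delete", p, b""))
    return ev

if __name__ == "__main__":
    for name, fn in [("ransomware-like", ransomware_like),
                     ("archiver", archiver_like), ("user gpg batch", user_gpg_batch)]:
        print(name, score_process(fn()))
```

    The only indicator separating the user's PGP batch from the ransomware here is the note dropped into every folder, and an author who skips the note, or writes it once on the desktop, removes that signal. That is the practical meaning of "no silver bullet": every threshold in this scorer can be tuned down until the archiver is caught or up until the ransomware is missed, and what a product like AppCheck adds on top of such heuristics (reverting the files it let through) matters as much as the scoring itself.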
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I have HMPA on my main machine, but I guess this combo (MBRFilter and AppCheck) is otherwise a good free alternative (for the HMPA CryptoGuard component anyway).

    Edit: I suspect HMPA CryptoGuard is more around prevention than post-execution damage control though.
     
    Last edited: Jan 9, 2017
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Why do you need them? Appcheck free doesn't protect the MBR, and HMPA does a fine job of doing so.
     
  20. The 'why do you need them' question, coming from you, the man who has most bases covered double or triple, made me chuckle ;)

    Paul mentions the combo as a FREE ALTERNATIVE to HMPA CryptoGuard, and MBRfilter protects the MBR.
     
    Last edited by a moderator: Jan 9, 2017
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Alternatives are fine, if they are reliable. I've not tried MBRfilter, but I have tried Appcheck, and it failed.
     
  22. In Cruel Sister's test, AppCheck really does a nice job protecting data (even in your test it stopped the ransomware destroying your data), and her test also shows that AppCheck has issues (she lost 17 files in a test). That is why I explained in post 20 that this freeware combo should be used as a second layer for data damage control.

    HMPA has failed in the past to protect data against ransomware. Why do you advertise HMPA and attack the combo MBRfilter + AppCheck?
     
    Last edited by a moderator: Jan 9, 2017
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Kees

    So we have differing opinions. But at its heart, I am not comfortable with your approach to security and you don't like mine. That's okay, we both post and let the user decide.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Peter- About the failure- are you talking about that CTBlocker file? That error message from DCOM SPL was just the unusual way the coder chose to have the computer reboot; it also allowed something to be added to Task Scheduler for the malware persistence. But there was not any file encryption involved in it on first run, and encryption was also stopped on reboot at Startup.

    It is really important to note that AppCheck is close to a pure anti-ransomware product that does not rely on definitions. The upside here is it really should not interfere with other products and should not generate FPs. The downside is that it is blind to non-encryption routines, as was demonstrated in my video with the final sample which trashes explorer.exe (for God knows what purpose).
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Hence, based on the premise that AppCheck is a pure anti-ransomware product, it did its job successfully by preventing/reverting file encryption.
     