RansomFree by Cybereason

Thanks for trying. But I'm concerned with my primary, and basically only, drive. I'll continue to use it as part of a layered approach to security as I don't have any other product specifically targeting ransomware, I'm not aware of any 100% foolproof software that people seem to be demanding of RF, at least nothing I'm willing to pay for.

So thanks again, even though I never asked that you test it, I just think it should be given a fair shot by whoever does test it.

Still curious that a competing security software company would have found it much more worthy, but maybe like Cybereason they don't know what they're doing either.

 

Not if it uses other methods along with honey pots. Good night!

 

Fair enough. I just tend to prefer user reviews by demonstration rather than word of mouth, however I will try softwares for myself and disregard others opinions on occasion and try them for myself.

 

This is another interesting approach, not exactly new though, it's called "Extension Whitelisting". But in theory it should be effective, especially if stuff like code-injection and process hollowing are also blocked:

https://www.matrixgp.com/ses-rde/
http://www.computerworld.com/article/3134604/security/can-you-really-stop-ransomware.html

 

FIDES has similar functionality, but without a GUI and less "features".
I can globally deny the read-access to files, and only specific applications have access to files or access to files with a specific extension.
"Unknown programs" don't have any access.
But nevertheless SES-RDe seems to be much more advanced.
It checks the checksum of allowed programs, prevents ransomware from injecting into trusted applications,etc.

And interesting is, it is able to block the raw-access to the data:

 

Quite interesting. This what I was looking for if you recall my comments in FIDES thread.

 

The $10 per seat pricing is for existing customers only. Like most endpoint products, suspect there are required minimum licensing purchase requirements. Also might not work standalone but as an add-on to their other security products such as hardware firewall, etc..

 

At least we know now that security products exist, which can block raw-access.
But it is only available for enterprises.

 

I believe Secure Folders could also do this, the problem is that it didn't monitor for code injection, and Win Explorer should normally be trusted, because otherwise it would become very annoying. I believe "raw-access" isn't a big deal, it has been monitored by HIPS for years with the "low level disk access" method.

Yes, obviously this product is geared to the corporate market, but it's the anti-ransom technique that I'm talking about. Tools like HMPA, AppCheck and RansomFree monitor the file system for rapid file modification, this the last stage of the attack. StormShield uses a more simple method, but just like with FIDES and Secure Folders, it will only work when code injection into trusted apps is monitored.

 

Some of us are quite content with our "cheap seats".

 

The problem is, if malware injects into explorer.exe, files can be encrypted. But this hole can be closed with additional software.

 

Again, I was trying to bring the "Extension White-listing" method to the attention, which isn't new. But in theory it should be quite effective, perhaps other tool developers can also implement this.

 

Recent RansomFree challenge video here... https://www.youtube.com/watch?v=mw-NSNJUZac

 

I would reserve the term "pathetic" for the ransomware protection. Your VM test shows the fuller extent of the software failure.

 

OK, so RF still doesn't protect multiple partitions? Quite concerning.

Yes correct. Not only direct code injection, but also process hollowing should be monitored.

 

https://www.helpnetsecurity.com/2017/02/13/ransomfree/

 

Now is working excellent....

 

The encrypted files were jpg?