BTW, I found this interesting paper, let me know what you think. https://labs.mwrinfosecurity.com/publications/a-behavioural-based-approach-to-ransomware-detection/
I think it's cool as well as generous that the developer made a decision to turn what was initially intended to address ransomware proper into nearly an all-in-one prevention machine! The way I see it is that the only thing that causes a disruption in its intended purpose(s) is good ole Micro itself throwing yet another monkey wrench into how these security programs can perform to their maximum. Happens every time unfortunately, but some developers are able to pierce through even that and reposition their software to retain rock solid protection against the baddies.
Going back to what I said about the ShieldFS, solutions based on a training set of data will have trouble with new techniques. They do really well against threats that exhibit what they trained against but generally don't do well with things that haven't been seen before. The other issue with behavioral approaches is that there are many ways for malware to accomplish an end state. For this particular solution, they don't mention the features they are looking at or how or at what level they monitor for them, but malware is always evolving and the solution's effective feature set today may not be tomorrow.
It's all good. Funny and odd how ransomware attacks (at least on a massive scale) have tapered off to a trickle lately. There are some sharp pencils in the Heilig Defense box apparently. I never assaulted a series of my machines with such confidence when applying RansomOff to ward them away. In fact I'm rather intrigued at how formidably it met a lot of challenges on this end.
Kind of. Policy Enforcement, as an option, has been removed but the things that PE covered have been rolled under HIPS-Lite. Some other existing settings, such as top-most detection and startup change detection, will also be moved under the HIPS control. It was a little disjointed before and with the addition of some new detections it made more sense to create the HIPS-Lite category and bring all these similar settings together.
Actually I would like to see expansion in AutoStart detection. All of the Startup managers that have alerts that I am familiar with look for registry changes in the same old tired places (HKLM\Software\Microsoft\Windows\CurrentVersion\Run). So if something gets plopped in there, no issue, we have an alert. Now a more elegant way to create a reg entry that will also result in Autostarting whatever but will avoid detection by the typical autostart app would be instead to create something in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Just about the only startup app that will detect such an entry (manually, and even then only kinda-sorta if the entry was parsed) is the original Autoruns; oddly enough all of the Autoruns knockoffs I've tried do not. Anyway, just a thought.
Hey M. Actually funny you mention this. We did expand the startup detection a bit for the upcoming release. While still not as comprehensive as Autoruns, we added some logic that should cover most everything regardless of where it's written. Currently, RO does look at HKLM and HKCU Run\RunOnce along with Services under HKLM as well as a few other esoteric spots. It also does file system startup detection by looking for Start Menu and scheduled task changes. But with the new 'Executable (scripts too!) Drop' detection, there should be pretty good coverage against new startup objects.
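As an added example that is not part of the thread and not RansomOff's code: a PowerShell baseline-and-diff check over the autostart locations the two posts above name (HKLM/HKCU Run and RunOnce, services under HKLM, Start Menu Startup folders, scheduled tasks). It assumes Windows PowerShell 5 on Windows 8 or newer (for the ScheduledTasks module), and the baseline file path is a placeholder.

```powershell
# Added example, not RansomOff's own code: snapshot the autostart locations named in the thread,
# keep a baseline, and on later runs report anything new or changed. Baseline path is a placeholder.
$BaselinePath = "$env:ProgramData\autostart-baseline.json"
function Get-AutostartSnapshot {
    $items = @{}
    # Registry Run / RunOnce for both the machine hive and the current user's hive (the HKCU case from the thread).
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                # The registry provider adds PS* metadata properties to every key object; skip those.
                if ($p.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { $items["$key\$($p.Name)"] = [string]$p.Value }
            }
        }
    }
    # Services: record the binary each service launches.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $items["Service\$($_.PSChildName)"] = [string]$img }
    }
    # File-system autostarts: per-user and all-users Start Menu Startup folders, keyed by content hash.
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $items["Startup\$($_.FullName)"] = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    }
    # Scheduled tasks: every action's executable and arguments.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) { $items["Task\$($task.TaskPath)$($task.TaskName)"] = "$($a.Execute) $($a.Arguments)" }
        }
    }
    return $items
}
function Compare-AutostartSnapshot($Baseline, $Current) {
    # Emit one line per entry that was absent from the baseline or whose target changed.
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) { "NEW      $k => $($Current[$k])" }
        elseif ($Baseline[$k] -ne $Current[$k]) { "CHANGED  $k => $($Current[$k])" }
    }
}
$current = Get-AutostartSnapshot
if (Test-Path $BaselinePath) {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }
    Compare-AutostartSnapshot $baseline $current
} else {
    $current | ConvertTo-Json | Set-Content $BaselinePath; "Baseline written to $BaselinePath"
}
```

Run it once to write the baseline, then schedule it or run it after installing software to see exactly which autostart entries appeared.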
Holy Cow. Just looked at the RansomOff 4 documentation. You guys have been busy beavers. Going to have to start playing.
Pete, I think I know your general view on some anti-ransomware ('You're already infected.'). But you may like RO for the Folder Protection alone, let alone all the other 'stuff'. I think Dave and HD have developed quite formidable multi-faceted protection here, and it can only get better. Great support too. Really looking forward to trying the latest version (with new UI), which is due shortly, maybe wait for that?
@HeiDef Is it possible to have a summary of all the features included in this SW? When it goes stable, do you plan to have a free version too or only a paid one? Thanks
@paulderdash I already have folder protection, Pumpernickel. @imuade Unless I am mistaken it already is free. My plan is to wait for the new version, and then get the VM running and give this puppy a go.
Yes I know, I use that also. But just saying the RO solution is elegant, more granular than Secure Folders for example.