AppCheck by CheckMal

Discussion in 'other anti-malware software' started by Mr.X, Jan 16, 2017.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Glad I saw this discussion!

    1). An issue that was found in the previous build has been resolved in the current one. This really wasn't that much of an issue anyway as it concerned a ransomware strain modified by yours truly, and even so the problem was not encryption but more of a system trashing on remediation. But as I said all is smooth sailing now.

    2). Mood- when testing AC I do use a license precisely due to the lack of MBR/MFT protection that you note.
     
  2. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Thanks CS for the heads up :thumb:
     
  3. guest

    guest Guest

    Ok, good to know :thumb:
     
  4. guest

    guest Guest

    AppCheck v2.1.9.1 Released (2 Nov. 2017)
    Website
    Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  5. guest

    guest Guest

    AppCheck v2.1.10.1 Released (4 Nov. 2017)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Totally forgot about this, so it won't protect against ransomware that is trying to modify the MBR. Will perhaps try to combine it with RansomFree, not that I'm a high risk user or anything. :D
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Mind you, @mood said MBR protection is missing when using FREE version. As soon as you switch to PRO, MBR is protected. You can still disable it manually though.
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Does AC auto update to new version, or do you have to find out about a new version yourself?
     
  9. guest

    guest Guest

    You are using a HIPS, and it should be able to protect against modifications of the MBR ("low-level disk access")
    Btw.: RansomFree is also protecting the MBR (Edit: #390: Are you SURE about that (hint)? / #349: I guess we'll have to see this weekend...)
    Edit 2: The new version of AppCheck is able to protect the MBR
    The free version of AppCheck should update itself automatically
    "AppCheck Options - General - [X] Use Auto Update". But I'm not sure in what interval it is checking for updates.
    Updates for AppCheck Pro are delayed by 24 hours:
     
    Last edited by a moderator: Nov 8, 2017
  10. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,940
    Location:
    UK
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Are you SURE about that (hint)?

    Also about the new version of AppCheck- note that AutoBackup is still part of the Paid and not the Free version. This is of EXTREME IMPORTANCE as the innate mechanistic detection of AppCheck still does not fly to the same heights as something like RansomOff.
     
    Last edited: Nov 8, 2017
  12. guest

    guest Guest

    #389
    Nice, with AppCheck v2.2.0.1 they have added protection of the MBR
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I have auto update but still waiting for the 2.2 update to get here.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I have Network Drive Protection disabled on two machines. Both machines networked and sharing folders.

    Are those network shares still protected?
     
  16. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I am still waiting for V2.2 to auto update.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    If you get impatient, just download and install over the top. :)
     
  18. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I added my pictures for auto backup but it does not seem to be working according to the event log.
     
  19. guest

    guest Guest

    AppCheck v2.2.1.2 Released (10 Nov. 2017)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, but some extra protection would be nice, and now it has been added to the freeware version luckily. BTW, perhaps you have already answered this, but I still don't get what the "Protective Shelter" and "File Destruction Behavior Detection" options are for? Why would they give an option to turn them off, and what benefit does it give?
     
  21. guest

    guest Guest

    Protective Shelter
    If enabled, files which are about to be modified or before they will be "damaged" from Ransomware will be copied to the Backup(AppCheck) folder. Files in this folder are protected from modification else Ransomware could easily encrypt these files too :)

    It is an additional protection layer, but if you don't want this protection because AppCheck is sometimes copying files to this folder and it slowly fills up the partition it can be disabled.
    (or change this option: "Delete files in Ransom Shelter [7] days old" and select a lower value)

    But after disabling the Protective Shelter, AppCheck isn't utilizing the folder Backup(AppCheck) for automatic recovery anymore.
    File Destruction Behavior Detection
    This could be somehow related to the "CARB"-engine. If enabled, it will monitor "File Destruction activity".
    I'm not sure what would happen if this option is disabled, but I think it is still protecting but without monitoring of specific "file destructions attacks".
     
  22. guest

    guest Guest

    AppCheck v2.2.2.1 Released (14 Nov. 2017)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the info. I think these settings are a bit confusing, if it's really important for protection, then you shouldn't be able to disable it. After enabling it, I haven't noticed any extra CPU or drive usage. And apparently "Protective Shelter" is not tied to auto-backup? Very unclear if it's a must have feature. For example, HMPA will always auto-recover modified files.
     
  24. guest

    guest Guest

    Just leave it all enabled and you are fully protected :)

    I'm sure that if you disable the Protective Shelter, it can happen that files cannot be restored.
    For example:
    The ransomware itself will be terminated but what about the files which were encrypted before the ransomware was terminated by AppCheck? There is no backup in the Protective Shelter to restore these files :cautious:
    If you are using the Pro version with the Auto Backup feature you still have access to a backup (only if the affected folder has been previously added to the Backup sources), but not in the free version with a disabled Protective Shelter.

    Auto-Backup is a dedicated Pro-feature and is not related to the Protective Shelter.
    Auto Backup = folder <AutoBackup(AppCheck)>
    Ransomware Protective Shelter = folder <Backup (AppCheck)>
    And clicking on "Empty Ransom Shelter" is deleting files in the Protective Shelter, the folder <AutoBackup(AppCheck)> is unaffected.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    @mood

    I already knew all this, but thanks for putting it in an easier way, as usual. :thumb:
     