AppCheck by CheckMal

Discussion in 'other anti-malware software' started by Mr.X, Jan 16, 2017.

  1. guest

    guest Guest

    AppCheck v2.4.8.1 Released (06 Feb. 2018)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  2. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    There is my problem... The folder Backup(AppCheck) is full of randomly ?? chosen files/folders.
    You delete some, one minute after > other files/folders. It can be some firefox settings (less than one meg) or all my .pst files (=mails) : 4 gig!
    Moreover this folder is present on 2 different partitions and one external drive..
    Does anybody understand that ?!
    Thanks.
     
    Last edited: Feb 8, 2018
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    These are real protected folders, neither folders nor files can be deleted until protection is disabled. Folders are created on each partition of the HDD.
    I think that folders are not created, you can specify a non-existent network path.
     
  4. guest

    guest Guest

    The "Ransomware Protection Shelter" is responsible for copying of files (files which are about to be changed/modified) to the folder: "Backup(AppCheck)"
    Files with such an extension (this also includes .pst):
    Code:
    7z,ai,bmp,cer,crt,csv,der,doc,docx,dwg,eps,gif,hwp,jbw,jpeg,jpg,jtd,key,lic,lnk,mp3,nc,ods,odt,ogg,one,ost,p12,p7b,p7c,pdf,pef,pem,pfx,png,ppt,pptx,psd,pst,ptx,rdp,rtf,srw,tap,tif,tiff,txt,uti,x3f,xls,xlsx,xps,zip
    You can expect this folder on each drive/partition, as soon as files are modified on each partition.

    The good thing is if Ransomware has encrypted files, AppCheck is able to restore files from this folder.
    The "disadvantage" is, files can be expected in this folder even if the user is modifying files or files are modified by legitimate applications.

    Options - Ransom Guard - "Delete files in Ransom Shelter [7] days old"
    To mitigate a growing folder, the option can be set to "1". Now AppCheck is regularly cleaning files older than 1 day.

    Or:
    To disable backing up of files to the Backup(AppCheck) folder, the following option can be unticked: "Use Ransomware Protective Shelter"
    One security layer is now disabled but AppCheck is still protecting you, and (after you have deleted the folder Backup(AppCheck)) it shouldn't be created anymore.
    "Auto Backup" is a feature of the paid version (folder: AutoBackup(AppCheck)) and doesn't affect the functionality of the Ransom Shelter which is copying files to the folder: "Backup(AppCheck)"
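
Added example, not part of the thread and not CheckMal's code: a Python sketch that sizes the behaviour described in the post above, by totalling recently modified files of the listed extensions (what the shelter has reason to copy) and measuring an existing Backup(AppCheck) folder against the retention setting. Assumptions: one copy per modified file, shelter copies are readable and aged by their modification time; the function names are hypothetical.

```python
import os
import sys
import time
from collections import defaultdict

# Extension list as quoted in the post above; folder name as used in the thread.
PROTECTED = set(
    "7z,ai,bmp,cer,crt,csv,der,doc,docx,dwg,eps,gif,hwp,jbw,jpeg,jpg,jtd,key,"
    "lic,lnk,mp3,nc,ods,odt,ogg,one,ost,p12,p7b,p7c,pdf,pef,pem,pfx,png,ppt,"
    "pptx,psd,pst,ptx,rdp,rtf,srw,tap,tif,tiff,txt,uti,x3f,xls,xlsx,xps,zip".split(","))
SHELTER = "Backup(AppCheck)"

def _files(root, skip=None):
    """Yield (path, stat) for every readable file under root, skipping dirs named `skip`."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.stat(path)
            except OSError:
                continue  # locked or protected file: leave it out of the totals

def shelter_candidates(data_root, retention_days=7, now=None):
    """Per-extension [count, bytes] of protected-type files modified inside the retention window."""
    cutoff = (time.time() if now is None else now) - retention_days * 86400
    totals = defaultdict(lambda: [0, 0])
    for path, st in _files(data_root, skip=SHELTER):
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext in PROTECTED and st.st_mtime >= cutoff:
            totals[ext][0] += 1
            totals[ext][1] += st.st_size
    return dict(totals)

def shelter_usage(drive_root, retention_days=7, now=None):
    """(total_bytes, stale_bytes) for drive_root/Backup(AppCheck); stale = older than retention."""
    cutoff = (time.time() if now is None else now) - retention_days * 86400
    total = stale = 0
    for _, st in _files(os.path.join(drive_root, SHELTER)):  # assumption: copies are readable
        total += st.st_size
        if st.st_mtime < cutoff:
            stale += st.st_size
    return total, stale

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("shelter (total, stale) bytes:", shelter_usage(root))
    for ext, (n, size) in sorted(shelter_candidates(root).items(), key=lambda kv: -kv[1][1]):
        print(f"{ext:5} {n:6} files {size / 2**20:10.1f} MiB")
```

Run it with a drive or folder path as the only argument; a large mail archive that changes daily shows up at the top of the per-extension list.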
     
  5. guest

    guest Guest

    FYI: The dll's responsible for the Exploit Guard feature (AppCheck.dll / AppCheck64.dll) are now copied to the Windows folder (they were previously installed into c:\Program Files\CheckMAL\AppCheck\)

    AppCheck v2.4.9.1
    Released (07 Feb. 2018)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
    I guess at the moment they are focusing solely on the new Exploit Guard feature :)
     
  6. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    Thanks for your detailed and extensive answer.
    I am going to untick the 'shelter'.
    edit : Trying a little bit everything, I have -not on purpose- installed Appcheck and Cybereason (ransomfree) on the same virtual machine. Without problem.
     
    Last edited: Feb 7, 2018
  7. guest

    guest Guest

    You're welcome :)

    Exploit Guard is not a beta anymore and is enabled by default (for first time installations):
    AppCheck v2.4.10.1 Released (08 Feb. 2018)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  8. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    ?! Really?
    For RansomFree by Cybereason it is clear: first you are infected, then the detection. You can expect the corruption of 'some' files.
    CryptoPrevent prevents > no infection at all (hmm.)
    But Appcheck? How does it behave??
     
    Last edited: Feb 8, 2018
  9. guest

    guest Guest

    If AppCheck detects that files are being encrypted in a malicious way, it is terminating the process and is then restoring files from the Ransom Shelter.
    The free version doesn't remove Ransomware from the hard disk after the detection:

    "Automatically remove ransomware after the detection: Enable to automatically remediate(delete) ransomware after the detection. This feature is only available for AppCheck Pro."
     
  10. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    Well..
    AppCheck free, without Protective Shelter (because I've unticked the feature):
    -detects a ransomware after some damage has been done,
    -gives a warning indicating the name of the ransomware .exe file,
    - and has the feature 'exploit guard'.
    Am I approximately right?
    Thks....
     
  11. guest

    guest Guest

    Yes, "some damage". It is kind of "reactive" and will terminate Ransomware after damage has been done.
    This can be seen in all videos, but in the end all files are restored successfully.

    With Exploit Guard it gets a proactive feature and can intervene earlier (if the attack is initiated by a protected application)
     
  12. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    are restored with the so-called Protective Shelter, am I right?
    Thks
     
  13. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    In Win10 virtual I have put Wannacry. Both softs are present: AppCheck and RansomFree.
    RansomFree was the first to react! Two seconds later, AppCheck.
    Actually I was afraid to get a sort of 'deadlock' (=same file [the ransomware] accessed -nearly- simultaneously by 2 processes). But no, no problem...
     
  14. guest

    guest Guest

    Correct :)
     
  15. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    Thks
    Ok, I am going to install AppCheck and RansomFree on my 'real' Windows....
    We shall see the result..LOL
     
  16. guest

    guest Guest

    [Notice] AppCheck 2.4.10.1 Update - Exploit Guard Official Release
    February 09, 2018
    https://www.checkmal.com/page/support/notice/?detail=read&idx=839
     
  17. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    System perfectly smooth..
    Then a good idea is to perform a disk image.
    Open the proggy, usual settings for the image > run >one millisecond : BSOD
    Hmmmm..
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Which imaging program?

    I have AppCheck (not RansomFree) and images run without issue, but I do have MBR Protection unchecked, as that is covered by HmP.A.

    Try again with that option unchecked?
     
  19. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    -Good idea...Because it is a good idea (!) and because my imaging prog (Image for Windows, not using VSS) always backs up the first track. But, well, it is just reading data, not modifying...
    -I've immediately uninstalled Appcheck. Without Appcheck and with Ransomfree>>Imaging was OK
    -What is HmP.A ??
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    HitmanPro.Alert by SurfRight.

    Did IFW not work with AppCheck still installed and MBR Protection unchecked?
     
  21. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    I hate BSOD's....I stay for the moment with a stable system and I'll try within a few days!
     
  22. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Checked Macrium Reflect v7 + AppCheck with MBR Protection ON, all OK.
     
  23. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    Could you add Ransomfree and see whether you can still image easily?
     
  24. guest

    guest Guest

    If it now fails then it is not because of AppCheck but because of running two Ransomware defenses at the same time.

    a) Only RansomFree is installed = OK
    b) AppCheck + Ransomfree = BSOD (while imaging) - (Appcheck MBR protection is disabled = OK)
    c) Only AppCheck is installed = (?)

    Try to verify c)
    If c) doesn't fail (no BSOD while imaging) then only one program should be installed, not both at the same time.
     
    Last edited by a moderator: Feb 10, 2018
  25. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    162
    Location:
    Belgium
    The 2 apps work in different ways, I think. Ransomfree waits patiently for an attack on the traps it has put on the drives. Then it starts reacting. Appcheck? It is different (though I do not know exactly how). That is why I think/thought that both apps can (could) coexist on the same machine.
    Anyway: now I have both installed, and Appcheck MBR protection is disabled. IFW has worked flawlessly.
    We shall see whether this peaceful coexistence persists....
     