WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. A lifetime license for 5 PCs (ending August 1) for under $25 is a good deal (when you buy and quit you will get a 20% discount offer), considering it brings most of the advantages of Windows Pro to your PC, without the need or knowledge for tweaking Security Policies. On top of that it has a protected folders feature where you can put important documents (and pictures). A benefit of this nice program is that it has a protectress (Cruel Sister) who tests this nifty program quite intensively, so if you would consider buying it, hurry; the deal ends on August first.
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I installed NOD32 the other day and the computer won't shut down either. nightwalker? Did you think it is a problem with WAR & ESET? I think when I tried to uninstall it, that failed too for some reason.
     
  3. beastman

    beastman Registered Member

    Joined:
    Jan 5, 2010
    Posts:
    10
    Anyone?
     
  4. haakon

    haakon Guest

    You have answered your own question.
     
  5. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    176
    If you believe Microsoft, fine; I sure don't. I've seen and have had to fix too many computers that depend on Defender as their only line of defence.
     
  6. beastman

    beastman Registered Member

    Joined:
    Jan 5, 2010
    Posts:
    10
    I don't use Defender for obvious reasons, but the point is, if even Microsoft's AV is supposedly preventing Petya, Cerber, ZCryptor.A, Locky.A etc., what about the better AVs? I use Kaspersky and not surprisingly they state their AV covers those I mentioned and I guess several more. I'm just wondering, for those people on here who are presumably much more security aware than the average person and hopefully less prone to doing something they shouldn't in terms of getting a bad virus, do they really need a specific anti-ransomware app?
     
  7. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    I think the point is that whilst many AVs may detect and then remove ransomware, the question you need to ask is WHEN they detect it. Once file encryption has started, even if your AV stops the ransomware and then removes it, you will still have some encrypted files.

    Anti-ransomware programs like this one claim to be pro-active and prevent attacks before any damage has been done.

    I do agree with your last point, that Wilders users who are obviously far more security aware than the average user are a) far more likely to have heard of programs like these and b) far less likely to need them because they use their computers sensibly!
     
  8. beastman

    beastman Registered Member

    Joined:
    Jan 5, 2010
    Posts:
    10
    Is that really correct? Surely when an AV claims protection it means full protection, not partial? Also they don't claim to fix the problem post-payload, as surely the damage is already done? This is a quote from Kaspersky re Petya:

    The best way is to protect yourself proactively using a good security solution. Kaspersky Internet Security won't let the spam emails through, so you probably won't even see the email containing the link to Petya. Even if Petya somehow sneaks in, it would be detected as Trojan-Ransom.Win32.Petr and Kaspersky Internet Security would block all its activities. And so would all our other anti-virus solutions.
     
  9. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Well, I guess you can believe all the AV advertising hype if you wish, but the Kaspersky quote does not say WHEN it would block all of Petya's activities.

    You may wish to check out some of Cruel Sister's excellent videos on this topic if you haven't already done so.
     
  10. scorpionv

    scorpionv Registered Member

    Joined:
    Jan 28, 2016
    Posts:
    33
    Thanks a lot guys, got my license just in time!
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    For a person who relies on traditional (definition based) AV protection, adding something that supplements this security solution is very wise. The reason for this is readily apparent once you consider that in addition to knowing that a definition is in place, we also really need to know what the Time-to-detection (T2D) for this particular malware was.

    Let's consider the link that Beastman has given us for the detection of Petya by Microsoft: Note that their initial alert was from 3-28-16. But when did Petya first get detected by anything? 3-23-16. So for a period of 5 days a person using Microsoft was susceptible to this particular malware. Obviously a third party application not dependent on definitions (like WAR) would have been of use during this time period.

    And if you will allow some further musings on T2D, one of the first things that one learns at Blackhat U. is that it should be assumed that malware given wide distribution will have its first detection at 8 hours (note that it can be months or years for targeted malware, or for finely crafted, small footprint stuff like RATs, to be detected). So a proper measure of the efficacy of any AV should also include a time parameter in addition to the presence of a definition to stop the malware. For instance, a major AV test site may have products A, B, and C all listed at 100%; but an additional T2D breakdown may have product A at 100% at 8 hours, whereas products B and C may only be 100% at 24 hours. Of course you will never see such testing, as it would be quite difficult, and testing organizations tend to try to impress with the number of samples instead of the quality of the results.

    To conclude: if you are among those who feel the T2D lag is of no consequence, then keep using the AV only. But if you are concerned, at the very least the addition of a T2D agnostic security application should be given serious thought.
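The T2D breakdown cruelsister describes above, worked through as an added example (not code from the thread, from Ruiware, or from any test site): products A, B and C and their detection timestamps are constructed so that all three reach 100% eventually, but only A reaches 100% inside 8 hours. The Petya dates (first detected 3-23-16, Microsoft alert 3-28-16) are taken from the post; everything else is assumed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample set (illustrative, not real telemetry): when each sample
# was first seen anywhere, and when each hypothetical product first had a
# definition that caught it. A missing entry means "never detected".
FIRST_SEEN = {
    "sample-1": datetime(2016, 3, 23, 9, 0),
    "sample-2": datetime(2016, 3, 23, 15, 30),
    "sample-3": datetime(2016, 3, 24, 2, 0),
    "sample-4": datetime(2016, 3, 24, 11, 45),
}

DETECTIONS = {
    "A": {  # everything caught within 8 hours
        "sample-1": datetime(2016, 3, 23, 12, 0),    # 3h
        "sample-2": datetime(2016, 3, 23, 22, 0),    # 6.5h
        "sample-3": datetime(2016, 3, 24, 6, 0),     # 4h
        "sample-4": datetime(2016, 3, 24, 19, 0),    # 7.25h
    },
    "B": {  # half within 8 hours, the rest inside a day
        "sample-1": datetime(2016, 3, 23, 11, 0),    # 2h
        "sample-2": datetime(2016, 3, 24, 11, 30),   # 20h
        "sample-3": datetime(2016, 3, 24, 4, 0),     # 2h
        "sample-4": datetime(2016, 3, 25, 7, 45),    # 20h
    },
    "C": {  # one within 8 hours, the rest just under a day
        "sample-1": datetime(2016, 3, 24, 8, 0),     # 23h
        "sample-2": datetime(2016, 3, 23, 19, 30),   # 4h
        "sample-3": datetime(2016, 3, 25, 1, 0),     # 23h
        "sample-4": datetime(2016, 3, 25, 10, 45),   # 23h
    },
}

# Dates quoted in the post for Petya: first detection by anything vs the
# Microsoft alert. Day granularity only, as given there.
PETYA_FIRST_DETECTED = datetime(2016, 3, 23)
MICROSOFT_PETYA_ALERT = datetime(2016, 3, 28)


def hours_to_detection(first_seen, detected):
    """T2D in hours; a product that never caught the sample gets infinity."""
    if detected is None:
        return float("inf")
    return (detected - first_seen) / timedelta(hours=1)


def t2d_breakdown(first_seen, detections, horizons_hours=(8, 24)):
    """Per product: fraction of samples detected within each horizon, plus the
    horizon-free 'final' rate that a plain definition-present test reports."""
    report = {}
    for product, seen in detections.items():
        t2d = {s: hours_to_detection(t0, seen.get(s)) for s, t0 in first_seen.items()}
        row = {h: sum(1 for v in t2d.values() if v <= h) / len(t2d)
               for h in horizons_hours}
        row["final"] = sum(1 for v in t2d.values() if v != float("inf")) / len(t2d)
        report[product] = row
    return report


def exposure_window_hours(first_seen, vendor_alert):
    """Hours between the first public sighting and a vendor's own alert,
    i.e. how long users of that vendor were exposed without a definition."""
    return (vendor_alert - first_seen) / timedelta(hours=1)


if __name__ == "__main__":
    for product, row in t2d_breakdown(FIRST_SEEN, DETECTIONS).items():
        print(product, {k: f"{v:.0%}" for k, v in row.items()})
    print("Petya exposure window for Microsoft users:",
          exposure_window_hours(PETYA_FIRST_DETECTED, MICROSOFT_PETYA_ALERT), "hours")
```

The "final" column is what a headline 100% score shows; the 8-hour column is where A separates from B and C, which is the point the post makes about a time parameter.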
     
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Cruelsister, have you ever run testing on a hardened system that uses no third party security software? As you seem to primarily test third party security software only.

    e.g. a locked down applocker/srp limited user account system, UAC set to max, and dll injection blocked by the OS settings, as well as EFS disabled in the OS.
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    No I haven't. Such a setup, aside from being too complex for most to initiate, would have to be tested over the range of Windows versions and would also yield too many variables. True hardening of a system is a real pain to set up and may inhibit normal computing.

    Just a few points, though: About UAC: totally ignoring that the vast majority of Windows users will blindly hit OK at any UAC prompt, as well as the majority of malware not needing to trigger UAC, malware can be constructed to sidestep UAC to attain whatever malicious goal is needed (flowcharting helps). UAC does have its good points, but I've done a number of videos that enumerate its failures.

    AppLocker: seems to be strong in theory, but much hardening must be done to prevent things like Poweliks, macros, reflective injection techniques, and Metasploit reverse shell attacks. Then there's the issue of how to handle drops into C:\Windows and what to do with various rundll32 cuties.

    DLL injection blocking: aside from many legitimate applications using DLL injection, there are so many different techniques that anything other than some extremely involved ring0 coding would be pointless.

    LUA: this is not a realistic method of protection. I'm not going to bother to discuss why, but unless a person has a number of different accounts to do different things, blind trust in LUA will end in tears.

    Encryption: Bart has opened the door to a pretty nifty method of ransom independent of any native Windows protection routines.

    So in short, making a video about these things would be quite involved to script as well as being far too difficult for my simple mind.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thank you! I had a huge discussion about this subject earlier this year. :D

    But can you perhaps reply to this (see link), I wonder if WAR is truly behavior based:

    https://www.wilderssecurity.com/threads/winantiransom-plus-thread.382364/page-13#post-2605724
     
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Hi Rasheed! Although I'm in contact with Ruiware from time to time, I never asked (nor was told) the precise mechanism by which WAR protects. We can, however, surmise some things. If you haven't seen it, give a quick peek at www@youtube@com/watch?v=WnPCjVxphIY

    I tried to include in the test set a number of new variants which are primarily seen on the second malware line. So we can note that as there was no network connection, a Cloud detection system can be ruled out; further, there were quite a few seconds' variance in time to detection among the samples, so a straight definition based detection is unlikely. Finally, the last sample (Locky2) was only a few hours old, and I know for a fact they didn't yet have the Bart or CryptXXX samples. So for me this totally rules out dumb detection. Also, I must admit that I took special care in selecting the ransomware that was in this test, so the results are a good deal more impressive than may at first appear.

    Finally I must say I was impressed by the Bart detection, as this ransomware does not actually encrypt anything: it compresses the files individually and password protects the archives. This mechanism will bypass the protection routines of the competitors.

    (PS: Windows_Security, Protectress? I'm really growing fond of that one!)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the feedback, so according to you it's definitely also watching for suspicious file system activities, combined with other parameters. I watched the "WINPATROL ENTERPRISE versus 30 Recent Ransomware" video and I was quite impressed. I still need to watch the other video you linked to.
     
  17. guest

    guest Guest

    It's still possible to buy lifetime licenses?
     
  18. Sorry, not using it and not related to it, I have just seen Cruel Sister's videos and considered it a nice program fit for purpose
     
  19. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    No worries, was just curious :)

    I don't think your mind is so simple though, as you clearly are very talented with the customising of the RATs and so forth :)
     
  20. guest

    guest Guest

    It's "game over" for NEW lifetime licenses.
     
  21. You're welcome. May I request a song title for the (next) Voodoo Shield video: Voodoo People by The Prodigy, but please use the Pendulum remix (not the original one). Compliments on your choice and selection of samples.

    Please keep on posting test videos
     
  22. guest

    guest Guest

    Well, taking into account that sooner rather than later ransomware will be business as usual for AV companies and the hype will be over, it wouldn't be a strategic purchase for a lifetime license.
     
    Last edited by a moderator: Aug 4, 2016
  23. @guest,

    In the early AV days file infectors and polymorphic viruses were common, then code emulation was introduced. Avast returned from its tracks to use hardware virtualisation, so I am afraid we are stuck with ransomware for some time in the future (at least two and possibly three years from now).
     
  24. guest

    guest Guest

    I have survived all the hypes. At the beginning everything was a virus, then malware, rootkits, exploits, MBR malware, MITM attacks, phishing, banking malware... Now everyone is talking about ransomware like we did in the past with the other stuff. In a year or so it will be over and we will have something new.

    HPA, Zemana AntiLogger, MBAE, SS... and a lot of the tech that is part of the AV is here because of all those hypes; soon anti-ransomware will be common and effective in many products.
     
  25. @guest

    How many times has WSA protected you in the years you have been using it? How many times has MBAE blocked an exploit? Why have you bought them, while Windows Defender and EMET provide protection against similar threats? So you probably felt more secure using third party software (even when WSA/MBAE did stop a threat, Defender/EMET could have stopped it also).

    Protection is about products and processes; security is a state of mind. Therefore the (third party) security industry has to continuously emphasise new threats and features to feed this state of mind and continue license sales. We cannot blame the AV industry for that; it is the black hat hackers who discover new ways to make money with malware.

    The anomaly of ransomware and the current state of AV technology (the gap between code emulation and hardware virtualization) will be the reason why ransomware will dominate the security news for at least two and maybe three years IMO, so we have different opinions on the time frame, not on the hype, hope, help, horror life cycle of (new) malware types.

    Regards Kees
     
    Last edited by a moderator: Aug 5, 2016