Glad I saw this discussion! 1). An issue that was found in the previous build has been resolved in the current one. This really wasn't that much of an issue anyway as it concerned a ransomware strain modified by yours truly, and even so the problem was not encryption but more of a system trashing on remediation. But as I said all is smooth sailing now. 2). Mood- when testing AC I do use a license precisely due to the lack of MBR/MFT protection that you note.
AppCheck v2.1.9.1 Released (2 Nov. 2017) Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
AppCheck v2.1.10.1 Released (4 Nov. 2017) Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
Totally forgot about this, so it won't protect against ransomware that is trying to modify the MBR. Will perhaps try to combine it with RansomFree, not that I'm a high risk user or anything.
Mind you, @mood said MBR protection is missing when using FREE version. As soon as you switch to PRO, MBR is protected. You can still disable it manually though.
You are using a HIPS, and it should be able to protect against modifications of the MBR ("low-level disk access"). Btw.: RansomFree is also protecting the MBR (Edit: #390: Are you SURE about that (hint)? / #349: I guess we'll have to see this weekend...). Edit 2: The new version of AppCheck is able to protect the MBR. The free version of AppCheck should update itself automatically: "AppCheck Options - General - [X] Use Auto Update". But I'm not sure in what interval it is checking for updates. Updates for AppCheck Pro are delayed by 24 hours:
Version 2.2.0.1 (08. Nov. 2017. UTC 04:00) release notes https://www.checkmal.com/page/support/notice/?detail=read&idx=362&lang=en
Are you SURE about that (hint)? Also about the new version of AppCheck- note that AutoBackup is still part of the Paid and not the Free version. This is of EXTREME IMPORTANCE as the innate mechanistic detection of AppCheck still does not fly to the same heights as something like RansomOff.
I have Network Drive Protection disabled on two machines. Both machines networked and sharing folders. Are those network shares still protected?
AppCheck v2.2.1.2 Released (10 Nov. 2017) Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
Yes correct, but some extra protection would be nice, and now it has been added to the freeware version luckily. BTW, perhaps you have already answered this, but I still don't get what the "Protective Shelter" and "File Destruction Behavior Detection" options are for? Why would they give an option to turn them off, and what benefit does it give?
Protective Shelter: If enabled, files which are about to be modified, or before they are "damaged" by ransomware, will be copied to the Backup(AppCheck) folder. Files in this folder are protected from modification; otherwise ransomware could easily encrypt these files too. It is an additional protection layer, but if you don't want this protection because AppCheck is sometimes copying files to this folder and it slowly fills up the partition, it can be disabled (or change this option: "Delete files in Ransom Shelter [7] days old" and select a lower value). But after disabling the Protective Shelter, AppCheck isn't utilizing the folder Backup(AppCheck) for automatic recovery anymore. File Destruction Behavior Detection: This could be somehow related to the "CARB" engine. If enabled, it will monitor "File Destruction activity". I'm not sure what would happen if this option is disabled, but I think it is still protecting but without monitoring of specific "file destruction attacks".
AppCheck v2.2.2.1 Released (14 Nov. 2017) Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
Thanks for the info. I think these settings are a bit confusing; if it's really important for protection, then you shouldn't be able to disable it. After enabling it, I haven't noticed any extra CPU or drive usage. And apparently "Protective Shelter" is not tied to auto-backup? Very unclear if it's a must-have feature. For example, HMPA will always auto-recover modified files.
Just leave it all enabled and you are fully protected. I'm sure that if you disable the Protective Shelter, it can happen that files cannot be restored. For example: The ransomware itself will be terminated, but what about the files which were encrypted before the ransomware was terminated by AppCheck? There is no backup in the Protective Shelter to restore these files. If you are using the Pro version with the Auto Backup feature you still have access to a backup (only if the affected folder has been previously added to the Backup sources), but not in the free version with a disabled Protective Shelter. Auto-Backup is a dedicated Pro feature and is not related to the Protective Shelter. Auto Backup = folder <AutoBackup(AppCheck)>; Ransomware Protective Shelter = folder <Backup (AppCheck)>. And clicking on "Empty Ransom Shelter" is deleting files in the Protective Shelter; the folder <AutoBackup(AppCheck)> is unaffected.