AppCheck by CheckMal

Discussion in 'other anti-malware software' started by Mr.X, Jan 16, 2017.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
  2. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    84
    Location:
    Bulgaria
    You're welcome. :) I usually do the same but didn't have the time to download the latest version and I still had the previous one intact. :)
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
    Keep doing that for the lazies like me :argh:
     
  4. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    322
    Location:
    Germany
    What tool, except RanSim, can you use to check the protection of AppCheck?
    And AppCheck does not protect against double extensions .pdf.exe, .doc.exe, is this correct?
    What is your opinion on the use of SRPPrevent + AppCheck?

    Don't offer real ransomware! :D
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    AppCheck v2.4.8.1 Released (06 Feb. 2018)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  6. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    There is my problem... The folder Backup(AppCheck) is full of randomly ?? chosen files/folders.
    You delete some, one minute after > other files/folders. It can be some firefox settings (less than one meg) or all my .pst files (=mails) : 4 gig!
    Moreover this folder is present on 2 different partitions and one external drive..
    Does anybody understand that ?!
    Thanks.
     
    Last edited: Feb 8, 2018
  7. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    322
    Location:
    Germany
    These are real protected folders, neither folders nor files can be deleted until protection is disabled. Folders are created on each partition of the HDD.
    I think that folders are not created, you can specify a non-existent network path.
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    The "Ransomware Protection Shelter" is responsible for copying of files (files which are about to be changed/modified) to the folder: "Backup(AppCheck)"
    Files with such an extension (this also includes .pst):
    Code:
    7z,ai,bmp,cer,crt,csv,der,doc,docx,dwg,eps,gif,hwp,jbw,jpeg,jpg,jtd,key,lic,lnk,mp3,nc,ods,odt,ogg,one,ost,p12,p7b,p7c,pdf,pef,pem,pfx,png,ppt,pptx,psd,pst,ptx,rdp,rtf,srw,tap,tif,tiff,txt,uti,x3f,xls,xlsx,xps,zip
    You can expect this folder on each drive/partition, as soon as files are modified on each partition.

    The good thing is if Ransomware has encrypted files, AppCheck is able to restore files from this folder.
    The "disadvantage" is, files can be expected in this folder even if the user is modifying files or files are modified by legitimate applications.

    Options - Ransom Guard - "Delete files in Ransom Shelter [7] days old"
    To mitigate a growing folder, the option can be set to "1". Now AppCheck is regularly cleaning files older than 1 day.

    Or:
    To disable backing up of files to the Backup(AppCheck) folder, the following option can be unticked: "Use Ransomware Protective Shelter"
    One security layer is now disabled but AppCheck is still protecting you, and (after you have deleted the folder Backup(AppCheck)) it shouldn't be created anymore.
    "Auto Backup" is a feature of the paid version (folder: AutoBackup(AppCheck)) and doesn't affect the functionality of the Ransom Shelter which is copying files to the folder: "Backup(AppCheck)"
     
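An added example, not part of mood's post or of AppCheck itself: a read-only Python report of which extensions fill a Backup(AppCheck) folder and how many bytes are older than the retention setting described above (7 days versus 1). The drive-root path, the use of file mtime as the age, and copies keeping their original extension are assumptions.

```python
import os
import time
from collections import defaultdict

DAY = 86400  # seconds


def shelter_report(folder, retention_days=7, now=None):
    """Summarise a shelter folder: what fills it and how much is past retention.

    Assumptions (not from the thread): copies keep their original extension,
    and file mtime is a usable stand-in for the age the cleanup option uses.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * DAY
    by_ext = defaultdict(lambda: [0, 0])  # ext -> [file count, total bytes]
    total = expired = 0
    for dirpath, _dirs, files in os.walk(folder):
        for name in files:
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:
                continue  # protected or vanished file: skip, keep counting the rest
            ext = os.path.splitext(name)[1].lstrip(".").lower() or "(none)"
            by_ext[ext][0] += 1
            by_ext[ext][1] += st.st_size
            total += st.st_size
            if st.st_mtime < cutoff:
                expired += st.st_size
    # Largest consumers first, so a 4 GB set of .pst copies shows up on top.
    ranked = sorted(((e, n, b) for e, (n, b) in by_ext.items()),
                    key=lambda row: row[2], reverse=True)
    return {"total_bytes": total, "expired_bytes": expired, "by_ext": ranked}


if __name__ == "__main__":
    # Hypothetical location: the thread says the folder appears on each
    # partition; the drive-root path here is an assumption.
    path = r"C:\Backup(AppCheck)"
    for days in (7, 1):
        r = shelter_report(path, retention_days=days)
        print(f"retention {days}d: {r['expired_bytes']} of {r['total_bytes']} bytes past cutoff")
    for ext, count, size in shelter_report(path)["by_ext"][:10]:
        print(f"{ext:8} {count:6} files {size:12} bytes")
```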
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    FYI: The dll's responsible for the Exploit Guard feature (AppCheck.dll / AppCheck64.dll) are now copied to the Windows folder (they were previously installed into c:\Program Files\CheckMAL\AppCheck\)

    AppCheck v2.4.9.1
    Released (07 Feb. 2018)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
    I guess at the moment they are focusing solely on the new Exploit Guard feature :)
     
  10. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    Thanks for your detailed and extensive answer.
    I am going to untick the 'shelter'.
    edit : Trying a little bit everything, I have -not on purpose- installed Appcheck and Cybereason (ransomfree) on the same virtual machine. Without problem.
     
    Last edited: Feb 7, 2018
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    You're welcome :)

    Exploit Guard is not a beta anymore and is enabled by default (for first time installations):
    AppCheck v2.4.10.1 Released (08 Feb. 2018)
    Website / Download: https://www.checkmal.com/download/AppCheckSetup.exe
     
  12. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    ?! Really?
    For RansomFree by Cybereason it is clear: first you are infected, then the detection. You can expect the corruption of 'some' files.
    CryptoPrevent prevents > no infection at all (hmm.)
    But Appcheck? How does it behave??
     
    Last edited: Feb 8, 2018
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    If AppCheck detects that files are being encrypted in a malicious way, it is terminating the process and is then restoring files from the Ransom Shelter.
    The free version doesn't remove Ransomware from the hard disk after the detection:

    "Automatically remove ransomware after the detection: Enable to automatically remediate(delete) ransomware after the detection. This feature is only available for AppCheck Pro."
     
  14. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    Well..
    AppCheck free, without Protective Shelter (because I've unticked the feature):
    -detects a ransomware after some damage has been done,
    -gives a warning indicating the name of the ransomware .exe file,
    - and has the feature 'exploit guard'.
    Am I approximately right?
    Thks....
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    Yes, "some damage". It is kind of "reactive" and will terminate Ransomware after damage has been done.
    This can be seen in all videos, but in the end all files are restored successfully.

    With Exploit Guard it gets a proactive feature and can intervene earlier (if the attack is initiated by a protected application)
     
  16. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    are restored with the so-called Protective Shelter, am I right?
    Thks
     
  17. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    In Win10 virtual I have put Wannacry. Both softs are present: AppCheck and RansomFree.
    RansomFree was the first to react! Two seconds later, AppCheck.
    Actually I was afraid to get a sort of 'deadlock' (=same file [the ransomware] accessed -nearly- simultaneously by 2 processes). But no, no problem...
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    Correct :)
     
  19. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    Thks
    Ok, I am going to install AppCheck and RansomFree on my 'real' Windows....
    We shall see the result..LOL
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    [Notice] AppCheck 2.4.10.1 Update - Exploit Guard Official Release
    February 09, 2018
    https://www.checkmal.com/page/support/notice/?detail=read&idx=839
     
  21. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    System perfectly smooth..
    Then a good idea is to perform a disk image.
    Open the proggy, usual settings for the image > run >one millisecond : BSOD
    Hmmmm..
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,316
    Location:
    Under a bushel ...
    Which imaging program?

    I have AppCheck (not RansomFree) and images run without issue, but I do have MBR Protection unchecked, as that is covered by HmP.A.

    Try again with that option unchecked?
     
  23. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    -Good idea...Because it is a good idea (!) and because my imaging prog (Image for Windows, not using VSS) always backs up the first track. But, well, it is just reading data, not modifying...
    -I've immediately uninstalled Appcheck. Without Appcheck and with Ransomfree>>Imaging was OK
    -What is HmP.A ??
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,316
    Location:
    Under a bushel ...
    HitmanPro.Alert by SurfRight.

    Did IFW not work with AppCheck still installed and MBR Protection unchecked?
     
  25. myk1

    myk1 Registered Member

    Joined:
    Sep 2, 2012
    Posts:
    70
    Location:
    Belgium
    I hate BSOD's....I stay for the moment with a stable system and I'll try within a few days!
     