AppCheck by CheckMal

Discussion in 'other anti-malware software' started by Mr.X, Jan 16, 2017.

  1. guest

    guest Guest

    What tools?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All the specific tools that everyone is developing to detect ransomware
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The point of these types of apps is that they are based on behavioral monitoring, and tools like Zemana use signatures. So these tools are basically an extra layer of protection, in case AV's fail to detect ransomware. But don't expect 100% protection, common sense is also needed.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    Exactly. This has been explained repeatedly, including in this thread. But I was too lazy to reply before Rasheed.
     
  5. guest

    guest Guest

    @Mister X

    Who says that other AVs including Zemana (Pandora cloud) don't have specific BB rules and heuristics against ransomware?

    Don't be blind, it's just a second-opinion AV for ransomware only, and that doesn't make it better by default.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    Well, I've seen this app perform quite well. On the other hand, let's see what the developer has to say if he comes to the forum. Let's see what others have to say about the mechanics of this program. I am no expert at all and can't figure out the intrinsic mechanism whatsoever. And believe me, I am not a blind believer at all.
     
  7. guest

    guest Guest

    I have noticed that AppCheck has more I/O writes to the disk than even Windows Defender. It is the most hard-disk-consuming application, besides the browsers of course.
    Taking into account that I'm not using the backup options, I guess it is constantly making copies of modified files in real time just in case these are victims of ransomware.... am I guessing too much? :D
     
  8. guest

    guest Guest

    Yes, it is doing copies, and you're not guessing ;)
    If you modify a file with an extension which is protected by AppCheck, it is copied to the root-folder Backup(AppCheck).
    The option "Ransom Shelter" is responsible for this.

    If "C:\Program Files\Notepad++\readme.txt" is about to be changed (for example after updating the program), it will be copied to:
    "C:\Backup(AppCheck)\Program Files\Notepad++\readme.txt"
    The directory structure and the File Owner will be the same, and after 7 days backup files will be auto-cleaned (see settings)

    You can use the NirSoft utility FolderChangesView to monitor these changes and to see exactly what files/folders are being created or deleted.
     
  9. That is the problem with ransomware: it performs common (file) operations, so heuristics won't work and specific BB rules are hard to define. That is why AppCheck combines replication and backup with BB rules. Ransomware performs ordinary file operations; the only thing that identifies them is mass deletion, update or encryption of files. When you define 'mass' at two files, you probably annoy the user with a lot of false alerts. When you define 'mass' as twelve files or more, you may limit damage but there are always at least 12 files lost. That is why it is a smart move to replicate data (into a backup folder) when a file is accessed with update intent, so you may be able to recover those files AFTER an infection.

    Also considering the fact that AppCheck free replicates data it does an extraordinary job in terms of limited performance impact.
     
    Last edited by a moderator: Jan 24, 2017
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    @mood
    Thanks a lot mate.
     
  11. guest

    guest Guest

    Thanks for the confirmation. I think I will uninstall it sooner or later; I don't want that kind of resource consumption on my PC.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    This is true. I have not seen a significant impact on performance, and I have real-time backup every 10 min.
     
  13. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
  14. guest

    guest Guest

    I partially agree. OK, it does real-time copies of modified files, and this is a unique feature, good for AppCheck, but everything else is already, or can be, part of any AV.

    Regarding the resource consumption part, you probably won't notice it on any modern PC, but I don't like the idea of AppCheck being the application with the most hard-disk writes on my PC.
     
  15. Well, most AVs have a file access filter, so as with many new categories of malware, the AVs will soon incorporate it in their software or market it more explicitly (in the past there were specific anti-trojan applications, anti-spyware, anti-rootkit, behavioral blockers, anti-keylogger, anti-exploit; anti-ransomware is just the latest), so in a year or so, you can say "didn't I tell you so, nothing special" :)
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Kees

    On this issue, what is the difference between free and paid?

    Pete
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If the security solution has a HIPS, you can create an "ask" rule for any write, delete, or low-level disk access to the Documents, Music, Pictures, etc. folders.

    If you are a user that doesn't frequently access those folders, this is an acceptable solution that will block all ransomware. I also would not whitelist any app exclusions to this rule, since any app can be hijacked.
     
  18. Paid does auto backup whatever that may be. Free duplicates files being written to.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Kees
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I never said that AV's didn't use BB rules, but for example Zemana doesn't. And again, most AV's do not monitor the file system for suspicious ransomware activity. That's why tools like HMPA and AppCheck are so interesting. The only problem is that they often don't offer 100% protection, and that's why some people get skeptical.

    I believe so far only WinPatrol WAR blocked almost all ransomware samples, but some people complain about the many false positives. But yes, apps like AppCheck and RansomFree are not strictly necessary, but still nice to have. Also, a lot of ransomware can be stopped in an earlier stage, as explained by Fabian Wosar:

    https://www.wilderssecurity.com/thr...ternet-security-12.388577/page-8#post-2643761

    That sounds like a deal-breaker. Do you constantly see this activity? You could test it with this tool:

    http://www.majorgeeks.com/files/details/harddriveindicator.html
     
  21. guest

    guest Guest

    Whatever it is, it works against 0day ransomware
    http://blog.zemana.com/2016/07/zemana-antimalware-proved-to-be-best.html?m=1

    You can check it with the Windows Task Manager using the Details tab and manually adding new columns with the I/O operations.

    The write I/O was constantly changing even with the PC idle; I imagine that when something modifies files with protected extensions it should be worse.

    As I said, you probably won't notice it, but it is there.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I've been doing some testing myself. And I have to say AppCheck has been successful. (Zemana has also been highly successful in stopping it, along with VS.) But there are a couple of caveats. First, HMPA has always caught it first. Sometimes with its crypto module, but a lot with hollow process. AppCheck does save everything, but it can leave the desktop scrambled. In one Cerber sample, there even was the ransom notification. I am sure this would have been most alarming to most users.

    The damage mitigation I am using is Macrium Home V6.

    Another thought for you techies. How would AppCheck work if detected by the ransomware? I tested one piece that VS analysis indicated it detected VM machines. And sure enough, when it ran it didn't do anything, but VS, EIS and Zemana all said the file was bad.
     
  23. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I think it might be useful to note that (as I understand it) AppCheck is new and, for argument's sake, in a "V1" phase; it has taken VS, EIS and Zemana several versions to reach where they stand atm. Let's allow AppCheck the same room :)
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Great example of what current ransomware is doing. That is, delivering one or more additional malware in their payloads. VM-aware ransomware will just bypass the encryption activities and install the secondary malware, which could be a password stealer, etc. If you do Internet activities in the VM, you're nailed.

    Also, as far as hollow processing goes, I have only seen where ransomware uses a .dll to create a suspended process and inject its code into that; i.e. all memory based. But it could also go after an existing running process such as explorer.exe and inject the code there.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That's why my damage control is restoring an image
     