Interesting AntiRansomware freeware

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2016.

  1. I wanted to express a big thank you to the members who discovered and tested two freeware Anti-Ransomware solutions which complement each other nicely :thumb:

    - MBRFilter (protects against MBR ransomware)
    - AppCheck AntiRansomware (the free version does not protect against MBR ransomware, but protects or partly protects against a lot of other ransomware)

    You can find all info on the security forum where publishing and posting of YouTube tests is allowed. The impact on CPU is near zero, so the freebies are very light as well.
     
    Last edited by a moderator: Dec 31, 2016
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Thanks @Windows_Security

    Very interesting indeed. A brochure for Pro version is available:
    Code:
    https://www.checkmal.com/page/resource/document/?name=document&detail=file_download_document&execute=1&idx=22
     
  3. guest

    guest Guest

    Is the software available in English? Any test or comparison?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Yes it is, download here:
    Code:
    https://www.checkmal.com/download/AppCheckSetup.exe
     
  5. guest

    guest Guest

    I have installed it and it looks good, at least more advanced than RansomFree by Cybereason.

    I hope we can see a comparison of these soon.
     
  6. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thanks for AppCheck AntiRansomware.
    It seems to protect against raw access, at least for drive C.
    Can someone test it with WinHex in in-place mode?
    For me all attempts failed except one time with the "wipe securely" option in physically opened disk mode.
    However, it seems to have backed up the file in C:\Backup(AppCheck).
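The raw-disk tests discussed in the posts above (WinHex in-place writes, "wipe securely", MBRFilter) can be complemented by a small integrity check of sector 0 itself. The script below is an added example, not code from this thread or from the MBRFilter or AppCheck projects: it reads the MBR through the same raw device path that disk wipers and MBR ransomware write to (\\.\PhysicalDrive0 on Windows, Administrator required), parses the boot signature and the four primary partition entries, and compares a saved snapshot against the live sector so that an overwritten boot code or partition table is reported. The device path, the snapshot file name and the sample MBR are assumptions or constructed test data, not values from the thread.

```python
"""Snapshot and integrity-check the Master Boot Record (sector 0).

usage:  python mbr_check.py snapshot mbr.bin    (save baseline, print parsed MBR)
        python mbr_check.py check mbr.bin       (exit 1 if the live MBR differs)
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = 0xAA55          # stored little-endian as 55 AA at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into its signature, boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    (signature,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": signature == BOOT_SIGNATURE,
        # MBR ransomware and disk wipers overwrite the boot code; hash it for comparison
        "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable differences between two MBR images (empty list = unchanged)."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["bootcode_sha256"] != after["bootcode_sha256"]:
        findings.append("boot code (bytes 0-445) changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    if before["valid_signature"] != after["valid_signature"]:
        findings.append("boot signature 0x55AA changed")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the MBR through raw device access (Windows, needs Administrator).
    Opened read-only: this is the path a filter driver mediates, we only read from it."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed test image (assumption, not a real boot sector): a stub boot code,
    one bootable NTFS-type (0x07) partition starting at LBA 2048, valid signature."""
    boot_code = b"\xFA\x33\xC0" + b"\x00" * (PART_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48          # three empty entries
    return boot_code + table + b"\x55\xAA"


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[1] not in ("snapshot", "check"):
        print(__doc__)
        sys.exit(2)
    mode, path = sys.argv[1], sys.argv[2]
    live = read_sector0()
    if mode == "snapshot":
        with open(path, "wb") as fh:
            fh.write(live)
        print(parse_mbr(live))
    else:
        with open(path, "rb") as fh:
            baseline = fh.read()
        findings = diff_mbr(baseline, live)
        print("MBR unchanged" if not findings else "MBR TAMPERED: " + "; ".join(findings))
        sys.exit(1 if findings else 0)
```

Take the snapshot on a known-good system and keep it off the machine; a check that reports a changed boot code after a raw-write test tells you whether the write reached the disk, which a "protected" message from a product alone does not.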
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    "Click"
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I couldn't resist. First of all, it did work, but I just don't see any point to it. Let me explain. I've had an ongoing project. I have been running real malware against EIS, MBAM and VS, of course doing this in a VM. VS has a particularly handy feature that allows running the malware in its own sandbox and letting you see it run. It also does an analysis to tell you what the malware does and what files it accesses.

    I am up to about 70 pieces of malware and it is an assortment of stuff: about 60 ransomware, the rest keyloggers and other general infectors.

    So far the three programs have caught all of this stuff. I can't even get them unpacked with EIS, and the other two individually are very, very strong. So no extra ransomware protection would be needed. Additionally, by the time ransomware protection kicks in who knows what else the malware has done. Erik Loman was correct when he said your files being encrypted just confirms your infection.

    The only real need I see would be if you have a real reason to fear zero-day stuff. And a little click caution and email smarts should cover that.

    Pete
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hey Pete.

    Remember this little beauty back a few systems ago? The ole infamous KillDisk bug? :p

    https://s23.postimg.org/m4n0hn7cr/killdisk_102.jpg
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Needs an option to allow it to be active after system boot (AppCheck)
     
  11. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    EIS is for Emsisoft Internet Security? What's "VS" for?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Voodooshield
     
  14. @Peter2150,

    Peter, since you are a veteran member and mod on this forum, the "who said so" weight of your posts is high. You are correct about the majority of ransomware being spread through email and phishing probes, but some ransomware can be delivered by simply visiting a website. Please have a read of this; it is not a full list of ransomware, but it also mentions how it is delivered/spread (LINK1), and the TrendMicro definition (LINK2) (so there is more to it than "little click caution and email smarts").

    Besides being spread through more means than you mention, in contingency management there is nothing wrong with having: Prevention (1), Damage control (2) and Disaster recovery (3). So I don't understand the "you have no clue on other damage", since it is the rationale behind damage control. In security it is a sign of professionalism to cover those three bases.

    My business desktop is protected by UAC/SRP/ACL (1) and I have a quick backup and full NAS backup in place (3). Everyone to his own preference, but I am pleased with those freebies filling in the missing "damage control" (2) in my setup with FREE, EFFECTIVE and LIGHT programs. That is why I posted the thank you.

    Regards Kees
     
    Last edited by a moderator: Dec 31, 2016
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Peter has made an important point that there are those that really need no other security addons; a protection environment based around Voodooshield which is both elegant and superb precludes the need for anything else.

    Sadly, however, most reading this will be protected by only the traditional "Whatever" AV, which in addition to being susceptible to true zero-day malware often has inadequate mechanistic protection and laughable ransomware protection. This is true for both Home users and IT "Pros".

    AppCheck (although not at all perfect as indicated in the video) is being developed by those who actually understand ransomware. Finally there is a product that will extend further than the antiquated Group policy protections to stop fortress class ransomware from trashing stuff outside of C:\Users and also has an innate backup routine to catch it when it falls. They are indeed walking the correct path, and I hope soon they'll start running...
     
  16. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    This alongside CFW and VS = winner winner chicken dinner :thumb:
    @cruelsister
    More FZ in vid soundtracks plz :)
     
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I did feature Electric Aunt Jemima.
     
  18. Disclaimer: figures don't lie, but liars figure
    Before driving home at New Years day, I have some time to kill and besides wishing you all the best, I wanted to ask you all "how many of you have helped a friend or a 'friend of a friend' to recover from a malware infection in 2016"? The answer to this questions is our sanity check on all the data and reseach thrown at us by the noisy next gen AV's and av-testing industry.

    Being called a strawman (I wear that Avatar with pride :D) I can mathematically proof my guestimate that even with just an antivirus the real world infection risk is below 0.002%. For all security minded forum members this relatively low risk must be a comforting thought and a good start of the new year.

    To proof this guestimate, I use the model of "six degrees of separation". This mathematical model claims that any person in the world can contact any other person in the world with just six intermediates bringing time and distance. For ease of reading I have rounded up figures.

    1. Calculate risk percentage based on the people we know

    On average every person knows around 150 to 250 people. Due to social media we expand our first ring with the friends of our friends, so this second-degree network consists of 22,500 people (150x150) to 62,500 people (250x250). For fun, let's calculate the infection risk by using your social network outreach. When malware is as bad as the security industry claims it is, then you should hear that a friend or a friend of a friend is infected on a regular basis. The turnaround time for (social) network interaction varies between two weeks and a month depending on the hours you are involved in social media activity. Turnaround time is the time it takes for an average person to have scanned the timelines of all your friends.

    We can assess the real-life infection chance by our own experience. In the past years I have not heard of any friend or friend of a friend complaining on social media about an infection. Because AV-Test, AV-Comparatives and MRG publish how many new samples they have collected in a month, I will use a news turnaround time of a month. So when you hear (every) month that a friend or a friend of a friend is infected by malware, the chance is (simply using the number of people in your network) somewhere between 0.004% (150-people network rings) and 0.002% (250-people network ring: 1/62,500 = 0.002% rounded).

    Conclusion: when you don't hear every month that a friend or a friend of a friend is infected, we know for certain (mathematically) that the risk of infection is below 0.002%.


    2. Sanity check based on AV-testing's own data
    Let's do a sanity check on this anti-FUD low-risk guesstimate. AV-Test, AV-Comparatives and MRG publish with their real-life tests the number of samples they have collected in a month or in a quarter. On average the number of new malware samples collected is around 150 to 200 per month. For fact-checking's sake let's assume that each of these new malware samples can be distributed to 10,000 websites. This means that the number of infected websites which deliver these 150 to 200 malware samples totals up to 1.5 to 2 million websites. Now this may seem a lot, but you have to consider that for every 1.5 people in the world there is 1 website (this year we will hit the 1:1 ratio). So these 1.5 to 2 million websites are only 0.04% of the number of websites in the world.

    So let's apply the bold statement of the security industry that 20 to 40 percent of websites are infected. Let's apply the Pareto rule that 20% of websites are responsible for 80% of page views and assume the top 20% has an infection rate of 20% and the rest of the world's websites an infection rate of 40%. This 0.04% average would be translated into a real-world chance: 0.04% (2 million infected websites as a percentage of all websites) x 80% (page views of the top 20% most visited websites) x 20% (infection % according to the security industry) + 0.04% x 20% (page views of the rest of the world's websites) x 40% (infection rate claimed by the security industry) = 0.01% risk of visiting an infected website (or a website with malvertising/redirect to an infected website).

    The only real assumption was the replication of each malware sample collected by 10,000. So the risk with a replication factor of 10,000 is 0.01% (as calculated above), the risk with a replication factor of 1,000 websites is 0.001%, and with a replication factor of 100,000 websites it is 0.1%. Back-tracking news items on virus outbreaks, I read that on average every 1.5 years a malware succeeds in mass infection, which makes a monthly replication factor of 1,000 websites more likely, with a spike every 18 months to 100,000 websites (of one sample). So when I use this, my guess is that a 0.015% infection surface on average is realistic (17 months x 1,000 replication and 1 month spike of 100,000 replication average to a 0.015% infection risk). According to RAP and first-seen MRG, the "proactive" protection provided by anti-virus is around 60%. MRG has an average of around 91% in its 360 test on zero-days, AV-Comparatives 98% (using the average of cluster 2, which is the middle cluster), and AV-Test mentions in its real-world test that the industry average on zero-days is also 98%. When I use the average of those percentages, zero-day protection is ((60%+91%+98%+98%)/4) = 0.87%, so the zero-day infection risk while using an AV is 0.015% x 0.13% = 0.002%.

    So the sanity check based on information from AV-testing data also results in a real-world zero-day infection risk of 0.002%.

    These coincidentally matching figures don't lie, but tell a story (or a tale when I am a strawman who just matches up these figures) :argh:

    Happy new year
     
    Last edited by a moderator: Jan 3, 2017
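The calculation in the post above, carried through as a parameterised model so that each input (network size, samples per month, replication factor, share of page views, the four zero-day protection rates, the spike interval) can be changed and the effect on the final number seen. This Python is an added example and not part of the post or of any product discussed in the thread; the total number of websites (5 billion) is an assumption implied by the post's "2 million websites is 0.04%", and the other constants are the post's own figures.

```python
"""Parameterised version of the infection-risk estimate from the post above."""

# Inputs taken from the post (constructed constants, adjust freely).
FIRST_RING_SIZES = (150, 250)                     # people an average person knows
SAMPLES_PER_MONTH = 200                           # upper figure for new real-world samples
WEBSITES_TOTAL = 5_000_000_000                    # assumption: implied by "2 million = 0.04%"
ZERO_DAY_PROTECTION = (60.0, 91.0, 98.0, 98.0)    # RAP, MRG 360, AV-Comparatives, AV-Test (%)


def second_degree_network(first_ring: int) -> int:
    """Friends of friends, counted as the post does: first ring squared."""
    return first_ring * first_ring


def network_infection_rate(first_ring: int, infections_per_period: int = 1) -> float:
    """Percent of your second-degree network infected per period, given how many
    infections you hear about in that period (the post assumes one)."""
    return 100.0 * infections_per_period / second_degree_network(first_ring)


def infected_site_percent(samples: int, replication: int,
                          websites: int = WEBSITES_TOTAL) -> float:
    """Percent of all websites serving malware if each sample sits on `replication` sites."""
    return 100.0 * samples * replication / websites


def exposure_percent(infected_pct: float, top_views_share: float = 0.8,
                     top_infection: float = 0.2, rest_infection: float = 0.4) -> float:
    """Pareto weighting from the post: the top 20% of sites take 80% of page views and
    are assumed 20% infected, the remaining sites 40% infected."""
    return (infected_pct * top_views_share * top_infection
            + infected_pct * (1.0 - top_views_share) * rest_infection)


def averaged_exposure(samples: int, normal_replication: int = 1_000,
                      spike_replication: int = 100_000,
                      spike_every_months: int = 18) -> float:
    """Average exposure over one spike cycle: (N - 1) normal months plus one spike month."""
    normal = exposure_percent(infected_site_percent(samples, normal_replication))
    spike = exposure_percent(infected_site_percent(samples, spike_replication))
    return ((spike_every_months - 1) * normal + spike) / spike_every_months


def residual_risk(exposure_pct: float, protection_rates=ZERO_DAY_PROTECTION) -> float:
    """Exposure multiplied by the share of zero-days the averaged AV misses."""
    missed_fraction = 1.0 - sum(protection_rates) / (100.0 * len(protection_rates))
    return exposure_pct * missed_fraction


if __name__ == "__main__":
    for ring in FIRST_RING_SIZES:
        print(f"first ring {ring}: {network_infection_rate(ring):.4f}% per period")
    for rep in (1_000, 10_000, 100_000):
        site_pct = infected_site_percent(SAMPLES_PER_MONTH, rep)
        print(f"replication {rep:>7}: {site_pct:.4f}% of sites, "
              f"{exposure_percent(site_pct):.5f}% exposure per visit")
    avg = averaged_exposure(SAMPLES_PER_MONTH)
    print(f"18-month average exposure {avg:.5f}%  ->  with AV {residual_risk(avg):.6f}%")
```

Running it prints each intermediate figure next to the final one, so a reader can compare the output with the percentages in the post and see which step dominates; changing SAMPLES_PER_MONTH to a different sample count (for instance the AV-TEST daily figure quoted later in this thread) or the replication factors shows how sensitive the end result is to those two assumptions.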
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    @Windows_Security

    Nice and interesting theory. Yes I haven't heard of anyone in my immediate network of friends, clients or acquaintances being infected lately.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Great analysis @Windows_Security. However, in regard to this premise, "On average the number of new malware samples collected is around 150 to 200 per month," you need to recalculate based on real-world statistics; namely:

    The AV-TEST Institute registers over 390,000 new malicious programs every day.

    Ref.: https://www.av-test.org/en/statistics/malware/

     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,657
    Hi dear Kees,
    First of all, Happy New Year to you and everyone!
    Yes, great analysis. But please allow me a little bit more. Let's look at water and The Netherlands. The chances that big parts of The Netherlands will be flooded and inundated may not be so very high with all the defences the Dutch have taken (let's not talk now about climate change). But when it happens, in the worst-case scenario, the results may be devastating. Let's look at ransomware now. The chances that you may get it may not be so high. But when your system is infected and you don't have proper backups and decryption tools from sites like "No More Ransom" are unable to decrypt, you may have lost your important documents etc. (not to speak of examples where hospitals didn't have proper defences and backups).
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    I wonder why this happens so often. Those institutions are run by knowledgeable and smart people in their own areas. Haven't they had visits and lots of proposals from security firms and consultants about the importance of countermeasures/mitigation mechanisms to deal with cyber-attacks? Also the strategy of data backup?

    I think many of them are greedy and stingy enough not to contract such services. Now they have to face the consequences of bad decisions.
     
  23. So why do they use 150 to 200 samples per month for real-world tests?

    AV-Test
    https://www.av-test.org/en/antivirus/home-windows/
    163 samples collected for the real-world test in October

    April https://www.av-test.org/en/antivirus/home-windows/windows-10/april-2016/
    164 samples collected in April

    AV-Comparatives
    https://www.av-comparatives.org/wp-content/uploads/2016/12/avc_prot_2016b_en.pdf
    From July to November 1619 test cases; these test cases include URL blocking of websites delivering the malware. As you know, the malware business is separated in three, where some aces develop malware and sell this to exploit kit producers, which sell it to scripters and malvertising. So these test cases have some redundancy (remember I took a replication factor of 10,000). I have a friend who is working as a malware reverse engineer and he tells me there are at maximum 150 to 200 really new or new variants of malware. Until now most malware has an average replication rate of 1,000 with a 1.5-year spike of (one sample) spreading at a 100,000 replication rate.

    MRG
    https://www.mrg-effitas.com/
    The slider promoting the 360 (real-world) test mentions 376 samples collected in Q3 2016

    Bottom line
    I sometimes get some insider info which I can't always disclose. I have done my homework trying to 'prove' with publicly available data what an insider tells me.

    @Peter2150 is right: when you take these statistics into account, user error is the cause in 99.998% of malware infections.

    @cruelsister is right that AV only is not enough to be protected against the meanest malware, but the chance of encountering one is less than 0.002% when you have just an AV to protect you.
     
    Last edited by a moderator: Jan 2, 2017
  24. 100% agree, that is why I thanked other members for finding and testing these two damage-control anti-ransomware freebies. As stated, professional contingency management always tries to cover the three bases: 1 protection (antivirus plus white-list), 2 damage control (MBR filter plus AppCheck) and 3 disaster recovery (image and data backup). Although we tend to focus on prevention in this forum and all agree on backup, let's not forget the second option: post (malware) execution damage control.

    Happy new year to all
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Economics and physical realities.

    Some factors the labs use for sample selection are:

    1. Prevalence - how often the malware is being used.
    2. Uniqueness - the malware is using infection methods not previously used or detected by existing security solutions. Of note is the prevalence with which malware authors reuse code from previous malware strains. Copying previously used code increases the risk of being detected by existing signature analysis.
    3. The method the malware is being deployed.

    Etc., etc..

    In other words, the labs use statistical analysis and probability methods to select what they feel is a representative sample of currently used, past and present, known malware. The methods used and the reliability of the former are the foremost factors in evaluating a lab's test results.

    Of note are outfits like NSS labs that employ honeypot server platforms whose purpose is to test security software over a continuous period of time, usually 90 days, against any "trapped" malware detected during the test period.
     