Interesting AntiRansomware freeware

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    If you look at the VT file detection detail on the .tmp file you submitted, it is identified as the AppCheck installer. However, F-Protect detected a packer in the PE. The sig. F-Protect detected has also been ID'd in another submission that was seamonkey-2.47.en-US.win64.installer(1).exe.
     
    Last edited by a moderator: Jan 4, 2017
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Guys, Guys, Guys...

    1). AppCheck is anti-ransomware. If someone codes in some sort of system kill functionality (like on the final modified cerber sample I used in the video) the system can be trashed. But coding ransomware like this kind of defeats the point of ransomware, doesn't it? It's hard to see a ransom message if the computer is unbootable.
    (Peter- For which family of ransomware did this happen?)

    2). the Temp file- For those that have installed AppCheck please note that since my video AppCheck has had updates, going from 2.0.0.16 to .17, to .18, and today to 2.0.0.19. Guess where the updates get stored? Yes indeed, in the Windows\Temp folder (it will be an 8 MB file). This is what Webroot detected- I believe they call something like this a False positive. Anyone with AC installed can verify this for themselves.

    So it's really not so much of why you are using AppCheck, but more of why you use Webroot.

    (ps- AppCheck is NOT perfect!!!!)
     
  3. guest

    guest Guest

    Yeah, I saw the digital signature and acknowledged that it is definitely not a trojan with the use of quotation marks, but still comes off as unusual behaviour in software for me.

    You forgot to close the tag on your sarcasm. Bashing software for picking up a false positive of an already unusual behaving software isn't really a reason.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Sarcastic? Me?
     
  5. Dear Easter,

    Please help me, I am not a native English speaker, so I must be writing something wrong. All these types of anti-ransomware are layer two security:

    1. Proactive protection: a first line of security called proactive protection which prevents malware from executing

    2. Damage control: A second line of defense intended to mitigate or reduce the impact and damage when malware was able to run
    for instance MBRfilter (blocks MBR write access), AppCheck (behavioral) and RansomFree (uses honeypot).

    3. Disaster recovery: image and data backup and recovery

    Regards Kees
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    No matter, your English has always been completely readable and understood (by me anyway). No worries there.

    The grey line area is where I may have misunderstood all this regarding FIRST DEFENSE.

    There has to be a better way than the old AV line all the time. And that is why I'm always interested in what you find in the way of open source/freeware, even if just a development test release of sorts.
     
  7. Well, Peter's criticism for instance is that those second layer protection mechanisms present and position themselves as first layer defenses, which is not the case. RansomFree uses honeypot files which are low in the ASCII table, increasing the chance that the honeypots are attacked first. But the low to high attacking order can be easily changed, increasing the chance of other data being encrypted first. Lousy marketing does not automatically imply lousy software, IMO (an iron law of marketing is to "prove your promise").
     
    Last edited by a moderator: Jan 4, 2017
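    The honeypot idea described above, as an added defender-side illustration that is not RansomFree's or AppCheck's code: canary files are planted at both ends of the ASCII sort order (names are constructed here) so that a process walking a folder low-to-high or high-to-low touches a canary early, and a check reports any canary whose content hash changed or whose path disappeared.

    ```python
    import hashlib
    import os
    import tempfile

    # Constructed canary names (an assumption, not RansomFree's real file names):
    # "!" (0x21) sorts before letters and digits, "~" (0x7E) sorts after them,
    # so one canary is hit early whichever direction a directory walk takes.
    CANARY_NAMES = ("!00_canary.txt", "~zz_canary.txt")
    CANARY_CONTENT = b"canary file - do not modify\n"


    def _digest(path):
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()


    def plant_canaries(directory):
        """Create the canary files and return {path: sha256} as the baseline."""
        baseline = {}
        for name in CANARY_NAMES:
            path = os.path.join(directory, name)
            with open(path, "wb") as fh:
                fh.write(CANARY_CONTENT)
            baseline[path] = _digest(path)
        return baseline


    def check_canaries(baseline):
        """Return the sorted list of canaries that were modified, renamed or deleted.

        Encryption changes the content hash; renaming (e.g. appending an
        extension) or deleting removes the original path. Both cases are
        reported so a monitor can stop the offending process and alert."""
        tampered = []
        for path, expected in baseline.items():
            if not os.path.exists(path) or _digest(path) != expected:
                tampered.append(path)
        return sorted(tampered)


    def demo_in_temp_dir():
        """Plant canaries in a temp folder, overwrite the low-sorting one the
        way an encryptor would, and return (clean_result, tampered_result)."""
        directory = tempfile.mkdtemp()
        baseline = plant_canaries(directory)
        clean = check_canaries(baseline)
        with open(os.path.join(directory, CANARY_NAMES[0]), "wb") as fh:
            fh.write(b"\x00garbage standing in for ciphertext")  # constructed
        return clean, check_canaries(baseline)
    ```
    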
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590


    No for this test all the other security tools were off.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes everything else was disabled. Note I didn't reboot the system, it did. It was just ineffective period. The ransomware I used I've found particularly nasty.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi CS. I'll have to fire up and check the family.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys, let me spell out something, and it relates to what Erik Loman said. Once you see ransomware attacking, even if you stop it you are already compromised.

    I've been having a play with malware I've picked up from Malwaretips. So far I've had a play with about 150 samples, comprised of a lot of ransomware, keyloggers, and others. Most of the files are exe files, but some are wsf and other js.

    I've been testing with EIS, which has caught just about everything and if on I never get the stuff out of zip files. Malwarebytes has also caught all but one or two script files, and lastly Voodooshield which also has missed one or two js files. Between the 3 they have caught all of them.

    BUT here is the interesting thing. VS has a feature that allows them to upload the file to their virtual environment and analyze the file. It shows what the file is doing and, more importantly, what files on the system are being accessed. And looking at all that I am realizing I could care less about an anti-ransomware program detecting encryption. That is a day late and a dollar short, if you will. I don't want that malware to ever even get a foothold on my system.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    @Windows_Security - Odds Of Getting Infected By Ransomware

    The odds of experiencing a ransomware attack are roughly equal to you playing roulette and the ball landing on black (just remember you're playing with your files instead of chips, and if you lose they get encrypted).

    Caveats

    As mentioned, there are of course plenty of factors that can raise or lower your likelihood of seeing an attempted ransomware attack. It's interesting to note two of the biggest appear to be industry and geography.

    - healthcare and financial services both experienced slightly more attacks than average.
    - if your organization is based in the U.S. or the U.K. it's more likely you've experienced a ransomware attack.

    Ref.: https://blog.barkly.com/risk-of-ransomware-attack
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    A eureka moment at last.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, everyone should read that, reread it and then say it out loud frequently.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Interesting conversation!!! Pete, I am assuming that you were testing VS on AutoPilot when the one or two js files were auto allowed... If VS was ON, it should have blocked them, so if this is not the case, please let me know, because I definitely would need to look into this.

    BTW, assuming that VS was on AutoPilot, since VoodooAi does not analyze js files (yet), what this means is that the js file was analyzed by the blacklist, and essentially was determined to be clean by most or all of the engines. For example, if you write a .bat file that is simply "ping www.google.com", 54 engines will determine this file to be clean, and there are no positives or false positives. This should be quite unsettling to everyone.

    Can you please upload the files to cuckoo so I can take a look? And then if you can just post the ID numbers, that would be cool... I will check it out.

    Thank you for testing Pete, I appreciate it!!!
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thanks Pete, I got the PM... we should probably discuss this on this thread if that is okay with you. Sure, send me the files and I'll test all of them (Pete was not exactly sure which file / files it was, so I will just look at all of them).

    Here is the thing... if it was an unknown js file, it would have been blocked, even on AutoPilot. But if a script has been determined to be clean by the blacklist, then VS will auto allow the file when it is on AutoPilot. When VS is ON (Smart or Always ON), it should (will) block the file either way, if it is not whitelisted.

    I actually never thought there would be a chance that a ransomware script would be determined to be completely clean by that many engines... but if this is the case, we will need to block all non-whitelisted scripts when VS is on AutoPilot (it is a super quick fix). If anyone has ever seen ransomware scripts pass as clean for the 50+ engines, please let me know, and I will change this right away. Actually, when I test scripts with the blacklist, they are almost always unknown, which VS will block, even when it is on AutoPilot. We actually could block all scripts all of the time, but there are some programs, such as Hard Disk Sentinel that call scripts on startup and shutdown... which btw are known and clean to the blacklist.

    Either way, I will keep an eye on it, and if we need to start blocking all non-whitelisted scripts when VS is on AutoPilot, we will.
     
  18. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Thank you for being open^^^^This helps resolve problems.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, thank you guys, I need all the help and insight I can get! There is a chance that Pete found a bypass... and if so, we need to fix it.
     
  20. Sheer FUD. We can just check it by using our social network: when you have not heard of a friend or a friend of a friend being infected EACH month straight last year, the chance is simply below 0.002%; read the post.

    So, simply answer this question: how many times did you hear/read of a friend or friend of a friend being infected in 2016?
     
  21. What else is new: water is wet; a Nascar racer is a lousy 4x4 off-road.

    This software is about protecting your data as second damage control layer.
     
    Last edited by a moderator: Jan 5, 2017
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I never see any posts on Facebook about being infected, other than if someone's Facebook account has been compromised, and they post to say that. But, I highly doubt it is something people would post about. So, I really don't think a lack of posts about being infected equates to a lack of infections.
     
  23. @roger_m

    People post about eating a hamburger, which is an event with less personal impact than your photos being destroyed by ransomware.
     
    Last edited by a moderator: Jan 5, 2017
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That is true, there is certainly a stigma attached and people are embarrassed when they are infected, so it is unlikely that they would be posting this on social media.

    Here is a pretty good report with a lot of great numbers... especially page 140.

    http://download.microsoft.com/downl...ity_Intelligence_Report_Volume_21_English.pdf

    BTW, Kees, you are funny "People post about eating a hamburger". What can I say, it is a mad world ;).
     
  25. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    @Windows_Security I do agree that the risk of getting infected is greatly overstated. Also, my comment was referring to infections in general, rather than ransomware specifically. I guess ransomware is something people might post about.
     