Malwarebytes Anti-Ransomware Beta

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Jan 25, 2016.

  1. haakon

    haakon Guest

Instead just think of them in a nutshell as the tradition brought to the region by the pre-Christian Rus Northmen. ;)
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,886
    Location:
    North Carolina, USA
    Hello,

    Malwarebytes Anti-Ransomware BETA 8, version 0.9.17.661, has just been released.
    Announcement and download link: New version - BETA 8 - now available!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I will wait for some feedback, and perhaps I will give it a try. Looks like they have fixed a lot. BTW, I'm still waiting to hear from ZeroVulnLabs and DecrypterFixer about why MBARW is more advanced compared to other tools like WAR.
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    530
    Location:
    Croatia
Cruelsister test is on YouTube... not so good results for MBARW

    Malwarebytes Anti Ransomware Beta 8 https://www.youtube.com/watch?v=NeDrsiflQt0
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    What the hell, I wonder how this is possible.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
We detected a bug post release which is causing this. The team is already working on it. Btw in the case of the detection but the ransom notice being dropped on the Desktop, this is normal as ARW does not prevent (yet) the ransom notice or Desktop background change. Our priority for now is to prevent file encryption.

    Also it seems the VM only has a few documents, which is a less than ideal way to test an anti-ransomware technology that is behavior based (rather than static policy-based).
     
    Last edited: Sep 19, 2016
  7. Although true, you can't ask CS to do a regression test (that is your job), it is a 'cursory' pen test as you challenged her to do (so better :blink: )
     
  8. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    817
So your program will detect the encryption midway if I have lots of files and will stop it so I don't lose all my files? Will it restore those encrypted?
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
OK, so it was caused by a serious bug. You would think that your own developers would have spotted this, before the release!

    To be honest, I would be happy if it could save most of my files. If such a tool could spot the attack in its early phase, and gives an option to block the process from modifying files, that would already be quite good.
     
  10. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    817
    What if the one file encrypted is the one you want then. You just had a useless protection based on luck.
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Our objective is to prevent all file encryption, and eventually add a feature to recover the ones that got encrypted (as well as restore the system changes like desktop background and ransom notices). It is still beta and is under heavy development, so please be patient with us. We have some other cool new projects going on at the same time so our "speed" is suffering a bit.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
Good point, but important files can also be protected with file/folder protection tools. And I'd rather have a behavioral monitoring tool that is able to notify me about a file encryption attack 100% of the time, even with some lost data.

    Sounds good to me.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    We await your first product to test
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,106
    It's not that easy.
    If you monitor "the same routine", they simply change their behaviour/routine.
    :thumb:
    I'm curious, too.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I'm afraid you both missed the point. I was more or less trying to figure out why tools like HMPA and MBARW sometimes get bypassed. Is it because they try to stop encryption in the last phase of the attack? Perhaps developers can explain this.

    Just read about the way ransomware works, it's not magic. They all do the same, instead of directly encrypting files, they try to bypass HIPS with process hollowing, and they perform some other stuff to make it harder to recover files. So what if you simply block this, isn't that already enough?
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,106
    Is it enough to block these things? Maybe.
    But if a new ransomware-variant comes out, sometimes "better/improved" detection-routines are needed:
    HMPA: "CryptoGuard v4.5 improves detection for ransomware doing partial encryption."
    MBARW: "New ransomware variants of DMA Locker, CryptoXXX and CryptoJoker are now detected"
    ...

    Edit: one of the main reasons:
     
    Last edited: Sep 26, 2016
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,582
    Location:
    USA
    I believe AV/AS tools get bypassed because the malware coders find new attack vectors.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I was specifically talking about anti-ransomware tools. Even HIPS sometimes get bypassed when new techniques are discovered by malware writers, like new code injection methods for example.

    Correct, but there aren't that many techniques that ransomware can use, that's why they perform the same routine. I believe tools like HMPA and MBARW will probably only monitor the second part of the attack, they purely try to prevent massive file modification, by monitoring the file system. But in theory you can already stop them in an earlier phase. If you block code-injection/process hollowing, outbound network access and the running of vssadmin.exe and bcdedit.exe, you probably have already neutralized most ransomware.
     
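The "stage one" routines named in the post above (vssadmin.exe and bcdedit.exe) leave a trace in process-creation telemetry, so a defender can alert on them before any file is touched. The following added example is not part of the thread and is not MBARW's or HMPA's code; it runs a small rule set over constructed process-creation log lines in an assumed format (`ts pid= ppid= image= cmd="..."`), flags shadow-copy deletion and recovery tampering (including the equivalent wbadmin/wmic forms, which go beyond the two binaries the post names), and raises the severity when one parent process issues several of them.

```python
import re

# Each rule maps a tactic label to a pattern over the lower-cased command line.
# The labels and patterns are constructed for this example.
RULES = [
    ("shadow_copy_deletion",    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_deletion",    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("shadow_storage_resize",   re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b")),
    ("recovery_disabled",       re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("recovery_disabled",       re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),
]

# Assumed log line layout (constructed): timestamp, pid, parent pid, image path, quoted command line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample telemetry: one parent (ppid 3000) runs the full preparation
# sequence; an administrator session (ppid 5000) runs harmless read-only commands.
SAMPLE_EVENTS = [
    r'2016-09-19T10:00:01 pid=4100 ppid=1888 image=C:\Program Files\Office\winword.exe cmd="winword.exe /n"',
    r'2016-09-19T10:00:05 pid=4120 ppid=3000 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2016-09-19T10:00:06 pid=4121 ppid=3000 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
    r'2016-09-19T10:00:07 pid=4122 ppid=3000 image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
    r'2016-09-19T10:02:00 pid=4300 ppid=5000 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'2016-09-19T10:02:10 pid=4301 ppid=5000 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /enum"',
]


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
    return d


def classify_command(cmd):
    """Return the tactic label for a command line, or None when no rule matches."""
    lowered = cmd.lower()
    for label, pattern in RULES:
        if pattern.search(lowered):
            return label
    return None


def scan_events(lines):
    """Return one alert per matching event: (timestamp, pid, ppid, tactic label)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify_command(ev["cmd"])
        if label:
            alerts.append((ev["ts"], ev["pid"], ev["ppid"], label))
    return alerts


def high_risk_parents(lines, min_tactics=2):
    """Parents that spawned at least `min_tactics` distinct tactics; a single hit may be an
    admin's maintenance, the combination rarely is."""
    tactics_by_parent = {}
    for _, _, ppid, label in scan_events(lines):
        tactics_by_parent.setdefault(ppid, set()).add(label)
    return {ppid for ppid, tactics in tactics_by_parent.items() if len(tactics) >= min_tactics}


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("high-risk parents:", high_risk_parents(SAMPLE_EVENTS))
```

The read-only forms (`vssadmin list shadows`, `bcdedit /enum`) deliberately do not match, which keeps the rule usable on machines where administrators run those tools; the per-parent correlation is what turns three individually explainable events into one confident detection.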
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,106
    "in theory" ;)
HMP.A can block code-injection/process hollowing, but I don't know if MBARW is able to do it too.
Some variants don't even need to connect to the outside before they begin to encrypt files.
    If they were "Anti-Executables" then they could block it earlier.
    Blocking the second part of the attack can be sufficient as long as the attack is identified "in time".
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I say "in theory", because I don't do malware testing anymore. So I can't know for sure how ransomware exactly works, but I think it's safe to say that if you block certain routines in stage one, they will fail to work correctly. So in theory HMPA should already tackle certain ransomware variants when it blocks process hollowing. But like I said, I believe that HMPA and MBARW are more focused on behavioral monitoring of suspicious writes to the file system.
     
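The "second part of the attack" that the last few posts describe, behavioral monitoring of suspicious writes to the file system, can be sketched with a simple heuristic: a process that rewrites many distinct files with high-entropy (ciphertext-like) data inside a short window is flagged, and flagged before it has touched everything, which is the "stop it midway" behaviour asked about earlier in the thread. The following added example is not from the thread and is not how MBARW or HMPA actually work; it feeds a constructed stream of write events (a benign editor saving plain text, and a second process overwriting six documents with pseudo-random bytes) through a sliding-window monitor and shows the alert firing on the fifth file.

```python
import math
import random
from collections import defaultdict, deque

HIGH_ENTROPY = 7.0      # bits per byte; plain text sits around 4-5, ciphertext approaches 8
MIN_FILES = 5           # distinct high-entropy rewrites before a process is flagged
WINDOW_SECONDS = 10.0   # sliding window over which those rewrites are counted


def shannon_entropy(data):
    """Bits of entropy per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class WriteMonitor:
    """Per-process sliding-window count of distinct files rewritten with high-entropy data.
    Constructed for this example; thresholds are illustrative, not vendor values."""

    def __init__(self, threshold=HIGH_ENTROPY, min_files=MIN_FILES, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.min_files = min_files
        self.window = window
        self._recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.flagged = set()

    def observe(self, ts, pid, path, data):
        """Feed one write event. Returns an alert dict the first time `pid` crosses the
        threshold, otherwise None. Entropy is measured on the written chunk only."""
        if shannon_entropy(data) < self.threshold:
            return None
        q = self._recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:     # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.min_files and pid not in self.flagged:
            self.flagged.add(pid)
            return {"ts": ts, "pid": pid, "files": sorted(distinct)}
        return None


def build_sample_stream():
    """Constructed event stream: (timestamp, pid, path, bytes written)."""
    rng = random.Random(1234)                       # seeded so the run is reproducible
    text = b"Quarterly report draft, revision 3.\n" * 40
    events = [(float(i), 101, "C:/Users/alice/report.docx", text) for i in range(6)]
    for i in range(6):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))   # stands in for ciphertext
        events.append((20.0 + i * 0.5, 202, f"C:/Users/alice/Documents/file{i}.docx", blob))
    return events


def run_monitor(events):
    """Run the monitor over a stream and return the alerts it raised."""
    mon = WriteMonitor()
    alerts = []
    for ts, pid, path, data in events:
        alert = mon.observe(ts, pid, path, data)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(build_sample_stream()):
        print("ALERT pid", alert["pid"], "at t=", alert["ts"], "files:", alert["files"])
```

Two limits of this heuristic matter in practice and line up with the thread. First, the process is flagged only after `MIN_FILES` files are already gone, so the choice of threshold decides how much data is lost before the block, and a test machine with only a handful of documents may never reach it. Second, entropy of the written chunk is what is measured, so a variant that encrypts only part of each file can keep whole-file entropy low; that is exactly the case the "partial encryption" changelog line quoted earlier refers to.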
  22. fmon

    fmon Registered Member

    Joined:
    May 5, 2013
    Posts:
    1,163
    Where is Rasheed Antiransomware 0.01 beta? :D
     
  23. haakon

    haakon Guest

    Everyone already knew that 7930 of your posts ago. :argh:
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Couldn't you come up with a better name? :D

    https://www.wilderssecurity.com/threads/malwarebytes-anti-ransomware-beta.383333/page-12#post-2620520

    I actually explained in this topic how ransomware works (stage 1 and stage 2), but I can't know for sure how security tools try to tackle them, and why they sometimes fail. Please do some reading first before you come up with dumb and unfounded statements. :D

    But please do enlighten us, since you seem to be the malware expert. Can you perhaps tell me how WAR manages to stop ransomware, because the developers of MBARW think their approach is much more advanced. Can you tell me a bit more about the AI, or is it comparable to a "pimped up" anti-exe tool?
     
  25. EvjlsRain

    EvjlsRain Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    31
Hi everyone, I would like to ask: is this tool still updated and equivalent to the anti-ransomware module in MB3 or not?
The reason why I ask is when I tested MB3 with many ransomware samples, it caught 100% (signatures) but when I disabled all modules and just left anti-ransomware protection on, it didn't catch any of the ransomware, 0% efficacy

    thank you
     