Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.
A new anti-ransomware product: https://ransomfree.cybereason.com/
BlackKat, have not seen you around for a while. Where you been hiding?
Anyway, the website is very pretty. Have you tried this program out?
Trying it out now. Lightweight but I will leave it to the experts to see how effective it is.
I retired in June myself so have way too much time on my hands now. You most likely don't remember me by my current username, but I can tell you I was here in the 90's on dialup even if my original profile shows me joining 2002.
I just installed it in Shadow Defender and will see how it goes. Sounds like they managed to get a bunch of funding.
Would be nice to see cruelsister test this one out. We tried to get her to test Cylance but no go.
"The software gathers usage data across a computer network and cross-checks that activity to discover deviations from the norm. If enough suspicious boxes are checked, Cybereason raises a flag."
I just wonder what they mean by usage data?
Or RejZoR now that he is over at MalwareTips testing antimalware programs recently.
Demo: Cybereason RansomFree blocks ransomware from encrypting files
They seem to have forgotten that machines can have more than one drive. My VM has two disk drives, with folders of identical files. The C: drive files were protected, but all the E: drive files were encrypted. Tested two samples with the same results. Plus it said if there was a warning about encryption, that would have to be cleaned manually. They have a long way to go.
Some more info on the team and company on their blog https://www.cybereason.com/our-company/
A comment on this software by Fabian Wosar at the bottom of this article
New software, I'm sure it will develop, I doubt Emsisoft was the perfect faultless AV on first release.
Actually, that comment was more about the common narrative that it is somehow okay if just a few documents are encrypted. A whole bunch of products have this flaw. Yes, if it encrypts some random files, you may get lucky and it hits some files that are useless to you and everything is fine and dandy. But several high-profile families don't encrypt files in the order they appear on disk, but the order they are deemed most valuable by the ransomware author and that whole narrative falls apart at that point.
On this I disagree. It was clear to me that they never thought to test on a system with multiple drives. And I totally agree with Fabian. Any system that accepts a few encrypted files is flawed.
Hopefully cruelsister will test it, I'll await her more respected thoughts
From the BleepingComputer link Stapp posted previously:
According to a test performed by Bleeping Computer's Lawrence Abrams, under the hood RansomFree works by creating randomly-named folders throughout the filesystem that act as honeypots.
These folder names start with characters like ~ or ! because they are low on the ASCII table and thus will be scanned first by ransomware.
I am fairly confident that by now ransomware developers have analyzed and identified honeypot file characteristics and are bypassing them.
Club- I have one done, just have to upload it. My apology in advance for the length.
One question for you CS, did you add 2nd drive/partition in your test?
Can't wait to see it.
No- I didn't see the need. Although the first place I would look is outside of the User space (which I've done on occasion); some products (Group Policy based) will only protect Personal Folders while leaving other things in other places wide open to be screwed with. But only if a given product provides perfect protection for Documents, Photos, etc. is there a need to look elsewhere (was that a Spoiler Alert?).
In this case you might want to. I always look to all partitions as I have 3 internal drives. So I tested in a VM with 2 drives, 2 identical folders on each one. The C: drive was protected, while the 2nd drive's files were all encrypted. That's a flunk.
Cybereason web site clearly states that they not only protect local but also network/shared drives:
Protection From an Array of Ransomware Attacks
RansomFree protects against local encryption as well as the encryption of files on network or shared drives. The encryption of shared files is among the doomsday scenarios an organization can imagine. It takes only one employee on the network to execute ransomware and affect the entire company.
Software appears to be "not ready for prime time" anti-ransomware protection.
Peter- Files getting messed up elsewhere (other than Users) is actually pretty common. But often there is no need to dwell on this as such products must first protect the prime targets of ransomware- and for me the product must prove it could walk before I care to see if it could run (if you catch my drift).
Itman- The company does need to mature in a number of areas. I'm surprised SoftBank threw them the cash in the Series C round last year. They certainly weren't going to get it from us.
Are these honeypots necessarily the same on all computers, or are they randomly created for each installation?
Just tested with Cerber.
Created a 2nd partition and added the same folder and files inside, like the one on the desktop.
Files on the Z: drive are encrypted.
Appears the company's other products are highly rated as noted here: https://www.cybereason.com/cybereason-earns-perfect-scores-in-sc-magazine-review/
I suspected this freebie anti-ransomware offering is more of a publicity thing to get a lot of free security press for the company. It is probably fair to say as time goes by and with a lot of free debug labor from end users that will ensue, the product will improve. Like I said previously, it just presently is not ready for "prime time" anti-ransomware protection.
Well, frankly, the results I got, which djigi confirmed, just tell me it's not yet a product. Everything else I've tested protects all the disks.
I agree. It should protect all disks, not only Documents\Pictures located on C:
Some work is still needed.
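An added example, not part of the thread and not Cybereason's code: a minimal sketch of the honeypot-folder approach quoted from the BleepingComputer test, combined with the per-volume coverage check that the two-drive tests above call for. Temporary directories stand in for the C: and E: drives, and the function names and the decoy file name are hypothetical.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

DECOY_NAME = "accounts.docx"  # hypothetical decoy file name

def plant_canary(volume_root: Path) -> dict:
    """Create a randomly named canary folder with one decoy file on a volume."""
    folder = volume_root / ("!" + secrets.token_hex(6))  # '!' (0x21) sorts before digits and letters
    folder.mkdir()
    content = secrets.token_bytes(256)
    (folder / DECOY_NAME).write_bytes(content)
    return {"volume": volume_root, "folder": folder,
            "sha256": hashlib.sha256(content).hexdigest()}

def audit(volume_roots: list, canaries: list) -> dict:
    """Report each volume as ok, unprotected, not-first, or tampered."""
    by_volume = {c["volume"]: c for c in canaries}
    report = {}
    for root in volume_roots:
        canary = by_volume.get(root)
        decoy = canary["folder"] / DECOY_NAME if canary else None
        if decoy is None:
            report[root] = "unprotected"      # no canary at all: the second-drive gap
        elif not decoy.is_file():
            report[root] = "tampered"         # decoy deleted or renamed
        elif hashlib.sha256(decoy.read_bytes()).hexdigest() != canary["sha256"]:
            report[root] = "tampered"         # decoy contents rewritten
        elif min(p.name for p in root.iterdir()) != canary["folder"].name:
            report[root] = "not-first"        # another entry sorts ahead of the canary
        else:
            report[root] = "ok"
    return report

def demo() -> list:
    """Two constructed 'volumes' (temp dirs); only the first gets a canary."""
    with tempfile.TemporaryDirectory() as tmp:
        c_drive, e_drive = Path(tmp, "C"), Path(tmp, "E")
        for vol in (c_drive, e_drive):
            (vol / "Documents").mkdir(parents=True)
        canary = plant_canary(c_drive)
        before = audit([c_drive, e_drive], [canary])
        (canary["folder"] / DECOY_NAME).write_bytes(b"constructed overwrite")
        after = audit([c_drive, e_drive], [canary])
        return [before[c_drive], before[e_drive], after[c_drive], after[e_drive]]

if __name__ == "__main__":
    print(demo())
```

The audit flags the second volume as unprotected before any file is touched, which is the condition to check on every fixed, removable and mapped drive when evaluating a honeypot-based product.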