Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.
Thanks for trying. But I'm concerned with my primary, and basically only, drive. I'll continue to use it as part of a layered approach to security as I don't have any other product specifically targeting ransomware, I'm not aware of any 100% foolproof software that people seem to be demanding of RF, at least nothing I'm willing to pay for.
So thanks again, even though I never asked that you test it, I just think it should be given a fair shot by whoever does test it.
Still curious that a competing security software company would have found it much more worthy, but maybe like Cybereason they don't know what they're doing either.
That is certainly your choice.
There is an article on Bleepingcomputer that is interesting. Among other things this ransomware targets. It would ignore honey pots that RansomFree uses. This is the weakness.
Not if it uses other methods along with honey pots. Good night!
Fair enough. I just tend to prefer user reviews by demonstration rather than word of mouth; however, I will try software for myself and disregard others' opinions on occasion and try them for myself.
I am totally for that myself. The harder part is setting up to test malware. That does take some care.
This is another interesting approach, not exactly new though, it's called "Extension Whitelisting". But in theory it should be effective, especially if stuff like code-injection and process hollowing are also blocked:
FIDES has similar functionality, but without a GUI and less "features".
I can globally deny the read-access to files, and only specific applications have access to files or access to files with a specific extension.
"Unknown programs" don't have any access.
But nevertheless SES-RDe seems to be much more advanced.
It checks the checksum of allowed programs, prevents ransomware from injecting into trusted applications, etc.
And interestingly, it is able to block raw-access to the data:
Quite interesting. This is what I was looking for, if you recall my comments in the FIDES thread.
The $10 per seat pricing is for existing customers only. Like most endpoint products, I suspect there are required minimum licensing purchase requirements. Also, it might not work standalone but only as an add-on to their other security products such as hardware firewall, etc.
Actually you can really lock down with Fides. I can prevent only Macrium from accessing my images. But I can also lock down Macrium so nothing can access it. Would mean turning it off for update, but that's not that bad.
At least we know now that security products exist, which can block raw-access.
But it is only available for enterprises.
I believe Secure Folders could also do this, the problem is that it didn't monitor for code injection, and Win Explorer should normally be trusted, because otherwise it would become very annoying. I believe "raw-access" isn't a big deal, it has been monitored by HIPS for years with the "low level disk access" method.
Yes, obviously this product is geared to the corporate market, but it's the anti-ransom technique that I'm talking about. Tools like HMPA, AppCheck and RansomFree monitor the file system for rapid file modification; this is the last stage of the attack. StormShield uses a simpler method, but just like with FIDES and Secure Folders, it will only work when code injection into trusted apps is monitored.
It really doesn't matter how much better Storm Shield might be unless you are prepared to buy several 100 seats.
Some of us are quite content with our "cheap seats".
The problem is, if malware injects into explorer.exe, files can be encrypted. But this hole can be closed with additional software.
Again, I was trying to bring the "Extension White-listing" method to attention, which isn't new. But in theory it should be quite effective, and perhaps other tool developers can also implement this.
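As an added illustration (not code from any product named in this thread, and not the poster's own), the following constructed policy evaluator shows how an "extension whitelisting" decision is made and why the posts above insist on checksum checks and injection monitoring: an unknown program gets no file access, a whitelisted program only reaches its own extensions (and raw device access only if explicitly granted), and a trusted program such as Explorer that is allowed everything becomes the hole once foreign code runs inside it. All program paths, extensions and rules are made-up assumptions.

```python
import ntpath
from dataclasses import dataclass

# Constructed example: none of these paths or rules come from a real product.
REFLECT = r"C:\Program Files\Macrium\Reflect\Reflect.exe"   # hypothetical backup tool
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Office\winword.exe"            # hypothetical editor
UNKNOWN = r"C:\Users\bob\AppData\Local\Temp\invoice.exe"    # not in the whitelist

# Prefix of raw volume / disk device names on Windows (\\.\C:, \\.\PhysicalDrive0, ...)
RAW_DEVICE_PREFIX = "\\\\.\\"


@dataclass(frozen=True)
class Rule:
    extensions: frozenset          # permitted file extensions; "*" = any file
    raw_access: bool = False       # may open a volume or disk device directly


# The whitelist: program image -> what it may touch.
POLICY = {
    REFLECT: Rule(frozenset({".mrimg", ".mrbak"}), raw_access=True),
    EXPLORER: Rule(frozenset({"*"})),     # the convenience hole the thread discusses
    WINWORD: Rule(frozenset({".docx", ".doc", ".rtf"})),
}


@dataclass(frozen=True)
class Request:
    image: str                 # on-disk image of the requesting process
    path: str                  # file or device being opened
    op: str                    # "read", "write", "rename", "delete"
    checksum_ok: bool = True   # image still matches the hash recorded at whitelisting
    injected: bool = False     # an injection/hollowing monitor flagged this process


def decide(req: Request, policy=POLICY) -> tuple:
    """Return ("allow"|"deny", reason) for one access request."""
    rule = policy.get(req.image)
    if rule is None:
        return "deny", "unknown program"
    if not req.checksum_ok:
        return "deny", "whitelisted image modified"
    if req.injected:
        return "deny", "foreign code in trusted process"
    if req.path.startswith(RAW_DEVICE_PREFIX):
        if rule.raw_access:
            return "allow", "raw device access permitted for this program"
        return "deny", "raw device access not permitted"
    ext = ntpath.splitext(req.path)[1].lower()
    if "*" in rule.extensions or ext in rule.extensions:
        return "allow", f"{ext or 'no extension'} permitted for this program"
    return "deny", f"{ext or 'no extension'} not whitelisted for this program"


def run_demo():
    """Evaluate a constructed batch of requests; returns [(image, path, verdict, reason)]."""
    requests = [
        Request(UNKNOWN, r"D:\data\report.docx", "write"),
        Request(WINWORD, r"D:\data\report.docx", "write"),
        Request(WINWORD, r"D:\backups\sys.mrimg", "write"),
        Request(REFLECT, r"D:\backups\sys.mrimg", "write"),
        Request(REFLECT, r"\\.\PhysicalDrive0", "read"),
        Request(WINWORD, r"\\.\D:", "write"),
        Request(REFLECT, r"D:\backups\sys.mrimg", "write", checksum_ok=False),
        Request(EXPLORER, r"D:\backups\sys.mrimg", "rename"),                 # allowed: the hole
        Request(EXPLORER, r"D:\backups\sys.mrimg", "rename", injected=True),  # closed by the monitor
    ]
    results = []
    for r in requests:
        verdict, why = decide(r)
        results.append((ntpath.basename(r.image), r.path, verdict, why))
    return results


if __name__ == "__main__":
    for image, path, verdict, why in run_demo():
        print(f"{verdict:5} {image:13} {path:28} {why}")
```

The two Explorer requests are the point of the thread: with the same whitelist entry, the rename is allowed until a separate injection or hollowing monitor marks the process, so the extension policy is only as good as that monitor.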
Recent RansomFree challenge video here... https://www.youtube.com/watch?v=mw-NSNJUZac
I am not sure a challenge as a pathetic demo. One folder. But I was curious, so I installed it in a VM which had no other active security software. Turned off Fides, which was protecting the 2nd hard drive in the VM. The C: drive actually fared pretty well. But the 2nd drive was a total loss. The files in the data folder - encrypted. The folders of malware - encrypted. The Instant Recovery archive - encrypted. The Macrium image files - encrypted.
I would reserve the term "pathetic" for the ransomware protection. Your VM test shows the fuller extent of the software failure.
OK, so RF still doesn't protect multiple partitions? Quite concerning.
Yes correct. Not only direct code injection, but also process hollowing should be monitored.
Now it is working excellently....
I'll give it a test and see how it does with 2 drives.