RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    Thanks itman
     
  2. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    223
    Location:
    USA
    Thanks for trying. But I'm concerned with my primary, and basically only, drive. I'll continue to use it as part of a layered approach to security, as I don't have any other product specifically targeting ransomware. I'm not aware of any 100% foolproof software of the kind people seem to be demanding of RF, at least nothing I'm willing to pay for.

    So thanks again, even though I never asked that you test it, I just think it should be given a fair shot by whoever does test it.

    Still curious that a competing security software company would have found it much more worthy, but maybe like Cybereason they don't know what they're doing either.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    That is certainly your choice.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    There is an article on Bleepingcomputer that is interesting. Among other things this ransomware targets. It would ignore the honey pots that RansomFree uses. This is the weakness.

     
  5. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    223
    Location:
    USA
    Not if it uses other methods along with honey pots. Good night!
     
  6. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,096
    Location:
    UK


    Fair enough. I just tend to prefer user reviews by demonstration rather than word of mouth; however, I will try software for myself and disregard others' opinions on occasion and try them for myself.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    I am totally for that myself. The harder part is setting up to test malware. That does take some care.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
  9. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    FIDES has similar functionality, but without a GUI and with fewer "features".
    I can globally deny read access to files, so that only specific applications have access to files, or access to files with a specific extension.
    "Unknown programs" don't have any access.
    But nevertheless SES-RDe seems to be much more advanced.
    It checks the checksum of allowed programs, prevents ransomware from injecting into trusted applications, etc.

    And interestingly, it is able to block raw access to the data:
     
  10. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,900
    Location:
    Mexico
    Quite interesting. This is what I was looking for, if you recall my comments in the FIDES thread.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,406
    Location:
    U.S.A.
    The $10 per seat pricing is for existing customers only. Like most endpoint products, I suspect there are minimum licensing purchase requirements. It also might not work standalone, but only as an add-on to their other security products such as a hardware firewall, etc.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    Actually you can really lock down with Fides. I can prevent only Macrium from accessing my images. But I can also lock down Macrium so nothing can access it. Would mean turning it off for update, but that's not that bad.
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    At least we know now that security products exist which can block raw access.
    But it is only available for enterprises.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    I believe Secure Folders could also do this; the problem is that it didn't monitor for code injection, and Win Explorer should normally be trusted, because otherwise it would become very annoying. I believe "raw access" isn't a big deal; it has been monitored by HIPS for years with the "low level disk access" method.

    Yes, obviously this product is geared to the corporate market, but it's the anti-ransom technique that I'm talking about. Tools like HMPA, AppCheck and RansomFree monitor the file system for rapid file modification; this is the last stage of the attack. StormShield uses a simpler method, but just like with FIDES and Secure Folders, it will only work when code injection into trusted apps is monitored.
     
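The three detection approaches compared in this thread (RansomFree's decoy files, rapid-file-modification monitoring as in HMPA/AppCheck, and the extension whitelisting mood describes for FIDES) can be sketched as a toy detector run over constructed file events. This is an added illustration, not code from any of those products; the process names, paths, decoy set and thresholds are all made up, and the sample deliberately has the unknown process skip the decoy folder, as Peter2150's Bleepingcomputer article describes, so that the honeypot signal alone misses it.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class FileEvent:
    t: float       # seconds since session start
    pid: int
    process: str   # image name, lower-case
    path: str      # full path written or renamed
    op: str        # "write" or "rename"

# Decoy files a RansomFree-style tool would plant (constructed paths).
HONEYPOTS = {r"C:\Users\u\Documents\~decoy\budget.xlsx"}
# Extension whitelist, FIDES/Secure Folders style: which programs may touch which types.
# Programs not listed are "unknown" and get no access at all.
ALLOWED = {"winword.exe": {".docx"}, "reflect.exe": {".mrimg"}}

def ext(path):
    """Last extension of the file name component, or "" if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def honeypot_hits(events):
    """PIDs that touched a decoy file (the honeypot signal)."""
    return {e.pid for e in events if e.path in HONEYPOTS}

def rapid_modifiers(events, window=5.0, threshold=8):
    """PIDs that touched >= threshold distinct files within any `window` seconds."""
    flagged, by_pid = set(), defaultdict(list)
    for ev in sorted(events, key=lambda x: x.t):
        by_pid[ev.pid].append(ev)
    for pid, evs in by_pid.items():
        for i, start in enumerate(evs):
            if len({x.path for x in evs[i:] if x.t - start.t <= window}) >= threshold:
                flagged.add(pid)
                break
    return flagged

def extension_violations(events):
    """PIDs that are unknown programs, or touched a type outside their whitelist."""
    return {e.pid for e in events if ext(e.path) not in ALLOWED.get(e.process, set())}

def verdict(events):
    reasons = defaultdict(set)
    for pid in honeypot_hits(events): reasons[pid].add("honeypot")
    for pid in rapid_modifiers(events): reasons[pid].add("rapid-modification")
    for pid in extension_violations(events): reasons[pid].add("extension-whitelist")
    return dict(reasons)

# Constructed sample: Word saving one document, then an unknown process renaming
# ten user files to .locked in under two seconds while never touching the decoy.
EVENTS = [FileEvent(0.0, 100, "winword.exe", r"C:\Users\u\Documents\report.docx", "write")]
EVENTS += [FileEvent(30.0 + i * 0.15, 200, "unknown.exe",
                     rf"C:\Users\u\Documents\file{i}.docx.locked", "rename") for i in range(10)]
```

Running `verdict(EVENTS)` flags PID 200 for rapid modification and the extension whitelist but not for the honeypot, which is exactly the gap the thread worries about when a tool relies on decoys alone.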
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    It really doesn't matter how much better Storm Shield might be unless you are prepared to buy several hundred seats.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    Some of us are quite content with our "cheap seats".
     
  17. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    The problem is, if malware injects into explorer.exe, files can be encrypted. But this hole can be closed with additional software.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Again, I was trying to bring the "Extension White-listing" method to attention, which isn't new. But in theory it should be quite effective; perhaps other tool developers can also implement this.
     
  19. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    153
    Location:
    Baana
    Recent RansomFree challenge video here... https://www.youtube.com/watch?v=mw-NSNJUZac
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    I am not sure a challenge as a pathetic demo. One folder. But I was curious, so I installed it in a VM which had no other active security software. Turned off Fides, which was protecting the 2nd hard drive in the VM. The C: drive actually fared pretty well. But the 2nd drive was a total loss. The files in the data folder - encrypted. The folders of malware - encrypted. The Instant Recovery archive - encrypted. The Macrium image files - encrypted.
     
  21. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    153
    Location:
    Baana
    I would reserve the term "pathetic" for the ransomware protection. Your VM test shows the fuller extent of the software failure.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    OK, so RF still doesn't protect multiple partitions? Quite concerning.

    Yes correct. Not only direct code injection, but also process hollowing should be monitored.
     
  23. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,473
    https://www.helpnetsecurity.com/2017/02/13/ransomfree/

     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    530
    Location:
    Croatia
    Now it is working excellently.... :argh:

     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    I'll give it a test and see how it does with 2 drives.