Ransomware and WSA in general.

Discussion in 'Prevx Releases' started by Esse, Sep 23, 2013.

Thread Status:
Not open for further replies.
  1. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    I remember last year we had a thread here regarding ransomware, I think it was Biozfear who did a test.
    The question was if you are locked out of safe mode and what WSA would do with the monitor/rollback feature.
    How is this working today?
    Even if I can't reach my desktop and am locked out of the system, will WSA still monitor and clean the computer after the "cloud" reaches its verdict that this file is malicious?
    Or do these kinds of malware and others break WSA's connection to the cloud, preventing it from making a decision?
    With the new variants of crypto ransomware, where your computer and mapped drives become encrypted and there is no other way to fix it but to pay up, I find this scary to say the least.
    I think WSA would block outgoing traffic generated by a malware like this (preventing it from communicating with its "mother server", so to speak), but I would like to hear Joe's opinion on this?

    /E
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA will reverse any changes from malware which encrypts your data. There have been infections which have tried to block us from connecting to the cloud, but WSA has numerous methods of finding its way out beneath them and I actually haven't seen any instance of something blocking WSA in several years. If for some reason we aren't detecting a threat, just marking it as bad locally will allow it to be undone automatically.

    One of the more recent ransomware infections deviated from the normal method and instead of encrypting data, it just locked you out of your PC. We released a generic update for this - rather than rely on any detection or blocking, we're just locking down the system to prevent anything from taking over.

    Let me know if you have any questions!
     
  3. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    I have found that having Hitmanpro Kickstart on USB is good at dealing with a ransomware-infected machine. I have been infected a handful of times whilst running different AVs, e.g. Norton, McAfee etc.

    Interested to hear how WSA deals, but IME not many AVs are capable of neutralising these threats (maybe KIS and BD are exceptions).
     
  4. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Thanks Joe!

    Regarding your comment above, I understand that I can locally deem a file bad and it will reverse.
    But if I can't get in and do that manually (my desktop is locked), will WSA automatically do this by itself if I just leave the computer on and online, as soon as the threat is detected in the cloud database?

    /E
     
  5. sturgess

    sturgess Registered Member

    Joined:
    Aug 24, 2011
    Posts:
    158
    Hi silverfox99, do you know where or how you were infected?
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes exactly (and, in any event, the latest builds of WSA will prevent your computer from being locked, so you wouldn't run into this scenario).
     
  7. GreekGuy

    GreekGuy Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    41
    Location:
    Toronto, CANADA
    The effectiveness of Webroot against ransomware seems to be a popular topic both here and at the Webroot forum.

    PrevxHelp....How about creating and posting an instructional video that shows Webroot in action against some of the recent ransomware variants that are causing so much concern?
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree - I think that would be a very good idea. I'll pass it on to our marketing team :thumb:
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    If they actually make a video, I surely look forward to it. Since as we know it's not always easy to explain this and that with words and letters only, and WSA is no exception :cool:
     
    Last edited: Sep 23, 2013
  10. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Yup, actions speak louder than words. :thumb:
     
  11. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Great idea!

    /E
     
  12. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Great news!

    Thanks Joe :D

    /E
     
  13. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Not that this issue has to do with ransomware in general, but I am too lazy to start a new thread :cool:

    When I get infected by an unknown file, I was under the impression that this file was monitored and NOT allowed to connect to the internet?

    If you take a look at the attached popup windows from WSA, you will see what I have to call a double message.
    It basically tells me to block the request, but at the same time it is allowing the connection in xxx seconds?
    What is up with this?
    A user might not be in place in front of the computer when this happens, resulting in an "auto allow".

    o_O

    /E
     
  14. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Regarding ransomware, I have a VM running WSA that is now under the influence of a locked screen of some kind; I cannot do anything.
    Let's see how long it will take for WSA to deal with this problem.

    /E
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Defaulting to allow exists only within the firewall, and only for that one connection. If we defaulted to block, we'd end up breaking a lot of software which updates in the background.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you PM me with your keycode and let me know what version of WSA you're using?
     
  17. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    I am using a trial version, Joe, and I do not know the key code (if there is one for the trial version? And the malware won't let me in). I think it is the Internet Security version.
    Maybe I can try to find the malware file in question if that could help?

    /E
     
  18. james246

    james246 Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    80
    Any reason as to why this ransomware had such an adverse impact? I thought WSA blocked this type of malware from locking the computer, or at the very least after a relatively short time would automatically roll back the machine to a clean state.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, it does; we just added in the logic to block it proactively so that the wait time for detection to be added wouldn't be required.
     
  20. james246

    james246 Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    80
    It is great to hear that WSA would have reversed the problem in due course anyway.
     
  21. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    When will this logic be available? I had the FBI virus today. Easily removed by task manager but would be better if proactive detection was available.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It should already be active. If you still ran into it and it wasn't blocked, could you please send a sample to my username at gmail.com so that I can take a look? We haven't found any samples that get through the current measures.

    Thanks!
     
  23. GreekGuy

    GreekGuy Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    41
    Location:
    Toronto, CANADA
    I had something similar happen to me yesterday. In my case, the ransomware warning message popped up in my browser window (Google Chrome), and it locked just the browser: I could not close the tab containing the message, and when I tried closing the browser, it would not close either. So, my screen had the ransomware warning, but it was being displayed just in a locked browser window.

    I had to start Task Manager, go to the Applications tab and manually shut down Chrome. That got rid of the ransomware warning message and my computer ran perfectly afterward with no apparent damage being done.

    I don't believe this is the same type of ransomware being discussed in this thread. Webroot is guarding against the type which locks you out of your entire computer and not just your browser.
     
    Last edited by a moderator: Oct 2, 2013
  24. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Your Gmail should have the files from me now also Joe.

    Still locked out here and just 5 days to go on the Trial :p

    /E
     
  25. james246

    james246 Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    80
    Ransomware has locked out Esse's computer for some time now (5 days since originally posted on the forum).

    Two questions:
    1) Why did the ransomware get through in the first place?
    2) Why has the journaling feature not worked to automatically reverse it?
     