SentinelOne adds feature to restore files hit by ransomware

Discussion in 'other anti-malware software' started by ronjor, Nov 18, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,724
    Location:
    Texas
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The rollback feature leverages built-in capabilities in Microsoft's Windows and Apple's OS X. Both operating systems take snapshots of files on a computer. In Windows, it's known as Volume Shadow Copy Service and on OS X as journaling.

    The technologies are used for restoring systems. The snapshots of the files are kept in a secure area and wouldn't be affected by ransomware if it infected a machine, Gemmell said. SentinelOne is also adding some anti-tampering defenses to make sure the snapshots aren't affected.

    From the above, it is obvious the author has no idea how ransomware, i.e. CryptoLocker variants, works. Most will execute one of the following commands, depending on the delivery method used, to delete all volume shadow copies:

    C:\Windows\syswow64\vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\syswow64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
    Any anti-exec or HIPS can monitor those commands. Or, just rename vssadmin.exe as bleepingcomputer.com recommends here: http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
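    As an added illustration of the monitoring itman describes (this is example code written for this page, not SentinelOne's product logic or anything posted in the thread), the following Python script scans process-creation records for vssadmin shadow-copy deletion. The log format is a constructed pipe-delimited layout (timestamp, parent image, image, command line) standing in for what a Sysmon Event ID 1 or Security 4688 entry would carry, and the sample lines are invented. The rule generalizes beyond the four command lines listed above: it matches any vssadmin invocation whose arguments contain "Delete Shadows", regardless of path (System32 or syswow64), letter case, the duplicated "vssadmin.exe vssadmin.exe" form, or extra switches such as /For= and /Oldest.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not real telemetry). Layout assumed here:
#   timestamp|parent image|image|command line
SAMPLE_LOG = """\
2015-11-18T10:01:02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt
2015-11-18T10:02:10|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\syswow64\\vssadmin.exe|C:\\Windows\\syswow64\\vssadmin.exe Delete Shadows /All /Quiet
2015-11-18T10:02:11|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\vssadmin.exe|C:\\Windows\\System32\\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
2015-11-18T10:03:00|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2015-11-18T10:04:00|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|VSSADMIN delete shadows /for=C: /oldest
"""

# Image name must be vssadmin or vssadmin.exe, as the last path component,
# so a renamed copy (the bleepingcomputer mitigation) or an unrelated binary
# whose command line merely mentions the words does not trigger the rule.
VSSADMIN_IMAGE_RE = re.compile(r"(?:^|\\)vssadmin(?:\.exe)?$", re.IGNORECASE)

# The destructive verb/noun pair; whitespace between them may vary.
DELETE_SHADOWS_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-delimited record into its fields; None if malformed."""
    parts = line.rstrip("\r\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, parent, image, cmdline = parts
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def is_shadow_deletion(record: Dict[str, str]) -> bool:
    """True when vssadmin is asked to delete shadow copies, whatever the switches."""
    return bool(VSSADMIN_IMAGE_RE.search(record["image"])) and bool(
        DELETE_SHADOWS_RE.search(record["cmdline"])
    )


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return every record in log_text that matches the shadow-deletion rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_shadow_deletion(rec):
            alerts.append(rec)
    return alerts


def format_alert(rec: Dict[str, str]) -> str:
    """One-line alert; the parent image is the first thing a responder wants."""
    return (
        f"{rec['ts']} SHADOW_COPY_DELETION image={rec['image']} "
        f"parent={rec['parent']} cmd={rec['cmdline']!r}"
    )


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(format_alert(hit))
```

    Running the script prints three alerts: the two commands launched from the invoice.exe parent and the /For=C: /Oldest variant; the "list shadows" query is left alone. Matching on the image path rather than the raw string keeps the rule honest about the renamed-vssadmin mitigation, and surfacing the parent process is what separates a suspicious dropper from an administrator's cmd.exe in triage.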
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    This is an enterprise solution. They don't disclose price so it's probably out of the home user range.

    Pete
     
  4. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    331
    They don't even have a public trial version to assess SentinelOne. ;-)
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    LOL, lately you have been on fire, thanks for the interesting posts.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  7. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,438
    They probably put System Restore and Shadow Copies in an encrypted folder.

    Ransomware can only infect what it can see. Even if it encrypts all your files, your Restore snapshots and stored data are still unaffected.

    So in theory, you can go back in time before you were infected. You just will lose more recent work unless you already backed it up before the ransomware hijacked your system.

    SentinelOne offers an interesting approach to thwarting a zero day threat.
     