ShieldFS Can Stop and Revert the Effects of Ransomware Infections

Discussion in 'other security issues & news' started by itman, Jul 27, 2017.

  1. itman

    itman Registered Member

    If this works, bye-bye third party anti-ransomware software.
    https://www.bleepingcomputer.com/ne...-revert-the-effects-of-ransomware-infections/

    Additional ref.: https://www.blackhat.com/docs/us-17/wednesday/us-17-Continella-ShieldFS-The-Last-Word-In-Ransomware-Resilient-Filesystems.pdf
     
  2. itman

    itman Registered Member

    Of note is that Petya and Cerber variants were not tested.
     
    Last edited: Jul 28, 2017
  3. guest

    guest Guest

    About the self-protection of ShieldFS:
     
  4. itman

    itman Registered Member

    Question is if it will be a "protected" kernel mode process which would require the use of Win 10's ELAM driver.
     
  5. EASTER

    EASTER Registered Member

    Looks like something somewhat similar (albeit additional method) to Ransom0ff to me only deeper embedded maybe?
     
  6. itman

    itman Registered Member

    Don't want to "bust their bubble" on this but all the malware has to do is ensure its driver loads prior to theirs. It could then intercept the loading of the ShieldFS driver. This is an "old APT trick." This is why I mentioned the Win 10 ELAM driver use. Although it is not 100% hackproof from the aforementioned, it at least is the first app driver to load after all device drivers have loaded. The question is if Win 10 supports the loading of multiple ELAM based drivers since some AV software including WD use it? Win 10 might interpret this as multiple AV realtime protection and block the ShieldFS driver loading.
     
    Last edited: Jul 27, 2017
  7. Rasheed187

    Rasheed187 Registered Member

    Actually it sounds a lot like what most behavior based anti-ransom apps are already doing. Perhaps they may have perfected the methods currently being used.
     
  8. boredog

    boredog Registered Member

    Their website.

    http://shieldfs.necst.it/

    "ShieldFS scans the memory of any process considered as potentially malicious, searching for traces of the typical block cipher key schedules."
     
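    Added illustration of the quoted idea (scanning process memory for block cipher key schedule traces); this is not ShieldFS code, and it assumes AES-128 with the expanded key stored contiguously in round order, using a constructed sample buffer in place of a real memory dump:

```python
# Added illustration (not ShieldFS code): find AES-128 key schedules in a buffer.
# Assumes AES-128 and a 176-byte schedule stored contiguously, in round order.
import random
def _gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _build_sbox():  # AES S-box: multiplicative inverse, then the affine map
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key

def aes128_key_schedule(key):
    """FIPS-197 key expansion: 16-byte key -> 176 bytes (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_schedules(buf):
    """(offset, key) for every window that is the expansion of its own first 16 bytes."""
    return [(off, buf[off:off + 16]) for off in range(len(buf) - 175)
            if aes128_key_schedule(buf[off:off + 16]) == buf[off:off + 176]]

def build_sample_image(key, offset, size=4096, seed=7):
    """Constructed stand-in for a process memory dump: random filler + one schedule."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[offset:offset + 176] = aes128_key_schedule(key)
    return bytes(img)
```

    Calling find_aes128_schedules(build_sample_image(SAMPLE_KEY, 1000)) recovers the embedded key at offset 1000; random filler never satisfies the 160-byte expansion relation, so a match is a strong indicator that a process holds expanded AES round keys.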
  9. Peter2150

    Peter2150 Global Moderator

    I don't see any evidence of a product yet.
     
  10. boredog

    boredog Registered Member

    No, they said in the article Rasheed posted a link to that they would be releasing it soon.
    They can be e-mailed for their dataset.
     
  11. itman

    itman Registered Member

    They patented the concept.

    Most of these university based projects are sold to a private concern and the university uses the proceeds to fund other university research and like organizational efforts. A lot depends on if the university is private or public. Private ones can do pretty much what they want since taxpayer funding is not a concern.
     
  12. itman

    itman Registered Member

    Also a point posted below made by the developers in regards to incremental backups. That is, some important data could be lost in the interval since the last backup:
    https://threatpost.com/shieldfs-can-detect-ransomware-recover-files/127121/
     
  13. Peter2150

    Peter2150 Global Moderator

    How is this different than Pumpernickel, save price?
     
  14. itman

    itman Registered Member

    Don't know it. Perhaps you can fill us in on it.

    In any case, we'll have to wait until some AV vendor incorporates ShieldFS into their existing solution. I assume this is the segment the developers are targeting.
     
  15. Peter2150

    Peter2150 Global Moderator

    Pumpernickel (FIDES) is a simple driver. Its purpose is to allow blocking writes to a disk drive. So for example I have 3 internal drives. My c: drive I protect from tampering with hourly backups. But the other 2 are too big to do that so Pumpernickel comes into play. In a black list I block the entire drive so nothing can write to it. Then I white list the imaging program. This means only the imaging program can write to these drives, nothing else can. Period.
     
  16. Rasheed187

    Rasheed187 Registered Member

    I wonder if their data-set can be used to improve other products. And why would they share this, I'm guessing they won't sell a commercial version?
     
  17. itman

    itman Registered Member

    Well, Kaspersky's blog had a posting on it. So I assume they are exploring if it would be something worthwhile to include in their products.

    Since it's a driver, it couldn't run stand alone but would have to be included in other security software. Appears to me the University researchers would maintain and upgrade the AI algorithms as part of the licensing agreement, which would be attractive to AV vendors who don't want to get into that stuff.
     
  18. Peter2150

    Peter2150 Global Moderator

    Why? Pumpernickel runs strictly as a driver
     
  19. itman

    itman Registered Member

    As you previously posted about it:
    The ShieldFS only monitors for crypto primitive activity and only against select file extensions. Plus there is the auto backup capability. Appears to me to be functionally equal to AppCheck but can be incorporated into most AV solutions. Theoretically it could run stand alone I guess like Pumpernickel, but that would limit it to a limited tech support base. There is also the marketing aspects of selling a stand alone driver.
     
  20. Peter2150

    Peter2150 Global Moderator

    I agree, but there is a price for that. I'll bet ShieldFS, however it is sold, will be more than $13.
     
  21. itman

    itman Registered Member

    Well, send them an e-mail as noted below. Who knows? They might just give you the driver for free. I assume you will be "on your own" after that however.
    http://shieldfs.necst.it/
     
  22. Peter2150

    Peter2150 Global Moderator

    Not interested. Have no need for it
     
  23. kram7750

    kram7750 Guest

    It will be a good product I think, but bye to third party solutions? Nope imo.

    As for the self protection, unless they are gonna use the hypervisor for system wide virtualization for KM patching on x64 then there's nothing new to see. They will use the same methods other vendors use like KM callbacks. No change there.
     
  24. Trooper

    Trooper Registered Member

    This is gonna have to be a wait and see kind of thing.
     
  25. Peter2150

    Peter2150 Global Moderator

    Go read all they say on the website. Doesn't even protect against Petya class ransomware. I suspect a lot will wait before they see.
     