Trend Micro RansomBuster will stop Ransomware by protecting sensitive folders

Discussion in 'other anti-malware software' started by clubhouse1, Oct 27, 2017.

  1. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    "RansomBuster is a new free anti-ransomware tool from Trend Micro that will help stop all forms of Ransomware attacks on your Windows computer in its tracks, by providing an additional layer of security. It does so by blocking access by an unauthorized process to your important folders."

    http://www.thewindowsclub.com/trend-micro-ransombuster-stop-ransomware
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting, but I would like to see it in real life action, and why is such a simple program 119MB big?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I watched the installation video. My suspicion is you are downloading the entire Trend Micro installation package less sigs. You then just install the Controlled Folders feature included within w/o needing a license key. Trend is known to do stuff like this in the past to save on $$$ rather than creating a separate installer for the feature.

    The big question is if this Controlled Folders feature works properly since Win 10's CEU CF does not.

    -EDIT- Also Win 10 CF only works if WD realtime scanning is enabled. Assumed is Trend's ver. will work with any AV/security solution.
     
    Last edited: Oct 29, 2017
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If this is true, then they should be ashamed of themselves. :thumbd:
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I just checked their download site and it definitely does not exist as a separate download there.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    There is also another possibility why the download is so large. You are actually installing the Trend AV engine, albeit running in a limited capacity. As has been noted about these protected folders apps, there is the issue of fully protecting the allowed processes accessing the protected folders.

    -EDIT-

    Perhaps Trend is including its AI Engine? That indeed would be neat!
    http://blog.trendmicro.com/trend-mi...er-shield-protect-unknown-ransomware-malware/

    When I get a chance, I am going to test out the app. One thing Trend is noted for is running "heavy" on a device.
     
    Last edited: Oct 29, 2017
  7. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    I just installed it and it only protects one folder C:\Users\xxxxx\Documents

    I would like to have a comparison and add those additional folders protected by Windows Controlled Folder Access, if any, to RansomBuster.

    Can't do it because I'm using a 3rd-party AV/AM so can't access. Can someone post the folders protected by Windows Controlled Folder Access, if any?

    Thanks
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    According to the windowsclub article, you can select additional folders to protect. Refer to the article on how to do that.

    As far as folders to protect, I would start with anything associated with your logon id as shown in the below screen shot:

    [Screenshot: Protected_Folders.png]

    If multiple people use your PC, I would also add corresponding folders associated with their user ids.
     
    Last edited: Oct 30, 2017
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Please let us know what Trend actually installed. Curious to know if their AV engine is actually running.
     
  10. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    I got a brief glance of the Windows Controlled Access Folder before I installed a 3rd-party AV/AM. If I'm not wrong there's a list of default folders there.
     
  11. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    I went to Revo Uninstaller Pro and checked. Only RansomBuster was installed.

    Task Manager shows 'Client Session Agent' and 'Platinum User Session Agent'. Not sure what's the latter for.

    It's a program with a simple GUI. The pictures are as shown in post #1
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I really doubt they would give this away for free. It's probably a simple file/folder protection tool.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    This is a bit dated but below are Titanium's 2015 components:
    Understanding behavioural detection of antivirus
    https://www.royalholloway.ac.uk/isg/documents/pdf/technicalreports/2016/computer-weekly-articles/soonchailiangcw.pdf
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    If that is the case, then it will be easily bypassed. Doubt Trend would associate their rep. with such a product.

    Protecting folders is only 50% protection. You also have to protect the processes that have access to those folders.
     
  15. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    You definitely need another anti-ransomware software to protect your system
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    ITMan- RansomBuster is More (and Less) than meets the eye. Definitely needs a video for a full explanation.
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Apparently, only 2 folders are blocked in the free version as tested by someone over at Malwaretips. More than that will require the paid version

    :(
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    There are more issues than that.
     
  19. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    So would the default Windows Controlled Folder Access and other Folder/File locker software like Easy File Locker from

    http://www.xoslab.com/efl.html

    also suffer from the same issues you mentioned?

    Thanks
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    No. This is complicated to explain. I did a quick look on how it actually operated and think that I have to malware to demonstrate these points. I'm currently doing a Dog and Pony show elsewhere now but will try to have a video demo if and when I get back.
     
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Maybe you can do a video to show how malware can bypass say Windows Controlled Folder Access, TM's RansomBuster and Easy File Locker from XOSLAB

    Thanks
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I MAY have time for RansomBuster.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    There're always "gotcha's" with freebies unfortunately.

    Actually, I don't need a video from @cruelsister. Just a statement it can be easily bypassed. That's enough for me to not consider it.

    In reality, all these type "solutions" are lacking. You are better off just using a HIPS and create your own directory access rules. Then create additional ones to protect any processes accessing them if not already done so.
     
    Last edited: Oct 31, 2017
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In this situation Pumpernickel is designed to handle it. And it does a good job
     
  25. TrendMicro

    TrendMicro Registered Member

    Joined:
    Oct 31, 2017
    Posts:
    3
    Location:
    California
    Hi Everyone,
    Brook from Trend Micro here and I just wanted to reach out and say thank you for trying out RansomBuster and providing feedback. One thing to note is that yes, we did create RansomBuster on the same platform as our Trend Micro Security products. While it does add a bit to the download size, it affords us a lot of flexibility. One thing we are able to do with RansomBuster is block ransomware, even if it tries to encrypt files not in the protected folders. We watch for any app or process that attempts to encrypt your files. We halt the process before the first file is encrypted, back it up, and then let the encryption occur. If we detect that ransomware is doing the encryption (usually any process that is encrypting numerous files rapidly) we will halt and kill the process and restore the files. RansomBuster is designed to enhance other security software.
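
The back-up, allow, then kill-and-restore flow described in the post above, as an added conceptual sketch in Python; it is not part of the thread and not Trend Micro's code. The entropy test, the thresholds, the `Monitor` class and the in-memory file store are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

ENTROPY_MIN = 7.0        # assumed bits/byte cut-off for "looks encrypted"
BURST, WINDOW = 3, 5.0   # assumed: 3 encrypt-like writes within 5 s = ransomware

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class Monitor:
    def __init__(self, files):
        self.files = dict(files)           # path -> current content
        self.backups = defaultdict(dict)   # pid -> {path: content before its first write}
        self.recent = defaultdict(deque)   # pid -> times of encrypt-like writes
        self.killed = set()

    def on_write(self, pid, path, new_data, now):
        """Handle one write attempt; returns 'blocked', 'allowed' or 'killed'."""
        if pid in self.killed:
            return "blocked"
        old = self.files.get(path, b"")
        suspicious = entropy(new_data) >= ENTROPY_MIN > entropy(old)
        if suspicious:
            self.backups[pid].setdefault(path, old)   # back up before the write
            times = self.recent[pid]
            times.append(now)
            while now - times[0] > WINDOW:            # forget writes outside the window
                times.popleft()
        self.files[path] = new_data                   # then let the write occur
        if suspicious and len(self.recent[pid]) >= BURST:
            self.killed.add(pid)                      # stand-in for terminating the process
            self.files.update(self.backups.pop(pid))  # restore originals
            return "killed"
        return "allowed"

def fake_ciphertext(seed, size=4096):
    """Constructed high-entropy bytes standing in for encrypted content."""
    return hashlib.shake_256(seed).digest(size)

def demo():
    edited = b"edited by the user " * 40
    docs = {f"doc{i}.txt": b"quarterly report text " * 50 for i in range(4)}
    mon = Monitor(docs)
    verdicts = [mon.on_write(1, "doc0.txt", edited, 0.0)]   # ordinary edit
    for i in range(4):                                       # constructed burst by pid 666
        verdicts.append(mon.on_write(666, f"doc{i}.txt", fake_ciphertext(bytes([i])), 1 + i / 10))
    return verdicts, mon.files == {**docs, "doc0.txt": edited}
```

In this sketch the first two encrypt-like writes are allowed with a backup taken, which is why the restore step is needed once the third write crosses the burst threshold.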
     