WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. guest

    guest Guest

    @Windows_Security

    I agree with you, but I haven't paid for the products in my signature; I have them because I was a betatester. I have them installed for the same reason I spend time in this forum: it's like a hobby.
    Anyway, the last time I suffered a malware infection was with Blaster in Win 98. We need less protection and more education.
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Lord Raiden- I totally agree with you that education is needed, however two of the biggest "Best practices" taught to stay safe online may often be totally without value. These two are constantly promoted for a person to evade malware infection:

    1). Use a very good AV, keep it updated, and
    2). be smart and practice "safe surfing".

    The issues here are fairly simple:

    1). Using a good, updated AV- As I've noted a bunch of times before, the first truism that any decent Blackhat learns in Malware School is that a well coded malicious file should be assumed to avoid being detected by the best traditional AV for at least 8 hours, and by most of the others for about 24 hours. One will learn how to morph the malware to make it fresh every morning (just like coffee). So a blind reliance on an AV is at best misplaced.

    2). Safe Surfing- to demonstrate the fallacy here, one has to consider the most popular current way to serve up malicious stuff (not in any way including email attachments and the like that only the brain-dead will fall for): In the past it was best to acquire FTP credentials for the website to be hacked and recode the page. Now one need not go through that trouble because it is easier to do this through advertising on a website!
    Indeed malvertising has increased about 500% in the past year and is done like this:

    a. Pay a website to host an ad with an exploit disabled,
    b. once the ad is approved, enable the exploit after a week or so.
    c. to avoid easy detection, set up the exploit to only infect the tenth, fifteenth, or twentieth user to view the ad.
    d. Use SSL redirectors in malvertising chain.
    e. Other stuff, but I won't darken your day further.

    This technique has been used to deliver malware on sites like The New York Times and The Huffington Post in the past year. Even sweeter is doing this thing on websites like Forbes which REQUIRE that ad blockers be disabled before a user can see the content. Not only will the Blackhat succeed (and did), but she got a really good chuckle in the process (What Fools these Mortals Be). A Safe Surfer would undoubtedly feel secure browsing around the NY Times website. Once again, this feeling would be misplaced.

    So is education helpful in avoiding malware? Absolutely- as long as a person is taught the proper things and not urban legends.
     
  3. @cruelsister and @guest

    Sorry to spoil the party ;). I have a more traditional view on ICT.

    Civilisation is described in legislation and policies. So, like in the real world, you can buy a car, but you commit to the laws and legislation which apply to that car and to you when you participate in traffic. So education is important, only, like buying a car, you should not need to start from zero in the learning curve. When we buy a PC we have to start from zero and educate ourselves. WHY?

    We govern our real world through policies, legislation and human rights. When this works in the real world, why not apply this in the digital world also? In other words: software applies restriction policies and limits user rights (just enough to fit the function). Why don't Microsoft OSes prevent shoot-in-the-foot errors (like Linux and its derivatives such as Mac OS and Android)? The Linux sudo can be easily mimicked by running as admin using basic user SRP. Every Windows Home version can get Software Restriction Policies with a simple registry hack (as Lucy posted in the past).

    Like in the real world, when you develop a car, you need to prove it is safe, otherwise people are not allowed to use it in public. Why don't we apply this simple rule to software also? So combine SRP with legislation, so that only software which can identify itself as safe is allowed ring-0 access (Admin rights). Set UAC to validate administrator signatures and replace Microsoft's stupid "a referral was returned from the server" with one which actually describes what is wrong, and Average Joe and Jane are good to go.
     
    Last edited by a moderator: Aug 5, 2016
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "a. Pay a website to host an ad with an exploit disabled,
    b. once the ad is approved, enable the exploit after a week or so.
    c. to avoid easy detection, set up the exploit to only infect the tenth, fifteenth, or twentieth user to view the ad.
    d. Use SSL redirectors in malvertising chain.
    e. Other stuff, but I won't darken your day further."

    I heard about these hacks the other day on the sites you listed plus more.
    I see them on torrent sites all the time.

    On my Windows I still see the fake alerts now and then but no redirects anymore. I tried it using my sister's Kubuntu machine yesterday and first time, bang, to a porn site lol.
    I don't have any other security programs installed on her machine and thought it would be OK. WRONG!!!!
    And I am no expert at all with Linux stuff, although it has become way easier for home users to use now.

    Closest I ever got to black hat was visiting rootkit dot com years ago, back when Holy Father was still around.
     
  5. These 'Monkey Meat Sandwich Stories' only happen to people who use old browsers without a sandbox (like Firefox for example) or use "safe" and "private" Chrome copies which lag several releases (like Comodo Dragon which also used to disable same origin policy). They all should consider buying WAR+ (to bring this discussion back to the thread topic).
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Wild, so we can buy WAR for Kubuntu?

    not sure what you are trying to say.

    I have bought WAR for my system.
    Are you drinking the expensive booze, not Canadian?
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    @Windows_Security

    Thanks to your recommendation about the lifetime special offer, I decided to get this...nearly missed out. ;)
    Screenshot (2).png
     
  8. haakon

    haakon Guest

    Wow! It charges the battery to 100%, too! :argh:
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I had the Surface Book on charging overnight...and had just switched it on this morning. :D
     
  10. Some Dutch sayings don't translate well into English. Ah well, lost in translation I guess.
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I am almost sure that there is a conflict between WAR + and Eset, others could reproduce it too.

    I like WAR + but not enough to drop Eset :D
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Are those apps in the screenshot all white-listed? If so, I assume it's to prevent false positives?

    I do believe that specialized products are often better than AV's, so they are still worth it IMO. It's also a great solution for people who don't want to install bloated AV's.
     
  13. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Have just been giving WAR a run out. I discovered that it uses a whitelisting solution and does not prevent potential attacks just by behavioural analysis as I had been led to believe. For example, I was installing AdBlock Plus and Revo Uninstaller and WAR popped up blocking both with its pre-emptive strike, saying that they both showed signs of ransomware behaviour! So if your system is effectively locked down, then it's hardly surprising that it stops ransomware along with all other executable files.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    cache
    Yes, it does do some preemptive on unknown programs, but if they were installed before installing WAR I am thinking they get whitelisted. You can always remove them in the preemptive strike window. I had it do that to MBAE the other day as well.
     
  15. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Thanks boredog. The point I was making is that WAR will block ALL unknown programs so that it is inevitable that it will block ransomware and any other malicious code. It is not as clever as I first thought it was.
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "Program Recognition
    We STRONGLY suggest leaving “Smart Recognition” activated.

    Why?

    That’s easy. “Smart Recognition” tells WinAntiRansom to utilize our definitions and automatically allow “known good” programs.

    Pretty cool, huh?
    We’ve done a lot of the work for you, but because we know this is your computer we give you the final say."
     

  17. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Smart Recognition was activated. Can't be that smart though; it thinks Revo and Adblock Plus are ransomware.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    No, it just saw ransomware-type activity.
     
  19. haakon

    haakon Guest

    Oh there is so so so much more to ransomware than an exploitable executable.

    WAR's Artificial Intelligence Engine has demonstrated itself to be extremely clever. Intelligent, in fact.

    What you're looking for is All-Knowing Recognition. Let us know when you've found it. :)

    Known good programs will populate WAR's Allow definitions once enough users allow them. And as WAR, this relatively new program, progresses.

    As well, the Settings pane describes Smart Recognition as optionally participatory.

    I've been using WAR for several months and have had to Allow a bunch of stuff which every one else uses, too. :rolleyes: It has also allowed a Big Boatload of known-good stuff I use, too.

    By popular acclaim and editorial content, WAR is a leader in the anti-ransomware arena and I just live with the decision making.

    Anyhows, after a while WAR becomes accustomed to your system and it quiets down.

    Ransomware is the most insidious threat to our systems in history - highly effective "set-it-and-forget-it" and/or automatic full system inclusive protection doesn't exist. If it ever will.

    At this juncture, WinAntiRansom is as close as you can get to the bestest there ever be.

    Otherwise it could be that WAR is... Not For You.
     
    Last edited by a moderator: Aug 6, 2016
  20. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    I'm not convinced it is. As I use VoodooShield, I'm not sure that WAR brings anything else to my armoury that I don't already have. As far as I can see, VS will block all this ransomware in the same way.
     
  21. guest

    guest Guest

    Honestly, when I tested WAR on my system (I had it 2 or 3 days) I thought it worked like a HIPS due to the amount of decision popups I got (FP?). It was only after I read this thread more carefully that I discovered it had a BB component.
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "I'm not convinced it is. As I use VoodooShield"

    Hello? The maker of VoodooShield recommends using them both. Read the VoodooShield thread, dude. cruelsister did tests on both VoodooShield and WAR. If not here, read the malwaretips discussion about the subject.
    And do not forget to clear your cache!!!!!!!

    Read what this site has to say. http://www.ghacks.net/2016/03/30/anti-ransomware-overview/

    Detected ransomware by WAR:

    most, if not all, ransomware
     
  23. haakon

    haakon Guest

    I am familiar with VoodooShield and the not-free is stellar and I'd recommend it to anyone I'd consider savvy enough to use it. But it's also not the All-Knowing solution you expected of WAR.

    Note that nowhere in their The Concept, How it Works and FAQ pages does the word "ransomware" exist. Well, using the Find function in Mozilla and PDF-XChange Viewer. If effective anti-ransomware was a feature worth exploiting (pun intended) one would think their marketing would have jumped on that by now. Their user guide PDF does show how one may test an unknown in their sandbox, using a ransomware example. A good old school hands-on solution!

    And I believe you missed the point: Its AI Engine is the anything else WAR would bring to your armory.

    That's all I have to say about this.
     
    Last edited by a moderator: Aug 6, 2016
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    haakon, I agree with you. Not sure how big VoodooShield's AI cloud or even WAR's cloud AI is, but I do know how big Cylance's AI cloud is.
    And QuietZone is just like Deep Freeze: once you reboot, all is gone.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    My view is that if we continue the way we are with the Android and Windows operating systems, then malware, ransomware, whatever you want to call it, will continue to thrive. The reason? Both these products are insecure by design.

    Android's problem is not so much how the OS is designed and operates but more so how the vast majority of end users of Android do not get OS security updates, due to the commercial interests of the phone vendors and carriers. E.g. Android always had the capability to use SELinux, but Google only recently decided to start using it.

    Windows does supply regular security updates, but it has the problem that the OS itself has very poor foundations from a security perspective. I made a thread on this and was surprised people attacked me for pointing this out. The main problems with Windows are rundll32 and svchost being allowed to act as frontends for malware, and of course, even though Microsoft was planning it back in the year 2006, in 2016 Windows still does not have users using limited accounts by default. It was the whole reason UAC was developed. UAC was to make developers make their apps not require admin permissions to run; once that got achieved, the next step was supposed to be to deprecate use of admin accounts, but for whatever reason this never happened, possibly related to the bad press Vista got on UAC. Instead Microsoft made things even worse by implementing a hard-coded whitelist for UAC to satisfy the tech press, which has proven to be exploitable.

    It's an even sadder situation when one realises Microsoft added very good tools within Windows, but then locked these tools out to consumers, such as AppLocker. My view is AppLocker is far more 0-day proof than any commercial product out there. But Microsoft has deemed it an enterprise-only feature; apparently only enterprise needs good security.

    Another big issue I have with the commercial market is it's very reactive, not proactive. Note ESET introduced ransomware protection in v10, way after ransomware had already plagued the world. Why? Shouldn't the product already protect against it based on previous claims? Same with other vendors implementing features after the damage is done.

    The issues we get with hooks and so forth (the recent HMPA issues are a good example) are why I believe OS security should be handled by the OS developers. They are in the best position to implement a stable security framework which will always work, as they develop that and the rest of the OS.

    In the old days a web advert was hosted by the website itself; there was no trust in and reliance on a third party. The way it works now is always an accident waiting to happen. Also a bit like how certain webmasters will use JavaScript code hosted on a remote server they don't have control over, absolutely crazy. The mind boggles at some of the stuff in place today.
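Post 3 (basic-user SRP on Home editions, UAC set to validate administrator signatures) and post 25 (limited accounts by default, AppLocker as an enterprise-only feature) both point at Windows controls whose state can be checked from the machine itself. The script below is an added, read-only audit example; it is not code from this thread, from WinPatrol or from any poster. The registry paths and value names are Microsoft's documented locations for SRP and UAC policy; the numeric-to-label mappings in the comments are assumptions taken from that documentation, and the AppLocker check simply reports whether the cmdlet exists on this edition.

```powershell
# Added example (not from the thread): read-only audit of SRP, UAC and AppLocker state.
# It only reads the registry and the effective AppLocker policy; it changes nothing.
Set-StrictMode -Version Latest

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value, or $null when the key or value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SrpState {
    # Software Restriction Policies (the "basic user SRP" from post 3) live under this key,
    # on Home editions too once the key exists. Assumed DWORD meanings from the SRP docs:
    # DefaultLevel 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $level  = Get-RegValue $base 'DefaultLevel'
    $scope  = Get-RegValue $base 'PolicyScope'        # 0 = all users, 1 = all except local admins
    $transp = Get-RegValue $base 'TransparentEnabled' # 1 = all software except DLLs, 2 = DLLs too
    $label  = 'not set'
    if ($null -ne $level -and $levels.ContainsKey([int]$level)) { $label = $levels[[int]$level] }
    [pscustomobject]@{
        Configured      = ($null -ne $level)
        DefaultLevel    = $label
        AppliesToAdmins = ($scope -eq 0)
        CoversDlls      = ($transp -eq 2)
    }
}

function Get-UacState {
    # UAC values referenced in posts 3 and 25. ConsentPromptBehaviorAdmin (assumed mapping):
    # 5 = prompt for non-Windows binaries (default), 2 = always prompt, 0 = elevate silently.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        UacEnabled              = ((Get-RegValue $base 'EnableLUA') -eq 1)
        AdminPromptBehavior     = Get-RegValue $base 'ConsentPromptBehaviorAdmin'
        ValidateAdminSignatures = ((Get-RegValue $base 'ValidateAdminCodeSignatures') -eq 1)
    }
}

function Get-AppLockerState {
    # The AppLocker cmdlets ship only on editions that include the feature (post 25's point),
    # so a missing cmdlet is reported rather than treated as an error.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Available = $false; RuleCount = 0 }
    }
    $policy = Get-AppLockerPolicy -Effective
    $count  = 0
    foreach ($collection in $policy.RuleCollections) {
        $count += ($collection | Measure-Object).Count
    }
    [pscustomobject]@{ Available = $true; RuleCount = $count }
}

function Test-ElevatedSession {
    # True when the current token holds the Administrators role, i.e. this is not the
    # "limited account" that post 25 argues should be the default.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Summary table: one row of the posture the thread is arguing about.
$srp = Get-SrpState
$uac = Get-UacState
$al  = Get-AppLockerState
[pscustomobject]@{
    ElevatedSession         = Test-ElevatedSession
    SrpConfigured           = $srp.Configured
    SrpDefaultLevel         = $srp.DefaultLevel
    SrpAppliesToAdmins      = $srp.AppliesToAdmins
    SrpCoversDlls           = $srp.CoversDlls
    UacEnabled              = $uac.UacEnabled
    AdminPromptBehavior     = $uac.AdminPromptBehavior
    ValidateAdminSignatures = $uac.ValidateAdminSignatures
    AppLockerAvailable      = $al.Available
    AppLockerRuleCount      = $al.RuleCount
} | Format-List
```

Run it in a normal (non-elevated) PowerShell window; reading these policy keys needs no admin rights. The default-deny posture post 3 describes corresponds to SrpDefaultLevel of Disallowed (with explicit allow rules under the same key) or a non-zero AppLocker rule count; an elevated everyday session with AdminPromptBehavior 0 is the opposite of it.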
     