WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,354
    How about 20% off?

    :thumb:
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Sorry, but the test is useless. Any app can achieve that by monitoring certain resources and when app that isn't whitelisted tries to access it, it'll warn you. Same can happen with pretty much any CLEAN app that simply isn't whitelisted.

    The main problem here will be, how to differentiate actual malicious app from non-whitelisted clean app when the popup appears? The answer is, YOU CAN'T. Which means people will end up just clicking "Allow" in the end which in result defeats the whole purpose of such "protection".
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    According to the tester, WAR is using behavior based tech, so it's not only using a whitelist. Do you care to explain what you mean?
     
  4. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    673
    I'm really starting to like this program. After the latest update, the program is running great. Bret is quick to fix any problems. I am going to have to rely on others to test it. I am looking forward to seeing further testing.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    signed up at the forum but never got an e-mail to verify. Wanted to report a problem with whit listing a program called Unhackme.

    UPDATE: JUST TRIED REGISTERING AGAIN AND GET AN ERROR EVERY TIME

    Even though I paid for this program I might have to uninstall it because I hate problems like this.
     
    Last edited: Mar 7, 2016
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    15,862
    Location:
    UK
    Perhaps try contacting Bret Lowry through Wilders pm's.
     
  7. @RejZoR

    I am like @Rasheed187 also curious what do you mean?

    Ransomware has to pass some easy (using HKCU runonce) and some hard (process hollowing/code injection) to defend gates to succeed in its infection. For ransomware the same applies as for all malware, you don't need to defend all intrusions these types of malware uses. So focussing on a few attack vectors might be an effective approach.

    Look at for instance AppGuard, it "only" applies a few HIPS techniques (a lot less than Spyshelter or Comodo for example):
    a) Run guarded aps in LUA
    b) Set a deny execute on user space for unsigned applications
    c) Monitors private folders for (illegal) access
    d) Monitors memory access (I guess suspicious soft RWX access)
    Ask the users of AppGuard, it is as solid as fort knox

    So Win-anti Ransomware, monitoring "only" some simple to defend events
    a) Suspicious registry access (already part of WinPatrol)
    b) Suspicious windows objects access (behavioral component)
    c) Applying a whitelist
    d) Protecting a specific folder
    As the video's of Cruel Sister demonstrate, this might also be a very effective aproach.

    After a run once entry is created for an executable outside UAC protected folders and vsaadmin is called to delete any existing shadow copies and bcdedit is called to disable recovery and the executable is not in the whitelist how many more clues does it take to suspect this is ransomware? How many legitemate software applications would run such a series of related events? The risk of False Positives is way less than for instance HPMA (which protects the hard to defend intrusions also).

    There is elegance in simplicity IMO.

    Regards Kees
     
    Last edited by a moderator: Mar 8, 2016
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    Wait a minute, then I might have misunderstood Cruel Sister's test. When I say "behavior based", I'm talking about the ability to block processes from modifying files rapidly, by looking at file system operations. If WinAntiRansom is not doing this, then I consider it to be less advanced than HMPA and MBARW. But this doesn't mean it's less effective.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    By now you all must know ReiZor has been banned from Wilders?
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    Yes, I saw his post about AV's, it was amusing but against rules. But I'm not sure why he was banned.
     
  11. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,253
    Seeing as my previous link to his article was removed. I will just say search for his blog on google, you can find an article explaining why he was banned.

    However it's better to stop this conversation here or move it to pm.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    The program shows as registered in the GUI so am guessing it is registered.
    The newest version appears to be xx.365
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Today when trying to install Microsoft Photo Gallery WAR did the old preemptive strike again and stops the install. Once again no program that gets the preemptive strike can be whitelisted. Even though it shows as whitelisted it is not. I have tried to sign up at their forum twice and never can and so have no way of contacting anyone. I am really starting to think buying this software was a big mistake. It must still be in big time beta.
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    No to go off-topic, but his status still says "registered member" and not "banned" which (afaik) is what the status change to when the member is banned.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    Wow, this doesn't sound too good.

    Yes, this is why I was confused.
     
    Last edited: Mar 11, 2016
  17. Jerry666

    Jerry666 Registered Member

    Joined:
    May 28, 2002
    Posts:
    174
    Same here , bought the full package and now not getting much of a response on the site , tried it a few times ans each time it had to be uninstalled because of system freezes and or high cpu use .. Seems it's not ready for prime time , looks promising though . Hope they get things going .
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    What’s new in 2016.3.368 (posted March 11th, 2016)
    • Fixed bug that could result in perfectly valid programs/installers getting blocked.
    • Optimized inter-process communication, improving program performance while lowering CPU/Network usage.
     
  19. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    609
    Location:
    U.S. Citizen
    Salutations/Greetings!

    https://www.youtube.com/channel/UC7czj0EMrBm51e2x6OoDxOA
    https://www.youtube.com/watch?v=Z5wICziBBHw

    Maybe, if you post on their YouTube link you get responses back quicker?
    Or bugs fixes that they need to make!
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    New video about WAR:

    https://www.youtube.com/watch?v=equvK65PakY
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    nice video Rasheed. The only issue I had was the blocking of legit programs. Now with the newest version a lot of that has gone away.
     
  22. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Running fine on all three of my pc's
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    I hope Cruelsister will give some more technical info about WAR. She did tell me that she was working together with the developer to minimize false positives.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    It does look like a keep so far. Support is awesome too
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Just wanted to point out she or he is using a Win XP virtual system not a win 10 64 bit.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.