WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What is it supposed to do? Does it simulate ransomware?
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    That was taken from their fast start guide on page 11.

    Just click on fast start guide on top left of page. https://www.winpatrol.com/mydownloads/

    Feature Testing
    PreEmptive Strike:
To test PreEmptive Strike: Please download the following file and save it to disk: https://www.winpatrol.com/downloads/textpad.pdf.exe The program textpad is perfectly safe, but we’ve renamed it to mimic something done by both ransomware and malware to trick you into running their program. They use extensions like .doc.exe, .xls.exe, .pdf.exe and many more, leveraging the fact that Microsoft hides file extensions by default. By doing so, they hope to trick you into thinking the file is a valid data file, rather than a malicious program. Once downloaded, open WinAntiRansom Explorer and open the PreEmptive Strike page. Now, double-click on the test executable you downloaded to run it. You may receive a dialog like below, please click Run.

    I guess I am trying to say that on my system, when I click on the textpad file and it shows the three options I mentioned, if I click Run I get no protection: the textpad program opens, but since it is an exe it can open the file. When I however click on the test file from my programs folder, it kicks up a warning that it was stopped, and it shows in the log file.
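    As an added illustration of the naming trick the quoted guide describes (this is not code from the thread or from WinPatrol): a small Python check that flags double-extension names such as textpad.pdf.exe and shows what Explorer displays when "Hide extensions for known file types" is on. The extension lists and the sample folder listing are constructed assumptions, not anything WinPatrol ships.

```python
# Added example: detect the ".pdf.exe" / ".doc.exe" double-extension trick
# and show what a user with hidden extensions would actually see.
from pathlib import PurePath

# Assumed list of data-file extensions attackers place *before* the real one.
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
             ".txt", ".jpg", ".jpeg", ".png", ".zip", ".mp3", ".mp4"}
# Assumed list of extensions Windows runs directly on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
             ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows with 'Hide extensions for known file types' on:
    only the final extension is dropped, so 'textpad.pdf.exe' -> 'textpad.pdf'."""
    suffix = PurePath(filename).suffix
    return filename[:-len(suffix)] if suffix else filename


def is_deceptive_name(filename: str) -> bool:
    """True when the real (last) extension is executable and the one just
    before it looks like a harmless data file, e.g. 'invoice.pdf.exe'.
    Comparison is case-insensitive, so 'Invoice.DOC.scr' is also caught."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXEC_EXTS and suffixes[-2] in DATA_EXTS


def scan_names(filenames):
    """Return (real name, name the user sees) for every suspicious entry."""
    return [(f, displayed_name(f)) for f in filenames if is_deceptive_name(f)]


if __name__ == "__main__":
    # Constructed sample Downloads listing; only the first two use the trick.
    sample = ["textpad.pdf.exe", "Invoice_2016.DOC.scr", "report.final.docx",
              "setup.exe", "photo.jpg", "notes.txt.bak"]
    for real, shown in scan_names(sample):
        print(f"{real}  (shown to the user as '{shown}')")
```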
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ScreenHunter_03 Apr. 02 12.22.jpg Let me do pictures, maybe then it is more understandable. This is what shows in IE when you click on the download file.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ScreenHunter_04 Apr. 02 12.23.jpg Clicking run opens textpad.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ScreenHunter_05 Apr. 02 12.25.jpg Now clicking on the EXE that was downloaded to my downloads folder gives me the warning pop up.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I guess I am trying to say shouldn't the exe be blocked when you click run also?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It does the same on my system, but I don't understand what this test is supposed to prove.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    It was explained by them in my post # 77
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually that doesn't answer my question. What is so special about being able to block this file, if it's not even simulating anything malicious? Is it about the misleading file name?
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think that is correct. It appears like using a known file name to mask malware.

    There are a lot of people that don't change the MS setting to see file extensions and hidden files. And so to them it just looks like a PDF file?
     
    Last edited: Apr 3, 2016
  11. haakon

    haakon Guest

    @ rasheed187: there is no need for another "I don't understand" or "I don't get it" or "I wonder" Reply. These are evident in advance.

    Having WinAntiRansom up and running on my primary and very busy Windows 7 x64 system for almost a week, I've had some time to dig under the hood a bit.

    WAR injects a kernel driver CGKDarkWatcher.sys into System only. This sets it apart from other solutions having multiple targeted application profiles, some using injections, i.e. MBAE with its widely distributed mbae64/32.sys.

    WAR_TrayApp.exe, WARgk.exe and WARSvc.exe are the running processes. WARExplorer.exe renders the GUI. With a full array of proprietary libraries, there is one particular stand-out: Ruiware.WAR.Arsenal.dll.

    Dark Watcher and its Arsenal in an act of WAR. How :cool: is that?

    WARSvc connects occasionally with winpatrol.com via nicely ciphered HTTPS to gather up a few KB of data, probably feeding the Smart Recognition feature "where definitions are used to make Allow determination." Judging from the small-scale data exchange, this doesn't conform to a detection signature/definition support construct. There is no other connectivity unless one invokes a VirusTotal submission. That is, no cloud dependence.

    04/04 EDIT: Regarding the data update to some local files, here's what Bret related to me via email upon my inquiry as to WAR's protection relative to timely update in the event of network issues, etc.:
    Actually, if those files fall behind, WAR is more likely to block something good* than to let something bad get by.
    The WAR engine is behavior based and leverages those files, plus a few other things in determining when to block a new process, but they are more for giving leeway to known good than known bad like the AV companies do.
    In fact, the video showing WAR blocking Petya was made before we ever got a sample of that in our lab. It is effective against most malware, as well as Ransomware and really good at detecting zero day threats.
    * Note that in the event of blocks, the user can always whitelist manually.

    WinAntiRansom - so far, so good. Very good.
     
    Last edited by a moderator: Apr 4, 2016
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ScreenHunter_06 Apr. 03 15.38.jpg I am getting a lot of GREP.DAT preemptive actions from the program. If I look that up online it seems to deal with current date in log files. Anybody else seeing this? Malware-like action (5). Also WGET.DAT seems to be originating from Russia. In the Programs tab it says "does not exist". Even though these are in the Preemptive action tab, I never got a popup for them.
     
    Last edited: Apr 3, 2016
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't get it, did I ask for all this info about WAR? Interesting reply though, but I'm more interested in the techniques that WAR is using to protect against ransomware. Too bad that cruelsister is not that active in this thread.

    It's a bit strange if you ask me. It doesn't show the true power of WAR.
     
  14. haakon

    haakon Guest

    For Wilders members ONLY. Shhhhhhhh. Don't tell anyone!

    WAR 2016.3.395 is in final testing. "It gives the ability to stop/start protection, create up to 10 safezones and updates our detection engine to make it more effective while reducing false positives." Special thanks to Bret for the info.
     
  15. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Great news regarding the update.

    I just removed 38 items from the program list that, "does not exist". I am hoping someday that these programs will be automatically removed. Most of them were in temp folder.
     
  16. haakon

    haakon Guest

    Well, any anti-whatever should deal with TEMP activity in the file system and it would be nice to have them purged as necessary. But then there's Sysinternals' stuff that writes to TEMP (procexp64.exe, RAMMap64.exe, etc.) that I'm not wanting removed.

    The entries are, of course, harmless but they do clutter up the UI. Fortunately, one can filter on the bunch, shift-select 'em all and Remove Data in one swoop.

    The continued development is encouraging and I'm looking forward to a serviceable and beneficial future. As well as a profitable one for Ruiware.
     
  17. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Why can't I set an SD card as a safezone? Why is it 'special'? It has nothing on it.

    Aren't office files protected whether they are in a safezone or not?
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I like the song!!!!

    I wonder, were those the default settings that blocked it in video number three?
     
  20. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    I've seen a video on YouTube where a ransomware bypassed WAR. WAR is good, but not rock solid.
     
  21. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Do you know where I can get the latest beta version?
     
  22. haakon

    haakon Guest

    WAR was final released in December 2015 and to the best of my recollection there was never a public beta.
     
  23. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Some users would state that the official release was a beta :rolleyes::isay:
     
  24. haakon

    haakon Guest

    :argh: That could be a legitimate perception. But I can't say as I started using it with the March 11 release on two of my production Windows 7 systems. Where they're doing just peachy keen.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ScreenHunter_08 Apr. 09 10.37.jpg It not only creates a lot of Do Not Exist entries, but on my system it creates an entry for the same program and whitelists it.
    I think these entries are due to Windows Defender trying to run a scheduled scan and either completing or not completing. A new folder is created each time in the temp dir with a different GUID number.
     
    Last edited: Apr 9, 2016