WinPatrol WAR (formerly WinAntiRansom)

Discussion in 'other anti-malware software' started by haakon, Dec 17, 2015.

  1. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    I have put WAR on my wife's laptop and have warned her she may see a warning. As she doesn't install programmes it will be a flying pig. If it does happen she knows to tell me. It would be nice to have software that didn't pop-up, but as a non-expert I suspect this would leave some bases open. The odd inconvenience is fine by me. I am more interested in WAR playing well with other installed security programs, especially AV.
     
  2. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    In my case it's WAR that whitelists IDM, not me, and the test file runs from IDM. That is a failing of WAR in my view.
    Actually I've just attached the file to my mail program, and successfully opened the test file from there. So that means if I receive ransomware by email and open it, WAR will allow it because my email client is whitelisted? Whitelisting must be at the top of the rule chain for this to happen?
     
    Last edited: Apr 20, 2016
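
Added example, not part of the thread and not WAR's code: a toy model of the rule ordering asked about in post #2, comparing a policy where a whitelisted launcher ends evaluation with one that judges the launched file itself. The whitelist entry, the paths and the double-extension heuristic are assumptions for illustration; WAR's actual rules are not described on this page.

```python
import ntpath

# Constructed sample data: B2.exe and test1219.pdf.exe are named in the thread;
# the paths, the whitelist contents and the rule logic are assumptions.
WHITELIST = {"b2.exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}
EVENTS = [  # (parent image, child image) process launches
    (r"C:\Windows\explorer.exe", r"C:\Users\demo\Downloads\test1219.pdf.exe"),
    (r"C:\Program Files\Becky\B2.exe", r"C:\Users\demo\AppData\Local\Temp\test1219.pdf.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Becky\B2.exe"),
]

def looks_disguised(image_path):
    """True for names like x.pdf.exe: a document extension hidden before an executable one."""
    stem, last = ntpath.splitext(ntpath.basename(image_path).lower())
    inner = ntpath.splitext(stem)[1]
    return last in EXE_EXTS and inner in DOC_EXTS

def is_whitelisted(image_path):
    return ntpath.basename(image_path).lower() in WHITELIST

def verdict_child_only(parent, child):
    """Trust belongs to the image being started, never to whatever started it."""
    if is_whitelisted(child):
        return "allow"
    return "prompt" if looks_disguised(child) else "allow"

def verdict_parent_first(parent, child):
    """Whitelist at the top of the rule chain: a trusted launcher ends evaluation."""
    if is_whitelisted(parent):
        return "allow"
    return verdict_child_only(parent, child)

def compare(events):
    """Return (parent-first verdict, child-only verdict) for each launch event."""
    return [(verdict_parent_first(p, c), verdict_child_only(p, c)) for p, c in events]

if __name__ == "__main__":
    for (parent, child), verdicts in zip(EVENTS, compare(EVENTS)):
        print(ntpath.basename(parent), "->", ntpath.basename(child), verdicts)
```

Only the second event differs between the two policies: the attachment opened from the whitelisted mail client is allowed under the parent-first ordering and prompts when the child is judged on its own.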
  3. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    From what I understand there is no way to remove applications from the whitelisting? I was interested by WAR, but if it's so...:(
     
  4. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    sshot-2.jpg
    There is an option to un-whitelist by setting slide or right clicking and removing data, see pic. I've played a little more and come to the conclusion that maybe the test file is NOT a good example to use at all to test WAR. As I said in previous posts the test file can be run from my email client, which is whitelisted. However I tested real malware in the same way, and WAR did detect and pop up when run from downloads or my email client, with detection number 19 (I don't know what that is). The WAR test file gets detected with number 1 (again I don't know what that is) when run from downloads, but doesn't get detected when run from whitelisted email client.
     
  5. haakon

    haakon Guest

    If by "remove" you mean disable whitelisting, in the Programs window change the applications' whitelist slider from green to grey as ellison64 has shown in post #154.

    Otherwise, right click the program and select Remove Data. This removes the application from the Programs list.
     
  6. haakon

    haakon Guest

    Then you'll find WAR to be nice.

    Verify the default Smart Recognition and Easy Mode settings are On.
    Set the Prompt Duration to 0 minutes to disable the prompt.
    Set Show taskbar icons... to Off.

    Bingo! Boredog's Grandma Mode. Or in your case, Wife Mode. :D
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    O.K. Thanks @haakon and @ellison64 for the explanation, it's quite clear:)
     
  8. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Looks good. Is the security reduced in taking the human out of the equation? My big security worry is ransomware, even though I have backups. Will WAR automatically catch the ransomware without my intervention?
     
  9. haakon

    haakon Guest

    I've been busy reporting an issue to WAR support as well as bugging (get it?) Bret with some questions.

    Not only is his support immediate and detailed, it took him about a day and a half to fix an arcane and tricky issue with Windows' UI message pump.

    For the renowned expert members of Wilders, here is the latest non-public minor upgrade and patch release of WAR:

    https://www.winpatrol.com/downloads/winantiransom-setup-2016.4.418.exe

    "This update contains quite a few fixes, one of which is increased reliability during Windows 10 startup.
    Other fixes include fixing a bug that resulted in prompts not always being raised reliably.
    Issue that resulted in Chrome crashing sometimes.
    Improved detections.
    This is the unofficial changelog."
     
  10. haakon

    haakon Guest

    Yes. And in grandma/wife mode (as previously determined), you'll never know it! :thumb: Until you poke about the various screens in the WAR GUI, of course. Fortunately, catching the ransomware is automatic whether you want to know or not. One might even go so far in concluding that catching ransomware automatically is The Big Plan.
     
    Last edited by a moderator: Apr 20, 2016
  11. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Excellent. I'll be grandma.
     
  12. haakon

    haakon Guest

    I asked Bret to review these posts and a fix is in the works. So my thoughts on the apps' whitelists were off the mark.

    In the meantime, executing newly downloaded stuff should be opened from a Windows folder.
     
  13. Bret Lowry

    Bret Lowry Registered Member

    Joined:
    Dec 21, 2014
    Posts:
    19
    Hi, I want to thank everyone for questioning this behavior and those who pinged me about this thread.
    Internal testing has confirmed a bug in WAR, we are working to close it off as quickly as possible.
    We've had a few reports we couldn't make complete sense of until we were introduced to this thread, then we realized what was happening.
    Working together like this, we will make WinAntiRansom even better.

    We had a release we were set to have go live today, but are postponing it in order to get this fix out as soon as possible.

    Thank you again for bringing this to our attention.

    Bret.
     
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks for the heads up :thumb:
     
  15. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks haakon...
    On a different note, any idea what the detection numbers refer to? I get 1 for test file and 19 for some real malware. I've looked in help but can't seem to find any references?
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Ellison they use those for internal purposes as to not give the bad guys any heads up as to the detection.

    Haakon : thank you very much for your help!!!

    "grandma/wife mode"

    Yes that should be an option in the GUI :)
     
  17. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    In grandma mode, if you install a trusted program that WAR flags there is no pop-up. Is there a way to install a program in trusted mode, or do you have to stop WAR?
     
  18. haakon

    haakon Guest

    Boredog is correct.

    FYI: Bret's official statement on those numbers is in post #120.

    In addition to 1 and 19, I have 5 and 71. And I don't even know how I did it. :p
     
  19. Bret Lowry

    Bret Lowry Registered Member

    Joined:
    Dec 21, 2014
    Posts:
    19
    We have an updated build available and I had to laugh when I saw the build number, because it is somewhat apropos considering the bug we fixed.

    https://www.winpatrol.com/downloads/winantiransom-setup-2016.4.420.exe

    We also have an additional/new test file, https://www.winpatrol.com/downloads/test1219.pdf.exe that will be replacing textpad.pdf.exe as our test file soon. Once this bug is confirmed as fixed. Textpad is a valid program we altered for testing, test1219.pdf.exe is a program we wrote from scratch and is a part of our automated testing regime.

    I want to thank everyone again for calling this bug to our attention.

    Thanks,
    Bret.
     
  20. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    sshot-1.jpg
    Hiya Bret
    I'm not sure it's 100% fixed. Although I can't run the test file directly from Internet Download Manager anymore (I now get WAR detection), I can still send the test file to my mail client as an attachment and open it successfully from my mail client. So not sure what's going on there.
     
  21. Bret Lowry

    Bret Lowry Registered Member

    Joined:
    Dec 21, 2014
    Posts:
    19
    Hi Ellison,

    Thanks for the feedback. I need more data on your email set-up. What mail client are you using? Did you simply attach the .exe file?
    It could simply be an issue with the way we're doing things with that mail client, there are so many it is impossible to test with them all.

    Thanks,
    Bret.
     
  22. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Hello... Yes, I right clicked the test file in downloads, then clicked "send to" B2.exe (my mail client Becky Internet Mail), so that I then have essentially mail compose window with the text file as an attachment. I then clicked the attachment from within Becky. See pic in previous post.
     
    Last edited: Apr 22, 2016
  23. Bret Lowry

    Bret Lowry Registered Member

    Joined:
    Dec 21, 2014
    Posts:
    19
    Thanks. This is the first any of us have heard of Becky mail. We'll have to check it out, we've come across some really great software we've never heard of before in this way. :)
    Bret.
     
  24. haakon

    haakon Guest

    @Bret Lowry

    For the "Is Passive" column in the Programs window, what is the purpose/effect of checking (the check box) a program? Thanks.
     
  25. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Bret, is there a way you could make the whitelist self-cleaning? The list gets littered with files that no longer exist, such as installers, etc. I've been going in and manually deleting these entries, but it seems like you could have the program automatically scan and remove entries that no longer exist at the same time it looks for new files. Just a suggestion...
     