What about dedicated Anti-Ransomware products?


4 replies to this topic

#1 Slaheddine_Djait

  • Members
  • 2 posts
  • Gender:Male

Posted 31 January 2018 - 11:32 AM

What do you think about dedicated Anti-Ransomware products like Malwarebytes Anti-Ransomware Beta, Cybereason RansomFree, ZoneAlarm Anti-Ransomware, Kaspersky Anti-Ransomware, etc.?

Are these products mature enough? Are they effective? Can they be recommended for businesses?




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,765 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 January 2018 - 12:55 PM

You should use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it, rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software.
 
I keep an updated list of ransomware prevention tools (Post #2) in this topic. Be sure to read the Important Note below the list.

To protect against ransomware, I use the following:

CryptoPrevent is a supplemental security tool that writes 4000+ group policy object rules (Software Restriction Policies) into the registry in order to prevent executables in specific locations from running. CryptoPrevent can be used to lock down any Windows OS to prevent infection by crypto ransomware, which encrypts personal files and then offers decryption for a paid ransom. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com, *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, %userprofile%, %programdata%, Recycle Bin, Startup Folder) from running. Due to the way that CryptoPrevent works, it protects against a wide variety of malware and ransomware. There are several levels of protection but most users only need to use the default setting - "Set it and forget it" protection.

AppCheck Anti-Ransomware Free runs in the background and reacts when ransomware attempts to make changes to your computer. It includes the following features:
  • Proactive Protection from ransomware and file damaging behavior...it recognizes file modification and blocks file damage.
  • Ransom Shelter backs up original files in real-time before they get encrypted by ransomware and protects the backup.
  • Self Protection to protect AppCheck related process and files from malware attack.
  • Protection from ransomware modifying both the MBR (Master Boot Record) and the GPT (GUID Partition Table).
  • Exploit Guard provides blocking protection against both known and zero-day exploits against programs which execute malicious code.
NoVirusThanks OSArmor runs in the background and scans the processes for any suspicious activity. It comes preloaded with more than 30 security policies that help in distinguishing between the normal and bad behavior of a process and includes the following features:
  • Basic Anti-Exploit Protection.
  • Block Process Execution.
  • Block System Process.
  • Protect Microsoft Office Applications against exploits.
  • Monitor Applications and block any suspicious process started by these applications
Malwarebytes Anti-Exploit (MBAE) is an action level security application (behavior based) that continuously monitors popular applications, preventing vulnerabilities in software and browsers from being exploited, blocks unknown and known exploit kits, proactively preventing the exploit from installing its payload before it can do damage. More specifically, Malwarebytes Anti-Exploit provides four layers of exploit protection to include protection against Operating System security bypasses, memory caller protection, application hardening, and application behavior protection...meaning it will protect against code execution that uses a certain vulnerability in an application, stop memory calls, sandbox escapes, prevent script-based drive-by downloads, and memory mitigation bypasses. Malwarebytes Anti-Exploit runs in the background as a standard Windows Service providing real-time protection against the malicious action of exploiting software vulnerabilities. Malwarebytes Anti-Exploit blocks the malicious action of exploiting software vulnerabilities, blocks software exploits, blocks zero-day exploits that target browser and application vulnerabilities, blocks exploit kits and defends against script-based drive-by download attacks. Malwarebytes Anti-Exploit is primarily for protection against software exploitation...it does not protect against social engineering, the human exploit often resulting from fraud, trickery, spam and phishing emails.

Noscript.exe is a simple (but older) stand-alone utility by Symantec which disables the Windows Scripting Host (WSH), preventing all script based programs (including malicious files) from executing automatically on the system. Disabling the WSH can help with stopping Poweliks and similar malware known to download ransomware and other infections. Using Noscript could also cause interference with some legitimate programs, keeping them from working properly, but you can always quickly and easily revert the changes with the same tool if necessary.

I also use Emsisoft Anti-Malware which includes exploit protection. Emsisoft's Behavior Blocker is effective against unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. With the release of v2017.5, Emsisoft now has a separate Anti-Ransomware module.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
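
The CryptoPrevent paragraph in the post above describes Software Restriction Policy (SRP) path rules planted straight into the registry. The following is an added example, not CryptoPrevent's code and not something from this thread: it builds the same kind of Disallowed path rules for the user-writable locations the post names (the exact root list, the limit of two subfolder levels, the descriptions and the set of registry values written are my assumptions), offers a dry run plus a matcher so the rule set can be checked offline on any OS, and writes to HKLM only on Windows, from an elevated prompt, when explicitly asked.

```python
"""Software Restriction Policy (SRP) path rules written directly to the registry, the
mechanism CryptoPrevent wraps. Added example, not CryptoPrevent's code: root list, depth
limit, descriptions and the set of values written are assumptions. Builds the rule set
in memory so it can be inspected anywhere; writes to HKLM only on Windows, elevated,
and only when dry_run=False."""
import fnmatch
import sys
import uuid
from itertools import product
from typing import Dict, List

SAFER_BASE = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL_DISALLOWED = 0           # SAFER_LEVELID_DISALLOWED: the rule bucket that blocks
LEVEL_UNRESTRICTED = 0x40000   # SAFER_LEVELID_FULLYTRUSTED: default for everything else

# User-writable locations the post lists, where droppers and downloaded payloads land
BLOCK_ROOTS = [r"%AppData%", r"%LocalAppData%", r"%ProgramData%", r"%UserProfile%"]
EXTENSIONS = ["exe", "com", "scr", "pif"]


def build_rules(roots=BLOCK_ROOTS, exts=EXTENSIONS, depth: int = 2) -> List[Dict[str, object]]:
    """One Disallowed rule per root, subfolder depth and extension:
    %AppData%\\*.exe, %AppData%\\*\\*.exe, %AppData%\\*\\*\\*.exe, ..."""
    rules = []
    for root, ext in product(roots, exts):
        for d in range(depth + 1):
            rules.append({
                "guid": "{%s}" % uuid.uuid4(),      # each rule lives under its own GUID key
                "ItemData": root + r"\*" * d + r"\*." + ext,
                "SaferFlags": 0,
                "Description": "Block executables in user-writable location (added example)",
            })
    return rules


def matches(rule_path: str, candidate: str, env: Dict[str, str]) -> bool:
    """Approximation of SRP path matching: expand %VAR%, then compare component by
    component, so one '*' covers exactly one folder level (as SRP wildcards do)."""
    pattern = rule_path
    for name, value in env.items():
        pattern = pattern.replace(f"%{name}%", value)
    p_parts, c_parts = pattern.lower().split("\\"), candidate.lower().split("\\")
    return len(p_parts) == len(c_parts) and all(
        fnmatch.fnmatchcase(c, p) for p, c in zip(p_parts, c_parts))


def would_block(candidate: str, rules: List[Dict[str, object]], env: Dict[str, str]) -> bool:
    return any(matches(str(r["ItemData"]), candidate, env) for r in rules)


def rule_key(rule: Dict[str, object]) -> str:
    return "\\".join([SAFER_BASE, str(LEVEL_DISALLOWED), "Paths", str(rule["guid"])])


def apply_rules(rules: List[Dict[str, object]], dry_run: bool = True) -> List[str]:
    """List what would be written; with dry_run=False on Windows (elevated) also write it."""
    lines = [f"HKLM\\{rule_key(r)}  ItemData={r['ItemData']}" for r in rules]
    if dry_run or not sys.platform.startswith("win"):
        return lines
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, SAFER_BASE) as base:
        winreg.SetValueEx(base, "DefaultLevel", 0, winreg.REG_DWORD, LEVEL_UNRESTRICTED)
        winreg.SetValueEx(base, "TransparentEnabled", 0, winreg.REG_DWORD, 1)  # 1: all but DLLs
        winreg.SetValueEx(base, "PolicyScope", 0, winreg.REG_DWORD, 0)         # 0: admins too
    for r in rules:
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, rule_key(r)) as k:
            winreg.SetValueEx(k, "ItemData", 0, winreg.REG_EXPAND_SZ, str(r["ItemData"]))
            winreg.SetValueEx(k, "SaferFlags", 0, winreg.REG_DWORD, 0)
            winreg.SetValueEx(k, "Description", 0, winreg.REG_SZ, str(r["Description"]))
    return lines


if __name__ == "__main__":
    profile = {"AppData": r"C:\Users\alice\AppData\Roaming",
               "LocalAppData": r"C:\Users\alice\AppData\Local",
               "ProgramData": r"C:\ProgramData", "UserProfile": r"C:\Users\alice"}
    rs = build_rules()
    print(len(rs), "rules;", would_block(r"C:\Users\alice\AppData\Roaming\dropper.exe", rs, profile))
    print("\n".join(apply_rules(rs)[:3]))
```

Three things to know before copying the approach: a path rule matches only the folder depth its wildcards spell out, so an executable three levels below %AppData% slips past this set, which is a large part of why CryptoPrevent ends up with thousands of rules; per-user installers that place their binaries under %LocalAppData% need Unrestricted (0x40000) rules under the same Paths layout or they get blocked too; and Microsoft now lists SRP among deprecated Windows features and points to AppLocker and Windows Defender Application Control, which implement the same allow/deny-by-path idea with supported tooling.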

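What "detect when malware is in the act of modifying/encrypting files AND stop it" amounts to, as an added example that is not the code of AppCheck, Emsisoft or any other product named in the post above: a toy monitor that judges a process only by what it does to files, namely plaintext files turning into high-entropy blobs, many of them within a short window, or any write to a planted canary document. The event format, thresholds, canary path and sample events are all constructed for the example.

```python
"""Behaviour-based ransomware detection reduced to its core heuristic. Added example,
not the code of any product named in this thread. The monitor never looks at the program
doing the writing, only at what it does to files: plaintext turning into high-entropy
data, many files in a short window, or any touch of a planted canary document."""
import hashlib
import math
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4.5 for English text, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorMonitor:
    def __init__(self, window_s: float = 10.0, max_converted: int = 4,
                 entropy_threshold: float = 7.5, canaries: Tuple[str, ...] = ()):
        self.window_s = window_s                  # sliding window per process
        self.max_converted = max_converted        # distinct files allowed to "go opaque" per window
        self.entropy_threshold = entropy_threshold
        self.canaries = set(canaries)             # decoy documents no legitimate process should write
        self.recent: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.blocked = set()

    def observe(self, ts: float, pid: int, path: str, before: bytes, after: bytes) -> str:
        """One write event with a sample of the file content before and after the write.
        Returns 'allow' or 'block' (a real product would suspend the process here)."""
        if pid in self.blocked:
            return "block"
        if path in self.canaries:
            self.blocked.add(pid)                 # canary touched: no counting, block at once
            return "block"
        became_opaque = (shannon_entropy(after) >= self.entropy_threshold
                         and shannon_entropy(before) < self.entropy_threshold)
        if not became_opaque:
            return "allow"
        q = self.recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        if len({p for _, p in q}) > self.max_converted:
            self.blocked.add(pid)
            return "block"
        return "allow"                            # single conversions are normal (archivers, exports)


def opaque(n: int, seed: str) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed test data)."""
    out, h = b"", seed.encode()
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


TEXT = b"Quarterly report: revenue up 3%, costs flat, headcount unchanged. " * 40
DOCS = "C:/Users/alice/Documents/"                 # constructed paths
CANARY = DOCS + "~$invoice-template.docx"


def demo() -> List[str]:
    """Constructed event stream: an editor, an archiver, a ransomware process, a canary hit."""
    mon = RansomwareBehaviorMonitor(canaries=(CANARY,))
    decisions = []
    for i in range(3):                            # editor saves the same document three times
        decisions.append(mon.observe(1.0 + i, 100, DOCS + "report.docx", TEXT, TEXT + b" edit"))
    decisions.append(mon.observe(5.0, 200, DOCS + "archive.zip", b"", opaque(4096, "zip")))
    for i in range(6):                            # six documents turned opaque in under two seconds
        decisions.append(mon.observe(10.0 + 0.3 * i, 300, DOCS + f"file{i}.xlsx",
                                     TEXT, opaque(4096, f"enc{i}")))
    decisions.append(mon.observe(20.0, 400, CANARY, TEXT, opaque(4096, "canary")))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The counter, not any single event, is the signal: the archiver's one compressed file is allowed, the fifth document converted by process 300 trips the block, and everything that process does afterwards is refused. The trade-off is visible in the same numbers. A backup or compression tool rewriting many files looks identical at this layer, so shipping products pair the heuristic with allow-lists, and a handful of files are already damaged by the time the threshold is crossed, which is what a shelter-style copy of files made before the write (the Ransom Shelter feature above) is for.
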
#3 midimusicman79

  • Members
  • 764 posts
  • Gender:Male
  • Location:Norway

Posted 01 February 2018 - 11:48 AM

Hi, Slaheddine_Djait!

Gradually, as more and more Anti-Virus and Anti-Malware vendors add Anti-Ransomware and Anti-Exploit protection functionalities/modules to their security software, dedicated/stand-alone Anti-Ransomware products may become redundant.

Regards,
midimusicman79

Edited by midimusicman79, 02 February 2018 - 11:37 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#4 SaraDominus

  • Members
  • 12 posts
  • Gender:Female

Posted 12 February 2018 - 09:15 AM

If ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn't get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
 
Even so, there's a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus gives you a name, that's a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.


#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,765 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 February 2018 - 01:54 PM

That's why folks need to use an Anti-Exploit program and rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only.

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with, the type of encryption used by the malware writers and a variety of other factors. All crypto malware ransomware uses some form of encryption algorithm; most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom or, at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time, but that too is not a guarantee.
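
SaraDominus's point in post #4 that some decryption utilities need the unencrypted original of a single file, and quietman7's point in post #5 that recovery depends on the algorithm and on flaws the author left in, can both be shown concretely. The following is an added example, not code from any real ransomware family or vendor decryptor: a toy keystream cipher (SHA-256 in counter mode, not a real cipher) with the two classic mistakes, a file key derived from the infection time and one keystream reused across files, next to the recovery each mistake allows. The sample files, timestamp and key value are constructed.

```python
"""Why some ransomware is decryptable without the criminals' key. Added example, not code
from any real ransomware or decryptor. Two implementation flaws real decryptors have relied
on, modelled with a toy keystream cipher (SHA-256 in counter mode; not a real cipher):
  1. the file key is derived from a low-entropy value such as the infection time,
  2. one keystream is reused for every file, so the original of one file reveals it.
A correctly built scheme (fresh random 256-bit key per file, wrapped with the attacker's
RSA public key so only their private key unwraps it) has neither shortcut."""
import hashlib
from itertools import count
from typing import Dict, Optional


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic bytes from a key: SHA-256(key || counter) blocks, concatenated."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- flaw 1: key derived from the (32-bit) infection timestamp --------------------------
def weak_key_from_time(t: int) -> bytes:
    return hashlib.sha256(t.to_bytes(4, "big")).digest()


def encrypt_with_weak_key(plaintext: bytes, infection_time: int) -> bytes:
    return xor(plaintext, keystream(weak_key_from_time(infection_time), len(plaintext)))


# File signatures a decryptor can use as a free correctness oracle for a candidate key
KNOWN_MAGIC = (b"%PDF", b"\x89PNG", b"PK\x03\x04")


def recover_time_seed(ciphertext: bytes, approx_time: int, window: int = 86400) -> Optional[int]:
    """Try every second within +/- window of the encrypted file's mtime. The key space is
    tiny because the seed was a timestamp: seconds of CPU instead of 2**256 candidates."""
    for t in range(approx_time - window, approx_time + window + 1):
        head = xor(ciphertext[:4], keystream(weak_key_from_time(t), 4))
        if head in KNOWN_MAGIC:
            return t
    return None


# --- flaw 2: the same keystream for every file ------------------------------------------
def encrypt_reusing_stream(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    ks = keystream(key, max(len(v) for v in files.values()))
    return {name: xor(data, ks) for name, data in files.items()}


def recover_stream_from_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: for any stream cipher, P xor C is the keystream itself."""
    return xor(plaintext, ciphertext)


def decrypt_with_recovered_stream(ciphertext: bytes, ks: bytes) -> Optional[bytes]:
    # The recovered keystream only reaches as far as the known original file was long.
    return xor(ciphertext, ks) if len(ciphertext) <= len(ks) else None


if __name__ == "__main__":
    report = b"%PDF-1.4 quarterly report, constructed sample " * 3   # constructed "documents"
    photo = b"\x89PNG\r\n\x1a\n" + bytes(range(24))
    t_infect = 1517398800                                             # a second on 31 Jan 2018
    c = encrypt_with_weak_key(report, t_infect)
    print("recovered seed:", recover_time_seed(c, approx_time=t_infect + 3600) == t_infect)
    enc = encrypt_reusing_stream({"report.pdf": report, "photo.png": photo}, b"random-but-reused")
    ks = recover_stream_from_pair(report, enc["report.pdf"])
    print("photo recovered from the report's original:",
          decrypt_with_recovered_stream(enc["photo.png"], ks) == photo)
```

The brute force succeeds because a timestamp within a day of the file's modification time is roughly 172,000 candidates and a file signature tells the decryptor when it has the right one; the known-plaintext recovery succeeds because XOR with a reused keystream is a one-time pad used twice, and it decrypts any other file no longer than the original you still have. Neither trick touches the hybrid design quietman7 describes: a random per-file key has no searchable structure, and once it is encrypted to the attacker's RSA public key the private key on their server is the only way back, which is why a seized C2 server or a voluntarily released master key are the routes that remain.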
