#1
"How to beat ransomware: prevent, don't react"
https://blog.malwarebytes.com/101/20...nt-dont-react/

Lynn
#2
"How to beat ransomware: prevent, don't react"

Lynn McGuire wrote:
> "How to beat ransomware: prevent, don't react"
> https://blog.malwarebytes.com/101/20...nt-dont-react/

While anti-virus and even MalwareBytes' own Anti-Exploit is supposed to help prevent crypto ransomware attacks, seems the obvious solution is to get prompted whenever a process or thread wants to issue calls to the Windows Crypto API. As with firewalls, you could Allow or Block (permanently or temporarily) a Crypto API call. If an unknown process decided it wanted to encrypt something, you get prompted and can block (disallow) the crypto call. I suspect that is the big crux of how Malwarebytes' Anti-Ransomware beta software works. Hopefully it includes a database (also hashed to detect any modification) of known OS processes to whitelist those. You can see more info in their forum at: https://forums.malwarebytes.org/foru...nsomware-beta/

While it may be free now, it looks like they are planning to roll it into their Anti-Malware product - their payware version of that. So freeloaders, like me, wanting free security solutions will get to use it while it is beta, which helps MalwareBytes test their software, and then it will get yanked away when rolled into their flagship product (Anti-Malware, payware version).

Since their Anti-Malware freeware product has no on-access (real-time) scanner, any anti-ransomware function would be worthless in having to wait until the user gets around to an on-demand (manually run) scan. So you would need their payware version of MBAM to get their on-access scanner that would then include coverage and heuristics for crypto-based malware.

While this sounds great (until their betaware gets rolled into their payware), this focuses on crypto ransomware. I've seen some rogueware that merely renames every file it can find (that is not locked) and then sets the Hidden file attribute on it. The malware could also change a Windows policy that prevents access to a volume (other than for the OS). Volumes can also be disabled, thus preventing access. Users already know how to do this using Disk Management (diskmgmt.msc) or the command-line version of it (devcon.exe). Permissions can be changed. There are lots of ways to block access to files other than just encrypting them.

You might want to read the comments to the article mentioned by the OP, along with reading the forum comments. Yes, it is beta, but I won't be installing this on my sole home PC. This is something for a test platform. Also, I don't see the point of wasting time on what is freeware now only to have it later yanked away by rolling it inside of their payware.