App Review Emsisoft vs cmdRansomware


Petrovic



Emsisoft vs cmdRansomware

cmdRansomware Discovered

Petrovic found a new ransomware called cmdRansomware that utilizes batch files and GPG to encrypt a computer. When encrypting it will append the .ransomware extension to encrypted files and drop a ransom note named cmdRansomware.txt.

The Week in Ransomware - November 30th 2018 - Indictments, Sanctions, & More
 
Emsisoft's BB is showing some fatigue these days. It's not what it was a few years back, although it is still a great product. On the other side, malware has become more sophisticated too. Thanks for sharing.

Same thing with Qihoo 360's QVM engine. In the past, it was the best against unknown threats. Nowadays, it is a letdown.
 

I think it just goes to show that any product can miss malware, regardless of what features it may have (i.e. BB, AI, etc.). There's no magical silver bullet that will protect you from every single piece of malware. It's still very much a cat-and-mouse game. Security products get an edge for a while, hackers develop malware to get around them. It's a never-ending cycle that will always continue.
 
The behaviour blocker did actually notice the encryption taking place; however, it decided to let the encryption continue since GPG is a legit tool.

It's more an issue with the way EAM trusts processes. Currently, trust is given on a per-process basis. So GPG for example is either trusted or not, no matter the circumstances. We are currently reworking the way trust works in EAM, so it assigns trust based on a trust-chain. That means, GPG may be trusted when it is started by a trusted process, but not if it is started by an unknown or untrusted process.

So you running GPG in your command-line window will be okay, as your command-line window was started by Explorer, which was started by UserInit, which was started by WinLogon, which was started by the OS during initialisation, all of which are considered trustworthy. However, a batch script running GPG would result in GPG not being trusted, as the batch script isn't trusted.

There is no ETA yet for when this change will roll out, but it won't be this year ;)
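The per-process versus trust-chain rules described in the post above, as an added toy model in Python (not Emsisoft's code). The process names, the trusted set, and treating the unknown batch file as its own node in the ancestry are assumptions made for illustration.

```python
# Added example, not Emsisoft's code: contrasts per-process trust with
# ancestry-based ("trust-chain") trust for a GPG process.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Process:
    name: str                      # image or script identity (assumed)
    parent: Optional["Process"]    # None for the OS root


# Assumed allowlist of images a behaviour blocker might trust on their own.
TRUSTED = {"System", "winlogon.exe", "userinit.exe", "explorer.exe",
           "cmd.exe", "gpg.exe"}


def make_chain(names: List[str]) -> Process:
    """Build a root-to-leaf parent chain and return the leaf process."""
    proc = None
    for n in names:
        proc = Process(n, proc)
    return proc


def trusted_per_process(p: Process) -> bool:
    """Per-process rule: only the process's own identity is consulted."""
    return p.name in TRUSTED


def first_untrusted_ancestor(p: Process) -> Optional[str]:
    """Walk from the process toward the OS root and return the first
    identity that is not trusted, or None if the whole chain is trusted."""
    while p is not None:
        if p.name not in TRUSTED:
            return p.name
        p = p.parent
    return None


def trusted_by_chain(p: Process) -> bool:
    """Trust-chain rule: the process and every ancestor must be trusted."""
    return first_untrusted_ancestor(p) is None


# Constructed scenario 1: GPG run from a console the user opened via Explorer.
INTERACTIVE = make_chain(["System", "winlogon.exe", "userinit.exe",
                          "explorer.exe", "cmd.exe", "gpg.exe"])
# Constructed scenario 2: an unknown batch file (modelled as its own node)
# launches GPG to encrypt files; GPG alone still looks legitimate.
RANSOMWARE = make_chain(["System", "winlogon.exe", "userinit.exe",
                         "explorer.exe", "cmdRansomware.bat", "gpg.exe"])
```

Under the per-process rule both scenarios are allowed; under the chain rule the second is denied, and `first_untrusted_ancestor` names the batch file as the reason, which is the detail an analyst wants in the alert.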
 
Lol, I really hope this year means 2018 and not 2019 :p
 