App Review More Fun with Ransomware Part 2

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
I am using AppGuard and really like the program's power, together with my current AV (now it's KIS2016 patch B again).

I hear more and more about this software.

What is it used for? Is it like the whitelist system SecureAPlus, combined with a sandbox, if I understand correctly?

I did not find a trial version to test this software.

Otherwise, good video; I love your tests on ransomware!
 
Here you can find installation package and user guide:
AppGuard | Personal
 
As an experienced user I don't use antivirus at all. I do file recovery and a lot of file transfers over the network, and any AV will slow me down. I never connect a USB drive without checking it first, and I download only known files. I trust myself. Until now.
My main laptop with important files uses ESET, and that was my luck.
I would never have thought about this before, and I don't think any of you would.
I happily bought a few USB drives from eBay for the Windows 10 upgrade. I need a lot of them for my work, and I need 5 languages, so I'll need 10 sticks. The prices on eBay are low: 5 dollars for 32 GB.
I connected the USB drives for testing and, guess what, one of them had an autorun virus, which was blocked by ESET.
You'll never know how or when it'll bite you. Even buying a new USB drive is risky. I've always asked myself how they can afford to sell an item for 4 dollars including shipping; the shipping alone probably costs more. I guess I've got my answer.
 

I had the same problem with a $60 mobile phone. Reportedly I picked the wrong vendor software.
 
@yesnoo: According to some users, especially on 'Wilders', this software can handle nasty samples like ransomware efficiently. Yes, they encrypt executable files; however, you will notice that many antivirus programs do not shut down easily from its manipulation.
 
I meant: will ransomware not encrypt AX64 or Rollback files? If it will, is a restore still possible?
Or can ransomware not encrypt AX64 or Rollback files at all?
 
Snapshot applications like Rollback and AX64 are intrinsically protected from encryption by ransomware. By way of explanation, let's say you use Rollback and create a snapshot. When you install a program (or run ransomware), no changes are made to your actual system; Rollback, being integrated into your OS, will redirect anything that tries to write to the disk to an empty sector of the disk. Windows is then "fooled" into thinking that system changes were made when nothing of the sort has occurred.

In short, anything you run on a snapshot-protected system (ransomware, trojans, legit applications, whatever) is actually being run in a virtual environment and can't touch anything that actually exists. Look at it like a sandboxing program that sandboxes everything all the time, automatically.

Hope that was clear (but doubt that it was...).
 
Got the point, but yes, I don't understand it completely.

The virtualization part. It felt like you were talking about Shadow Defender and similar light virtualization software, not a snapshot program.
 
A snapshot program is virtualization. Once you install it and make your first snapshot, all subsequent things you do on your computer will be made in a virtual environment and not on the actual system.

When you want to revert to a previous state, all the snapshot application will do is delete the snapshot; this is unlike an imaging program, where stuff has to be replaced on the drive. The upside of a snapshot (vs. imaging software) is that they are small (only changes are saved) and can be reverted quickly (just a deletion of the changes needs to be done). The downside is that if your drive fails, you are screwed.
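The copy-on-write redirection described in the two posts above, modelled as a toy block device. This is an added example written for this page, not Rollback's or AX64's code, and it simplifies heavily: a real product works at sector level inside a filesystem driver. The names (`SnapshotDisk`, `fake_encrypt`, `demo`) and the three-block sample disk are assumptions made up for the illustration. It shows the three properties the post names: writes after the snapshot never reach the base blocks, the delta holds only changed blocks, and a revert is nothing more than discarding that delta. Note that the overlay lives on the same device as the base, which is exactly why a failed drive takes both with it, and that the whole guarantee assumes the redirection layer itself stays intact.

```python
class SnapshotDisk:
    """Block device with copy-on-write redirection: after take_snapshot(), writes land
    in an overlay and the base blocks are never modified. Simplified model only."""

    def __init__(self, base: dict):
        self.base = dict(base)        # the "real" sectors
        self.overlay = None           # None = no snapshot active, writes go to base

    def take_snapshot(self) -> None:
        self.overlay = {}

    def write(self, block: int, data: bytes) -> None:
        if self.overlay is None:
            self.base[block] = data          # unprotected: the write really happens
        else:
            self.overlay[block] = data       # redirected to a "spare sector"

    def read(self, block: int) -> bytes:
        # What the OS sees: the redirected copy if there is one, else the original.
        if self.overlay is not None and block in self.overlay:
            return self.overlay[block]
        return self.base[block]

    def revert(self) -> None:
        # "Restore" is just throwing the delta away; nothing is copied back.
        self.overlay = {}

    def commit(self) -> None:
        # Make the changes permanent (e.g. after a legitimate install).
        self.base.update(self.overlay)
        self.overlay = {}

    def delta_blocks(self) -> int:
        # Size of what the snapshot actually stores: only the changed blocks.
        return len(self.overlay) if self.overlay is not None else 0


def fake_encrypt(disk: SnapshotDisk, key: int = 0x5A) -> None:
    """Stand-in for ransomware: overwrite every block with XOR'ed bytes (constructed)."""
    for block in list(disk.base):
        disk.write(block, bytes(b ^ key for b in disk.read(block)))


def demo() -> dict:
    # Constructed three-block disk (hypothetical contents).
    disk = SnapshotDisk({0: b"boot", 1: b"thesis.docx", 2: b"photo.jpg"})
    disk.take_snapshot()
    fake_encrypt(disk)
    seen_after_attack = [disk.read(i) for i in range(3)]   # OS sees ciphertext...
    delta = disk.delta_blocks()                             # ...held entirely in the delta
    base_untouched = disk.base[1] == b"thesis.docx"         # real sector never changed
    disk.revert()
    seen_after_revert = [disk.read(i) for i in range(3)]
    return {
        "after_attack": seen_after_attack,
        "delta_blocks": delta,
        "base_untouched": base_untouched,
        "after_revert": seen_after_revert,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the dictionary shows the encrypted view the OS would present, a delta of three blocks, an untouched base, and the original contents back after `revert()` without any data being copied. `commit()` is the other exit from a snapshot: it is what you call after a legitimate install, and it is also what would make an attacker's changes permanent, so the protection only holds if nobody commits while the ransomware's writes are still in the delta.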
 
Cyber, I actually was just sent a Tesla4 file this morning by a former colleague. It is curious that the files (docs, photos, etc.) retain their original file extension while still being encrypted. So far I have just infected a few machines for giggles and really don't see it as any great advance. Although I'm sure the usual suspects will call this THE WORST THING EVER, personally I'll take a Tesla any day over a Winlocky.

Hi everyone, I am absolutely not an expert, just reading out of curiosity. I read on an Italian website that now, to distinguish encrypted files, you have to look at the header of the file.
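The two posts above make the same point from both sides: when ransomware keeps the original extension, the extension tells you nothing and you have to look at the file's leading bytes. The following is an added example, not code from the original thread and not a TeslaCrypt-specific detector: it compares each file's header against a small magic-byte table for its extension and falls back to a Shannon-entropy check for extensions it has no signature for. The `MAGIC` table, the 7.5 bits/byte threshold and the `SAMPLE_FILES` (pseudo-random bytes standing in for ciphertext, not real TeslaCrypt output) are assumptions made for the illustration.

```python
import math
import os
import random
from collections import Counter

# Hypothetical signature table: leading bytes of some common formats (assumption).
MAGIC = {
    ".pdf":  [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip":  [b"PK\x03\x04"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".exe":  [b"MZ"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, well under 6 for most text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(name: str, head: bytes):
    """True/False if we have a signature for the extension, None if we do not."""
    sigs = MAGIC.get(os.path.splitext(name)[1].lower())
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def classify(name: str, data: bytes, entropy_threshold: float = 7.5) -> str:
    """Verdict for one file from its header and the entropy of its first 4 KiB."""
    match = header_matches(name, data[:16])
    ent = shannon_entropy(data[:4096])
    if match is False:
        return "SUSPECT: header does not match extension"
    if match is None and ent > entropy_threshold:
        return "SUSPECT: no known header and high entropy"
    return "ok"


def scan(files: dict) -> dict:
    """Map file name -> verdict for an in-memory set of files."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed sample files. The "encrypted" entries are seeded pseudo-random bytes
# standing in for ciphertext; they are NOT real TeslaCrypt output and carry no marker.
_rng = random.Random(1234)


def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FILES = {
    "report.pdf":   b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 40,
    # A compressed image is high-entropy too, but its header is intact, so it passes.
    "photo.jpg":    b"\xff\xd8\xff\xe0\x00\x10JFIF" + _noise(4000),
    "notes.txt":    b"Meeting notes: discuss backup rotation and snapshot policy.\n" * 30,
    "invoice.docx": _noise(4096),   # "encrypted in place", extension kept
    "budget.xlsx":  _noise(4096),
    "archive.bin":  _noise(4096),   # no signature known: flagged on entropy alone
}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:14s} {verdict}")
```

The JPEG case is why the header check comes first: compressed media is nearly as high-entropy as ciphertext, so entropy alone would drown you in false positives, whereas a valid header on a high-entropy file is the normal state of affairs. The converse caveat is that a family which leaves the first bytes of a file untouched and encrypts the rest would pass the magic check; for such cases you would sample entropy from deeper in the file as well.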
 
With all the respect to you (and there is a lot), a sandbox isn't the best solution for everyone, and why? Space: it eats a lot of space. I tested Comodo with ransomware; it saved all the changes made by the virus, and I ran out of space. So if you do not have double the space of the operating system, that's not the best solution.
Kind regards
 
Done, the use of Comodo Firewall (or any sandbox) should have about zero impact on disk space. Unlike snapshot applications, very little is actually virtualized, and what is can be found in the VTRoot directory, which can be totally flushed by a sandbox reset or on a reboot. Nothing will otherwise be saved.

I certainly agree with you that you have to be conscious of disk space (I lose sleep at 50%!), but CF isn't the issue. As a suggestion, why not try a program called TreeSize? It tells you exactly what is taking up space on the drives.

Disk Space Manager software at its best: TreeSize Professional
 
What a nasty surprise here in this video :D Thanks for testing this, cruelsister, great videos as always. Yes, I agree: virtualization, HIPS, whitelisting and layered security (router level, DNS, browsing, downloads, AM or AR supplementary) can block what the core program may not detect.