silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,148
Raccine, kills programs wiping Windows shadow volumes
- Thread starter silversurfer
- Start date
- Apr 9, 2020
- 656
Please note that this is not a vaccine. It's a generic ransomware detection with process kill to prevent encryption. It does not remove the ransomware which is fully fine for the scope of a PoC code. I also believe that most AVs do have some detection like this in their software.
What's the difference of vaccine vs detect&kill?
A vaccine is passive. It does not actively remove or kill the malware.
Vaccine works against one specific malware by applying characteristics to the system that persuades the malware to not work (properly) in the first place. E.g. classic vaccines for viruses would apply their infection markers. The virus will "think" the system is already infected and not execute the infection routine. A vaccine for a ransomware might persuade the ransomware that it already encrypted the system.
Generic vaccines are very rare. They are usually specifically against one strain of malware.
Detect & kill is an active protection. It has to run constantly or regularly to work and there must be some non-malware procedure that executes the kill or removal of files.
What's the difference of vaccine vs detect&kill?
A vaccine is passive. It does not actively remove or kill the malware.
Vaccine works against one specific malware by applying characteristics to the system that persuades the malware to not work (properly) in the first place. E.g. classic vaccines for viruses would apply their infection markers. The virus will "think" the system is already infected and not execute the infection routine. A vaccine for a ransomware might persuade the ransomware that it already encrypted the system.
Generic vaccines are very rare. They are usually specifically against one strain of malware.
Detect & kill is an active protection. It has to run constantly or regularly to work and there must be some non-malware procedure that executes the kill or removal of files.
- Dec 23, 2014
- 8,118
The author skipped the possibility of killing explorer.exe in the tree of processes that had invoked vssadmin.exe. When killing explorer.exe the user would lose the Windows taskbar and Desktop. But, it is possible to overcome this issue by adding the code that refreshes the Explorer (kill all instances of the Explorer and run it again on the current user account). I used such a code in H_C some time ago. It is easy on default Admin account and slightly more advanced on SUA.
Last edited:
- Dec 23, 2014
- 8,118
The Raccine will not work for ransomware that uses WMI (without using wmic.exe) to delete shadow copies. This can be done via scripting (PowerShell, Windows Script Host, etc.). Simply, the vssadmin.exe will be a child process of WmiPrvSE and not a child of scripting engine or ransomware executable.
Last edited:
- Apr 9, 2020
- 656
I assume a script or executable trying to use vssadmin will set off most dynamic behavior blockers, right? Might be time to whip up a test....
- Oct 2, 2020
- 439
Do legit apps (like Imaging software) use this technique to delete shadow copies once not needed any more? If yes, then FPs could be expected from this tool.
Acronis definitely does this by default.
- Apr 9, 2020
- 656
Out of my experience from writing AV signatures: If shadow volume deletion is the only thing you check for, FPs are almost certain. You always need some context to it to determine that it is ransomware.
Yeah I think trying to do this statically is going to be a nightmare. This is a good candidate for a dynamic detection combined with a cloud reputation (whitelist) lookup.
- Jan 28, 2018
- 2,463
I found out about this software on Softpedia yesterday.
www.softpedia.com
Download ShadowGuard
Download ShadowGuard 1.0.1 - A simple software utility that can block unauthorized attempts to erase File Shadow Copies of files on your computer, which is usually done by ransomware
www.softpedia.com
- Apr 13, 2013
- 3,142
As Andy F. notes above this thingy won't do anything to prevent malware which act more elegantly by the use of Windows Management Instrumentation from killing shadow copies (and a Fun Fact- things like ESET and Avast are equally oblivious).
- Jul 27, 2015
- 5,459
Release Raccine 0.9.0 · Neo23x0/Raccine
Logging to Windows Eventlog by @JohnLaTwC Sigma rule
github.com
I can say the same from my experience, basing your detection on one single criteria is you, begging for trouble
Nader
New Member
- Oct 20, 2020
- 1
- Dec 12, 2013
- 541
Do you remember CryptoPrevent? It's already abandoned but still to get here (portable)I found out about this software on Softpedia yesterday.
Download ShadowGuard
Download ShadowGuard 1.0.1 - A simple software utility that can block unauthorized attempts to erase File Shadow Copies of files on your computer, which is usually done by ransomware
Download CryptoPrevent - MajorGeeks
ShadowGuard is developed by the same person
CryptoPrevent, ShadowExplorer, and VSSADMIN
ShadowExplorer (www.shadowexplorer.com) is an awesome application which I’ve used as a PC Technician many times in the past. It is used to provide a graphical ‘front-end’ interfa…
www.d7xtech.com
New App: ShadowGuard
ShadowGuard is a new app designed to detect when malware or ransomware is attempting to delete File Shadow Copies and take action. Typically ransomware will attempt to delete Shadow Copies of your…
www.d7xtech.com
ShadowGuard
Compatibility: Windows 10. Although officially unsupported, it will work on older versions of Windows back to Windows XP. ShadowGuard is also compatible for use with either CryptoPrevent or Lockdo…
www.d7xtech.com
Similar threads
-
- Question
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
