App Review Ransom Buster by Trend Micro

Deleted member 65228

Interesting test.

I would've thought they'd be protecting the files in the chosen directories from kernel-mode via a file system mini-filter device driver (and maybe they do), but what concerns me is how the last sample managed to evade the protection mechanism and affect the files, should that indeed be how the protection mechanism is enforced. Potentially an issue with their filtering, because the IRP_MJ_CREATE is still going to have to pass through the registered callback routines before the handle access to the file is granted to the caller, and IRP_MJ_WRITE is still going to pass through the registered callback routines before the write operation is successfully completed. Maybe they only block/enforce a notification for processes they deem "suspicious", and default-allow for processes they don't believe are up to mischief. Hmm.

Thanks for testing it out, nice review. @cruelsister :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Interesting test.
...
Maybe they only block/enforce a notification for processes they deem "suspicious", and default-allow for processes they don't believe are up to mischief. Hmm.

Thanks for testing it out, nice review. @cruelsister :)
Ransom Buster by default allows access to protected folders for some popular applications, so it can be defeated by exploiting one of those applications (Explorer, CMD, MS Office, etc.). I managed to delete the file from the protected folder using:
cmd /k del c:\Users\Admin\Documents\readme.txt
The above is blocked when using, for example, the WD Controlled Folder Access feature.
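The post above shows a shell deleting a file through a folder-protection product's default allow-list and notes that Windows Defender Controlled Folder Access (CFA) blocks the same command. As an added example (not code from the thread or from Trend Micro), the following PowerShell enables CFA on a folder, audits the user-configured CFA allow-list for generic interpreters that would re-open exactly this hole, and pulls the Defender events that record blocked or audited folder writes. The folder path and the interpreter list are assumptions for this example; the cmdlets and event IDs are standard Defender ones.

```powershell
# Added example, not from the thread: harden CFA and audit its allow-list.
# Run in an elevated PowerShell session on Windows 10/11 with Defender active.

# Placeholder folder for this example.
$ProtectedFolder = 'C:\Users\Admin\Documents'

# Generic shells/interpreters that should never be exempted from CFA:
# allowing one of them lets any command line run through it touch the folder.
$RiskyAllowedApps = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'explorer.exe'
)

function Enable-HardenedCfa {
    param([Parameter(Mandatory)][string]$Folder)
    # Block mode (not AuditMode) so writes/deletes are actually denied.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
}

function Get-RiskyCfaAllowances {
    # Inspect only the user-added allow-list; Microsoft's built-in trusted apps are not exposed here.
    $prefs = Get-MpPreference
    foreach ($app in @($prefs.ControlledFolderAccessAllowedApplications)) {
        $leaf = [System.IO.Path]::GetFileName($app).ToLowerInvariant()
        if ($RiskyAllowedApps -contains $leaf) {
            [pscustomobject]@{
                AllowedApp = $app
                Reason     = 'generic interpreter: any command run through it is exempt from CFA'
            }
        }
    }
}

function Get-CfaBlockEvents {
    param([int]$Hours = 24)
    # Defender event 1123 = CFA blocked an operation; 1124 = audit-mode hit.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Summary = ($_.Message -split "`n")[0]
        }
    }
}

Enable-HardenedCfa -Folder $ProtectedFolder
Get-RiskyCfaAllowances | Format-Table -AutoSize
Get-CfaBlockEvents     | Format-Table -AutoSize
```

After running this, re-running the `cmd /k del` line from the post against the protected folder should produce an Access Denied and a 1123 event; if it does not, the audit function's output will usually show why (a shell or file manager sitting in the allow-list).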
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Using Easy File Locker. Anyone ever tested it against ransomware? I don't allow Explorer to write to the drives, but it would be helpful to know if applications are generally exploitable this way. I have a few I allow which I could just eliminate and unprotect when necessary...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Using Easy File Locker. Anyone ever tested it against ransomware? I don't allow Explorer to write to the drives, but it would be helpful to know if applications are generally exploitable this way. I have a few I allow which I could just eliminate and unprotect when necessary...
Easy File Locker can also be defeated by any malware that can install a driver to get low-level disk access.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Easy File Locker can also be defeated by any malware that can install a driver to get low-level disk access.
There is no good solution for protecting your folders except making backups on an external drive or applying default-deny security. I think that protecting the data disk with Shadow Defender could also be strong protection. When the malware is already running in the system, there are so many ways to destroy/compromise your data in folders that it is very hard to protect them.
 
Deleted member 65228

There is no good solution for protecting your folders except making backups on an external drive or applying default-deny security. I think that protecting the data disk with Shadow Defender could also be strong protection. When the malware is already running in the system, there are so many ways to destroy/compromise your data in folders that it is very hard to protect them.
What you say is 100% factual :)

Shadow Defender is great but if you get infected then it's game over. Even if your data isn't changed after a reboot, data could still be exfiltrated too! People forget this all the time...

The best way is to not get infected in the first place... Just don't run the damn download unless you're sure it's clean, don't click that damn e-mail if it isn't expected... Ignore that click-bait title on the advertisement!

Lock down the system or use a good AV with good dynamic capabilities and focus on cyber-security research/learning and always keep your guard up...

If you're in an MMA match would you put your arms down and leave your chin and hips vulnerable? NO! So don't let your guard down on a PC connected to the internet because you'll get the equivalent of an IRL MMA match knock-out when you find out all your files have been encrypted.

All these folder protection utilities will never be foolproof, just like everything else in this world. Like Andy said about trusted processes, it's a real flaw. Controlled Folder Access in Windows Defender? Well, explorer.exe runs with standard rights, so it is going to be a walk in the park to hijack a thread with NtSetContextThread and get that shellcode executed. Once you're in, well... explorer.exe is granted access to touch those documents, game over!

There are so many ways to do one thing in Windows and other OS environments, but Windows was never originally designed to be secure. When the win2k kernel was introduced, it was about usability and it was something people hadn't experienced yet. Only in recent years has Microsoft tried to focus more on security, but it's too late because many critical components were insecure by default, and it takes an enormous amount of work to improve security without ruining functionality or spending huge amounts of resources, and without causing compatibility issues with software written for previous OS versions.

IMO focus on file encryption detection approaches for ransomware prevention, store sensitive documents on external storage not left plugged into the machine and always have a backup available.
 
Deleted member 65228

Interesting comments. Has anyone verified that they are true for Excubits Pumpernickel. I've subjected my VM which has two drives against a lot of malware, and nothing has been able to touch the drive protected by pumpernickel.
For any process trusted by Pumpernickel, as long as you can inject code into that trusted process, you can evade the whole set of file-system operation restrictions. The Pumpernickel driver uses the FltRegisterFilter kernel-mode callback, but it will allow programs granted access on the list, so target one of those and you're in.

It can become a bit complicated if the trusted processes are only elevated ones though and the attacker only has standard rights, but explorer.exe is not elevated and Pumpernickel will allow explorer.exe (by default at least? AFAIK) because otherwise the user cannot browse the files themselves. Which makes explorer.exe a good vulnerable target for standard rights malware.

I've subjected my VM which has two drives against a lot of malware, and nothing has been able to touch the drive protected by pumpernickel.
However, a lot of malware in the wild targeting home users is simply crap and not very sophisticated. You have exceptions every now and then (usually with a break-out which has good spreading capabilities), but the chances of malware adapting to bypass Pumpernickel anytime soon are small.

Attackers know they can do bare minimal or just use a crappy ransomware sample from a Ransomware-As-A-Service from the dark web to generate income, because it'll do the job. They don't necessarily care about going to great lengths anymore.

Six years ago you'd find rootkits that took a long time to develop, using some undocumented technique to get the unsigned driver loaded; now you just find 20-minute ransomware built in C# using copy-pasted code, or some PowerShell script.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
...
Shadow Defender is great but if you get infected then it's game over. Even if your data isn't changed after a reboot, data could still be exfiltrated too! People forget this all the time...
...
Yea!:)
That is the advantage of the backup on an external USB drive that is connected only when making the backups. And when this drive is additionally protected by Shadow Defender, the malware cannot encrypt the whole drive and can possibly encrypt only the files that one will commit. (y)
But this is a solution only for the paranoid users.
 

Peter2150

Level 7
Verified
Oct 24, 2015
280
Explorer.exe is indeed blocked from the appropriate drives. I use another less well known file manager to work with files on those drives. That way I can browse the files. I haven't gone that far, but I could also actually protect the folder of that file manager.

Since I blocked the whole drive, nothing was automatically whitelisted.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Interesting comments. Has anyone verified that they are true for Excubits Pumpernickel. I've subjected my VM which has two drives against a lot of malware, and nothing has been able to touch the drive protected by pumpernickel.
From some posts (2016) it follows that Pumpernickel (Fides) could not protect folders against malware that has got low-level disk access. You can ask @WildByDesign if this changed with the newer versions of Pumpernickel (Fides).
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Easy File Locker can also be defeated by any malware that can install a driver to get low-level disk access.

@Andy Ful...any idea how running for all users as Admin might affect the depth of folder protection with this application? I understand that if malware gets privileged access to the disk it can make changes. Just would like to know if anyone knows how far EFL can be configured to go with protection...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
@Andy Ful...any idea how running for all users as Admin might affect the depth of folder protection with this application? I understand that if malware gets privileged access to the disk it can make changes. Just would like to know if anyone knows how far EFL can be configured to go with protection...
Normally, applications running with Administrative rights cannot access folders protected by EFL. They have to exploit something in the kernel or install a custom kernel driver allowing low-level disk access. So, common malware running in user mode (elevated or not) will not defeat EFL protection.
I performed a simple test and protected my Music folder (Access, Write, Delete, Visibility = disabled). Next, I ran Total Commander with system rights using RunAsSystem utility (www.qwerty.lab). The protected folder was not accessible. Next, I ran PowerTool 1.8 and was able to delete the files from protected Documents folder.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Awesome information thanks @Andy Ful.

I was changing some applications so that they could run as administrator on a test PC here and I was thinking of protecting their folders with EFL. That's why I asked what would happen if I allowed EFL to run for all users as admin. Comodo Programs Manager requires UAC elevation, along with some other apps (Revo/Paragon etc.) that can delete or change files.

So, whatever in SUA tried to bypass EFL would first have to pass through a UAC prompt. I assume this is unless of course (I suppose) some running application with admin rights has been exploited... maybe something Windows? Most of it would bring a UAC prompt I think, but I guess a UAC bypass could be utilized.

Seems like EFL in SUA is pretty decent protection as long as the user is careful and as long as initiated malware cannot bypass UAC...the apparent weak link in Windows 7 at least...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Seems like EFL in SUA is pretty decent protection as long as the user is careful and as long as initiated malware cannot bypass UAC...the apparent weak link in Windows 7 at least...
SUA is pretty good on Windows 7, too. In theory, it can be bypassed when someone elevates an application and the malware is already lurking in the background. There was @cruelsister's video on NotPetya that bypassed SUA on Windows 7, but the mechanism is unclear. But generally, the real danger is when using an Admin account.
 
