Comments on: How it’s done right: Emsisoft’s Behavior Blocker vs. 20 crypto ransomware families
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/
Straight-talking security advice from the Malware Experts
Feed last updated: Fri, 18 Nov 2022 12:19:29 +0000

By: Michael Martin (Wed, 18 May 2016 00:11:00 +0000)
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/#comment-614974

The examples given show that the ransomware programs (cryptofortress.exe and ZeroLocker.exe) were trying to run from Sarah’s desktop. In other words, they were already installed there. Should not Emsisoft Anti-Malware have prevented that from happening in the first place?

By: dqdb@rtws (Sun, 03 Jan 2016 10:36:00 +0000)
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/#comment-491067

In reply to Christian.

Maybe it would be a solution to extend BB to perform some basic format tests for popular file formats on write operations? For example when a process tries to write at position 0 to a JPEG file and written data doesn’t start with SOI, then BB should generate an alert, or PDF files should start with %PDF and end with %%EOF and so on.

I’ve been thinking of this for a while, but I don’t know whether this is a viable option or whether it requires too much CPU and IO resources, and I have little knowledge about FSD filters (and even less free time) for a proof-of-concept implementation.

By: Christian (Mon, 28 Dec 2015 22:32:00 +0000)
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/#comment-491045

In reply to Mitchell Earl.

No, the behavior is always monitored locally, which means that if the ransomware is executed on the server it is detected, but if it is executed on a client that just happens to have remote access to a folder on the server, it isn’t. Therefore you should never rely on server-side protection only, but also install behavior blocking on all your clients that have access to the server.

Background: If ransomware encrypts files, it means it just edits existing files. A file write operation is not a malicious action though and therefore can’t be used as a trigger to alert. The behavior blocker monitors not just the file write action but also takes into account plenty of meta properties of the actual executable program that does the action, to come up with an alert.

By: Mitchell Earl (Mon, 28 Dec 2015 21:38:00 +0000)
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/#comment-491044

Can Emsisoft Anti-Malware for Server prevent an infected workstation from encrypting its mapped drives? Since the executable never resides on the server itself, I’m curious whether it would detect file-level activity and be able to halt it.

By: Preston Mitchell (Sat, 26 Dec 2015 02:45:00 +0000)
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/#comment-491041

FREE FULL LICENSE for Emsisoft Anti-Malware (for 203 days)

This is my 5th year of using Emsisoft Internet Security. Today, on Christmas, a virus utterly destroyed Emsisoft, KILLING both Emsisoft Anti-Malware and its Online Armor firewall. Emsisoft was not just crippled but fatally corrupted by the virus. FORTUNATELY, my PC was barely saved by a FREE online scanner called HerdProtect, which quickly quarantined the virus and saved my Windows from being permanently damaged. HOW SAD THAT FREE SOFTWARE PERFORMED BETTER THAN EMSISOFT. THEN I had to use Revo Uninstaller to uninstall Emsisoft’s CORPSE, because the DEAD Emsisoft was unable to uninstall itself. If anybody wants to use the remainder of my PAID Emsisoft license, which expires in 203 days, here is the license number: BEX-BAK-BEN-682. BUT BE WARNED: USE EMSISOFT AT YOUR OWN RISK, lest you spend Christmas repairing your PC after Emsisoft FAILS to PROTECT your PC!

By: David Sucesso (Fri, 25 Dec 2015 21:25:00 +0000)
https://www.emsisoft.com/en/blog/20646/how-its-done-right-emsisofts-behavior-blocker-vs-20-crypto-ransomware-families/#comment-491038

That’s a cool video. Thanks.