Author Topic: [Wish] Anti-Ransomware Protection feature (idea)  (Read 10794 times)


Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9412
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
[Wish] Anti-Ransomware Protection feature (idea)
« on: October 16, 2016, 09:41:45 AM »
I've got this idea while replying to some other thread on this forum.

avast! has the functionality ALREADY built in, but avast! team isn't using it for reasons absolutely unknown to me.

We know ransomware encrypts files like images and music and forces user to pay for it to unlock.

This could easily be solved by a generic, but highly effective method entirely separate from the regular detection signatures.

All we need for this is:
- HIPS component (which we already have)
- Extensive whitelist (which we already have in Hardened Mode (Aggressive))
- Exclusions menu (to give advanced users some control)

HIPS would track what app tries to access other file for write access and allow or prevent it depending on the status on the whitelist.

If program unrecognized by the whitelist tries to write access .jpg file anywhere on the system disk, it should be blocked and popup presented to the user.

If program is verified by the whitelist, it is allowed to modify the .jpg file silently, meaning nothing would really change for the users.

This way only signature required to be processed and updated is the usual whitelist that avast! already has and maintains and the blacklist of extensions to be protected which could be easily updated via VPS at any time.

avast! team literally just has to chain existing features together to get this functionality and add extra exclusion tab next to existing ones for File System, Hardened Mode and CyberCapture. We could have had anti-ransomware protection months if not a year ago and yet for some reason we don't. Why not?

Why is this not already implemented in avast! ?
Visit my webpage Angry Sheep Blog
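
The gate described in this post, as an added example (not part of the original post and not Avast's code): a Python model of the allow/block decision only. The hashes, paths, the extension list and the treatment of delete and rename as modifying access are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption: the post only says "write access"; delete and rename are gated
# too, since either one also destroys the original file.
MODIFYING = {"write", "delete", "rename"}

@dataclass
class Policy:
    protected_exts: set   # extensions to protect (the list updated "via VPS")
    whitelist: set        # hashes of program images known to be good
    exclusions: set = field(default_factory=set)  # user-approved programs, lowercase paths

def decide(policy, image_hash, image_path, target, access):
    """Return 'allow' or 'block_and_prompt' for one file access request."""
    if access not in MODIFYING:
        return "allow"                    # reads are never gated
    ext = PureWindowsPath(target).suffix.lower()
    if ext not in policy.protected_exts:
        return "allow"                    # not a protected file type
    if image_hash in policy.whitelist:
        return "allow"                    # known program: silent, no popup
    if image_path.lower() in policy.exclusions:
        return "allow"                    # advanced user excluded this program
    return "block_and_prompt"             # unknown program touching protected data

# Constructed sample data: placeholder strings stand in for real file hashes.
POLICY = Policy(
    protected_exts={".jpg", ".png", ".mp3", ".docx"},
    whitelist={"hash-of-photo-editor"},
    exclusions={r"c:\tools\batchrename.exe"},
)
UNKNOWN = ("hash-unknown-1", r"C:\Users\a\AppData\Local\Temp\invoice.exe")
EVENTS = [  # (image_hash, image_path, target, access)
    ("hash-of-photo-editor", r"C:\Program Files\Editor\editor.exe",
     r"C:\Users\a\Pictures\cat.jpg", "write"),
    (*UNKNOWN, r"C:\Users\a\Pictures\cat.JPG", "write"),
    (*UNKNOWN, r"C:\Users\a\Pictures\cat.jpg", "read"),
    (*UNKNOWN, r"C:\Users\a\Music\song.mp3", "delete"),
    (*UNKNOWN, r"C:\Users\a\notes.log", "write"),
    ("hash-unknown-2", r"C:\Tools\BatchRename.exe",
     r"C:\Users\a\Pictures\dog.png", "rename"),
]

def run(events=EVENTS, policy=POLICY):
    """Evaluate every sample event and return the list of decisions."""
    return [decide(policy, *event) for event in events]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print(f"{verdict:17} {event[3]:7} {event[2]}  <- {event[1]}")
```
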

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76016
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #1 on: October 16, 2016, 10:32:20 AM »
One of the devs said they're working on it, but that was several months ago... :-\
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Staticguy

  • Super Poster
  • ***
  • Posts: 1427
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #2 on: October 16, 2016, 11:22:01 AM »
In one of the articles I have read that when Avast and AVG finally are ONE company, that article also mentioned that Avast will provide protection from ransomware and other features and functions. My best guess is that end of this year/early next year Avast and AVG will have a new brand name (not confirmed yet) and they will start having those features.
DELL Inspiron 15" 7000 Gaming, Windows 10 Home Version 21H1 (OS Build 19043.1237), Trend Micro Maximum Security 2021 (17.0.1333), Avast SecureLine VPN (5.12.5655), Windows Firewall, Unchecky 1.2

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3740
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #3 on: October 16, 2016, 12:03:09 PM »
I am not entirely sure, but I believe Avast is also using Ransomware blocklists from https://ransomwaretracker.abuse.ch/blocklist

Greetz, Red.
OS: Win 10 / iOS 17 / Debian 12 / Tails 6
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9412
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #4 on: October 16, 2016, 02:11:23 PM »
> One of the devs said they're working on it, but that was several months ago... :-\

Considering everything is already in avast!, this could be done in 1 month time tops. Like a year ago...
Visit my webpage Angry Sheep Blog

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3740
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #5 on: October 16, 2016, 03:47:41 PM »
Btw. what is the current status of the HIPS ?
And why is it, as far as I know, still not properly documented by Avast ?

Even some months ago, there was a lot of confusion about it in this topic https://forum.avast.com/index.php?topic=188972.0
See in particular the posts from David and Asyn.

Greetz, Red.
OS: Win 10 / iOS 17 / Debian 12 / Tails 6
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1908
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #6 on: October 17, 2016, 05:56:34 AM »
Or avast and AVG together make a dedicated expert team on Ransomware analysis and protection. It is not too hard. :) What say?
« Last Edit: October 17, 2016, 05:58:08 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9412
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #7 on: October 17, 2016, 12:11:48 PM »
Let's just say that's around a year or year and a half too late...
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #8 on: October 17, 2016, 11:45:23 PM »
Fully agree RejZoR.
Other antiransomwares rely on blocking executables being launched from certain folders, some of them have absolutely no configuration.
There are tons of articles in Avast Blog covering ransomwares blocked by Avast but, indeed, a special protection could make me drop the free CryptoPrevent.
It could be that other Avast users (at least the advanced ones) will have a dedicated protection against ransomwares.
Thanks for raising this point.
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9412
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #9 on: October 18, 2016, 12:30:23 AM »
avast! isn't striving for that as much as we'd hope for. If ransomware is on the rise now, make sure you add effective method to prevent that asap. Even if it's not 100%, dramatically decreasing those chances is a very desired thing. What good is adding this 1-2 years into the ransomware frenzy? It's pointless and you let down all the users in the meanwhile. The thing is, most other companies that matter have this covered in one or another way. Not avast! for some reason. And it has been like this for quite a while. I have no idea why.

I mean, anyone remembers how certain companies brute forced malware stored in encrypted ZIP archives as e-mail attachments? Or how they went as far to make AV capable of OCR reading the passwords from attached images to unlock those archives? That's dedication I have yet to see from avast!.

I'm just surprised they skipped this capability even though 90% of it is already there, it's just not forming a complete, connected functionality. With all the engineers at avast! and no one even came up with this idea, I don't know...
Visit my webpage Angry Sheep Blog

REDACTED

  • Guest
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #10 on: October 18, 2016, 01:01:50 AM »
Long overdue; it needed to be done. Proactive protection in Avast is easily bypassed by ransomware.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #11 on: October 18, 2016, 07:07:14 PM »
New ransom sample, AVG got it but not avast

First submission 2016-10-16 00:12:11 UTC ( 2 days, 16 hours ago )
https://virustotal.com/en/file/85da17f723f971c4256752ecaf5e94b1838fe8df190ad5920b1ab4de467a7473/analysis/1476809991/


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89641
  • No support PMs thanks
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #12 on: October 18, 2016, 07:20:54 PM »
> New ransom sample, AVG got it but not avast
>
> First submission 2016-10-16 00:12:11 UTC ( 2 days, 16 hours ago )
> https://virustotal.com/en/file/85da17f723f971c4256752ecaf5e94b1838fe8df190ad5920b1ab4de467a7473/analysis/1476809991/

The few that did detect anything have a wide variety of detection names. Trend with Ransom_HDDCRYPTOR.F detection is very close, AVG with FileCryptor.NAI is close. The rest are very generic and appear very wide of the mark (for ransomware).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.870) UI 1.0.818/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #13 on: October 18, 2016, 07:33:29 PM »
TrendMicro is always quick with new ransomware, they seem to have a high priority on it, i guess bc they have lots of business customers
They also have one of the best info blogs about ransomware


Anyway, this is the message that popped up on the screen to the one that found the sample above and found out the hard way

“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”


« Last Edit: October 18, 2016, 07:38:37 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89641
  • No support PMs thanks
Re: [Wish] Anti-Ransomware Protection feature (idea)
« Reply #14 on: October 18, 2016, 08:53:18 PM »
> TrendMicro is always quick with new ransomware, they seem to have a high priority on it, i guess bc they have lots of business customers
> They also have one of the best info blogs about ransomware
>
> Anyway, this is the message that popped up on the screen to the one that found the sample above and found out the hard way
>
> “You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123152”

For me, ransomware and other serious malware/infections really do need the user to have a robust backup and recovery strategy. Relying 100% on your AV and or other malware tools could well come unstuck in the early days of a new variant.

The only real way is hard disk imaging software run at least once a week (and keeping at least 3 generations of the drive imaging, I keep 6), one that can be restored outside of Windows, essentially wiping out the malware infection should you ever get hit.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.870) UI 1.0.818/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security