Does Avast protect me from Wannacry?

[stibi]

To you, encrypting seems a normal behavior?

Sometimes YES.
Who decides wheather encrypting is wanted or not?

[Asyn]

Who decides wheather encrypting is wanted or not?

Best case scenario, the user.

[REDACTED]

John, what you clearly don't understand is that it is not possible to create a detection if the method the malware is using is not known.
If it was, diseases like aids, cholera etc would not be able to infect people.

It seems it is possible , for others:

https://www.bitdefender.com/media/html/business/wannacry/?icid=footer_ransomware_attack

"Bitdefender Machine Learning models, available in all editions of Bitdefender GravityZone, are designed specifically to catch never before seen attacks at pre-execution stage."

[Asyn]

So did Avast, see Reply #9.

[Eddy]

are designed specifically to catch never before seen attacks at pre-execution stage

There is a very good reason why they don't say "catch ALL never before...".
It is simply not possible to do so.

On a note :
Bitdefender added detection for WannaCry AFTER it was discovered and so did all other anti-malware I have checked.

Avast says :

Behavior Shield comes standard in all versions of Avast 2017, protecting you from zero-second threats, ransomware and other malicious programs

All other major av developers/vendors say something similar, but non is saying "ALL".

[Pondus]

John, what you clearly don't understand is that it is not possible to create a detection if the method the malware is using is not known.
If it was, diseases like aids, cholera etc would not be able to infect people.

It seems it is possible , for others:

https://www.bitdefender.com/media/html/business/wannacry/?icid=footer_ransomware_attack

"Bitdefender Machine Learning models, available in all editions of Bitdefender GravityZone, are designed specifically to catch never before seen attacks at pre-execution stage."

They blocked the exploit attempt, not detecting the actual malicious file, this was added later when they got samples

so several layerers of protection
1. Your AV vendor have added detection for the exploit
2. You have installed the patch from MS and closed the security hole
3. Your AV vendor add detection for the malicious file(s) as they are found

What is more important, Bitdefender Hypervisor Introspection was able to prevent the exploit of the vulnerability long before it was disclosed and patched by Microsoft.

Symantec also (and others)

Symantec customers have been protected from WannaCry prior to its emergence. Symantec Secure Endpoint Protection (SEP) and Norton have blocked any attempt to exploit the vulnerability used by WannaCry since April 24, before WannaCry first appeared.

https://www.symantec.com/outbreak/?id=wannacry
https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99

What protection all those infected machines had, i dont think that info is posted anywhere ... or?

[RedFan]

I think people with Windows XP are the most vulnerable, because they don't have the latest patch from MS update.
Now MS wil patch xp to protect more xp users.

[DavidR]

I think people with Windows XP are the most vulnerable, because they don't have the latest patch from MS update.
Now MS wil patch xp to protect more xp users.

MS have already release a patch of OSes which are no longer supported, this includes XP, Vista and Win 8.0.

[Asyn]

Any antivirus company can add detection "after", when the threat is known.

Behavior shield did in fact detect it before that. Cheers.

-> http://weblog.av-comparatives.org/proactive-protection-wannacry-ransomware/

[chris..]

Where XP users can see if the MS patch instaled .... since - I think - their browser (IE8) is out-of-date (Path history down)?  ? KB number ?

Was a patch already been released before for Posready xp users?

Also , I read that a new large-scale cyber attack was under way : "Adylkuzz"
I did not find it in avast VPS history until now. Any news ?

[REDACTED]

Funny thing, on each and every antivirus forum we ask this question the answer is the same "Yeas, our antivirus will protect you against Wannacry", yet 100000 pc were infected...

John,
Your question is based on an assumption that the PC's were infected inspite of having AV software installed & also that without having seen the 'attack vector' before that AV software could catch it.
All AV software works on the basis of 'Known Attack vectors' which can be coded for or known methods that can be caught via any Heuristic based methods.
All the AV vendors will by now be able to detect and catch 'Wannacry' because samples have been caught and examined.
NO AV software will protect you 100% from all possible attacks.
The point of using AV & Anti-malware is to cover as many as you can (get as close to 100% as you can) but you still need to use common sense (that is not so common !!!).
This means you ensure you have good backups of your data that you verify work on a regular basis. (This is the final fallback if your AV & Anti-malware should fail.)
You do not open e-mails or documents or run software from sources that you cannot have confidence in.
If you know that you are going to open/run unknown docs/software, you do it on a machine that is isolated from the network/internet, so that it cannot 'run amok' via your network connection.

Ideally, if you are knowingly running suspect software or accessing suspect files you would do this in a VM (Virtual machine) that is isolated from everything and running on a controlled 'virtual / internal' network that is NOT connected to anything you cannot 'wipe and rebuild' if need be. [remember that VM's are not 100% safe as there are exploits that can 'break out' of VM's.] 

Everyone should learn from the 'Wannacry' events that regular backups and regular testing of those backups is essential.
Do not assume that your backups are working ....... check the backups that you create, are accessible, complete and you can get ALL your files back when you try to restore.
Follow a proper backup schedule with multiple copies of your backups kept and make sure that they are kept in multiple safe locations.
(Remember that Viruses etc are not the only risk, if there is a fire or flood would you lose your backups as well. !!!)

 

[mchain]

Thank you Ruby-Tuesday,

It should also be pointed out that significant number of systems affected were non-Microsoft systems, or otherwise known as cracked or illegal Windows systems.  Not talking about obsolete or out-of-support systems here.

So there was never the possibility of getting and applying the Windows security patch which is key to preventing the SMB exploit used by the worm module in WannaCry.  Hence the number of infected systems was higher than it otherwise might have been had all systems attacked been legal; the onus then would've been on the operators for not applying the Microsoft patch deployed March 2017...  As it was, some legal systems never were patched in March as they should have been.

Thought that should be pointed out.

As always patch patch patch.  If you can't get a patch in time, find a workaround.

[alicia.rose]

Some years ago an Avast Überevangelist Malware Removal Expert advised me to install CryptoPrevent as well.

This I did and I've had it ever since on my computer.

It was good to see: "The best thing about (the new Avast Behavior Shield) is that it has proven to be especially powerful against ransomware. Although ransomware samples evolve and morph rapidly, they still exhibit specific behaviors that can be identified. Behavior Shield is capable of detecting and stopping new ransomware variants that haven’t been seen before – something that’s been inherently difficult using other protection mechanisms."

https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology

Do I still need to use CryptoPrevent as well?

"Over 98% of All WannaCry Victims Were Using Windows 7"

https://www.bleepingcomputer.com/news/security/over-98-percent-of-all-wannacry-victims-were-using-windows-7/

?

chris05 - The recently released Microsoft custom patch for XP SP3 x86 is KB4012598

Can be seen after installation in Control Panel / Add or Remove Programs / Check 'Show updates'.

[DavidR]

Some years ago an Avast Überevangelist Malware Removal Expert advised me to install CryptoPrevent as well.

This I did and I've had it ever since on my computer.
<snip>

That sounds like essexboy, though it gould also be Andrey,pro, but like all security software it has to be up to date to get the full benefit/protection. Whilst I don't use CryptoPrevent, the latest version is 8.0.3.7 I believe dated  05/16/2017.

Depending on how long ago this advice was given, it could precede when the additional protection against ransomeware was included in avast.

[Eddy]

Bleeping computer is wrong.
15% of the infected systems was/is using Windows 10.