How to protect from ransomware?

We use Cylance Next-Gen AV, which can detect zero-day viruses and ransomware alike.

https://www.cylance.com/en_us/products/our-products/protect.html

I purposely downloaded WannaCry to my VM running an unpatched Win 7 and tried to execute it. Cylance wouldn't even let me access it, as it deleted it as soon as I downloaded it. :)

I'd be cautious running the dropper in a VM, though you sound like you know what you are doing - it has significant capabilities that could potentially escape a sandboxed environment if attention wasn't paid to making sure it has no access to any kind of networking functionality, etc.
 
Wow, just updated a Windows 7 machine - found updates in under 10 seconds, updated and done in under 20 minutes. Last time I tried that system it was still sorting through updates 6+ hours later when I killed it off.

I'm guessing it would have been bad publicity, given recent events, if it was even at the slightly less crippled speeds it was running at more recently, let alone the totally stalled state it was in for a while. Ha, I bet once this has blown over it goes back to slow for older OSes.
 
The slowdowns cleared up after Windows 10 was no longer being sent to Windows 7 users and the removal of the GMX tool update Microsoft sent out.
 
Never seen it particularly speedy though - done 2 machines now that zipped through it in under 20 minutes when before they would have been lucky to complete in 2 hours, even after they stopped pushing Windows 10, etc.
 
Cylance detects and blocks malware before it can affect your computer. Cylance uses a mathematical approach to malware identification, using machine learning techniques instead of reactive signatures, trust-based systems or sandboxes.

The Cylance Agent doesn't require continuous cloud connectivity or continual signature updates, and works in both open and isolated networks.


Looking beyond the advertising blurb

I am Jon Miller, Cylance Chief Research Officer & hacker type guy... we use AI to stop bad guys from doing bad things. Ask Me Anything!
...

Our AI Model is updated about every 6 months. In the case that we need to adjust the AI Model within the 6 months, we can address a false a number of ways.
1. We can push an update to the AI Model called Centroids. A centroid is the mathematical center of a cluster of data geometric shape. We can create a negative Centroid that excludes the detection of a cluster of file features.
2. The customer can add a file hash to their Global Trust list.
3. The customer can add a digital signature to their Global Trust list.
Centroids are rare however.

trevor79 4 points 3 months ago

So how is this "centroid" somehow different from old AV signatures?

bwall9809 2 points 3 months ago

Centroids are just a temporary patch, not a permanent solution. Misses are included in the training for the next model.

DanB1aze 5 points 3 months ago

Sounds like any other security product. Reactively detect missed malware by signature, release more generic heuristic in a day/week. Release retrained AI Model in next update.

...
It seems like every other AV vendor now has static analysis powered by machine learning. CrowdStrike, Symantec, Trend Micro, McAfee, Palo Alto, SentinelOne, all claim to have the same thing you have. They are also willing to be tested by 3rd parties. You mentioned you are working with NSS Labs but the security industry knows they are a pay-to-play type of test house. The more paid for private tests you do with them, the better your public test results will be.

My question is if everyone has the same type of machine learning as you, and you aren't willing to participate in objective 3rd party testing, how are you actually different?

...

Can you elaborate on the feud with Sophos?

https://blogs.sophos.com/2016/06/29/thoughts-on-comparative-testing/#more-31647

lol - if the Monty Pythons were going to rewrite the cheese shop sketch for Antivirus, this reddit thread could be the start.

.. was even better than this wannacrypt blog that suggests private keys could be onboard on host computers
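The "negative centroid" idea in the AMA excerpt above is easy to misread as a signature. The following added example (my own illustration, not Cylance's model or code) shows what a nearest-centroid classifier with a negative-centroid override actually does, and the caveat that matters for a defender: the override carves out a region of feature space, so anything that lands inside it is trusted, while a sample just outside it is still judged by the ordinary centroids. The three-dimensional feature vectors (entropy, imports/10, packed flag) and the "legitimate packed installer" cluster are constructed toy values, not real file features.

```python
"""Nearest-centroid classification with a 'negative centroid' override.

Added illustration of the concept in the AMA excerpt; not Cylance's code.
Feature vectors are constructed toy values: (entropy, imports/10, packed flag).
"""
import math


def centroid(points):
    """Arithmetic centre of a cluster of equal-length feature vectors."""
    dims = len(points[0])
    return tuple(sum(p[i] for p in points) / len(points) for i in range(dims))


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# Constructed training clusters (not real malware or goodware statistics).
BENIGN = [(4.1, 3.0, 0.0), (4.5, 2.8, 0.0), (3.9, 3.4, 0.0)]
MALICIOUS = [(7.6, 0.3, 1.0), (7.9, 0.2, 1.0), (7.4, 0.5, 1.0)]


class CentroidModel:
    def __init__(self, benign, malicious):
        self.centroids = {"benign": centroid(benign), "malicious": centroid(malicious)}
        self.negative = []  # list of (centre, radius): clusters excluded from detection

    def add_negative_centroid(self, false_positives, margin=1.5):
        """A 'negative centroid': the centre of a cluster of files the model
        wrongly flagged. Any sample within `radius` of it is treated as benign.
        `margin` widens the radius a little beyond the observed cluster."""
        c = centroid(false_positives)
        radius = max(distance(c, p) for p in false_positives) * margin
        self.negative.append((c, radius))

    def classify(self, x):
        # Negative centroids are checked first: they override the main model.
        for c, r in self.negative:
            if distance(x, c) <= r:
                return "benign"
        # Otherwise: plain nearest-centroid decision.
        return min(self.centroids, key=lambda k: distance(x, self.centroids[k]))


def run_demo():
    """Walk through a false positive being patched with a negative centroid."""
    model = CentroidModel(BENIGN, MALICIOUS)
    installer = (7.5, 0.4, 1.0)            # constructed: a legitimate packed installer
    before = model.classify(installer)     # high entropy + packed: looks malicious
    # Vendor pushes a negative centroid built from the cluster of misfired files.
    model.add_negative_centroid([(7.3, 0.6, 1.0), (7.5, 0.4, 1.0), (7.2, 0.7, 1.0)])
    after = model.classify(installer)
    # A malicious sample outside the excluded region is still detected.
    malware = model.classify((7.9, 0.2, 1.0))
    return {
        "installer_before_patch": before,   # "malicious"
        "installer_after_patch": after,     # "benign"
        "malware_after_patch": malware,     # "malicious"
        "plain_benign": model.classify((4.2, 3.1, 0.0)),  # "benign"
    }


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name}: {label}")
```

The point for anyone evaluating such a product: a negative centroid is a geometric exclusion, so its radius decides how much of the neighbouring malicious region it also excludes. The `margin` parameter here is the knob an operator would want to see documented, and a sample that lands just outside the excluded radius is still classified by the main model exactly as before the patch.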
 
Two possible mentions of private key that make sense there - one, I believe, is part of the "you can decrypt some files for free" bit, where they don't care if the user manages to reverse-engineer decryption; it's just a marketing trick to make people think there is a chance they can recover all their files (whether they can or not is another matter). It also uses an internal local private/public pair as part of its operation, separate to the actual encryption of the files.
 
Is just running MSE valid anymore? Is this an arms race?

Yeah, it's fine, been running it since Windows 2000 and never had an issue; it's quite good (especially for an AV/ASW built into the O/S). Be warned though, most antivirus can't protect against a worm that remotely exploits an O/S flaw (though still good to have).
 
just arrived in mbox - see what the NHS should have bought.

I assume the attached PDF in the email is OK to open?
 
Might be wrong, but I think Bitdefender were trying to change their email protection model to a 'plugin' for corporate clients.
They wanted £1 per mailbox per month, IIRC.
Good luck with that bill, NHS.
 
Easy - use backup software which a) provides full versioning and b) uses proprietary network protocols to transfer the data to the backup destination (i.e. not Windows shared drives).

I use Crashplan to backup everything of value from my multiple family PCs/laptops to my home server. None of the PCs or laptops can access the home server via windows networking/shared drives so even if one of them gets infected they can't reach the backups on the home server to encrypt them. No cost for this option (apart from the home server/storage) as Crashplan only charge for the cloud storage option.

If files on a PC/laptop were to get encrypted then they would be backed up, but as they would be different they would be stored as new versions and would not overwrite the previous (good) versions, which could easily be restored (after a wipe/reinstall of the PC/laptop of course).

If (in the really worst case) the home server also got infected somehow then I could get my files back from the further backup on Crashplan's cloud storage platform. OK, I do pay for that, but for the princely sum of $12.50 per month for unlimited storage for up to 10 PCs I think it's worth it!

Having a decent antivirus package installed as well obviously makes sense too...
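The post above rests on two properties of the backup destination: every change is kept as a new version, and the client cannot reach the store over a Windows share. The following added example (my own illustration, not Crashplan's code) models the first property as a small content-addressed, append-only store and walks through an infection: the client's files are overwritten, the damaged copies get backed up as usual, and the previous good versions are still there to restore. The file names, contents and the XOR "damage" are constructed sample data; the XOR is only a deterministic stand-in for an encrypted overwrite, not a claim about any real ransomware.

```python
"""Versioned, content-addressed backup store.

Added illustration (not Crashplan's code) of why full versioning survives
ransomware: an encrypted file is backed up as a *new* version, and the earlier
good version is never overwritten. Sample data below is constructed.
"""
import hashlib


class VersionedStore:
    """Minimal backup destination. Objects are keyed by the SHA-256 of their
    content; each path keeps an append-only history of (timestamp, digest).
    In a real deployment only the backup agent's own protocol reaches this
    store, never an SMB share mounted on the client."""

    def __init__(self):
        self.objects = {}   # digest -> bytes
        self.history = {}   # path -> [(timestamp, digest), ...], oldest first

    def backup(self, path, data, when):
        """Record `data` for `path` at time `when`; unchanged content adds no version."""
        digest = hashlib.sha256(data).hexdigest()
        self.objects.setdefault(digest, data)           # identical content is deduplicated
        versions = self.history.setdefault(path, [])
        if not versions or versions[-1][1] != digest:   # only changes create a version
            versions.append((when, digest))
        return digest

    def versions(self, path):
        return list(self.history.get(path, []))

    def restore(self, path, before=None):
        """Return the newest version of `path` recorded before `before`
        (the latest version when `before` is None)."""
        candidates = [v for v in self.history.get(path, [])
                      if before is None or v[0] < before]
        if not candidates:
            raise KeyError(f"no version of {path} before {before}")
        return self.objects[candidates[-1][1]]


def simulate_overwrite(data):
    """Stand-in for the damage done to the client's copy: the bytes become
    unreadable. A fixed XOR mask keeps the demo deterministic; it is not
    encryption and not how any real ransomware works."""
    return bytes(b ^ 0x5A for b in data)


def run_demo():
    """Three daily backups, with an infection on day 3, then a point-in-time restore."""
    store = VersionedStore()
    files = {  # constructed sample files
        "photos/holiday.jpg": b"JFIF...holiday photo bytes...",
        "docs/thesis.docx": b"PK..thesis document bytes..",
    }
    for path, data in files.items():
        store.backup(path, data, when=1)    # day 1: initial backup
    for path, data in files.items():
        store.backup(path, data, when=2)    # day 2: unchanged, no new version
    damaged = {p: simulate_overwrite(d) for p, d in files.items()}
    for path, data in damaged.items():
        store.backup(path, data, when=3)    # day 3: infected client backs up junk
    result = {}
    for path in files:
        result[path] = {
            "versions": len(store.versions(path)),                        # 2
            "latest_is_damaged": store.restore(path) == damaged[path],    # True
            "restored_ok": store.restore(path, before=3) == files[path],  # True
        }
    return result


if __name__ == "__main__":
    for path, info in run_demo().items():
        print(path, info)
```

Two things worth checking on a real product before relying on this: that the retention window is longer than the time it takes you to notice an infection (a store that prunes versions after a few days can age out the good copies), and that the client's credentials to the store are write/append only, so a compromised client cannot delete history.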
 
^^ Also a big fan of Crashplan, although I have two local backups as well which I refresh every few months, mostly family photos etc., so nothing vital but of sentimental value.

I also have application whitelisting enabled on my home PCs. Easy to disable when you want to run something but sits harmlessly protecting otherwise; that's in addition to Windows Defender and Malwarebytes.
 

So educate me -
Do you have mirrors of the disks too, to ensure that the OS and all tools/config can all be restored (this is half the battle - no?)
What kind of broadband upload speed do you need for Crashplan? Since it is incremental I guess you do not need so much.
(When I started using an eSATA connection for the backup disk at 6Gb/s, this is what really enabled quick disk mirroring for me, but this is 200x faster than a 30Mb/s broadband upload, say.
Also, if I was being diligent I think I should make 50GB Blu-ray copies of important little-changing sentimental data.)
 
Depends on priorities. I personally couldn't care less if OS/apps need reinstalling, since I have a very low chance of ever being infected anyway due to the precautions I take (almost entirely my own PC, everything up to date, whitelisted apps, Malwarebytes, Windows Defender and a healthy dose of common sense when browsing). "Half the battle"? No, that should be preventing infection to begin with, not mopping up afterwards.

Crashplan backs up daily and has version control. Initial backup can take weeks and it's hardly the fastest to restore - but it has saved me a lot of messing about in the past due to hard drive failures.

My local backups are all Macrium Reflect based, plus manual folder copying of my most important stuff to encrypted drives. OS restore though would always be a low priority for me; it's an easy job should I ever need to. I'm far more concerned about my photographs, video editing projects etc.

FYI I have 850GB backed up on it, but I see it as an additional backup, not my main one - which is always local even if it's less frequent, as I can restore from local and then restore changes from that from Crashplan later, drastically reducing restoration time but ensuring it's bang up to date.
 
Fantastic!!

Don't suppose you have the time to do a write-up of how that's all set up for us noobs.

I have a spare server (cheap PC bought from OC that I used to use as a server) that I no longer use, and some spare drives that I could RAID for more storage, or buy a couple more to use.
 
Yes, 100% - There are a few minor restrictions in functionality (e.g. backup frequency limited to daily, only a single 'backup set'). See https://www.crashplan.com/en-us/features/compare/

Many thanks for that, I will certainly take a look.

As a matter of interest, you also said "Having a decent antivirus package installed as well obviously makes sense too...". What anti-virus software would you recommend? Personally, I use Kaspersky.
 