No matter the level you are at in Information Security, you are always dealing with endpoint security: viruses, malware, cookies, caches, ransomware, admin rights, data transfer, encryption, and the list goes on. The device that users use to access all the critical data is the most overlooked security component in an environment. It’s a person’s laptop, who cares? Miss a few patches, have a zero day exposed by a drive-by CryptoWall that encrypts their F: drive, which happens to be a mapped drive to your 3 terabyte corporate shared drive, and all the contents get encrypted and held for ransom. After that happens, see if you care then.
For more than a decade we have been installing software on those endpoints to detect viruses and malware and stop them before they cause issues. The biggest flaw with agent-based anti-virus tools is that they are not real-time protection. They detect based on an ever-growing catalog of virus signatures. So as long as you stay up to date with your virus signatures, and the vendor you choose stays on top of keeping their catalog current, you are protected against all viruses known at the time. Anything new that comes out can cause damage until the anti-virus industry finds the virus, builds a signature for it, and everyone gets it into their scanners. This delay, and the lack of attention to regular signature updates, allows viruses to continue to exist and propagate for years after release.
Technically speaking, computer viruses and malware are different things, with malware being the more damaging. In my opinion one of the better malware scanners out there is from Malwarebytes, and their tool is of the same name. However, because of signature-based scanning, it is best practice to use more than one tool to scan and clean a system if you are not going to completely wipe it and rebuild it. Malwarebytes is my first go-to. Spybot, CCleaner and a few others are also in my tool box on top of my antivirus client.
Malwarebytes has announced a new Anti-Ransomware tool released in beta. Ransomware is the latest in the malware/virus realm that has allowed the hackers to monetize their damage. Ransomware infects your computer, encrypts your files, then tells you how to make a payment to get the key that releases them. Unless you have a regular backup, and most don’t, your files are gone. Some estimate that this is a multi-million dollar industry. Even the FBI has come out publicly and said that paying these criminals is the direction to take.
Ransomware is easy to understand but hard to beat. It infects the machine, encrypts all files and then demands payment to get the files back. Ransomware works so well that most variants will even remove themselves when the damage is done, knowing you have the choice of either paying the ransomware author to get your files back, or risk losing them forever.
Malwarebytes’ new anti-ransomware tool may be the first step in the evolution that scanners need to take: moving away from signature-based scanning to dynamic, behavior-based scanning. This tool may be able to detect the behavior of the infection, no matter how it was created, and stop it before it encrypts anything.
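To make the difference between the two approaches concrete, here is a small added example (my own illustration, not Malwarebytes’ code and not a description of how their product works internally). It puts a hash-based signature check next to a behavior monitor that watches a stream of file-write events and stops a process once it has rewritten many distinct files with high-entropy content inside a short window, which is the footprint of mass encryption. The event stream, the process ids, the file paths, the "known bad" hash catalog and the sample bytes are all constructed for the demo.

```python
import hashlib
import math
from collections import defaultdict, deque

# --- Signature-based check (what classic anti-virus does) -----------------
# Constructed catalog holding the SHA-256 of one hypothetical sample. A real
# catalog has millions of entries but works the same way: exact match or nothing.
SAMPLE_A = b"CONSTRUCTED-SAMPLE-A: not a real binary"
SAMPLE_B = b"CONSTRUCTED-SAMPLE-B: same behaviour, one byte changed"
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """True only when the exact file hash is already in the catalog."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# --- Behavior-based check (the approach the post describes) ---------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BehaviorMonitor:
    """Blocks a process that writes high-entropy content to many distinct
    files within a sliding time window, regardless of what the binary is."""

    def __init__(self, window_s=5.0, min_files=10, entropy_threshold=7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self.history = defaultdict(deque)   # pid -> deque of (ts, path, entropy)
        self.blocked = set()

    def observe(self, pid, ts, path, data):
        """Feed one write event; return True if the process should be stopped."""
        if pid in self.blocked:
            return True
        q = self.history[pid]
        q.append((ts, path, shannon_entropy(data)))
        while ts - q[0][0] > self.window_s:      # drop events outside the window
            q.popleft()
        hot_files = {p for _, p, e in q if e >= self.entropy_threshold}
        if len(hot_files) >= self.min_files:
            self.blocked.add(pid)
            return True
        return False


# --- Constructed event stream -----------------------------------------------
def _high_entropy(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain, ~7.9 bits/byte)."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def run_scenario():
    mon = BehaviorMonitor()
    # pid 100 (hypothetical): a user editing documents -- few files, text, slow.
    editor_events = [(100, t * 30.0, f"F:/docs/report{t}.txt",
                      b"Quarterly report draft, section %d\n" % t * 64)
                     for t in range(5)]
    # pid 200 (hypothetical): encryptor-like process -- 40 files rewritten
    # with ciphertext-looking bytes inside two seconds.
    enc_events = [(200, 0.05 * i, f"F:/share/file{i}.docx", _high_entropy(i))
                  for i in range(40)]
    result = {"editor_blocked": False, "encryptor_blocked_after": None}
    for pid, ts, path, data in editor_events:
        result["editor_blocked"] |= mon.observe(pid, ts, path, data)
    for idx, (pid, ts, path, data) in enumerate(enc_events, start=1):
        if mon.observe(pid, ts, path, data):
            result["encryptor_blocked_after"] = idx   # files touched before the stop
            break
    # The catalog knows variant A; the trivially altered variant B slips past it.
    result["signature_catches_variant_b"] = signature_match(SAMPLE_B)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Two things worth noting from the scenario. First, the monitor only reacts after the first `min_files` files have already been rewritten, so a behavior-based tool limits the damage rather than preventing the first touch; a smaller window and threshold stop it sooner at the cost of more false alarms. Second, backup agents and compression tools also write high-entropy data to many files quickly, which is why a production monitor pairs this kind of rule with process allow-listing, canary files, or a check for the original file being replaced rather than appended to.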
Most of today’s security software simply cannot protect you from ransomware. Ransomware does not act like traditional malware: some are automatically updated every day, and even use polymorphic (shapeshifting!) code to evade detection. This makes it exceedingly hard to detect.
Malwarebytes Anti-Ransomware uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files. It has no shot at encrypting. And it does not rely on signatures or heuristics, so it’s light and completely compatible with antivirus.
I am excited to see how this plays out and if it is in fact a true behavior scanner. Honestly, I am not sure how a user would beta test it, or would risk a beta test, unless they have a lab where they can release variants of ransomware. The Internet will test it thoroughly, I’m sure, and hopefully will usher in the next level of secure endpoint protection by dumping reliance on pattern matching and moving to watching behaviors.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.