DKech

Members
Posts: 4
Everything posted by DKech

  1. Now I will briefly describe the situation that arose in the test. For some very rare programs, special uninstallers have been written which, if run from that program's folder, correctly remove that specific program. But if the same uninstaller is run outside the program's folder, it literally deletes EVERYTHING from the hard disk (programs, documents, even some system files). Samples of this uninstaller were sent to the ESET laboratory a year ago, and after analysing the program the analysts recognised it as malicious and created a signature for it as the Win32/KillFiles.NJT trojan. But apparently the signature was later removed, and now the antivirus does not consider this program and similar ones dangerous, hence the result in the test. In fact these are of course legitimate programs, and if they are launched in the folder of the specific program they are meant to remove, they remove only that program, correctly; but they can be dangerous if they are not launched from the program's folder, and therefore they absolutely fall under the POTENTIALLY DANGEROUS category. Their actions in such cases cause irreparable damage to the system and the user's files, and a complete reinstallation of the system and restoration of the user's personal files are required.
  2. "Not all ransomware is configured to bypass this." That is a rather flimsy argument. It is the same as saying that you don't need to fit a lock to the door, since a robber is able to open the lock with his own key.
  3. Description: Rules for HIPS on default settings
     Detail: I propose adding to HIPS, in the default setting (automatic and smart modes), several pre-written rules to protect important parts of the operating system: startup, the hosts file, some policies. User Sergey Tversky has already posted some registry keys that the developers could write into the rules by default, so that HIPS raises a request (alert) to the user for any change to these keys and files:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\*
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\*
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\*
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\*
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\*
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\*
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

     And protect the hosts file. For corporate users of the business version such a package of rules already exists. Home users do not need all of it, but some of it is clearly not superfluous for anyone.
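As an added example (not from the post, and not ESET's rule package), the following PowerShell script audits the locations the post lists: it enumerates every value under each listed registry key that exists on the machine, resolves the `DataBasePath` value to the hosts file the TCP/IP stack actually reads and hashes it, and either writes a baseline or diffs the current state against it. `RunServices` and the HKCU `Policies` keys are often absent on current Windows versions, so a missing key is reported rather than treated as an error. The baseline file location is an assumption.

```powershell
# Added example: snapshot the autorun/policy keys and the hosts file from the post,
# then diff against a saved baseline. Built-in cmdlets only; not part of ESET HIPS.
$Keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'   # Win9x-era; absent on modern Windows
)

function Get-AutorunSnapshot {
    $rows = @(foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Key = $key; Name = '<missing>'; Value = '' }
            continue
        }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key
                Name  = if ($name) { $name } else { '(Default)' }
                # Keep %VAR% unexpanded so the stored string, not its expansion, is compared.
                Value = [string]$item.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
    })

    # Hosts file: follow DataBasePath rather than assuming System32\drivers\etc,
    # since redirecting that value is itself a way to plant a fake hosts file.
    $dbPath    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
    $hostsPath = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
    $hash      = if (Test-Path $hostsPath) { (Get-FileHash $hostsPath -Algorithm SHA256).Hash } else { '<missing>' }
    $rows += [pscustomobject]@{ Key = 'DataBasePath'; Name = $hostsPath; Value = $hash }
    return $rows
}

$BaselinePath = "$env:ProgramData\autorun-baseline.csv"   # assumed location

if (Test-Path $BaselinePath) {
    $before = Import-Csv $BaselinePath
    $after  = Get-AutorunSnapshot
    # SideIndicator '=>' marks entries present now but not in the baseline (new autoruns),
    # '<=' marks baseline entries that have changed or disappeared.
    $diff = Compare-Object $before $after -Property Key, Name, Value
    if ($diff) { $diff | Format-Table -AutoSize } else { 'No changes since baseline.' }
} else {
    Get-AutorunSnapshot | Export-Csv $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
}
```

Run it once from the account whose startup you care about (HKCU is per-user, so an elevated prompt sees the administrator's hive, not the logged-on user's), then again after installing or running anything suspicious. It only reports after the fact; the pre-alert the post asks for needs the HIPS rule itself.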
  4. Description: Protecting document folders
     Detail: Implement protection of user folders and files along the lines of the folder protection in Windows Defender. At present, to obtain such protection the user has to create a special rule in HIPS on their own, which is far from possible for everyone. If the antivirus implemented a similar "one-click" folder protection mechanism (just move the switch for this function to the Enabled position and specify the folders to protect), it would be very convenient and within the capability of any user. This function can be regarded as an additional measure of protection against unknown ransomware.
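As an added example, not from the post, this is what the one-click folder protection it asks for looks like in the Windows Defender feature it refers to (Controlled Folder Access), driven from the built-in Defender cmdlets: switch it on in audit mode first, add the folders to protect, allow one application that legitimately writes there, then read back the state and the audit events Defender logs. The folder list and the application path are assumptions; the cmdlets, preference values and event IDs are Microsoft's.

```powershell
# Added example: Microsoft Defender Controlled Folder Access from PowerShell.
# Needs an elevated prompt and Defender Antivirus as the active AV (third-party AV disables it).
$FoldersToProtect = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures", 'D:\Work')   # assumed
$TrustedApp       = 'C:\Program Files\MyBackupTool\backup.exe'                                # assumed

function Enable-FolderProtection {
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Mode = 'AuditMode')
    # AuditMode logs what would be blocked without blocking it; move to Enabled once the log is clean,
    # otherwise untrusted but legitimate tools (backup agents, build scripts) silently fail to write.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($folder in $FoldersToProtect) {
        if (Test-Path $folder) { Add-MpPreference -ControlledFolderAccessProtectedFolders $folder }
    }
    # Apps Defender does not already trust must be allowed explicitly; the allow list is by path.
    if (Test-Path $TrustedApp) { Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp }
}

function Get-FolderProtectionState {
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode    = $p.EnableControlledFolderAccess   # 0 = Disabled, 1 = Enabled, 2 = AuditMode
        Folders = $p.ControlledFolderAccessProtectedFolders
        Allowed = $p.ControlledFolderAccessAllowedApplications
    }
}

function Get-FolderProtectionEvents {
    param([int]$Hours = 24)
    # 1123 = write blocked; 1124 = write would have been blocked (audit mode).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-FolderProtection -Mode AuditMode
Get-FolderProtectionState
Get-FolderProtectionEvents -Hours 24 | Format-Table -Wrap
```

Note the limitation that makes the post's HIPS-based version attractive as a complement: Controlled Folder Access decides by application trust and path, so an allowed application that is itself hijacked (DLL side-loading, script interpreters on the allow list) can still encrypt the protected folders.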