Eset Antivirus/Internet Security with folder protection

[Reza Shamsudin 2]

Hi,

Just a suggestion. In the future Eset version (11,12,13 and so on...). It might useful if Eset team will include the "folder protection" functionality on their Antivirus program.

Avast, Bitdefender, already put the function on their Antivirus if I'm not mistaken. Even Microsoft Windows Defender latest version also included this function.

The main objective is to to protect the folders & the content inside from overwrite by the Viruses, Ransomware (encrypted).

Actually for Advanced IT users, we all can do it manually. But users will always love a simplicity just build-in function & just a few clicks for setup the folder & content protection.

 

[Marcos 5,074]

What if ransomware is injected into an Office process or if it is run as a VBA macro? Do you know know these solutions protect the folder in such case? It's not much difficult to implement a simple protection but it could be relatively easily bypassed. And that is also the reason why we don't use just simple HIPS rules in antiransomware but instead it's a complex HIPS-based system for monitoring suspicious behavior of processes.

[Reza Shamsudin 2]

5 hours ago, Marcos said:

What if ransomware is injected into an Office process or if it is run as a VBA macro? Do you know know these solutions protect the folder in such case? It's not much difficult to implement a simple protection but it could be relatively easily bypassed. And that is also the reason why we don't use just simple HIPS rules in antiransomware but instead it's a complex HIPS-based system for monitoring suspicious behavior of processes.

Can Ransomware injected into an Office process or run as a VBA macro possibly overwrite the folders security settings? What if the setting is "All Deny" Sir?

[Marcos 5,074]

Then nobody would be able to read or modify files in that folder.

[Reza Shamsudin 2]

That's the point for "protected folders & data inside it". A basic concept for read, write, modify on the folders and inside it. I don't know if either Windows Defender, Avast OR Bitdefender using the same basic concept. Here one of the simple tools for protect folder and the content inside Thumb Drive or External Drive from Sordum.

[Reza Shamsudin 2]

This functionality is what I mean need to put in future Eset version. This is taken from Avast website to show you the function and what do I mean in the thread here.

[Marcos 5,074]

Has somebody has tested this feature with ransomware injecting into word.exe or another Office process or with VBA ransomware included in a document to tell how immune it is against encryption in such case?

[Reza Shamsudin 2]

Not yet Sir. But yes we will try to test it later.

But anyway previously I have tested the Cerber Ransomware attack with manual settings on folders by configure the Security & Permission.

Yes it's fail to encrypt the folder because of didn't have the permission to overwrite the folders.

[itman 1,659]

2 hours ago, Reza Shamsudin said:

This functionality is what I mean need to put in future Eset version. This is taken from Avast website to show you the function and what do I mean in the thread here.

The only problem with this approach is it assumes the average PC user has the "technical smarts" to differentiate between a safe and malicious process.

For example, ransomware payload .exe is named the same as well known system or application process. Alert is generated that User\xxxx\AppData\Local\Temp\explorer.exe is attempting file modification activities. Would the average user have the technical knowledge that the legit storage location for explorer.exe is the Windows\System32 directory?

Also ransomware doesn't always perform its encryption activities in the source directory. It can copy files to another directory, encrypt the files there, and delete the original source directory. Or just steal the files by uploading same to its server and then delete the original source directory

Edited July 19, 2017 by itman

[Reza Shamsudin 2]

"For example, ransomware payload .exe is named the same as well known system or application process. Alert is generated that User\xxxx\AppData\Local\Temp\explorer.exe is attempting file modification activities. Would the average user have the technical knowledge that the legit storage location for explorer.exe is C:\Windows\System32 directory?"

Quoted from itman above :

For this one, we (IT Support/IT Technical) will guide them the legit process of explorer.exe will only coming from C:\Windows\explorer.exe directory itman.

Not guide them one by one.

We will use a group platform to give them the correct information, a reminder.

As for example, me myself currently advising  all of the computer users (basic, average, expert computer users) on my Facebook Group : www.facebook.com/groups/cegah.ransomware.malaysia (Prevent Ransomware Malaysia Facebook Group)

This is how I am advising computer users in my country : Malaysia.

 

 

Edited July 19, 2017 by Reza Shamsudin
add: computer users

[Marcos 5,074]

So you would like to ask user to allow access for word.exe or excel.exe if he or she wants to open a document from a protected folder? I was talking about protection from ransomware that injects into legitimate processes so the path to the executable will be standard and the file will have good reputation even if the malware injected in it could do malicious actions, such as encryption.

[itman 1,659]

To follow up on Marcos's above posting, ransomware is increasingly using memory injection methods to run its payload.

To use an example of an Avast folder whitelisted process that also applies to Win 10 is notepad.exe. It runs as a medium integrity process i.e. the same permission as that given to a standard user account logon. Ransomware running under a standard user account privileges can easily memory inject its payload into notepad.exe to perform it's ransomware encryption activities. In this instance, it could only do so against the given logon AppData directories. However escalating privileges by malware in Windows is becoming trivial these days.  So, it is fair to assume that files in all user AppData directories would be encrypted. 

Also do not rely on an AppContainer protected process to mitigate against malware memory based injection. AppContainer is a sandbox like containment mechanism that just basically restricts where file downloads can be written to.  

Edited July 19, 2017 by itman

[peteyt 393]

The problem with whitelisting is the risks that happen when a whitelisted application is compromised. NotPetya for example appears to have been spread because MeDoc a well used Ukrainian program had its update servers hacked and malware hidden into it. I've heard that privilege esculation can also be used so even if filed are set to read only ransomware may be able to get admin access and simply change this. Also denying access might make average users lifes harder

[Marcos 5,074]

Posts pertaining to the HackTool.Patcher potentially unsafe application were moved here: https://forum.eset.com/topic/12637-hacktoolpather-potentially-unsafe-application/