When preparing this article we’ve asked to all the main security firms to explain which technologies or tools they offer for ransomware protection. Common signature-based antiviruses are not enough to be protected as these malware are custom-tailored for every attack and the executable is masked and modified in different ways, so that it always appears as a different version.
You already know the most obvious advice: keep Windows, antivirus and all the main software (including tools like Flash, Java and Adobe Reader which are often an attack medium) up to date.
Let’s see what information we have collected from the security firms that have replied us.

avira

Avast, mostly known for its antivirus, talked with us about DeepScreen: this technology, part of all desktop products since the 2014 version, is based on the sandbox principle. Potential malware is first executed in a sandbox to evaluate its behaviour. According to Avast, malware uses new technologies to escape from this kind of protection, but its engine is continuously updated together with definitions, so it always includes the latest control features to avoid being deceived with a clever trick.

Avira recommends to activate the Cloud-based protection (Avira Protection Cloud -- see the image on the side). This technology sends a fingerprint of suspicious files to the laboratories of this famous security firms to check if it’s an already analyzed executable. If the file is not recognized it’s immediately uploaded online and analyzed. Avira leverages several techniques to overcome the anti-debugging and anti-sandboxing technologies implemented by malware.

 

bd antiransomware

Bitdefender includes in its desktop product line some anti-malware specific technologies: its engine (also with the Antivirus Plus release) can identify when a software quickly (and suspiciously) accesses several files of a computer and blocks it asking the user what to do. This protection can be extended to external disks but not to network shares. A second free and compatible with any antivirus tool is simply called Bitdefender Anti-Ransomware. This tools exclusively protects against Cryptowall, CTB-Locker, Locky and TeslaCrypt but it’s completely free and its installation takes only a few seconds. It’s like a vaccine: it tricks these virus making them believe they're running on an already attacked system. We also suggest the useful Decryption Tool for the Linux Encoder virus (which plagues Linux machines) released by Bitdefender itself.

ESET, the Slovak software house that develops the infamous NOD32 antivirus, told us the protection happens with signatures and with its file reputation system called Live Grid. This component works together with two other tools: Advanced Memory Scanner and Exploit Blocker. The latter checks all the processes looking for behaviours typical of exploits, while the former looks for suspicious behaviours when malware is executing. ESET also suggests to disable the RDP access where it’s not needed and to set email servers to block executable files and to disable the execution of files within the AppData and LocalAppData folders.

Fortinet, the company famous for its Fortigate line, gateways based on physical or virtual appliances to protect networks, suggests to activate the Antivirus/Antimalware and Application Control modules: the arrival of suspicious files or non-authorized applications can be blocked directly on a network level. By activating the Advanced Threat Prevention (ATP), FortiSandbox can analyze the behavior of potentially suspicious files in a controlled area (a sandbox, indeed) and block them in case an an anomalous behaviour.

Kaspersky Labs suggests to activate the Application Control feature of Kaspersky Internet Security to protect from malware that are not filtered with signatures. After an infection, if no updated backup is available, some tools are available at https://noransom.kaspersky.com. Unfortunately there are a few keys and supported cryptoviruses available on this portal, born as a collaboration with the Netherlands' police, still it’s worth a visit.

McAfee -now an Intel property- sent us a detailed report about technologies implemented in their products and that are effective against ransomware. GTI (Global Threat Intelligence) is the technology at the basis of continuous updates related to file reputation. The email gateway by McAfee filters suspicious messages and blocks dangerous links thanks to ClickProtect. VirusScan’s Enterprise line products can not just identify ransomware, but also remove the main ones.

Sophos, an important software house that develops some of the most known and used antiviruses and UTMs, sent us an extremely detailed documentation of the ways of diffusion of ransomware. The conclusions drawn by Sophos are very savvy: a complete protection can arise only from a combination of technologies that fight the different spreading types of these software. The family of technologies that is dedicated to the protection of users from such malware is Sophos HIPS (Host Intrusion Prevention System). This proactive technology controls the behaviour and constantly monitors the system by checking the access to files, renaming operations and accesses to the Windows register. According to each analyzed threat (the document we received deals with Cryptowall, TorrentLocker, TeslaCrypt and CTB-Locker), the Sophos HIPS technology uses specific signatures that analyze the typical behaviours of each ransomware. These signatures don’t require frequent updates because they are generic and not related to the hash of a file, as in the case of traditional antiviruses. Sophos also suggests to block at the gateway level the access to Tor, I2P and other networks that are exploited by this kind of malware.

Symantec, the company behind the infamous Norton Antivirus, explained us that STAR (Security Technology And Response) is at the basis of the protection against ransomware of the Norton product line. This technology includes protection techniques related not just to traditional signatures but also to network traffic analysis, application behaviours and to a reputation system that evaluates the danger risks of a file based on its age, origin and spread. A quick response is fundamental with this kind of technologies, therefore Symantec has a worldwide network of technicians with a coverage of 130 million systems and 240.000 network sensors in more than 200 countries.

Trend Micro is one of the most active security firms in the business world and has released a plenty of documentation regarding ransomware on its blog (http://blog.trendmicro.com). Its Browser Exploit Prevention blocks all the attacks at the browser layer on all endpoints, in particular on the Trend Micro Security, Smart Protection Suite and Worry-Free Business Security product lines. Moreover, its products include a sandbox with an script analysis system that is part of the Deep Discovery technology of Trend Micro itself. This technology directly analyzes the behaviour of applications and takes advantage of an update system that differs from the one of traditional antiviruses which is based on patterns.

Vir.it explained us that the euristic-behavioural technologies included in their antivirus can block a virus when it starts to encrypt files. At the same time the Backup-on-the-fly tools included in the suite protect all the files modified within the last 48 hours with an automated backup system that guarantees that no file can get lost.

Webroot is an antivirus that natively works without any traditional signature by leveraging the Cloud. All the applications are uploaded online and their validity is verified, thus offering a native protection against the threats of ransomware. In addition to that, Webroot leverages a database of information on suspicious IP addresses and harmful URLs and blocks every connection attempt to dangerous sites. The integrated journaling and roll-back features allow to go back in time should some non identified application intervene on the system. If a not identified application is marked as dangerous, Webroot can bring the system to the state previous to its execution.

Continues from: ransomware, secure backups and specific tools

Related: the latest news and how to behave if infected

 

About the Author

Filippo Moriggia

After more than 10 years of experience in the technical journalism with PC Professionale (the italian version of PC Magazine) and other newspapers of Mondadori group, Filippo Moriggia founded GURU advisor, the reference website for IT professionals, system integrators, cloud providers and MSPs. He has a Master of Science in Telecommunications Engineering and works as a independent consultant and contractor for different firms. His main focuses are software, virtualization, servers, cloud, networking and security. He's certified VMware VCA for Data Center Virtualization.

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...

>

The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...

>

The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...

>

Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...

>

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

>
Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...

>

Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...

>

Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.

>

DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...

>

SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

>
All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1