Hmm... It seems the crux of the problem mainly lies with WD's delayed response more so than with SA+'s fast action. ... @cruelsister is a highly-respected security professional in ALL aspects of malware prevention. I suggest you read some of her posts here at Wilders & MalwareTips -- HERE, for example.
SA+ automatically updated to 6.5.0 on my computer. Smooth update but fairly large. I removed SA+'s new entries to the trusted certificate list. I keep that list very very short because there is an increasing amount of malware with seemingly valid certificates.
I was able to bypass secureaplus easily with a ransomware sample *virus total results removed as per policy https://www.wilderssecurity.com/thr...otti-virus-total-results.180057/#post-1040840 If the file has no digital signature, or if it doesn't match, why even allow it to run? Shouldn't it be submitted first? It's an exe and UAV says unsupported format.
The screenshot that you posted, showing SA+'s alert about this exe, gave you the opportunity to select "Trust" OR "Don't Trust." Evidently you selected "Trust" or else SA+ would have blocked this exe, right? So, it was YOU who by-passed SA+, wasn't it? The fact that the user of a security app is able to bypass his security apps is a given. So your statement, "I was able to bypass secureaplus easily..." is correct. If you are seeking a security app that will always work in spite of user errors, I wish you Good Luck.
Seems that way. And the button to not trust it was highlighted too, meaning that not even automatic mode would've allowed it. I do wish though that automatic mode would automatically upload unknown files to the UAV before ever being auto-allowed, regardless of digital signatures or a rating from APEX. I also think that APEX's way of reading out its ratings should be more like a percentage scale like all of the other M.L.A.I engines do. This is why I password lock the settings and leave it in silent mode whenever a friend, or a little one, uses my PC. I do the same thing with voodooshield.
If by "try it" you mean "try SecureAPlus" (SA+), I assure you that SA+ is not hyper. In fact, it is quite simple to use, plus it is a combination anti-exe, whitelist, antivirus -- a very powerful security triad.
If you're going to use Voodoo and SA+ together, there's a command line you need to allow SA+ to do. It's started by SA+'s instance of 7z dot exe and it opens conhost dot exe. Voodoo will block it, and that will prevent SA+ from being able to update APEX; it will also prevent any full system scan results from coming back. SA+ packs up the new hashes and files into a 7z archive with a command line.

TLDR: When you first install SA+ on a system with voodooshield, you'll need to allow SA+ to do a command line starting with the version of 7 Zip in SA+'s folder going to conhost. Then set SA+ to only allow by name and thumbprint. Password protect the settings and leave SA+ in silent mode. Voodoo also has the ability to lock its UI down to prevent someone from allowing something. Between those two, there's not much of anything that can get past that setup.

Oh! You'll want to do some scans with some free tools to make sure your system is clean before installing SA+.

Emsisoft Emergency Kit: Update it. Custom scan; enable scanning for rootkits, the memory, malware traces, PUPs, archive files, email files and NTFS data streams; add all of your hard drives to the items to be scanned; let the scan complete.

HitmanPro: the free version will at least notify you if there's something to worry about, so do a "default scan" with it.

Malwarebytes free edition: Settings (the little cog wheel) > Security > scan options. Enable all four of those options, update the database, do a scan with it. Just the regular scan that you can start from the front page of the UI.
Sorry to burst your bubble there buddy, but ransomware was allowed to encrypt the files on the VM and SA came in later with that alert. Files were encrypted at that point, and then it doesn't matter whether I pick allow or block... so in theory this is a "bypass", and I can share the sample with you if you are that much in doubt. You blindly assumed that I chose to "allow" it on the system. I am not going to tell you otherwise that the product stopped it when it clearly didn't, and unlike you I don't assume! So Good Luck!
Your initial post did not contain that information. So --- PLEASE post your findings at the SecureA+ forum. That forum is sponsored by SA+ and is monitored by SA+ technical personnel. I'm sure they will be happy to analyze your sample and adjust SA+ to deal with it. Since you say that your VM's files were encrypted BEFORE SA+ popped an alert, that means that SA+'s executables were also encrypted BEFORE the alert was made. I hope you do provide that sample to SA+'s personnel. I am very curious to see how SA+'s encrypted executables were able to function and pop alerts while in an encrypted state. Or perhaps the malware was selective and avoided encrypting security apps while encrypting everything else. AMAZING!!!
Hidden Tear (written in .NET) is one of the ransomware families that does NOT encrypt executables (system files, exe, etc.). There are plenty that will go after every system extension, but not this variant, so yes, pretty AMAZING.
Interesting! This contest between malware & security apps is somewhat like a chess match. Have you found any AV or security app that DOES block Hidden Tear? ESET? WiseVector? Kaspersky? VoodooShield? Do you actually use SA+? If so, Pro or free? Do you recommend running an anti-ransomware app alongside of SA+? If so, which? Did you post this issue on the SA+ forum, as I suggested? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By the way -- I image my system disk 3-4 times weekly to a separate drive, & retain images 2 months. Ergo, SA+ and Sphinx Firewall are all the real-time security I need.
Of course there are other programs that will block it (it was well detected during the time of tests), but it can be vice versa as well! Kaspersky and Voodoo do great, but that doesn't mean I haven't managed to get something past KAV's System Watcher (Ryuk and Erica ransomware variants). I am on SA free and I have posted in their forums. Bitdefender free has impressed me as well, and I would say it tends to do a better job than Kaspersky free because of Active Virus Control, but again that's subjective given that I haven't tested it long enough. Voodoo shield is a great application indeed and does a fine job at blocking anything unknown or bad, so it isn't exactly under the same spectrum. WiseVector StopX is nice too; I just haven't found anything that actually gets past it, and it's one application that I am debating on installing on a real machine myself one day. I am not sure where I am with SA currently. I was considering it as an alternative to using Kaspersky or BD free, but I guess I need to give it a re-think, and maybe the program could use some improvements as well (running it in interactive mode) or updates from the devs to make it tougher to get through in automatic mode. It's a matter of statistics: anything can be bypassed, but the question I ask is "how statistically effective is program X compared to program Y", and we go by that.