Posted by David Harley on April 21, 2016.
Patrick Wardle’s Ransomwhere? takes a generic approach to detecting ransomware in action on a Mac, ‘by detecting untrusted processes that are encrypting your personal files.’ If a user believes the detection is a false positive, they can allow the process to continue.
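To make the behavioural heuristic concrete, here is a small added illustration (my own sketch, not Ransomwhere?’s code, whose internals I have not examined) of how such a detector can work: file writes are attributed to the originating process, each written buffer is scored by Shannon entropy (encrypted or compressed output sits close to 8 bits per byte, ordinary documents much lower), and an untrusted process that produces several high-entropy writes in a row is suspended pending the user’s decision, exactly the false-positive override described above. The allowlist paths, thresholds and sample events are all constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Assumed allowlist of trusted binaries; a real tool would also check code
# signatures rather than relying on paths alone.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/Applications/Trusted.app/")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext/compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Per-process counter of high-entropy writes; suspends untrusted offenders."""

    def __init__(self, entropy_threshold: float = 7.5, min_files: int = 3):
        self.entropy_threshold = entropy_threshold   # assumed cut-off, tune per environment
        self.min_files = min_files                   # assumed burst size before acting
        self.high_entropy_writes = defaultdict(int)
        self.user_allowed = set()                    # pids the user marked as false positives

    def observe(self, pid: int, proc_path: str, data: bytes) -> str:
        """Return the decision for one write event: 'trusted', 'allow' or 'suspend'."""
        if pid in self.user_allowed or proc_path.startswith(TRUSTED_PREFIXES):
            return "trusted"
        if shannon_entropy(data) >= self.entropy_threshold:
            self.high_entropy_writes[pid] += 1
        if self.high_entropy_writes[pid] >= self.min_files:
            return "suspend"  # caller would SIGSTOP the process and prompt the user
        return "allow"

    def user_allow(self, pid: int) -> None:
        """User judged the alert a false positive: trust this pid from now on."""
        self.user_allowed.add(pid)
        self.high_entropy_writes.pop(pid, None)


def run_demo() -> list:
    """Replay constructed write events and return the decision for each."""
    # Constructed payloads: one that looks like ciphertext (flat byte histogram,
    # entropy exactly 8.0) and one that looks like a plain-text document.
    ciphertext_like = bytes(range(256)) * 4
    document_like = b"Dear diary, today I wrote about entropy and ransomware. " * 20

    # Constructed events: (pid, process path, bytes written to a user file).
    events = [
        (101, "/Users/alice/Downloads/Updater", ciphertext_like),
        (101, "/Users/alice/Downloads/Updater", ciphertext_like),
        (101, "/Users/alice/Downloads/Updater", ciphertext_like),  # third burst -> suspend
        (202, "/usr/bin/zip", ciphertext_like),                    # trusted path, compressing is fine
        (303, "/Users/alice/Apps/Editor", document_like),          # low entropy, ordinary save
    ]
    detector = RansomwareHeuristic()
    decisions = [detector.observe(pid, path, data) for pid, path, data in events]

    # The user inspects the alert, decides it is a false positive and allows pid 101.
    detector.user_allow(101)
    decisions.append(detector.observe(101, "/Users/alice/Downloads/Updater", ciphertext_like))
    return decisions


if __name__ == "__main__":
    for i, decision in enumerate(run_demo(), 1):
        print(f"event {i}: {decision}")
```

Entropy alone is a coarse signal (archivers, image converters and backup tools all legitimately emit high-entropy output), which is why the sketch combines it with an allowlist, a burst count and the user override; the same trade-off between catching new samples and avoiding false positives is what the more cautious commercial implementations mentioned below are balancing.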
Why, you may wonder, hasn’t anyone thought of that before? At any rate, John Leyden evidently wonders: he remarks that ‘it’s the sort of thing that security software firms ought to be doing, but aren’t’, while Wardle himself remarks that ‘Sadly, existing anti-virus solutions fail to detect new samples, leaving most users completely unprotected.’
Fortunately, they’re both incorrect. There are certainly anti-malware products that use similar heuristics. (In fact, modern anti-malware implements generic techniques, albeit more cautiously than some security products that are entirely generic.) And while security products certainly miss some new ransomware (just as they miss some samples of other kinds of malware – yes, they still exist…), they certainly don’t leave their users ‘completely unprotected’. But that doesn’t mean anyone should be totally reliant on security software, even those magical products that keep telling us that we should be spending our money on them rather than mainstream anti-malware because AV is dead. 🙂
That said, while I haven’t tested Wardle’s utility, it does sound like a good idea. And he is right to suggest that Mac-specific security software often lacks the bells and whistles that may adorn Windows-specific software from the same stable.
Submitted in: David Harley