CheckMAL Anti-Ransomware PRO - a Review (updated: 23.12.2017)

Discussion in 'Reviews and Tests' started by Der.Reisende, Nov 14, 2017.

  1. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Dear reader, welcome to my AppCheck Anti-Ransomware Pro review. I hope you have some time, as this one will go into detail. Enjoy!

    ================================================================================
    Official website: (English)
    Status: Stable (reviewed version: v2.2.1.2)
    Name of Software/Product: AppCheck Anti-Ransomware Pro

    Support:
    https://checkmal.zendesk.com/hc/en-us/requests/new/ (plain web form, with captcha against spamming)

    You will also find the developer of the product (Mr. Ikko Yi) on the main security forums such as MT and Wilders. Feel free to PM him; in my experience, he answers quite fast.
    ==================================================================================

    Act I: Technical overview

    Advantages (features being Pro only highlighted in RED):
    + a Free version is also available for personal use (with some features being Pro only however, see below)
    + system impact is low
    + constantly improving additional features
    + fast reaction to new ransomware techniques
    + MBR protection (in Free version since v2.2.0.1)
    + Auto-Backup and Auto-Restore of damaged files, Auto-Cleanup of damaged files (customizable folders in Pro version only)
    + network drive protection

    + low priced, currently high discounts available from the CheckMAL shop (PayPal support)
    + fully compatible with most standalone AV products
    + offline protection

    Disadvantages:
    - no protection against screenlockers (blocks only file-encrypting ransomware)
    - some of the samples were able to bypass AppCheck AR Pro
    - sometimes leftovers after intercepted ransomware
    - sometimes not all files were restored (danger of data loss)
    - predefined protected file extensions (the list can only be altered in the Pro version):
    7z,ai,bmp,cer,crt,csv,der,doc,docx,dwg,eps,gif,hwp,jbw,jpeg,jpg,jtd,key,lic,lnk,mp3,nc,ods,odt,ogg,one,p12,p7b,p7c,pdf,pef,pem,pfx,png,ppt,pptx,psd,ptx,rdp,rtf,srw,tap,tif,tiff,txt,uti,x3f,xls,xlsx,xps,zip

    Bottom Line:

    In the following review, I will try to provide an unbiased review of the above-mentioned Anti-Ransomware solution, whose free version I’ve been using for some months now, as an additional layer alongside my primary AV. Please take my review with a grain of salt; other users might not come across the issues I had, or weigh pros and cons differently than I do. My review will focus on the ease of use of the product and the test against a limited number of recent ransomware samples pulled from Hybrid Analysis.

    This review is not meant to cover every possible setting in the product, but shall give a recommended, most of the time proven setup oriented on everyday use (of course, malware testing was done and should only be done in a contained environment!).

    Feel free to add your opinion / to make me aware of possible errors in the review.

    I will also not recommend an Anti-Malware (Anti-Virus) solution to run alongside this firewall, as this is a most personal decision. Users need to weigh up level of protection (the more aggressive, the more false positives (FP) can occur), system impact, ease of use and the price. Every solution has its drawbacks.

    As always: Be sure to always have some external backup, not connected to your machine permanently!

    Protection: 4,5 / 5
    Usability: 5 / 5
    User Interface: 5 / 5
    CPU/RAM/Storage: Low Usage
    Performance: Low Impact
    Overall Rating: Very Good 4,8 / 5

    ==================================================================================

    Act II: Technical overview - Let's get in detail

    Homepage
    Technically well done, not cluttered homepage. I love it!
    As most of it is self-explanatory, let me just show you some screenshots of the important sections.
    FAQ.PNG Changelog.PNG Purchase.PNG Support.PNG Video Demonstration.PNG

    Resource Usage
    Totally lightweight! While writing these lines, and with Cent Browser running, ~10 MB of RAM.
    TaskManager.PNG

    GUI / Components
    The GUI is very well done, with just a handful, but all useful settings.

    As it’s kinda self-explanatory, let me just show you screenshots of the software.
    GUI1.PNG GUI2.PNG GUI3.PNG GUI4.PNG

    ==================================================================================

    Act III: The real life experience report

    Disclaimer I:
    My experiences are solely based on the stock settings of AppCheck Anti-Ransomware Pro. All other security software (like Windows Defender) has been shut down. There are no tweaks like Controlled folder access set on Windows 10 v1709 b16299.19 (Home).

    DO NOT EXPECT AppCheck Anti-Ransomware Pro TO NOT FAIL ON SPECIFIC SAMPLES, IT’S A CAT-AND-MOUSE GAME WITH THE BLACKHATS! See certain examples in the review!

    Therefore, I appeal to every user to have an external backup, not only in case your main security product and/or AppCheck Anti-Ransomware Pro and its components fail to protect your data, but also due to a physical error which might lead to data loss!

    Disclaimer II:
    Due to the small number of samples used in these tests, you should take results with a grain of salt. I encourage you to compare these results with others and take informed decisions on what security products to use.

    ================================================================================

    Samples:
    https://www.hybrid-analysis.com/sam...ad796f4eb15962b74fb2e55fe47?environmentId=100 - Shade.exe
    Shade.PNG

    https://www.hybrid-analysis.com/sam...1f8a9583258982878d3b7377c6e?environmentId=100 - GlobeImposter.exe
    Globe.PNG

    https://www.hybrid-analysis.com/sam...08ae1c348b25970b94c650b33d4?environmentId=100 - locky.exe
    Locky.PNG

    https://www.hybrid-analysis.com/sam...d7355d3a419feb7d7c671312347?environmentId=100 - xRatLocker.exe
    xRatLocker.PNG

    https://www.hybrid-analysis.com/sam...6859938061ad388ae97c172830d?environmentId=100 - Sigma.exe
    Sigma.PNG

    https://www.hybrid-analysis.com/sam...e874bd3f06247a957588fa00498?environmentId=100 - BTCWare.exe
    BTCWare1.PNG BTCWare2.PNG

    https://www.hybrid-analysis.com/sam...7601949196f1d03bacc3f655bc0?environmentId=100 - Wannacry.exe
    wannacry.PNG wannacry2.PNG wannacry3.PNG

    https://www.hybrid-analysis.com/sam...6410d9307d0d0ce73534d63bee8?environmentId=100 - Purge.exe
    Purge.PNG

    https://www.hybrid-analysis.com/sam...ddc2ce0d935fa8545651ce5ab09?environmentId=100 - Ordinypt.exe
    Ordinypt.PNG Ordinypt2.PNG Ordinypt3.PNG Ordinypt4.PNG

    https://www.hybrid-analysis.com/sam...525d6d5c9028c873c4421bf6f98?environmentId=100 - Gibon.exe
    gibon1.PNG gibon2.PNG

    https://www.hybrid-analysis.com/sam...9f4c30d97e5e4b1552565d596e9?environmentId=100 - BTCArena.exe
    BTCArena.PNG

    https://www.hybrid-analysis.com/sam...daa0875ed8496fcbb97a558d0da?environmentId=100 - badrabbit.exe
    badrabbit.PNG

    https://www.hybrid-analysis.com/sam...5a31853b259379708a9e892ec75?environmentId=100 - Magniber.exe
    Magniber.PNG

    https://www.hybrid-analysis.com/sam...dc1198a8184310da419de62916d?environmentId=100 - Waffle.exe
    waffle.PNG

    https://www.reverse.it/sample/b264f...6b5b75bdcc87104f9f410683363?environmentId=100 - Matrix.exe
    Matrix.PNG

    https://www.hybrid-analysis.com/sam...0b3a10132f408d30f7903e8e02d?environmentId=100 - Hermes21.exe
    Hermes1.PNG Hermes2.PNG

    https://www.hybrid-analysis.com/sam...3bee61b01a7d880123ec0a78557?environmentId=100 - Vortex.exe
    vortex.PNG

    https://www.hybrid-analysis.com/sam...bf284e6af244c653db3487fea65?environmentId=100 - Crbr.exe
    cerber.PNG

    https://www.hybrid-analysis.com/sam...ca2492a6455fe4d69f557b448ce?environmentId=100 - Sage20.exe
    Sage.PNG sage2.PNG sage3.PNG

    Update 03.12.2017 (v2.2.4.1):
    https://www.hybrid-analysis.com/sam...d3c397aa28128ed05a27e1eb6ac?environmentId=100
    before.PNG run_scarab1.PNG run_scarab1_1.PNG run_scarab1_2.PNG run_scarab1_3.PNG run_scarab1_4.PNG

    https://www.hybrid-analysis.com/sam...783efad4ab0793e64d119c04172?environmentId=100
    before.PNG wdie1.PNG wdie1_1.PNG wdie1_2.PNG

    https://www.hybrid-analysis.com/sam...4d20c5d573a96a5bba2d5ecc5eb?environmentId=100
    run.PNG run1_1.PNG

    https://www.hybrid-analysis.com/sam...0dbc2f7816141d747fe83e3050a?environmentId=100
    AppCheck.PNG

    https://www.hybrid-analysis.com/sam...76323b95edf5cc7ecb68e69ac53?environmentId=100
    update.PNG desktop.PNG files.PNG

    https://www.hybrid-analysis.com/sam...eabc8c5a82a242c1a0fa2227704?environmentId=100
    update.PNG files.PNG encrypted.PNG

    If you are interested in video demonstrations of way more ransomware, be sure to check out:
    https://www.checkmal.com/page/resource/video/
    ==================================================================================

    Act IV: Contacting Support
    Report.PNG

    Update 25.11.2017 (Staff reply and retest with v2.2.4.1):

    1. Sigma Ransomware: Detected

    - Files remaining at the following paths are Tor client related files which don't
    have malicious activity.

    "C:\Users\%UserName%\AppData\Roaming\Microsoft\<Random>\Data"

    "C:\Users\%UserName%\AppData\Roaming\Microsoft\<Random>\Tor"

    - Also a registry entry remains to run automatically at boot, however this
    doesn't work because the target file "taskwgr.exe" is already removed.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    - chrome = Rundll32.exe SHELL32.DLL,ShellExec_RunDLL
    "C:\Users\%UserName%\AppData\Roaming\Microsoft\<Random>\taskwgr.exe"

    2. Ordinypt Ransomware: Under consideration.

    - Ordinypt Ransomware doesn't encrypt the file. Instead it deletes the
    original file first, then writes a 14-digit random named file, meant
    as destruction of data, which doesn't meet our detection policy.
    We are currently considering the detection.

    3. CRBR Encryptor Ransomware: Detected

    - We confirmed the detection of CRBR Ransomware as well as Cerber,
    which is the former ransomware.

    4. Sage Ransomware: Couldn't find the behavior.

    - We confirmed that AppCheck detects the Sage Ransomware initial
    version, 2.0, 2.2 and even the recent version which involves explorer.exe.

    For the samples that you have tested, we couldn't detect the encryption
    behavior due to the automatic shutdown of itself. So far we haven't
    heard that the Sage ransomware detection had an issue.

    Ikko Yi / General-Manager

    My findings on retest (v2.2.4.1):

    Regarding statements #3 (CRBR Encryptor Ransomware) and #4 (Sage Ransomware):

    CRBR encryptor did change the background and dropped ransom notes, but was unable to encrypt a single file on the tested system. It did run in memory for about 2 minutes before it autoterminated. No AutoRun entry was set.
    As the same behavior has been tracked on a non-protected system (F-Secure SAFE, xVirus Firewall Pro, Windows Defender and CheckMAL AppCheck Anti-Ransomware were disabled), this test has to be excluded from rating.
    Another CRBR sample showed the same behavior, meaning that no file was harmed.
    Please see screenshots for the sample stated in the original review above:
    before.PNG after.PNG files_safe.PNG

    SAGE Ransomware:
    On a test conducted today (25.11.2017), I was able to confirm the statement by Mr. Ikko, that the ransomware indeed autoterminated once run. Therefore, also this sample is excluded from rating.
    I cannot track down the reason the file stopped working on retest. Please refer to the original test to see that the sample did indeed work on the tested v2.2.1.2, it was able to set an AutoRun. As I cannot confirm that some kind of Boot time protection would have intercepted it on reboot (tests are conducted in ShadowDefender software environment, meaning any change to the system being reset on reboot), the initial test has been rated "MISS".

    No screenshots, as the file autoterminated instantly.

    I apologize for any inconvenience this might have caused.

    To further test CheckMAL AppCheck Anti-Ransomware Pro protection abilities, the above test has been extended by #WannaDie and #Scarab Ransomware samples, which are also to be found in the MTAC section for further analysis.
    Tests were conducted with latest v2.2.4.1.
    Update 23.12.2017: #Retis and #GlobeImposter (new release) ransomware, conducted on latest v2.2.5.1 (by this time, v2.2.7.1 was not released for Pro customers).
    ==================================================================================

    For me, AppCheck Anti-Ransomware is a must have, even in the free version, which is available for personal use, paying not even a penny. It will dramatically improve your level of security against the ever-evolving number of ransomware families being brought up every day. If you like the product, you might think about purchasing the Pro upgrade in order to support the developer. I’ll continue using the product in combination with an AntiVirus / AntiMalware solution and xVirus Firewall Pro, using AppCheck AntiRansomware Free as an additional, third layer against ransomware threats.

    However, this is not a sales review but a diary of use in hands-on malware testing; give it a try and decide whether it fits your needs :)

    If you find errors, or just want to give feedback on this review, I warmly invite you to do so!

    *****
    Thank you for reading!
    *****
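As an added defender's check, not part of the review and not CheckMAL's software: a PowerShell snippet that inspects the HKCU Run key for the leftover pattern the staff reply describes (a Rundll32 SHELL32.DLL,ShellExec_RunDLL launcher pointing under AppData\Roaming\Microsoft), reports whether the launch target still exists, and lists folders under Roaming\Microsoft that still carry the Data or Tor subfolders. The regex, the output layout and the assumption that every such folder is suspect are mine; the listing is meant for manual review, not automatic deletion.

```powershell
# Added example, not from the review or from CheckMAL. Inspects HKCU Run entries
# for the Sigma leftover pattern quoted in the staff reply and lists leftover
# Tor client folders so the user can review them by hand.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$roaming = Join-Path $env:APPDATA 'Microsoft'   # C:\Users\<user>\AppData\Roaming\Microsoft

# Pattern from the staff reply: Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "<path>"
# (regex is an assumption; quotes around the path are optional)
$pattern = '(?i)rundll32(\.exe)?\s+shell32\.dll,ShellExec_RunDLL\s+"?([^"]+)"?'

$findings = @()
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata (PSPath, PSDrive, ...)
        $m = [regex]::Match([string]$p.Value, $pattern)
        if (-not $m.Success) { continue }
        $target = $m.Groups[2].Value.Trim()
        $findings += [pscustomobject]@{
            ValueName    = $p.Name
            Target       = $target
            # A dead entry (target removed, as described for taskwgr.exe) still shows up here
            TargetExists = Test-Path -LiteralPath $target
            UnderRoaming = $target.StartsWith($roaming, [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Leftover Tor client folders: <Roaming>\Microsoft\<Random>\Data and ...\Tor
$torDirs = Get-ChildItem -Path $roaming -Directory -ErrorAction SilentlyContinue |
    Where-Object {
        (Test-Path (Join-Path $_.FullName 'Tor')) -or (Test-Path (Join-Path $_.FullName 'Data'))
    } | Select-Object -ExpandProperty FullName

Write-Host 'Run entries using ShellExec_RunDLL:'
$findings | Format-Table -AutoSize
Write-Host "Folders under $roaming containing a Data or Tor subfolder:"
$torDirs
```

An entry reported with TargetExists = False and UnderRoaming = True matches the dead autorun the staff reply describes and can be cleared with Remove-ItemProperty on the listed value name; folders should be checked by hand before removal, since legitimate software may also use a Data subfolder.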
  3. RGiskardR

    RGiskardR Malware Tester Silver Member

    Amazing review! :great: very well exposed! :clap:
  4. jasonX

    jasonX Giveaways Moderator Staff Member

    GREAT!!!!

    Thank you very much Der.Reisende!!!

    The developer has been notified! YOU DID GREAT MAN! I LIKE IT!

    :thanx::great::win:


    MTAC TEAM YOU ROCK!

  5. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Glad you like it, thank you for reading :)

    Thank you so much for your support and for forwarding it!
    They seem to be impressed, now that they gave 5 more licenses to win!
    Great job @jasonX!
  6. daljeet

    daljeet Senior Member Known Member

    Well written review Der.Reisende
    Awesome MBR protection for free version also :thanx:
    :wide:
  7. jat_forcee

    jat_forcee Member

    It would be great if AppCheck CheckMal publish or share this review through their media channels.
  8. jasonX

    jasonX Giveaways Moderator Staff Member

    Developer has been informed and I also stated that they can link this review to their site. We had the same idea there ;)
  9. Trim

    Trim MTAC Moderator Staff Member

    Awesome review, this is a very good and efficient product in my opinion, keep up the great work @Der.Reisende ! :great: it's important that also the free version has the MBR protection!
  10. revC0de

    revC0de MTAC Moderator Staff Member

  11. grr

    grr Board Enthusiast Silver Member Known Member

    Nice review @Der.Reisende

    I never thought of getting any ransomware protection, so might give it a thought.
     
  12. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Thank you guys, makes me glad you liked the review :)

    Thank you @jasonX for informing the dev!
    They replied soon, and they actually picked up the statements on missed samples!
    Two samples needed a retest, so the test has been updated.
    I also added tests for two new samples :)

    The thread has been updated and the developer is informed!
  13. jasonX

    jasonX Giveaways Moderator Staff Member

    Thanks for the amendments! You the man Der.Reisende!
  14. grr

    grr Board Enthusiast Silver Member Known Member
