Is Ransomware Protection really effective?
Hello, I wanted to make sure the Ransomware Protection was indeed protecting me.
As far as I understand, the purpose of this layer is to protect me from a new ransomware that would go undetected.
So I ran a small test, and the result is that I don't feel confident about the protection in certain conditions.
Based on my test, I suspect that if the malware is not detected by the "Virus Protection" and "DeepGuard" layers, then the "Ransomware Protection" does not prevent my files from being encrypted.
Details of my test follow.
I just want to test the Ransomware Protection layer, not Virus Protection or DeepGuard (which are doing a good job).
I can just disable Virus Protection, but DeepGuard has to be active in order for the Ransomware Protection to be active as well.
My test conditions:
- Virus Protection disabled
- DeepGuard active but machine offline
- Ransomware Protection active
DeepGuard was very efficient at blocking ransomware in online mode, so I put the machine offline.
An interesting sample is DeriaLock (found in the Endermanch GitHub repo; warning: be cautious).
DeriaLock does not reboot the machine to encrypt the files; it's done directly in Windows.
The result is that all the files are actually encrypted, with or without Ransomware Protection.
My concern is that a new ransomware might go through Virus Protection and DeepGuard and successfully encrypt the files.
This is why I fear the Ransomware Protection layer is ineffective in this scenario.