Under Review

Ability to Detect and Remove Screen Locker Using Key Combination


Hello,
 
Tested WSA against a screen-lock ransomware.  When screenlock appeared I allowed system to run for a few hours.
 
In this particular case, WSA 8.0.8.53 journalling and rollback did not reverse malware actions and screenlock persisted.
 
Just a suggestion:
 
Incorporate an anti-screenlock feature into WSA that permits the user to disable the screenlock using a key combination, e.g. CTRL + ALT + DEL (2X)... or for increased protection, a user-defined combination of keys.
 
Best Regards,
 
HJLBX
 

16 replies

Userlevel 7
Hi HJLBX
 
Just to be very clear here... Community Guidelines prohibit the discussion of private malware testing in the Community, and whilst what you are 'discussing' here is very minor I thought it prudent to advise you of this restriction before you go any further... to avoid any future unpleasantness may I suggest that if you believe you have found any issue with the version you refer to, that you open a Support Ticket and advise the Support Team of your finding, as screen locking activities should be detected and blocked, and if the 'monitoring' functionality was engaged automatically and did not revert the changes made then they should be made aware of this too so that they can also review this.
 
I should point out that if you engaged the 'monitoring' functionality manually then to get it to work you need to manually disengage it by setting the app/file concerned to 'Block'... to mark it as bad, etc... just thought I would mention it in case you have not picked that up. In terms of your idea... my opinion is that this is unnecessary... WSA should detect and prevent the screen locker initially.
 
Regards, Baldrick
Thanks for the "heads-up" !
 
Report filed with support.
 
Best Regards,
 
HJLBX
Userlevel 7
I am looking at your sample now. Thanks
You are welcome.
 
Best Regards,
 
HJLBX
Userlevel 7
I have tested the file and replied to your ticket. We catch the actual payload of the file you sent in.
Userlevel 7
Hi Roy, nice.
 
I thought that WSA would do this. Just wonder as to what the explanation is for what HJLBX saw, i.e., "journalling and rollback did not reverse malware actions and screenlock persisted."
 
Does that suggest that some screenlocking counter is indeed a good idea/needed?
 
Regards, Baldrick
Userlevel 7
I can't really comment on the setup that the OP used. This malware doesn't have any crypto function, just a screen lock asking for cash. It's quite a simple example, you can just open up Task Manager and kill the .exe. It's a throwback to the FBI malware seen well over a year ago. As for roll-back, there really isn't much to roll back! I haven't given it a full test yet, I just wanted to make sure we caught it. On my test PC it's detected in real-time and doesn't have a chance to execute. Turning off the real-time shield to see what it did gave me a bit more info. Looks like Polish to me, although I can't be too sure.
 
Incorporate an anti-screenlock feature
 
It's not as simple as this I am afraid; it's not like it's calling a Windows function to maximise the screen (like F11 in a browser).
 
 
Userlevel 7
Hi Roy, thanks for that.
 
Very enlightening, and just about as I thought in terms of WSA catching it, and the no need for a specific feature to deal with screen locks.
 
And BTW, a very Happy Easter to you!
 
Regards, Baldrick
On my W8.1 system, once the screen was locked, Task Manager was inaccessible... even using the key combo.
 
I tested it before the ransomware file was detected by signature.
 
In other words, before WSA caught the payload.
Userlevel 7
I think that we are verging on the discussion of private malware testing, and so if you have further specific information to provide on this, please open a support ticket and present it to the Support Team by that means and not here.
 
Regards, Baldrick
Hello Baldrick,
 
I will limit my comments to generic statements that apply to any screenlocker - as opposed to specific details.
 
Rakenisheu mentions that a screenlocker can be killed using Task Manager.
 
It cannot... as that is the whole premise of a screenlocker. It denies the user complete access to the Desktop, Run, and the command line interpreter, and disables keyboard short-cuts to prevent file system/application access.
 
It doesn't even matter if the user signs out and signs back into the system as an Administrator as the screen will be locked for all user accounts.
 
Best Regards,
 
HJLBX
Userlevel 7
Rakenisheu mentions that a screenlocker can be killed using Task Manager. It cannot... as that is the whole premise of a screenlocker.
 
I am sorry, that's incorrect; not all of these types of malware are created equally. I have dozens of different versions of the FBI alone that all act slightly differently. Some will block Task Manager, some block the Run dialogue; it depends on the variant. I have been removing and testing them since they first emerged.
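As an added example (not code from this thread, from Webroot, or from WSA), a read-only PowerShell triage script for the locker traits Roy and HJLBX describe: a full-screen topmost window, Task Manager or the Run dialog disabled by policy, and the Winlogon shell replaced so that every account is locked. The registry values are standard Windows policy/Winlogon locations; the assumption that a locker window covers the whole primary display is mine, and the script only reports, it does not kill or change anything.

```powershell
# Added triage example (not from the thread). Run from any shell you still control,
# e.g. Safe Mode with Command Prompt, or a remote PowerShell session to the locked host.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT rect);
[DllImport("user32.dll")] public static extern int GetWindowLong(IntPtr hWnd, int nIndex);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
public struct RECT { public int Left, Top, Right, Bottom; }
'@

function Get-FullScreenTopmostWindows {
    # Assumption: a locker window covers the whole primary display and carries WS_EX_TOPMOST.
    $w = [Win32.Native]::GetSystemMetrics(0); $h = [Win32.Native]::GetSystemMetrics(1)  # SM_CXSCREEN / SM_CYSCREEN
    $found = New-Object System.Collections.Generic.List[object]
    $cb = [Win32.Native+EnumWindowsProc]{
        param($hWnd, $lParam)
        if (-not [Win32.Native]::IsWindowVisible($hWnd)) { return $true }
        $r = New-Object Win32.Native+RECT
        [void][Win32.Native]::GetWindowRect($hWnd, [ref]$r)
        $exStyle = [Win32.Native]::GetWindowLong($hWnd, -20)            # GWL_EXSTYLE
        $covers = ($r.Right - $r.Left) -ge $w -and ($r.Bottom - $r.Top) -ge $h
        if (($exStyle -band 0x8) -ne 0 -and $covers) {                  # 0x8 = WS_EX_TOPMOST
            $procId = 0
            [void][Win32.Native]::GetWindowThreadProcessId($hWnd, [ref]$procId)
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $found.Add([pscustomobject]@{ Pid = $procId; Process = $p.ProcessName; Path = $p.Path })
        }
        return $true   # keep enumerating
    }
    [void][Win32.Native]::EnumWindows($cb, [IntPtr]::Zero)
    return $found
}

function Get-LockerPolicyIndicators {
    # Values locker variants set to block Task Manager / Run, or to replace the shell (HKLM = all accounts).
    $checks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr'; Bad = { $args[0] -eq 1 } },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';          Bad = { $args[0] -eq 1 } },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Shell';          Bad = { $args[0] -and $args[0] -ne 'explorer.exe' } },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Shell';          Bad = { [bool]$args[0] } }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if (& $c.Bad $v) { [pscustomobject]@{ Indicator = "$($c.Key)\$($c.Name)"; Value = $v } }
    }
}
```

Call `Get-FullScreenTopmostWindows` and `Get-LockerPolicyIndicators` and pipe each to `Format-Table -AutoSize`; an empty result from both is consistent with Roy's point that a given variant may not block Task Manager at all, in which case the locker is just the process owning the reported window.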
Userlevel 7
Hi HJLBX
 
With respect I am not going to debate you on the subject, and certainly not here as this is a feature request forum and not one for such debates anyway, as I know who I would trust to be correct on the topic (and it is not me).
 
May I suggest that if you wish to debate this further then you start a new thread in the appropriate forum (based on the version of WSA that you are using), reference this thread for context and then go from there. Anyone who thereafter feels like debating this can do so in the appropriate place.
 
Regards, Baldrick
Userlevel 7
@ And what? http://malwaretips.com/threads/webroot-no-discussion-of-private-malware-testing-permitted.44419/ Close idea)
Userlevel 7
Thank you, Petr
 
Each Community has its own rules and it is incumbent on the members of each Community to respect the rules of the Community they are in.
 
It is a matter of simple courtesy... and if they do not like them they are welcome to leave. Having read the comments over in the other Community I will express no further opinion on them as they are entitled to them.
 
Regards, Baldrick
Hello Baldrick,
 
I am only here to learn about WSA.
 
That's my only goal.
 
Whatever the rules are for this community, then I will follow them.
 
This has gotten out-of-hand and I have no further comments.
 
Best Regards,
 
HJLBX