A1RunGuard Against Ransomware

Anti-Ransomware Protection

Ransomware often uses legitimate tools that exist in every Windows version, such as vssadmin.exe and bcdedit.exe, for destructive operations like deleting backups and disabling recovery.

Because these are built-in, trusted system binaries, their execution rarely triggers antivirus detection; the malicious intent is visible only in the arguments they are given.

A1RunGuard intercepts the launch of these programs but, instead of blocking them outright, inspects the program's command line and raises an alarm only when a dangerous combination of tool and arguments occurs.

Here's an example of the command used by Sodinokibi Ransomware:

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures


The standard Windows "vssadmin.exe" command-line tool deletes all Volume Shadow Copies (the snapshots that System Restore and Previous Versions rely on, and that could otherwise be used to recover encrypted files) with this command:

vssadmin.exe Delete Shadows /All /Quiet

Prevent Ransomware Attacks

A1RunGuard blocks the execution of "vssadmin.exe" only if a dangerous combination is found in the command line. Otherwise, "vssadmin.exe" is launched as usual.
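The command-line inspection described above, written out as an added Python example. This is not A1RunGuard's own code and does not reflect how the product is implemented: it peels off a "cmd.exe /c" wrapper, splits the line at cmd.exe's "&", "&&", "|" and "||" chaining operators, and flags a sub-command only when the tool and its destructive arguments occur together, so "vssadmin list shadows" is allowed while "vssadmin Delete Shadows /All /Quiet" is blocked. The vssadmin and bcdedit rules come from the Sodinokibi command quoted on this page; the wmic and wbadmin rules are assumed extras for equivalent shadow-copy and backup-catalog deletion, and the sample command lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Each rule names a tool (basename without .exe) and the argument keywords that
# together make the invocation destructive. Matching is case-insensitive and
# order-independent, so "Delete Shadows /All /Quiet" and "delete shadows /for=c:"
# both hit the first rule while "list shadows" does not.
# The vssadmin and bcdedit rules come from the Sodinokibi command on the page;
# the wmic and wbadmin rules are assumed extras for equivalent techniques.
RULES: List[Tuple[str, frozenset, str]] = [
    ("vssadmin", frozenset({"delete", "shadows"}), "deletes Volume Shadow Copies"),
    ("bcdedit", frozenset({"recoveryenabled", "no"}), "disables the Windows Recovery Environment"),
    ("bcdedit", frozenset({"bootstatuspolicy", "ignoreallfailures"}), "suppresses recovery on boot failure"),
    ("wmic", frozenset({"shadowcopy", "delete"}), "deletes Volume Shadow Copies via WMI"),
    ("wbadmin", frozenset({"delete", "catalog"}), "deletes the Windows Backup catalog"),
]

# Leading 'cmd.exe /c' or 'cmd.exe /k' wrapper, with or without a quoted path.
_CMD_WRAPPER = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.IGNORECASE | re.DOTALL
)
# Tokens: cmd.exe chaining operators, or runs of non-space text with optional quoted parts.
_TOKEN = re.compile(r'&&|\|\||[&|]|(?:[^\s"&|]+|"[^"]*")+')
_SEPARATORS = {"&", "&&", "|", "||"}


def unwrap_cmd(cmdline: str) -> str:
    """Peel off any number of leading cmd.exe /c wrappers, un-quoting a quoted payload."""
    while True:
        m = _CMD_WRAPPER.match(cmdline)
        if not m:
            return cmdline
        payload = m.group(1).strip()
        if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
            payload = payload[1:-1]
        cmdline = payload


def split_chain(cmdline: str) -> List[List[str]]:
    """Split a command line at &, &&, | and || into sub-commands of unquoted tokens."""
    commands, current = [], []
    for tok in _TOKEN.findall(cmdline):
        if tok in _SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok.replace('"', ""))
    if current:
        commands.append(current)
    return commands


def basename(path: str) -> str:
    """'C:\\Windows\\System32\\VSSADMIN.EXE' -> 'vssadmin'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def inspect(cmdline: str) -> List[Dict[str, str]]:
    """Return one finding per sub-command whose tool and arguments form a dangerous combination."""
    findings = []
    for sub in split_chain(unwrap_cmd(cmdline)):
        tool = basename(sub[0])
        args = {a.lower() for a in sub[1:]}
        for rule_tool, keywords, reason in RULES:
            if tool == rule_tool and keywords <= args:
                findings.append({"tool": tool, "command": " ".join(sub), "reason": reason})
    return findings


def decide(cmdline: str) -> str:
    """Allow-or-block decision: block only when a dangerous combination is present."""
    return "BLOCK" if inspect(cmdline) else "ALLOW"


# Constructed sample command lines (the first is the Sodinokibi line quoted on the page).
SAMPLES = [
    r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
    r"& bcdedit /set {default} recoveryenabled No "
    r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"vssadmin.exe list shadows",                          # benign use of the same binary
    r'cmd /c "vssadmin delete shadows /for=c: /oldest"',   # quoted payload inside cmd /c
    r"bcdedit /enum",
    r"wmic shadowcopy delete",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decide(line), line)
        for f in inspect(line):
            print("   ", f["tool"], "->", f["reason"])
```

The check looks only at the arguments of these specific binaries. Deleting shadow copies through PowerShell's WMI cmdlets, for example, is a different command line entirely and would need its own rule, which is why a command-line rule set like this complements, rather than replaces, backups kept where a compromised host cannot reach them.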

In addition, A1RunGuard terminates the parent process that started "vssadmin.exe". In the Sodinokibi example above the direct parent is cmd.exe; the ransomware executable that spawned cmd.exe is one level further up the process tree.

This can be done by enabling the "Kill the parent process" option in the A1RunGuard anti-malware settings.

If you legitimately need to run one of these "dangerous" commands, there are two ways to let it complete:

  • Pause protection for the process;
  • Or use the option "Ask for Confirmation to Run when detected Malware."


How A1RunGuard protects against "REvil" Ransomware