A1RunGuard - Monitored Processes

Ransomware often abuses legitimate, signed administrative tools that ship with every Windows version to carry out destructive operations such as deleting backups and disabling recovery.

Because these tools are trusted system binaries, their use is not flagged by signature-based antivirus software.

A1RunGuard intercepts the launch of these programs, but instead of blocking them outright it inspects the command line of each launch and raises an alarm only when a dangerous combination of arguments is found.

Routine administrative use (for example, listing shadow copies) is allowed; A1RunGuard blocks the execution of the process only if a dangerous combination is found in the command line.
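The inspection logic described above, as an added example in Python (this is not A1RunGuard's own code): a process-creation event (image path plus command line, as an EDR or Sysmon Event ID 1 would report it) is checked against per-image rules and flagged only when a dangerous argument combination is present, so "vssadmin list shadows" passes while "vssadmin delete shadows /all" does not. The rules are derived from the examples listed on this page plus the documented short form "wevtutil cl"; the command-line shape assumed for msdt.exe (the ms-msdt: URI passed as an argument) and the sample events are assumptions constructed for this example.

```python
"""Command-line inspection for monitored Windows utilities (added example,
not A1RunGuard's code). Rules come from the examples on this page; the
sample events and the msdt.exe command-line shape are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# image basename -> {rule name: regex}. Regexes run over a lower-cased,
# whitespace-collapsed copy of the command line, so they are written lower-case.
RULES: Dict[str, Dict[str, str]] = {
    "vssadmin.exe": {"shadow copy deletion": r"\bdelete\s+shadows\b"},
    "wmic.exe": {"shadow copy deletion via wmi": r"\bshadowcopy\b.*\bdelete\b"},
    "powershell.exe": {
        # Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}
        "shadow copy deletion via wmi": r"\bwin32_shadowcopy\b.*\.delete\s*\(",
    },
    "bcdedit.exe": {
        "recovery environment disabled": r"\brecoveryenabled\s+no\b",
        "startup repair suppressed": r"\bbootstatuspolicy\s+ignoreallfailures\b",
    },
    "wbadmin.exe": {"system state backup deletion": r"\bdelete\s+systemstatebackup\b"},
    "wevtutil.exe": {
        # 'cl' is the documented short form of 'clear-log'
        "event log cleared": r"\b(cl|clear-log)\s+(application|security|setup|system)\b",
    },
    "diskshadow.exe": {
        "shadow copy deletion": r"\bdelete\s+shadows\b",
        "script mode (can run exec)": r"(^|\s)/s\s+\S+",
    },
    "fsutil.exe": {"usn journal deletion": r"\busn\s+deletejournal\b"},
    "msdt.exe": {
        # Assumed shape of a Follina launch: ms-msdt: URI with a PowerShell
        # sub-expression '$(...)' smuggled into the IT_BrowseForFile parameter.
        "ms-msdt parameter injection": r"ms-msdt:.*\bit_browseforfile=.*\$\(",
    },
}


@dataclass(frozen=True)
class Finding:
    image: str
    rule: str
    cmdline: str


def image_basename(image: str) -> str:
    """'C:\\Windows\\System32\\vssadmin.exe' -> 'vssadmin.exe'."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case changes or padding cannot evade a rule."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def inspect(image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding for a dangerous combination, else None (the 'allow' decision).

    Images that are not monitored, and monitored images used for routine
    administration, both return None.
    """
    rules = RULES.get(image_basename(image))
    if not rules:
        return None
    text = normalize(cmdline)
    for name, pattern in rules.items():
        if re.search(pattern, text):
            return Finding(image_basename(image), name, cmdline)
    return None


# Constructed process-creation events (image, command line). Roughly a third
# are routine admin use and must not be flagged.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe shadowcopy delete /nointeractive"),
    (r"C:\Windows\System32\wevtutil.exe", "wevtutil qe Security /c:5"),
    (r"C:\Windows\System32\wevtutil.exe", "wevtutil   cl   Security"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\""),
    (r"C:\Windows\System32\wbadmin.exe", "wbadmin DELETE SYSTEMSTATEBACKUP"),
    (r"C:\Windows\System32\diskshadow.exe", r"diskshadow.exe /s c:\test\diskshadow.txt"),
    (r"C:\Windows\System32\fsutil.exe", "fsutil usn deletejournal /D C:"),
    (r"C:\Windows\System32\msdt.exe",
     'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? '
     'IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc)/.exe"'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe delete shadows /all"),  # not monitored
]


def scan(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run inspect() over a batch of events and keep only the blocked ones."""
    return [f for image, cmd in events if (f := inspect(image, cmd))]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"BLOCK {f.image:<16} {f.rule:<32} {f.cmdline}")
```

The rules are matched against a lower-cased, whitespace-collapsed copy of the command line so that case changes and padding do not evade them. A PowerShell process launched with -EncodedCommand would still hide the Win32_Shadowcopy call from this check until the payload is decoded, which is the main gap a real implementation of this approach has to close.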

List of Monitored Processes

VSSADMIN.EXE

Vssadmin.exe - Volume Shadow Copy Service Admin.

Vssadmin.exe is a built-in Windows utility that can delete volume shadow copies. Deleting the shadow copies removes the previous versions of files held in the shadow storage, so encrypted or deleted files can no longer be restored from it.

Example:
vssadmin.exe Delete Shadows /All /Quiet

BCDEDIT.EXE

BCDEdit is a command-line tool for managing Boot Configuration Data (BCD).

Ransomware uses BCDEdit to disable the Windows Recovery Environment and Automatic Startup Repair, so that the victim cannot boot into recovery tools after the encryption run.

Example:
bcdedit /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

WBADMIN.EXE

Wbadmin.exe is a command-line utility that allows you to back up and restore volumes, files, folders, and applications. Ransomware uses it to delete existing backups so that they cannot be restored.

Example:
wbadmin DELETE SYSTEMSTATEBACKUP

WMIC.EXE

WMIC.EXE is the command-line interface to Windows Management Instrumentation (WMI). Ransomware uses it to delete shadow copies through the Win32_ShadowCopy class without calling vssadmin.exe.

Example:
wmic.exe shadowcopy delete /nointeractive

POWERSHELL.EXE

POWERSHELL.EXE is Microsoft's command-line shell and scripting language for task automation and configuration management. The same shadow copy deletion can be performed through its WMI cmdlets.

Example:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

WEVTUTIL.EXE

WEVTUTIL.EXE is a command-line tool for managing the Windows event logs. Clearing the logs removes the evidence that incident responders rely on to reconstruct the attack.

Example:
wevtutil clear-log application
wevtutil clear-log security
wevtutil clear-log setup
wevtutil clear-log system

DISKSHADOW.EXE

DISKSHADOW.EXE is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).

In addition, DISKSHADOW.EXE has an interactive command interpreter and a script mode (/s), and its EXEC command runs an executable or script from within a DISKSHADOW script, which makes it usable for code execution as well as for shadow copy deletion.

Example:
diskshadow.exe /s c:\test\diskshadow.txt
diskshadow.exe delete shadows all

FSUTIL.EXE

FSUTIL.EXE is a Microsoft utility for managing file systems, reparse points, and dismounting volumes. Ransomware uses it to delete the NTFS USN change journal, which removes the record of file changes that forensic tools use to reconstruct what happened.

Example:
fsutil usn deletejournal /D C:

MSDT.EXE

MSDT.EXE is Microsoft's Diagnostic Troubleshooting Wizard. A flaw in its ms-msdt: URL protocol handler, known as "Follina" (CVE-2022-30190), lets a crafted document launch MSDT with a command line that executes arbitrary code.

Example:
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc)/.exe\"";

How A1RunGuard protects against "REvil" Ransomware
