Using Trend Micro AntiRansomware Tool

Solution ID: 1097042
Last Updated: 2014/04/21 4:49 AM (PST)


Product/Version:
  • OfficeScan - 10.0, 10.5, 10.6
  • Titanium AntiVirus + - 2011, 2012, 2013
  • Titanium Internet Security - 2011, 2012, 2013
  • Titanium Internet Security for Dell - 2011
  • Titanium Maximum Security - 2011, 2012, 2013
  • Titanium Smart Surfing for PC - 2011, 2012
  • Worry-Free Business Security Standard/Advanced - 7.0, 8.0, 9.0

Platform:
  • Windows - XP Home, XP Professional, XP Professional 64-bit, Vista 32-bit, Vista 64-bit, 7 32-bit, 7 64-bit, 8 32-bit, 8 64-bit

Problem Description

The FBI Ransomware has been infecting machines around the world and has been the top ransomware for five weeks straight, based on NABU Consumer data.
[Image: FBI Ransomware]
Recently, a new variant started spreading under the guise of the Royal Canadian Mounted Police.
[Image: Royal Canadian Mounted Police]

Solution

Trend Micro's standalone solution is the AntiRansomware Tool, which has received positive feedback from Support Engineers:
  • The tool was able to execute in an infected environment and kill the ransomware process.
  • For ransomware that uses a digitally signed process, the tool will not kill the process and will instead minimize it.

 

Enhancements of AntiRansomware Tool 

AntiRansomware Tool 2.0 build 10:
  • Fixed an issue in ICE Ransomware cleanup.
  • Implemented a process protection mechanism to prevent the tool from being killed by ransomware.
    Note: WinXP x64 and Win2003 x64 are not supported by this feature.
  • Less strict rules are used to determine whether a file is malware. Any file referenced in a registry autorun key that has no digital signature is shown as suspicious. Because of this feature, the user should be careful when fixing items in the AR Tool.
AntiRansomware Tool 2.0 build 11:
  • Samples that cover only a small part of the screen but disable window switching are now detected.
  • The tool is now able to detect the foreground window where the cursor is locked.

 

Installing AntiRansomware Tool

  1. Go to Safe mode with Networking.
  2. Download the AntiRansomware Tool and save it to your desktop.
  3. Double-click AR20_build11.exe to run it.
    Note: This tool can be installed in Safe Mode with Networking. It can also be installed from USB in regular Safe Mode and in Safe Mode with Command Prompt.
  4. Click Install to start extracting the AntiRansomware tool.
    Note: For Windows XP users, make sure to uncheck Protect my computer and data from unauthorized program activity before running the tool. 

 

Using AntiRansomware Tool

  1. Once AntiRansomware has been installed, restart your computer and go to normal mode where the screen is locked by the ransomware.
  2. Trigger the AntiRansomware Tool by pressing the following keys: Left CTRL + T + I.
    Note: The key press should be done on the client’s keyboard and not from support side (Remote Control/LMI). In some cases, the key press may need to be done more than once.
  3. The screen lock should terminate and the AntiRansomware screen should appear.
    [Image: AntiRansomware Tool]
  4. Click Scan to scan the computer for any ransomware files.
  5. Review and select the threats that you have verified to be malicious then press Clean.
  6. Click Reboot to restart the computer.
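
The build 10 rule described above marks any file in a registry autorun key as suspicious when it has no digital signature, and step 5 asks you to verify items before cleaning. The following PowerShell is an added example (not part of the original article and not the AntiRansomware Tool's code) that lists autorun entries whose target is not validly signed, so they can be reviewed by hand. The selection of Run/RunOnce keys and the helper name Get-AutorunTarget are assumptions of this example.

```powershell
# Added example: approximate the "unsigned autorun file = suspicious" rule for manual review.
# Assumption: only the common Run/RunOnce keys are checked; the real tool may inspect more.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: extract the executable path from an autorun command line.
function Get-AutorunTarget([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') {
        $path = $Matches[1]                      # "C:\path with spaces\app.exe" /args
    } elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') {
        $path = $Matches[1]                      # unquoted path followed by arguments
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    # Bare names such as rundll32.exe are resolved through PATH.
    if ($path -notmatch '^[A-Za-z]:\\|^\\\\') {
        $app = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($app) { $path = $app.Path }
    }
    return $path
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $raw = [string]$regKey.GetValue($name)
        if (-not $raw) { continue }              # skip empty values
        $path = Get-AutorunTarget $raw
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $status = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
        } else {
            $status = 'FileNotFound'             # stale entry or unparsed command line
        }
        New-Object PSObject -Property @{ Key = $key; Name = $name; Path = $path; Signature = $status }
    }
}

# Everything except a valid signature is listed for review, not automatically treated as malware.
$entries | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Signature, Name, Path, Key -AutoSize -Wrap
```

Legitimate software is often unsigned, so an entry in this list is only a candidate for review, which is the same caution the article gives for the tool's own results.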

