Section: New Software and Platforms
Data-aware Defense

Keyword: Ransomware

Functional Description: DaD is a ransomware countermeasure based on a file system minifilter driver. It is a proof of concept and, in its present state, cannot be used as a replacement for existing antivirus solutions. DaD detects randomness in written data by monitoring write operations on the file system. We monitor all userland threads and the whole file system (i.e., not restricted to the Documents folder). A thread whose writes exceed a specific randomness threshold is blocked: the malicious thread is not killed, only its subsequent I/O operations are refused.
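The following is an added user-space model of the decision logic described above, not DaD's own driver code: it scores each write by Shannon entropy, counts high-entropy writes per thread, and refuses further I/O from a thread that exceeds the threshold instead of terminating it. The randomness measure, the threshold values, the thread ids and the sample write buffers are all constructed assumptions, not values taken from DaD.

```python
import hashlib
import math
from collections import defaultdict

# Constructed parameters for this model; DaD's real metric and threshold are not given on the page.
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0
MAX_SUSPICIOUS = 3        # high-entropy writes a thread may make before it is blocked

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a write buffer in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class WriteMonitor:
    """User-space model of the minifilter's pre-write callback: every thread and every
    path is tracked; a thread over the threshold is not killed, its later I/O is denied."""
    def __init__(self, threshold=ENTROPY_THRESHOLD, max_suspicious=MAX_SUSPICIOUS):
        self.threshold, self.max_suspicious = threshold, max_suspicious
        self.suspicious = defaultdict(int)   # thread id -> count of high-entropy writes
        self.blocked = set()                 # thread ids whose I/O is now refused

    def pre_write(self, tid: int, path: str, data: bytes) -> str:
        """Decide one write request: 'allow' or 'deny', as the driver callback would."""
        if tid in self.blocked:
            return "deny"                    # thread keeps running; the request is refused
        if shannon_entropy(data) >= self.threshold:
            self.suspicious[tid] += 1
            if self.suspicious[tid] > self.max_suspicious:
                self.blocked.add(tid)
                return "deny"
        return "allow"

def constructed_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content (constructed)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

def demo():
    """Constructed scenario: an editor (tid 100) writes text; an encrypting thread (tid 200) writes ciphertext."""
    mon = WriteMonitor()
    editor = [mon.pre_write(100, f"notes{i}.txt", b"Meeting notes for Monday.\n" * 40) for i in range(5)]
    encryptor = [mon.pre_write(200, f"report{i}.pdf", constructed_ciphertext(bytes([i]), 4096)) for i in range(5)]
    return {"editor": editor, "encryptor": encryptor, "blocked": set(mon.blocked)}
```

In the constructed scenario the editor's writes are all allowed, while the encrypting thread's fourth write trips the threshold and every later request from it is denied although the thread itself is left running.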

  • Participants: Aurélien Palisse and Jean-Louis Lanet

  • Contact: Aurélien Palisse