Silent, deadly and constantly evolving, ransomware is never far from the headlines. You might expect McAfee to want to boast about its McAfee Ransomware Interceptor, then, but instead it’s buried deep in the security company’s website.
The likely explanation is that Interceptor is a ‘pilot’, more of an experimental tool than a fully supported product. The website warns you that it might have issues, which could be a concern for a low-level tool with such an important task.
McAfee provides few details on how the program works, other than it “leverages heuristics and machine learning” to identify threats, rather than using simple signatures.
That sounds like the behaviour monitoring approach used by other tools, which in theory should allow the program to block even brand-new threats. But a glance at the website shows this doesn’t always work: for example, McAfee had to issue an Interceptor update in May 2017 before the program would properly detect WannaCry.
No anti-ransomware tool offers a 100% guarantee, of course, and failing to detect one malware strain doesn’t tell us how Interceptor will perform against others. We would have to download and install the program to find out more.
McAfee Ransomware Interceptor is free for anyone to use, with no registration or other hassles. Visit the website, choose the 32 or 64-bit version, read the licence and you can download the program with a click.
The installer is an exceptionally small 3.3MB. This expands to take around 15MB of hard drive space post-setup, but that’s still relatively compact, and McAfee’s three background processes took barely 6MB of RAM between them. That’s less than a tenth of the requirement of some competitors.
Interceptor’s processes and files are well protected from attack. Malware might try to disable it by closing processes, deleting files or Registry keys, but well-chosen security settings make this extremely difficult.
The program has no real interface beyond a single system tray icon, which contains just three management tools. We could toggle protection on and off, whitelist a trusted program to prevent it being blocked in future, or view a system log to see what Interceptor has done.
The whitelisting feature came in useful almost immediately, as Interceptor falsely raised an alert about IObit Uninstaller. That’s a very safe, legitimate and not even faintly ransomware-like program, so flagging it makes us wonder about Interceptor’s accuracy. But it also tells us that Interceptor is doing much more than looking for file encryption actions, and although that means more false alarms, it could also block threats that other anti-ransomware tools ignore.
Testing behaviour-based anti-ransomware software is always difficult. Its value lies in the claim that it can detect malware which doesn’t exist yet, but that’s hard to assess unless you have very wide access to the very latest threats.
We started with a simpler approach, testing Interceptor against Cerber, a known ransomware strain. The results were excellent, with Interceptor blocking the Cerber process before it could encrypt a single file, and displaying an alert. That’s no surprise – we would expect McAfee to have designed Interceptor to look for threats like Cerber – but it does show the program is offering some useful protection.
Next, we turned to RanSim, an interesting ransomware simulator. This runs various tests using different types of ransomware-like behaviour, and tells you which have been blocked. The report in this test was very easy to read, but that wasn’t good news: McAfee Ransomware Interceptor hadn’t blocked anything at all.
Finally, we launched RanTest, a very simple simulator of our own. It’s far more basic than RanSim, but as it’s never been released, we know it’s something that McAfee Ransomware Interceptor won’t have seen before. We don’t know if that made a difference, but RanTest was allowed to run to completion, encrypting all 6,611 target files in our test tree.
We need to interpret these results with care. RanSim may use ransomware-like actions, but it only worked on its own sample files, leaving ours untouched. Interceptor arguably made the right decision by allowing it to run.
We think RanTest is probably the more significant failure, as it was able to encrypt thousands of real files on our test system. It’s not real ransomware and only spidered through a single test tree, so it’s possible the program didn’t meet Interceptor’s threshold for detection. But other anti-ransomware tools generally block RanTest right away, and on balance we think Interceptor should have done the same.
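The trade-offs described above (the IObit false alarm, RanSim touching only its own sample files, RanTest encrypting thousands of real files) all come down to where a behaviour monitor sets its thresholds. The following is an added toy illustration of that idea, not McAfee’s code and not a description of how Interceptor actually works: it scores each process from a constructed stream of file-system events (the kind of telemetry a filesystem filter or EDR sensor would report) and shows how a conservative rule set lets a self-contained simulator run, while an aggressive rule set also flags a legitimate uninstaller. All process names, paths and the USER_ROOT folder are assumptions constructed for the example.

```python
"""Toy behaviour-based ransomware detector (added example, not McAfee's code).

Scores each process from a constructed list of file-system events and returns
an allow/block verdict per process. The thresholds are illustrative only.
"""
import math
from collections import defaultdict

# Assumption: only files under the user's profile count as "real" data.
USER_ROOT = "C:/Users/alice/"

# Constructed stand-ins for file contents written by a process.
PLAINTEXT = b"Quarterly figures: revenue up 4%, costs flat, headcount unchanged.\n" * 8
# Every byte value 0..255 appears equally often, so entropy is exactly 8 bits/byte,
# a deterministic stand-in for ciphertext (131 is coprime with 256).
CIPHERTEXT_LIKE = bytes((i * 131 + 17) % 256 for i in range(1024))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def process_features(events):
    """Aggregate per-process counters from (proc, op, path, data, new_path) tuples."""
    feats = defaultdict(lambda: {"enc_writes": 0, "ext_renames": 0, "deletes": 0})
    for proc, op, path, data, new_path in events:
        f = feats[proc]
        if op == "write" and path.startswith(USER_ROOT) and shannon_entropy(data) > 7.0:
            f["enc_writes"] += 1          # ciphertext-like overwrite of a user file
        elif op == "rename" and path.startswith(USER_ROOT) and \
                path.rsplit(".", 1)[-1] != new_path.rsplit(".", 1)[-1]:
            f["ext_renames"] += 1         # user file given a new extension
        elif op == "delete":
            f["deletes"] += 1             # weak signal on its own
    return feats


def classify(events, aggressive=False):
    """Return {proc: "BLOCK" | "allow"}.

    Conservative mode only reacts to ciphertext-like writes (plus renames) on
    user files. Aggressive mode also flags mass deletion, which widens coverage
    but trips on legitimate cleanup tools such as an uninstaller.
    """
    verdicts = {}
    for proc, f in process_features(events).items():
        suspicious = f["enc_writes"] >= 20 or (f["enc_writes"] >= 5 and f["ext_renames"] >= 5)
        if aggressive and f["deletes"] >= 100:
            suspicious = True
        verdicts[proc] = "BLOCK" if suspicious else "allow"
    return verdicts


def sample_events():
    """Constructed event stream covering the four cases discussed in the review."""
    ev = []
    # 1. A text editor saving three documents: low-entropy writes to user files.
    for i in range(3):
        ev.append(("editor.exe", "write", f"{USER_ROOT}Documents/note{i}.txt", PLAINTEXT, None))
    # 2. A simulator that only scrambles its own sample files outside the user tree.
    for i in range(10):
        ev.append(("simulator.exe", "write", f"C:/Tools/sim/samples/{i}.bin", CIPHERTEXT_LIKE, None))
    # 3. An uninstaller removing hundreds of program files (no encryption at all).
    for i in range(400):
        ev.append(("uninstaller.exe", "delete", f"C:/Program Files/OldApp/file{i}.dll", None, None))
    # 4. A process overwriting user files with ciphertext-like data and renaming them.
    for i in range(50):
        p = f"{USER_ROOT}Pictures/photo{i}.jpg"
        ev.append(("cryptor.exe", "write", p, CIPHERTEXT_LIKE, None))
        ev.append(("cryptor.exe", "rename", p, None, p + ".locked"))
    return ev


if __name__ == "__main__":
    for mode in (False, True):
        label = "aggressive" if mode else "conservative"
        print(label, classify(sample_events(), aggressive=mode))
```

In conservative mode only the mass encryptor is blocked: the simulator never touches a user file, so it falls below the threshold, which is exactly the judgement call the review makes about RanSim. Switching on the mass-delete rule also blocks the uninstaller, mirroring the kind of false alarm seen with IObit Uninstaller; a real product has to tune these rules against a large corpus of benign and malicious behaviour rather than the handful of cases shown here.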
Ransomware Interceptor is user-friendly, impressively lightweight and had no trouble blocking ransomware like Cerber, but its less impressive results against our simulated attacks are slightly troubling. That said, it’s still a ‘pilot’ product and may well see improvements in the future.