Why didn't Huntress detect/block a malicious file/activity/ransomware?
Huntress is not a preventive security solution. Huntress was created to find malware that has slipped past preventive products and established a foothold on the host.
Malicious Files and/or Activity
Huntress detects malware by looking for the footholds malware adds to start itself when the system boots or a user logs in. Huntress analyzes persistence mechanisms such as services, scheduled tasks, registry run keys, and other auto-start locations provided by Windows that can be used by malware to establish a foothold. Huntress focuses on finding these malicious footholds, leaving complete system scans, behavioral analysis, and network monitoring to preventive security solutions. The intent of this strategy is to find persistent malware that has slipped past these other solutions.
Since Huntress only looks for footholds, it does not scan every file on the system or monitor running processes. A malicious file that runs once and never registers an auto-start entry, or a process that stays in memory without a persistence mechanism, is therefore outside what Huntress examines.
Ransomware detection was never the intent of Huntress. Occasionally Huntress will identify a ransomware infection as a byproduct of hunting for footholds, but we don't advertise ransomware detection as a feature of Huntress.
Ransomware typically performs its malicious activity and then deletes itself, often without creating a foothold. Sometimes ransomware will encrypt the desktop.ini file within a user’s Startup folder, or place a ransom notice there that opens when the user logs in; Huntress will flag these "footholds". However, many newer ransomware variants only encrypt data files (PDF, Word, XLS, etc.) and do not drop a ransom notice. That type of ransomware infection would not be seen by Huntress at all.
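The following PowerShell script is an added example, not Huntress code, that walks the auto-start locations the article names (registry Run/RunOnce keys, services, scheduled tasks, and the per-user and all-users Startup folders) and flags entries that look like the footholds described above, including the encrypted desktop.ini and non-shortcut files in a Startup folder from the ransomware passage. The suspicious-path and command-line patterns are illustrative heuristics chosen for this example, not a Huntress detection list; expect false positives from legitimate software installed under ProgramData or AppData. Run it from an elevated prompt on the host you want to inspect.

```powershell
# Added example (not Huntress code): enumerate Windows auto-start locations and
# flag entries that reference user-writable paths or encoded command lines.
# The patterns below are illustrative assumptions, not a vendor-supplied list.

$suspiciousPath = '\\(Temp|AppData\\Local\\Temp|Downloads|Public|ProgramData|Users\\[^\\]+\\AppData)\\'
$suspiciousCmd  = '(?i)(-enc(odedcommand)?\s|rundll32.*javascript|mshta|wscript.*\.(js|vbs)|regsvr32.*/i:)'

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Source, $Name, $Command) {
    # Record an auto-start entry only when its command matches one of the heuristics
    if ($Command -match $suspiciousPath -or $Command -match $suspiciousCmd) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Registry Run / RunOnce keys (machine-wide, WOW64 view, and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... metadata properties the provider adds
            if ($p.Name -notmatch '^PS') { Add-Finding "Registry: $key" $p.Name ([string]$p.Value) }
        }
    }
}

# 2. Services: the binary path each service starts
Get-CimInstance Win32_Service | ForEach-Object {
    Add-Finding 'Service' $_.Name ([string]$_.PathName)
}

# 3. Scheduled tasks: executable plus arguments for every Exec action
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # COM-handler actions have no Execute property; only Exec actions are checked
        if ($a.Execute) {
            Add-Finding "Task: $($task.TaskPath)" $task.TaskName ("$($a.Execute) $($a.Arguments)")
        }
    }
}

# 4. Startup folders: anything that is not a shortcut, plus the desktop.ini case
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        # -Force is needed because desktop.ini is normally Hidden+System
        Get-ChildItem -Path $dir -Force -File | ForEach-Object {
            $f = $_
            if ($f.Name -ieq 'desktop.ini') {
                # A legitimate desktop.ini is a small INI file whose first line is a
                # section header such as [.ShellClassInfo]; an encrypted one is not
                $firstLine = Get-Content -Path $f.FullName -TotalCount 1 -ErrorAction SilentlyContinue
                if ($firstLine -notmatch '^\[') {
                    $findings.Add([pscustomobject]@{ Source = "Startup: $dir"; Name = $f.Name;
                        Command = 'desktop.ini does not start with an INI section header (possibly encrypted)' })
                }
            } elseif ($f.Extension -notin '.lnk', '.ini') {
                # Ransom notes and dropped binaries show up here as non-shortcut files
                $findings.Add([pscustomobject]@{ Source = "Startup: $dir"; Name = $f.Name; Command = $f.FullName })
            }
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: each hit is a foothold candidate to examine (where the binary lives, who signed it, when the entry was created), which is the same kind of judgement the article says Huntress applies, and, as the ransomware passage notes, a variant that only encrypts data files and leaves no auto-start entry produces nothing here either.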