Why didn't Huntress detect a malicious file/activity/ransomware?

Malicious Files and/or Activity

Huntress detects malware by looking for the footholds malware adds so that it starts itself when the system boots or a user logs in. It analyzes persistence mechanisms such as services, scheduled tasks, registry Run keys, and the other auto-start locations Windows provides, all of which malware can use to establish a foothold. Huntress focuses on finding these malicious footholds and leaves full system scans, behavioral analysis, and network monitoring to preventive security solutions. The intent of this strategy is to catch persistent malware that has slipped past those other solutions.

Since Huntress only looks for footholds, it does not scan every file on the system or monitor running processes.

Ransomware detection was not the intent of Huntress, but occasionally Huntress will identify it as a byproduct of hunting for footholds.

Ransomware typically does its damage and then deletes itself, often without ever creating a foothold. Sometimes ransomware will encrypt a desktop.ini file inside a user's Startup folder, or place a ransom notice there so that it opens when the user logs in. Huntress will flag those artifacts as "footholds". Unfortunately, many newer ransomware variants only encrypt document files (PDF, Word, XLS, etc.) and never drop a ransom notice; an infection of that kind leaves no foothold and would not be seen by Huntress at all.
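To make the foothold idea from the two sections above concrete, here is an added PowerShell example that sweeps the same classes of auto-start location (Run keys, scheduled tasks, auto-start services, Startup folders) and flags entries worth a second look, including a ransom note or a renamed desktop.ini in a Startup folder. It is illustration written for this page, not Huntress's own code and not a description of how its engine works; the regular-expression heuristics and the "suspicious" criteria are assumptions chosen for the example.

```powershell
# Added example, not Huntress's own tooling: enumerate the auto-start locations a
# foothold hunter cares about and flag entries that deserve review. Run from an
# elevated PowerShell session (PowerShell 3+). The regex heuristics are assumptions
# chosen for illustration, not a detection rule set from the page.

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command, [string[]]$ExtraFlags = @())
    $flags = @($ExtraFlags)
    # Assumed heuristic: launched from a user-writable directory
    if ($Command -match '(?i)\\(AppData|Temp|Downloads|ProgramData|Public)\\') { $flags += 'user-writable path' }
    # Assumed heuristic: script hosts and other binaries commonly abused for persistence
    if ($Command -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b') { $flags += 'script host / LOLBin' }
    # Assumed heuristic: encoded or hidden-window PowerShell arguments
    if ($Command -match '(?i)-(e|enc|encodedcommand|w hidden|windowstyle hidden)\b') { $flags += 'obfuscated arguments' }
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Flags = ($flags -join ', ') })
}

# 1. Registry Run / RunOnce keys for the machine and the current user
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $psMeta) { Add-Finding -Source $key -Name $p.Name -Command ([string]$p.Value) }
    }
}

# 2. Scheduled tasks: every action's executable plus its arguments
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            Add-Finding -Source 'ScheduledTask' -Name ($task.TaskPath + $task.TaskName) -Command ("$($a.Execute) $($a.Arguments)".Trim())
        }
    }
}

# 3. Services configured to start automatically
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
    Add-Finding -Source 'Service' -Name $svc.Name -Command ([string]$svc.PathName)
}

# 4. Startup folders: everything here runs or opens at logon. A ransom note (.txt/.hta/.html)
#    or a renamed desktop.ini (desktop.ini.<ext>) is the kind of artifact the page describes.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += Get-ChildItem 'C:\Users' -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem $dir -Force -File) {   # -Force so hidden desktop.ini is included
        $extra = @()
        if ($f.Name -match '(?i)\.(txt|hta|html?)$') { $extra += 'possible ransom note' }
        if ($f.Name -match '(?i)^desktop\.ini\..+') { $extra += 'renamed desktop.ini (possible encryption)' }
        if ($f.Name -notmatch '(?i)\.lnk$' -and $f.Name -ne 'desktop.ini') { $extra += 'non-shortcut in Startup' }
        Add-Finding -Source 'StartupFolder' -Name $f.Name -Command $f.FullName -ExtraFlags $extra
    }
}

# Review the flagged subset first; the complete inventory stays in $findings
$findings | Where-Object { $_.Flags } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Note what this sweep deliberately does not do: it never opens a document, hashes a file outside an auto-start location, or watches a running process. That is the same trade-off described above, and it is why ransomware that only encrypts documents and leaves no Startup-folder or registry artifact produces an empty result here too.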
