We just released version 5.2017.139.8295. The installer is ready to download and we'll get the auto-update packages posted shortly. In this release we added a new features; app lockdown. Essentially it adds an anti-exe capability to RansomOff so you can control what runs. You can read about it on the documentation page (https://www.ransomoff.com/docs.php). Additionally, there are lots of bug fixes and feature updates based on the feedback from this forum and others. So thank you. This update took a bit longer to release than planned only because we wanted to make sure we test against other security solutions and fix any issues we find with compatibility. It took a while, but it appears that RansomOff and KIS now can co-exist together without issues. We also played with MBRFilter for a while and found no negative interactions there. But again, as a word of caution, we still consider this beta (but hopefully not much longer). Enjoy!
What the hell, so now it even has an anti-exe ability, you guys are quite quick to develop stuff, very impressive! But I do wonder, don't you think it will become packed with too many features? Perhaps the focus should be only to block ransomware via behavior blocking. To clarify, I'm not being negative, but it's just a thought. About the documentation, I often open images in new tabs, but currently this isn't possible, can this be changed? Not a big deal though.
We're done adding new features now The way we see it is that folder protection and anti-exe are additional defensive layers against ransomware (and regular malware as well) so we wanted to have these all integrated into one solution so the option is there to increase protection as desired. It wasn't a spur of the moment decision to add it either. We do have a plan. But we are sensitive about the bloatware perception. However, even with the few new things we have added, our memory footprint is still pretty low even for a .NET executable and the features are tied together in a way that makes sense for an anti-ransomware solution. We'll see what we can do about the images on the documentation page.
Hi, How often or when does RansomOff checks if a new version is available? I saw that you had released a new version but even after a reboot, the system kept running the 'old' version.
We haven't uploaded the packages yet. Still working on putting those together. Should be soon. But RansomOff checks at start up and then about every hour for a new version.
Ah, that explains why it did not find yet the new version. Thanks for the extremely quick response...
I like this "Show/Hide Read" App Lockdown doesn't remeber settings... Set to "all unsigned procesess" and click OK, then again open settings and it show "All procesess"
OK I see, this does indeed make sense. Perhaps it's a better idea to alert only about common processes that ransomware often use to delete Win Restore files and to perform process hollowing. Does RO have the ability to spot process hollowing out of the box?
Just posted the update packages so if you restart RansomOff or just wait a little, it should update and then notify that a restart is required.
The underlying question is will it be enough? Possibly but in the security world you can never say never. However with the new anti-exe addition I must agree that particular extra layer should prove invaluable. For example while testing a certain Hades Locker ransomware last night it somehow managed to stick in the running processes on me. Also can you provide where to send Heilig Defense some samples.
An options to whitelist all running process will be good, or maybe to add folder to whitelist (for Lockdown) - similar to NVTERP.
It doesn't look for process hollowing directly but for example, it understands the difference between explorer.exe running during normal bootup and a malicious process attempting to use it to cover its tracks. But also ransomware activity is very distinct from most other file activity so the process that is finally used to perform the encryption doesn't matter much because its ultimately the behaviors that RO is looking at.
The App Lockdown is tied in with the main exemption list (along with it's own sub-list), but currently doesn't let you add folders, just individual processes. We'll add that to our to-do list as well.
The easiest would probably be to post hashes so we can just go pull them from our various sources. We will PM you with an address though.
Hi, activated App Lockdown but disabled it after about 15 minutes as it made my system very unresponsive. Sometimes it took >5-10 seconds to open an application while with App Lockdown disabled, applications are opened instantaneously. Note that it doesn't matter what option I selected for App Lockdown as after re-opening that window, All Processes are selected as already reported bij Djigi
Thanks. We'll look into the sluggishness. As for the options display, the option you select does get set internally so if you select "All unsigned process," it will only notify on unsigned processes. But as you and Djigi noticed, once you reopen the window it does show it reset back to the "All processes" option. It was a quick fix and next update will resolve it.
Hi, it's even worse. After disabling App Lockdown, I even have to terminate RO in order to make the system responsive again. Once terminated, a number of windows started to pop-up that were selected while the App Lockdown option was active but they never became active.
Just installed so far, so good! Not playing with the App Lockdown. Leaving it alone for now! Making sure that everything else is working normally.
Sorry about that. Can you tell us what OS and architecture you are running along with any other security software? We never experienced that in our testing so we want to try to recreate your environment to see what's going on.
Me too....not enabling App Lockdown yet...but so far running great with EIS, VS Pro, and HMP.Alert. No slowdowns.
