Hey Pete. RansomOff does not modify the MBR. The protection is implemented in an upper disk filter. You have to reboot because of how Windows operates the drive stack. Upper disk filters cannot be added or removed dynamically, say like a file filter. When you untick MBR protection on HMPA, it doesn't remove the filter but simply sets a flag internally in their driver saying "we are now ignoring all requests, just pass this on through to the next driver." The driver is still loaded but just not engaged. When you untick MBR in RO, we stop the driver from loading into the device stack in the first place. Hope that makes sense.
@paulderdash, I have 5.2017.144.10111 running with the Tray Icon visible. Shortly after I rebooted the system this morning due to the automatic upgrade from the previous version, I ran into a .NET error and the tray icon disappeared. I had to reboot the system in order to make the Tray Icon visible again. Since then I have performed several tests and changed a lot of options, but the error has not occurred again. So far, the system is running fine with App Lockdown enabled (new process execution - exempt Windows processes enabled) and all other protection options enabled, including MBR protection. With regards to a possible slowdown of reboot: I haven't noticed any difference between having RO installed and the time it was not installed... maybe I'm the lucky one this time (grin).
It does make sense and it's a relief. But a question: if it can be done without a reboot, why not do it that way? If I had to reboot every time I needed to do that... Pete
It's about completely removing the driver from the disk stack. If there are compatibility issues, just doing what HMPA does won't solve them. You have to prevent the driver from loading in the first place and you can only do that at boot time.
Hi @DreamsandVisions. Could you please go to your Event Viewer (right-click Start Menu -> Event Viewer) and then expand 'Applications and Services Logs'. There you will see 'Heilig Defense', and when you select that you should see some messages. Please let us know if you see any error-type messages. Additionally, if you go to 'Windows Logs' on the left and then 'Application', you'll be able to find indications of whether the service crashed (again, these will be marked with the error icon). If you see anything like that relating to RO, please let us know. Could you also open your Services window (Control Panel -> Admin Tasks -> Services) and just verify that 'Heilig Defense RansomOff' is set to Automatic loading? The service crashing is the only thing we can think of at this time for your issue, because if it installed properly and you rebooted, there's no reason it should not be running.
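The three checks asked for above (product event channel, Application log, service start type) are easy to automate so the same evidence can be gathered consistently. The script below is an added example written for this thread; it is not code from Heilig Defense or from any poster. It assumes the event channel is literally named 'Heilig Defense' as it appears in Event Viewer, and that the service's display name is 'Heilig Defense RansomOff'; the process-name pattern it greps for is built from the names that appear in this thread and may need adjusting on another install.

```powershell
# Added triage example, not from the thread's participants or from Heilig Defense.
# Assumptions: event channel 'Heilig Defense', service display name
# 'Heilig Defense RansomOff', process names containing RansomOff/HDRansomOff.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-ProductErrors {
    # Critical (1) and Error (2) entries in the product's own channel
    # (Event Viewer > Applications and Services Logs > Heilig Defense).
    Get-WinEvent -FilterHashtable @{ LogName = 'Heilig Defense'; Level = 1,2; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-ServiceCrashes {
    # Windows Logs > Application: error-level events whose text mentions the product.
    # Event ID 1000 (Application Error) and 1026 (.NET Runtime) are the usual
    # signatures of a crashed process; the first message line is the summary.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1,2; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RansomOff|HDRansomOff|Heilig' } |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Test-ProductService {
    # Services.msc equivalent: is the service present, running and set to Automatic?
    $svc = Get-Service -DisplayName 'Heilig Defense RansomOff' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Found = $false; Status = $null; StartType = $null; Ok = $false }
    }
    [pscustomobject]@{
        Found     = $true
        Status    = $svc.Status
        StartType = $svc.StartType
        Ok        = ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
    }
}

"== Product channel errors (last $Hours h) =="
Get-ProductErrors | Format-Table -AutoSize -Wrap
"== Application log crash indications (last $Hours h) =="
Get-ServiceCrashes | Format-Table -AutoSize -Wrap
"== Service state =="
Test-ProductService | Format-List
```

Run it from an elevated PowerShell so Get-WinEvent can read every channel; an empty product channel combined with Event ID 1000/1026 entries in Application is the "service crashed" pattern the reply above is asking about, while `Ok = False` with `StartType` not equal to Automatic points at an install problem rather than a crash.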
OK thanks @cloggy49 . I did a clean install and it appears to be working fine now. Just need to redo my settings. I have unticked the auto-update as that seemed to be the problem in my case. Also I would prefer the control of manual updates (in case they don't work, it is still beta).
It is the same with MBR Filter which is also an upper disk filter. After installing or deinstalling it you have to reboot.
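Both explanations above (the RansomOff reply on upper disk filters and the MBR Filter comparison) come down to the same mechanism: a class upper filter is wired in through the UpperFilters value of the disk setup class key, and the device stack that references it is built when the devices are enumerated at boot. The script below is an added example for this thread, not code from RansomOff, MBR Filter or any poster; it reads that registry value and cross-checks it against the driver's live state. The service name 'ExampleDiskFilter' is a placeholder assumption; substitute the real filter driver's service name.

```powershell
# Added example, not from the thread's participants or from any product.
# Shows the registration point for upper disk filters and why adding or
# removing one only takes effect at boot. 'ExampleDiskFilter' is a placeholder.

$DiskClassGuid = '{4d36e967-e325-11ce-bfc1-08002be10318}'   # well-known DiskDrive setup class GUID
$ClassKey      = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$DiskClassGuid"

function Get-DiskUpperFilters {
    # Returns the REG_MULTI_SZ list of upper filter service names for the disk
    # class (in load order), or an empty array when the value is absent.
    $v = (Get-ItemProperty -Path $ClassKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
    if ($null -eq $v) { return @() }
    return @($v)
}

function Test-DiskFilterState {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Registered but not running: the stack has not been rebuilt yet, so it
    # loads at next boot. Running but not registered: it was unregistered but
    # stays in the stack until reboot. This is the asymmetry the replies describe.
    $registered = (Get-DiskUpperFilters) -contains $ServiceName
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    $running = [bool]($drv -and $drv.State -eq 'Running')
    [pscustomobject]@{
        Service    = $ServiceName
        Registered = $registered
        Running    = $running
        Status     = if ($registered -and $running) { 'active' }
                     elseif ($registered)           { 'pending load (reboot)' }
                     elseif ($running)              { 'pending unload (reboot)' }
                     else                           { 'not present' }
    }
}

"Upper filters on the disk class (load order):"
Get-DiskUpperFilters | ForEach-Object { "  $_" }
Test-DiskFilterState -ServiceName 'ExampleDiskFilter' | Format-List
```

Two caveats for anyone using this as a check: filters can also be attached per device instance under HKLM\SYSTEM\CurrentControlSet\Enum rather than on the class key, which this script does not enumerate, and a product that keeps its driver loaded and merely flips an internal "pass-through" flag (the HMPA behaviour described above) will show as `active` here even when its protection is switched off.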
@paulderdash : I have Auto update RansomOff enabled w/o problems. Disabling and enabling again doesn't make any difference. The Tray Icon just remains.
Thank you for letting me know which steps to take; I wouldn't have known to take these. From what I've seen, I could think of RO conflicting with AVG TuneUp Utilities (part of my AVG Ultimate (v17.4.3014 (build 17.3.3482.0)) installation); it detects some of its services as a ransomware attack (FP of course) and tries to restore them?!? Here is the information you requested (no service running, same issues as described before, performed a fresh installation after fully removing RO just to make sure): [Attached screenshots: Installer log; Event Viewer - Applications and Services Logs; Event Viewer - Windows Logs - Application; Control Panel - Admin Tasks - Services] Let me know if you need further logs. I will be happy to provide! Thank you for your assistance.
I tried launching the service via "Services"; the first time leads to AVG DeepScreen monitoring it for 15 seconds, giving a clean rating after 15 seconds and starting it. It runs for a minute (to be seen in Task Manager, but not in the tray), then auto-terminates (crashes). On rerun, no AVG action, but it still stays up only for a minute. I tried launching the RO service via Services, which led to AVG DeepScreen monitoring it for 15 seconds and giving a clean rating. From then on, I can see the RO service in Task Manager, but it crashes after about a minute. No tray icon. [Attached screenshots: Running Service; Event Viewer - Applications and Services Logs]
Thank you very much! As we thought, it looks like the service crashed although in a way we've never seen before. So that will be a good fix. And as you said, looks like RO had a FP with AVG. We've had lots of issues with AVG in the past and not just with RansomOff. We have another product for a couple of clients who use AVG and it's always been a struggle from both sides. AVG blocks and alerts on our software while our software causes issues for AVG. But that's why we added the exemption step during installation. Did the RansomOff installer pick up the installed AVG software? The best thing to do is exempt the folder and RO won't bother with them anymore.
Yes, it suggested both WD and AVG to be excluded (it showed their paths and some red/orange balls next to them); let me quickly reinstall to show all entries picked up automatically by RO. It scans them once the entries to exclude are confirmed. I tried running the RO service as described above with AVG completely turned off; nothing changes, the service keeps crashing. AVG did indeed pick up an earlier installer as "unknown / seldom" after triggering DeepScreen and sent it to the lab, but it did not take long to get the clean rating. This and the last installer were just picked up by DeepScreen and let through 15 seconds later. As for the domain question, no. I'm currently using mobile internet to access the web as I'm not at home yet, but the issues appeared on my home WiFi, too. I'm using a VPN (ExpressVPN) while malware testing in a ShadowDefender environment, but both are currently off (SD would flush the system on reboot). [Attached screenshots: Crash Logs (AVG turned off completely); Excluded folders (3rd party security software) - as suggested]
@HeiDef these are the screenshots related to the crash of HDRansomOffUi.exe. [Attached: Screenshots] EDIT - UPDATE: Reporting back: the UI is working like a charm now; I cannot spot any errors in the Event Viewer logs anymore. Let me check some recent samples now to see whether my issues are solved. [Attached: UI]
For everyone else reading the last few posts, we were talking with @DreamsandVisions through PM. His crash and subsequent screenshots helped us identify an issue with the usage of a hard-coded English user name "Everyone", which on systems that are not English does not mean the same thing. And when the lookup of that username failed, it caused an exception that led to a crash. We built a quick fix for @DreamsandVisions to test out, and once we made it language neutral, everything appears to be working again. So for anyone else that has a non-English language setting and experienced a crash, this is the reason why. Obviously the next update will include this fix.
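The crash root cause described in the post above is a common bug class on localized Windows: well-known group names are translated (the "Everyone" group is "Jeder" on a German system and "Tout le monde" on a French one), so resolving by the English string throws IdentityNotMappedException, while the group's SID (S-1-1-0, the World SID) is identical everywhere. The script below is an added example for this thread, not Heilig Defense's fix or code; it shows the fragile name-based lookup next to the SID-based one, and how to build an ACE from the SID so no literal name is ever needed.

```powershell
# Added example, not Heilig Defense's code. Name-based vs. SID-based lookup
# of the "Everyone" group, and a SID-based ACE that needs no display name.
using namespace System.Security.Principal   # must be the first statement in the script

function Resolve-ByName {
    # Fragile: 'Everyone' only resolves on English installs. On a localized
    # system Translate() throws IdentityNotMappedException, which is the
    # exception path that crashed the service in the post above.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $sid = ([NTAccount]$Name).Translate([SecurityIdentifier])
        [pscustomobject]@{ Input = $Name; Sid = $sid.Value; Resolved = $true }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        [pscustomobject]@{ Input = $Name; Sid = $null; Resolved = $false }
    }
}

function Resolve-BySid {
    # Robust: start from the well-known SID and translate to the *local*
    # display name only if a human-readable string is needed.
    param([string]$SidString = 'S-1-1-0')   # S-1-1-0 = World, shown as "Everyone" on English systems
    $sid  = [SecurityIdentifier]$SidString
    $name = $sid.Translate([NTAccount]).Value
    [pscustomobject]@{ Input = $SidString; LocalName = $name; Resolved = $true }
}

# Compare both approaches on this machine; on a non-English install the
# first returns Resolved = False while the second still succeeds.
Resolve-ByName -Name 'Everyone'
Resolve-BySid

# The same principle when writing an ACL: build the ACE from the SID object,
# never from a literal name, so the rule is valid on any language of Windows.
$everyone = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.AccessControlType]::Allow)
"ACE identity: {0}  rights: {1}" -f $rule.IdentityReference.Value, $rule.FileSystemRights
```

The general rule this illustrates: any code that needs a built-in principal (Everyone, SYSTEM, Administrators, Users) should carry the WellKnownSidType or SID string, not the English name, and treat a failed name translation as an expected, handled condition rather than letting it propagate and take the process down.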
Can confirm RO is now working fine; however I get this message on almost every RW I tried running (except for ChkDsk.exe, which just runs in memory). It seems as if RO blocks the encryption process. No file was affected; the xData RW managed to create a key file on the desktop. The ransomwares are still running in memory, but seem not to work (they would start encryption instantly; I can at least confirm this for xData, with AVG turned off completely). RO is up and running, with no error messages in Event Viewer. No setting has been changed in RO; tested with default settings, within a ShadowDefender protected environment. [Attached: Screenshots]
Tested RW:
Lightning Crypt Ransomware - https://www.hybrid-analysis.com/sam...24c6cd25bdcebfdaac05706d288?environmentId=100
GlobeImposter - https://www.hybrid-analysis.com/sam...1b6e9a3afcde30b36391fd2df1e?environmentId=100
jaff new - https://www.reverse.it/sample/55730...e11bd1dede755d513fe6b5ac835?environmentId=100
wcry2 - https://www.hybrid-analysis.com/sam...840480439c6e5babe8e080e41aa?environmentId=100
xdata_RW - https://www.hybrid-analysis.com/sam...cbfaef662bf691ffd0080327ab9?environmentId=100
Big, big thank you to @HeiDef for helping, replying that fast and not giving up.
It's likely a conflict with ShadowDefender. Do you get the same error if you run a non-ransomware process? And do you have a F: mounted?
Sorry for the late reply. I actually had an internet stick mounted via USB to access the internet - F://. Interesting that the malware tried accessing this one instead of C:// (the pictures and documents shown are stored there), D:// or E:// (all are partitions of my SSD / HDD) at all. As for running a non-RW process, SysInternals Process Explorer gave no error. I now tried connecting my laptop via my mobile phone's internet connection, for which no drive F:// is created. On retry, same outcome minus the F:// error message. Ransomwares are running; one managed to extract all its stuff (WCry2), and xData drops its stuff to the desktop. [Attached: Screenshot] Maybe someone with a VM can try running these samples with the current version of RO + the two fixed .exe? Note that once I shut down RO, the encryption party begins! [Attached: Encryption] Leaving for bed now, will reply ASAP!
Just a note... previously, when clicking on the EXIT button in RO, the computer would freeze... with the latest beta, all is OK.
Most ransomware will target removables and network shares first before touching the local drives. This is because some products don't protect these devices like a local drive. RansomOff does. And the reason why they didn't get to the other drives is because RO likely has them frozen. We do our testing in VMware but we'll have to give SD a try to see what's going on. RO definitely works so there is some funny interaction happening. RO actually employs concepts similar to SD and that could definitely cause some head bumping.
Please ask Lab Personnel to retest Shell Locker with this version again. In their test (I don't know if it matters or not), please allow the test to run in Shadow Mode with SD. I've been having problems when Shell Locker knocks out the screen/taskbar and the only Alert Notice is the RansomOff box to DENY, right? Then on explorer restart, sometimes encrypted junk files are still being loaded up even after the explorer restart, and the RansomOff tray icon is knocked out too. On one such test it took 3 to 4 restarts of explorer before RansomOff could finally sweep those off. There must be some way to more quickly regain the desktop and/or have RansomOff undo those scrap files? Maybe some automated auto-restart of explorer so the user can avoid having to try to manually find it? Thanks for any consideration.
Thank you for the update @HeiDef! Clever malware and an even more clever product. I already love it and can't wait to see its final appearance. I could imagine a UI bug (according to other tests I've seen, a warning message appears as soon as RW behavior is detected, with RO waiting for user reaction to the frozen attack), but I can't find the link to the missing alerts in the RO log. Sorry for causing so much trouble.