RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    About the "Startup change detection" feature: could you please let the user choose to allow or block, not just give a notification and allow it by default?

    By the way, about the App Lockdown feature, could you please add "Program Files (x86)" to the exemption list by default (using Win10 x64)?
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    When you go to the Alerts dialog and select the startup notification alert icon, you can click the 'Delete Startup Item' button to remove the entry. However, we could also add that to the toast notification to streamline the action.

    As for App Lockdown, we don't want to automatically exempt large swaths of files because there is some inherent risk with that. It needs to be up to the user to determine how wide or narrow they want their exemptions to be.
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    As an FYI, we pushed an update last night but got a report of a crash this morning, so we reverted to the previous RC1 release (5.2017.190.9480). The crash didn't show up in our testing and we are still waiting on more information about the crash to figure out exactly what the issue is. But once we figure it out we'll get an update out ASAP.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hey HeiDef. Great Program!

    Out of pure curiosity, could you also share the platform that this new update which got pulled crashed on?

    FWIW, so far things continue to chug along very nicely on this end with both Windows 8 and Windows 10. I really haven't seen the need to pit it against my zoo again, but if new ransomware formulas turn up that might pose a challenge, you can be sure to count on a report to help with mods and/or adjustments as necessary for you to address them.

    I don't know about most other forum members but I think HeiDef Defense has extended quite the generosity with this endeavor too.

    What are we to expect with the future plans for this program in the long term from the business end of matters going forward?
     
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks @EASTER.

    It was a Win10 Pro x64 that crashed after a reboot. RO wasn't listed as the offending driver, so we're not entirely sure yet what the issue is, but there is a dump file on the way that will hopefully straighten things out. In the meantime, we decided to revert out of caution.

    As for future plans, RO is going to continue to be offered as "free for non-commercial use." We want RO to be used in both home and commercial settings. To better support the commercial side of things, we are building out SMB/enterprise features to support deployments in those environments. This will include things like better integration with existing logging and SIEM solutions, active alerting, and the remote management and control that will be provided through the RansomOff Server.

    As many folks on this board are IT professionals, any suggestions on enterprise level features that you would find useful would be some great feedback as we continue to develop those things.
     
  6. Scyna

    Scyna Registered Member

    Joined:
    Jan 30, 2015
    Posts:
    17
    Has anyone gotten this working flawlessly with Kaspersky 2017? I always have something weird happen when I have RansomOff installed on the system. It would either not start, make Discord not start up, or have Kaspersky complain that System Watcher can't start. If I uninstall RansomOff it works fine. I'm on Windows 10 64-bit.
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    When you say "it would not start" are you referring to your system, RansomOff and/or Kaspersky?

    Make sure you exempt the Kaspersky products. You can do that during RansomOff's installation. Also you could disable RansomOff's Policy Enforcement once it is loaded. Kaspersky, like most anti-malware, likes to burrow deep (a lot like malware) and some of the protections that Policy Enforcement provides could conflict.
     
  8. Scyna

    Scyna Registered Member

    Joined:
    Jan 30, 2015
    Posts:
    17
    When I said "not start" I meant RansomOff wouldn't. RansomOff already exempts Kaspersky's folders during the install.

    Update: I turned off Policy Enforcement and my Battle.net launcher kept crashing. I had to uninstall RansomOff to fix it.
     
    Last edited: Jul 20, 2017
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    New version downloaded automatically.
    No changelog on the web site yet though.
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi All

    Any news on how we get around these issues re. Macrium?

    I am having a similar problem when I try to restore an image using the Windows PE at boot rather than using that on the recovery CD.

    Regards, Baldrick
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting. Thanks. This also is interesting.

    https://www.heidef.com/overwatch.html

    My tightly wound units with RansomOff are offline right now while doing some adjustments.
     
    Last edited: Jul 23, 2017
  12. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hi Baldrick,

    Does Macrium provide a log or any error messages? If you could send us whatever output it is throwing, it will help figure out what's happening.

    The next update will have some changes with how it handles removable devices which will hopefully mitigate these issues.
     
  13. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I just have no luck running ransomoff. I installed it again this time on my windows 10 computer but as soon as I did it popped up two command prompt dialog boxes. I restarted my computer but it just froze my whole computer. I could not do anything. I had a heck of a time uninstalling it but I was finally able to delete it. I could understand it not working on one computer but not on two. I really want to use ransomoff but I can't deal with all the problems I'm having with it.
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi Dave

    Thanks for the reply...hope that you are well?

    Macrium does indeed have a log but it is very Macrium centric in that it only advises of the issue/what caused the problem, in relatively simplistic terms.

    In my case it is reporting that the Windows PE environment that one can create from within Macrium, and then use for an on-boot recovery without the use of a rescue CD, is apparently missing, i.e., it looks like at some point in the initiation of the Macrium recovery process, before restarting to boot into the Windows PE environment, RansomOff has 'stripped' it off the disk. I did check in the various 'quarantine' and recovery areas but nothing was showing.

    To help out I will repeat the whole process again tonight, but this time will look to document my steps somewhat more formally and then report back here, in the hope that will help to track down what needs to be excluded.

    Hope that is acceptable?

    Regards, Baldrick
     
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    OK, tried it all again with the parameterisation/setup suggested by cloggy49...but still no dice. The restore attempt failed with the following logged by Macrium:

    Image ID - 7432B886EB426D69
    --------------------------------------------------------------------------------
    Dismounting drives
    --------------------------------------------------------------------------------
    Windows PE boot menu is not installed

    The last element being the salient element methinks.

    However, I also noted the following from RansomOff itself:

    Alert Type: Process Blocked
    Alert Level: Malicious
    Alert DTG: 2017-07-24 20:45:38 UTC

    The following process was blocked from running either because it or the parent process is on the block list.
    Path 'c:\windows\system32\bcdedit.exe'
    SHA-256: '9f3f83d8fd7c5d8b65f81421b0348e67f38adc58d4f020aa6aabc1b56625317c'
    PID: '8492'
    Session: '0'
    Parent Path: 'c:\program files\macrium\reflect\reflectbin.exe'
    Parent PID: '8916'

    Now I am fairly certain that I had the folder 'c:\program files\macrium\reflect\' registered under Exemptions. But not bcdedit.exe, which lives in the Windows\system32 folder.

    Now asking myself if I need to set that up either under Exemptions or under 'Deny'?

    Any thoughts?

    Regards, Baldrick
     
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    One of the more recent additions to our policy enforcement is attempting to regulate the use of bcdedit and vssadmin. These are both used in ransomware attacks so RO tries to determine if their usage is legit. It might be tuned too high as Macrium would have a legitimate purpose to use bcdedit. We'll give it some tweaks to make it a bit more permissive.

    As for the actual issue with WinPE, it's likely due to how RO protects removable devices. Like I said, the next release will have some changes that will hopefully mitigate this problem. I'll send you a PM with a link to the latest build tomorrow so we can test if it fixes things for you.
     
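    The parent-process gating HeiDef describes above (deciding whether a bcdedit/vssadmin launch is legitimate), as an added example that is not RansomOff's code and does not claim to reproduce how RO actually decides. It is a toy policy in Python: destructive command lines that ransomware typically uses (delete shadow copies, disable recovery) are blocked whatever the parent; otherwise a watched binary is allowed only when its parent is on an exemption list, which is the knob Baldrick is asking about. The exemption list, the alert parser's field names (taken from the alert Baldrick quoted, which carries no command line), the Macrium path, and the sample process-creation events are constructed for illustration.

```python
"""Parent-process gating for bcdedit/vssadmin (added example, not RansomOff code).

Ransomware commonly runs vssadmin and bcdedit before encrypting to delete
shadow copies and disable Windows recovery. Blocking those binaries outright
breaks legitimate tools such as Macrium Reflect, which spawns bcdedit when it
installs its WinPE boot-menu entry. This toy policy blocks known-destructive
command lines regardless of parent, allows an allow-listed parent otherwise,
and blocks everything else. Exemption list and sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet

# Built-in Windows binaries that ransomware abuses to destroy recovery options.
WATCHED_BINARIES = frozenset({"bcdedit.exe", "vssadmin.exe"})

# Hypothetical exemption list of parents allowed to spawn the watched binaries.
# The Macrium path is the parent path from the alert quoted in the thread.
EXEMPT_PARENTS: FrozenSet[str] = frozenset({
    r"c:\program files\macrium\reflect\reflectbin.exe",
})

# Command-line fragments typical of ransomware pre-encryption steps.
SUSPICIOUS_ARGS = [
    re.compile(r"delete\s+shadows", re.I),        # vssadmin delete shadows /all /quiet
    re.compile(r"resize\s+shadowstorage", re.I),  # shrink shadow storage to evict copies
    re.compile(r"recoveryenabled\s+no", re.I),    # bcdedit /set {default} recoveryenabled No
    re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I),
]


@dataclass(frozen=True)
class ProcessEvent:
    path: str
    parent_path: str
    cmdline: str = ""   # empty when the event source does not record arguments
    pid: int = 0
    parent_pid: int = 0


# Field patterns for a RansomOff-style "Process Blocked" alert as quoted in the thread.
_ALERT_FIELDS = {
    "path": re.compile(r"^\s*Path:?\s*'([^']+)'", re.M),
    "parent_path": re.compile(r"^\s*Parent Path:?\s*'([^']+)'", re.M),
    "pid": re.compile(r"^\s*PID:?\s*'(\d+)'", re.M),
    "parent_pid": re.compile(r"^\s*Parent PID:?\s*'(\d+)'", re.M),
}


def parse_alert(text: str) -> ProcessEvent:
    """Build a ProcessEvent from alert text; the alert carries no command line."""
    found = {}
    for key, pat in _ALERT_FIELDS.items():
        m = pat.search(text)
        if not m:
            raise ValueError(f"alert is missing field {key!r}")
        found[key] = m.group(1)
    return ProcessEvent(path=found["path"], parent_path=found["parent_path"],
                        pid=int(found["pid"]), parent_pid=int(found["parent_pid"]))


def verdict(ev: ProcessEvent, exempt_parents: FrozenSet[str] = EXEMPT_PARENTS) -> str:
    """Return 'allow...' or 'block:<reason>' for one process-creation event."""
    name = ev.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in WATCHED_BINARIES:
        return "allow"
    # Destructive arguments are blocked even from an exempt parent: an attacker
    # who injects into a trusted process inherits its parent-path exemption.
    if any(p.search(ev.cmdline) for p in SUSPICIOUS_ARGS):
        return "block:suspicious-args"
    if ev.parent_path.lower() in exempt_parents:
        return "allow:exempt-parent"
    return "block:unknown-parent"


# Constructed alert text in the shape Baldrick quoted (no Alert DTG, no hash).
MACRIUM_ALERT = """\
Alert Type: Process Blocked
Alert Level: Malicious
Path 'c:\\windows\\system32\\bcdedit.exe'
PID: '8492'
Parent Path: 'c:\\program files\\macrium\\reflect\\reflectbin.exe'
Parent PID: '8916'
"""

# Constructed process-creation events from a source that does record command lines.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe", r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
                 "bcdedit.exe /set {default} recoveryenabled No"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe", r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
                 "bcdedit.exe /enum"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]


def evaluate_all() -> dict:
    """Verdicts for the quoted alert (with and without the exemption) and the samples."""
    alert_ev = parse_alert(MACRIUM_ALERT)
    results = {
        "macrium_no_exemption": verdict(alert_ev, frozenset()),
        "macrium_exempted": verdict(alert_ev),
    }
    for ev in SAMPLE_EVENTS:
        results[ev.cmdline] = verdict(ev)
    return results


if __name__ == "__main__":
    for key, value in evaluate_all().items():
        print(f"{value:<24} {key}")
```

    Two design points worth noting. First, the Macrium launch is blocked until its parent path is on the list and allowed afterwards, which is why exempting the Macrium folder (rather than bcdedit.exe itself) is the right shape of fix: exempting bcdedit.exe globally would also exempt the ransomware usage. Second, a parent-path exemption is only as trustworthy as that parent process; code injected into an exempted process inherits the exemption, so the destructive-argument check stays in force for everyone.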
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I don't have @Baldrick's issue as I have done several restores from the Macrium boot menu with RansomOff installed.

    But I have had issues with scheduled backups (Macrium, Acronis) not running, since v5.2017.198.4233 RC1 (I think). Strangely full backups generally seemed to work, but not differential or incremental. Maybe that could be due to additional protections introduced in this version (vssadmin?, no alerts but maybe something additional needing to be exempted in folder protection), as I did not have that previously. Plus some other problems (like unable to run some programs, Windows message 'would not complete, please retry' or something like that). And the odd undecipherable BSOD.

    I uninstalled RO yesterday on @HeiDef's suggestion, and all scheduled backups ran fine last night. Too early to tell if my other 'funnies' have gone too.

    Btw I have been a reasonably active tester of RO on my secondary machine since the end of April, but have been communicating with @HeiDef via PMs (10 pages now :) ). In retrospect, I regret not having had the conversation here, for our mutual benefit on this thread. But I have other beta software installed (e.g. DeepArmor, so cannot always be sure issues are due to RO).

    I otherwise like RO, and will continue to test and support their efforts. It obviously takes time to 'tune' it, also it has to 'dig deep' and there is the near impossible task of making it compatible with the innumerable softs and combinations out there. :eek:
     
    Last edited: Jul 25, 2017
  18. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi Dave

    Many thanks for the detailed response. Glad to see that RansomOff is being tuned to take into account such vectors...and I certainly would not want to do anything that reduces the efficacy of RansomOff's protection capabilities. Is there therefore not a means by which Macrium can be exempted? I did try that and am wondering if I just did not exempt the right bits or all the bits required. Is there any mileage there?

    Happy to try out the latest build...as always...and will certainly look to do that ASAP after installing it. :)

    Many thanks once again for the fast response and great support. :thumb:

    Regards, Baldrick
     
  19. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi paulderdash

    I am intrigued when you say "I have done several restores from the Macrium boot menu with RansomOff installed", as I am not quite sure what you are referring to. If I might digress somewhat, I usually initiate the restore process from within Macrium, which should then set up the requirements and then reboot automatically into the Macrium Recovery environment, and proceed to undertake the restore. What happens is that prior to getting to the point where Macrium reboots, it flashes up a message saying that the Rescue CD version of the Recovery environment must be used...effectively indicating that the one on disk has gone walkabout...or been abducted...:eek:

    So, if you have done the above and not suffered the same result as me would you be able to advise as to how you have configured RansomOff in relation to Macrium?

    Many thanks in anticipation of any pointers you are able to provide.

    Regards, Baldrick
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Hi Baldrick

    I have done restores in the same manner as you describe, but generally I do it this way: I (re)start the machine and when it gets to the (Macrium) boot screen, I select the Macrium environment, then select the image I want to restore. That has been working fine. I am not sure if I have done a restore as you describe recently, while using RO, and if that message occurred for me, in that case.

    Apologies if I misunderstood your exact problem.

    I currently don't have RO installed, as I had a number of issues, described above, else I would test it now.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @HeiDef An update: my scheduled (Macrium) differential and (Acronis) incremental backups again did not run last night with RO uninstalled (unlike the previous night), so that issue is not due to RO.
    Same for the sporadic issue where I get 'The operation could not be completed. A retry should be performed', which also occurs in Task Scheduler for the Macrium differential backup task with a code 0x800704D5. Hope it's not a Windows corruption.
    So I will have to dig deeper, and apologies if I mistakenly cast aspersions on RO!

    No more BSODs (yet) though.
     
    Last edited: Jul 26, 2017
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If RO has any credential protection, that probably is the problem. It's locking the SAM file, which stores all the credentials, and that causes several imaging programs to fail if you run them in Windows.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Could be, but currently RO is uninstalled and I am still experiencing the issue. Unless the SAM file is now corrupted ...
    In the meanwhile am trying sfc, chkdsk, etc.
    If all else fails I will image restore to before I think this started.
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks for the update @paulderdash. While it's unfortunate that something else is going on with your system, it's good to know that RO isn't the root cause in this case.

    RO doesn't touch actual files, especially system files, but you may want to give "sfc /scannow" a go to see if any of your system components have been corrupted somehow.
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RO doesn't have any credential specific protection.
     