RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    One more message till 20000.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :D
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    When I get time I will check to see if the service is starting. It took quite a long time for it to connect to the service the first time I rebooted to finalize the installation; not nearly as long the other 2 reboots.

    Well, maybe I will see Memory Sentry used in a Corporate, Educational, and/or Government environment some day. Best of wishes!
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Come on Dave. You might can release Memory Sentry in some limited form? and give us always hungry techies a taste of that power defense potential as well? :D

    Just joking but you likely already know what highly attractive attention that would mean to drop that beauty onto even a lite distribution share for us.

    I bet it is rock solid addition that is more than well worth it's market setting/cost your team is set for it. All the best and thanks for wetting our appetite with it. R0 is clearly already shown to been one of the most comprehensive anti-ransomware programs ever to come forward and if it's any indication of the potential that Memory Sentry sports, i'm sure it's a well guarded and looked after product addition you guys are pleased with so for. :thumb:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I had an ouch moment today. If my system is up and running then everything is fine, But if you need to reboot a lot it's bad. Typically the system would come half way up and halt. I would let it sit as much as 10 minutes and nothing. I'd get the menu open and turn on the HIPS and finally the pop ups would fire off, and as I allowed stuff the system would come up. But the thing is once they are allowed the should stop the system again and they are. That is a flaw. Finally I went to uninstall but you have to shut down RO, and it took some serious hunting to figure out where that was.

    A shame.

    Dave, I'll do anything I can to help you with this including a remote to my system if it would help.

    Pete
     
  6. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    628
    Location:
    Terre Haute, IN
    Does anyone else experience difficulty with the RansomOff icon disappearing? After initially requiring assistance in finding the icon, I noticed when rebooting it disappeared. Seemed to appear fine for two or three days, upon initial startup, until yesterday when it didn't appear when I I turned the system on. So this morning when it failed to appear when I turned the system on I properly uninstalled the program, downloaded version 1.2018.3.22, and installed it. Once installed I clicked on the icon and it responded indicating it was connecting. After waiting quite a while for it to do something and it didn't I was able to exit the program. Any suggestions or recommendations? Most likely it is just me but it is very aggravating. I am beginning to believe this program is not for me. I haven't attempted to click on the icon again as I am afraid it will again freeze attempting to complete the connection. As always I would appreciate all replies and would thank you in advance.

    John
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Seems to be the same issue that Paul is having. I think RO is closing/crashing and the icon disappearing and the stuck "connecting" window is just an artifact of that. Will you just check your task manager the next time it disappears or gets stuck at "connecting" to see if the service "HDRansomOffSvc.exe" and agent "HDROAgent.exe" are both still running? And if you are able to, disable self-protection (under the Options window). That way, next time it has issues an entry in the Event Log and/or a dump should be created. Hopefully one of those will help point to what's going on.
     
  8. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    628
    Location:
    Terre Haute, IN
    HeiDef, I am so sorry but I just don't have the expertise or self-confidence to do what is necessary to pursue this further. So for now I am going to delete the program. Again, I wish I could be of help.
     
  9. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    No worries. I'd be more than happy to walk you through the steps if you'd like to learn a few things. But otherwise, hopefully we can figure out this issue and get a fix out.
     
  10. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We just released v5.2018.301.6900. The primary change has to do with support for non-English path and file names. Before, the folder protections would only work with English characters but now should work with international characters as well.
     
  11. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    My small feedback.

    Interface needs work , seems quite confusing and non intuitive.I like the HIPS feature.
    Sometimes it doesnt seem to load under Windows 7 ,randomly .Maybe there is some conflict with Kaspersky Free in spite of setting exclusions in both or maybe conflicts with Jetico 2 that i am using along.I am also using Sandboxie.
    The loading takes to much , to see the Alerts it requires some minutes after boot , i am using a FX 6300 based machine so CPU power or memory bandwidth is not an issue.

    Uninstallation is harder under Windows 7 than in Windows 10.
    In Windows 10 if i disable the ransom protection form the interface and close the process via Task Manager i am able to uninstall.
    In Windows 7 to uninstall , it needs for the self protection to be disabled and the service itself to be disabled.
    So make it uninstall easily , if the user intends to do so and harder for 3-rd parties to disable it.

    It seems to be catching the hidden driver of BattleEye anticheat :)
     
  12. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations/ Greetings!

    https://www.youtube.com/watch?v=mtLkdEUr7eA

    Opinions and your thoughts... Or suggestions....
    Look like a little tuning needed at the very end...
     
  13. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks for the feedback. Boot time is a known problem for some systems but we'll take a look at the uninstall issues you mentioned.
     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We'll have to figure out what the issue is and, like you said, do some tuning. On a related note, the author of that video decided to email us saying how RO is a terrible product because it didn't stop 100% of the threats that were tested. Can't please everyone I guess.
     
  15. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    512
    Location:
    Bulgaria
    RansomOff did incredible job. It failed on the the last sample (Cainxpii ransomware - aka Hitler 2) which don't encrypt files but delete them instead and mess with the system settings. As for the programs being blank he could fix the issues this way => youtube.com/watch?v=7aAF3L6vqOc

    ReyEye also have similar behavior (create zero-byte files named as the original files and delete the original files). Maybe you can add some rules to prevent this from happening.

    But in my opinion RansomOff did a good job.
     
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks. We'll definitely get a sample of those and see what tweaks need to be made.
     
  17. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Greetings/Salutations:geek:
    Post # 1065.

    Love your RansomOff!!!!

    You always listen and make chances that are needed
    .:thumb:
    Let us know after you all the get fine tuning/tweaks out of the way.
    Looking forward to the update/release. Do you have a time period
    the update/release, ect...?;)


    Kind regards,

    Moose
     
  18. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    512
    Location:
    Bulgaria
    Btw I meant RedEye (not ReyEye). :)

    More info about RedEye here:

    bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html

    Appcheck failed there as well because RedEye method is not regarded as encryption and not monitored => youtube.com/watch?v=hp5rXUhfbt0
     
  19. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks Moose.

    We have a few other things to fix as well. But hopefully by the end of the month we should have an update out.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
  21. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    @HeiDef
    Thanks for keep improving RansomOff.

    I would like to report a strange incident which is bothering me. I currently run MBAM Pro, VoodooShield Pro, MCShield and RansomOff alongside in my Windows 10 Pro 64 bit PC. I installed the latest build of RansomOff (RansomOff.5.2018.339.6492.x64.exe) on the 9th of this month.

    I have Windows Subsystem for Linux (Ubuntu) installed in my PC for some coding.

    I ran the 'ls' command in one folder and some ghost files show up! I dug deep in Windows settings to find any hidden files in that folder and unable to find any. In fact even a newly created folder contains such ghost files, of different names.

    2018-12-11_133325.jpg

    I suspected malware infection and ran scans with Malwarebytes and a few portable scanners like Emsisoft, Avira and ESET, but none reported any detections.

    I then thought that these could be caused by the complex products like RansomOff or VoodooShield, so I shut off both from tray and checked again. Bingo! This time 'ls' report didn't show those ghost files. I then turned on only VoodooShield and again no trace of ghost files! I rebooted my PC and checked again. Ghost files show off and when I turned off RansomOff, they again vanished!
    2018-12-11_133650.jpg
    What is going on? Is this a conflict of sorts or intentional by RansomOff ?
    (I have excluded the folders of each in each others settings.)

    I seriously liking the new RansomOff and would hate to remove it again for such thing. But my coding will get affected if I don't!
     
    Last edited: Dec 11, 2018
  22. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Some error with latest version :

    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
    Event ID 0

    Failed to process session change. System.NullReferenceException: Object reference not set to an instance of an object.
    at HDRansomOffSvc.Main.OnSessionChange(SessionChangeDescription cd)
    at System.ServiceProcess.ServiceBase.DeferredSessionChange(Int32 eventType, Int32 sessionId)
    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    But:

    Aplication reports says : Service started successfully.

    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    I ve had a strange interesting situation some weeks ago with the previous version (301.6900) , version that i ve reported about here.

    After uninstalling it , some days after , something strange happened in the Firefox browser (not related to the software itself of course), in spite of using no script and such.Have no ideea what site i might have opened , I didn t saw it coming anyway. :)
    Suddenly Google reported that my browser had botlike behaviour and stooped allowing me to do anything.
    After restarting connection , browser and such i have discovered that my keyboard would not output any character.
    It was working in another PC , other keyboard tested was also not working.The mouse was perfectly fine.
    The system itself was a dual boot , with W7 on both.

    Seeing that the keyboard was useless , keep in mind the mouse was perfectly fine , i ve switched to the back-up W7 and guess what , same problem even though it worked previously.Safe Mode as well , no keyboard working , even though the keyboard had the nice looking red led-ed look , so not power related.
    The system had Jetico 2 that reported some userini.exe activity as rejected at the time of the issue.VoodooShield free with ON setting , Sandboxie and KeyScrambler free were installed.

    I have decided to reinstall Ransomoff on the suspect Windows system to see what happens and suddenly the keyboard started working again o_O!!! Wow! Really looks like something went thru , from the sandboxed browser and infected maybe the MBR on the fly , some fileless thing ? And Ransomoff reinstall restored the protection from some registry leftovers , from the previous installations ? :)

    I would say this software gets the job done , but still needs some tweaking , bug fixing and compatibility work.

    Last version is very similar to the 301.6900 as desktop behaviour.On one install it gets along with the security software and on another, with the same security , it takes minutes to load :)
    Both have the error logged as posted.Windows 7 is brand new now.
     
  23. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Those are from RO. We haven't tested RO against the Linux sub-system yet but I'm honestly surprised effects are showing up. For now, the best thing to do is add the Bash shell to the exemptions list. That should prevent RO from showing the files. We'll have to start testing with WSL. Thanks for pointing this out!
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Not sure what RO may have done but glad it worked out for you. And thanks for posting the error. We'll look into it and hopefully get it fixed.
     
  25. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Hi,
    Thanks for your reply.

    Exemption of the bash file, as well as the entire 'CanonicalGroupLimited.UbuntuonWindows' package folder does not help in this case. Hopefully a solution will come out when you start testing WSL.

    Interested to know what those ghost files are for! :eek:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.