RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    It's a false alert. The .exe is Microsoft signed and is exactly the same as on my other PC.
    So I allow it to run...
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That does make sense, but if it's easy to block process hollowing, then why not? HMPA also offers this feature, which in theory should stop certain ransomware at an early stage, with no need to wait until they start with the encryption part.

    OK I see, so basically it doesn't matter which process is doing the encrypting; as long as they act abnormally, RO will spot it. The reason why I mentioned this is because I assumed that by not "auto-trusting" explorer and svchost, it might give false positives. But apparently RO is smart enough. BTW, I do wonder whether there will always be some files that might get encrypted, as is the case with RansomFree?
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Right. As long as you do not delete the uninstaller, then that is the removal tool.

    To @Circuit's point, if you want all traces such as logs and temp files gone, then a backup image is really the only way in most cases. However, if you just don't want it to run anymore and are OK with residual files that don't do anything, then the regular uninstall process is best.

    The worst thing you can do though is manually delete files, especially drivers, as that can cause system instability.
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    It appears that way but without knowing a bunch of other details, it's difficult to say. The fact that a file is signed is not the only indicator we use to determine maliciousness and as others have mentioned with process hollowing, it doesn't really matter what the executable image is.

    Can you display the process tree of that explorer instance? Do you have any third-party extensions loaded? Were you performing file operations when it occurred or did it just happen? RO has a pretty low FP rate and we've never gotten one for explorer ourselves so we are interested to know some more details.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    Is it safe to assume that RO is now compatible with Kaspersky Internet Security, or are there still some issues that need to be ironed out?
     
  6. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Agreed, don't know how many times I had to re-format, testing software, until I got a third-party backup.
    MS restore is useless.
     
  7. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    I removed explorer.exe from the Exempted Software and will see what I can collect next time it pops up again.
    BTW, what do you mean by third-party extensions loaded?
     
  8. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We tested the two together for a while and no issues came up. However, our test machines probably aren't put to the same use as regular users so it's hard to know fully how things will react over a longer period.

    RansomOff does create a system restore point before installing so if you do find any compatibility issues then as long as you can boot to safe mode, you can restore back to before RO was installed.
     
  9. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Explorer can be extended just like a browser with different capabilities. They are called shell extensions. They are mostly visible when you right click on a file and you get new menu options. But they can do much more than that and integrate deeper into explorer depending on what the capability is. And because they are just DLLs loaded by explorer, any activity they do may be attributed back to explorer itself.
     
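    The point above (shell extensions are DLLs running inside explorer.exe, so their file activity looks like Explorer's) suggests a practical check when RO flags explorer: list which loaded modules are not Microsoft-signed. The script below is an added example, not RansomOff's code or anything posted in the thread; it uses only built-in cmdlets and must be run in an elevated PowerShell session to read the module list of another user's explorer.exe.

    ```powershell
    # Added example: enumerate DLLs loaded into every explorer.exe instance and
    # report the ones that are not validly signed by Microsoft. Third-party shell
    # extensions (Classic Shell, archivers, cloud-sync clients, ...) show up here,
    # which is what to look at when an anti-ransomware tool attributes unexpected
    # file activity to "explorer".
    function Get-NonMicrosoftExplorerModules {
        [CmdletBinding()]
        param()

        $seen = @{}
        foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
            # Reading .Modules can throw (access denied / architecture mismatch);
            # treat that instance as having no readable modules rather than abort.
            $modules = try { $proc.Modules } catch { @() }

            foreach ($m in $modules) {
                $path = $m.FileName
                if (-not $path -or $seen.ContainsKey($path)) { continue }
                $seen[$path] = $true

                $sig    = Get-AuthenticodeSignature -FilePath $path
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

                # Explorer's own components are validly Microsoft-signed; skip them
                # and keep everything else (unsigned, invalid, or other vendors).
                if ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*') { continue }

                [PSCustomObject]@{
                    ProcessId = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $path
                    SigStatus = $sig.Status
                    Signer    = $signer
                }
            }
        }
    }

    # Usage: an empty table means only Microsoft-signed code is loaded in Explorer.
    Get-NonMicrosoftExplorerModules | Sort-Object Path | Format-Table -AutoSize
    ```

    Extensions that live in a separate process (for example a 64-bit shell hosted via a surrogate) will not appear, so an empty result narrows the search but does not rule out a third-party handler.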
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    Thanks, @HeiDef. I will give RO a try later this month. I'll report back if any issues/incompatibilities crop up.
     
  11. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    Ahh, got it. I do have Classic Shell installed, and one of its options is: Toolbar and status bar for Windows Explorer.
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    Interesting. I also use Classic Shell, so it's probably a good idea to add it to the list of RO exceptions.
     
  13. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Just stopping back and reading the different posts. What backup software do you individuals suggest that you can use with Windows 10 Creators? That you can use if the PC will not boot? Or to make a backup image? And can it work in safe mode? Just a couple of suggestions, because I would not like to get onto another topic! Thanks, everyone!


    Kind Regards,

    Moose
     
    Last edited: May 21, 2017
  14. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    I think it is a DLL that Classic Shell uses ....
     
  15. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    Found a strange phenomenon: I'm testing Macrium Reflect and have enabled the Duplicate option to be used in VBS. With this option enabled, Macrium Reflect invokes RoboCopy after completion of the backup to copy the backup file to my NAS server. If I do not add RoboCopy to the Exempted Software list, RoboCopy is invoked and immediately starts using 100% of the CPU, but nothing is copied. I discovered this as my CPU (2 cores/4 threads) was spiking to 100%, used by 4 x RoboCopy, and none of the backup files of the previous Macrium runs were copied from my 2nd HDD to my Synology NAS server.
    I've resolved it by adding RoboCopy to the Exempted Software but I wonder if other Macrium users, who also use the Duplicate option (VBScript), have seen the same problem.
     
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    You're really doing some good testing!

    So RansomOff applies the highest level of protection to scripts and just by reading your description it's pretty clear that RoboCopy is getting tied up in RO's web. Glad that exempting RoboCopy was enough but in case it isn't, you can also exempt specific scripts if you know what is being invoked.

    We've played with Macrium a bit (seems to be pretty popular with Wilders and MT members), but we'll do some more and try out this RoboCopy feature.
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We just posted version 5.2017.142.4703.

    This fixes a number of issues reported on this board as well as fixing the Xdata issue identified by @cruelsister and @EvjlsRain over on MT (always remember to initialize your variables!). We made some improvements to the App Lockdown, so hopefully it resolves the problems reported by @cloggy49.

    The one thing we did not fix this release was the error message that both @cloggy49 and @EASTER mentioned when browsing for files through the exemption form. We are able to recreate it and have a fix but do not understand the root cause yet so we don't want to push the fix until we know the underlying reason in case the fix causes any other problems.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good move to let the newest improvements run course first.

    The issue @cloggy49 and I experience still allows exceptions to be applied, but requires reaching them from a different level.
     
  19. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    Just updated to the new version and saw that the Exempted Software - Exemptions list is empty so the previous list was not carried over after the update.

    Did some testing with App Lockdown (you added even more functionality) and first impression is that it is now working OK but I'll do some further testing later today (for now I'm going to enjoy the beautiful summer weather.....:))
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    It's a bit like Secure Folders, but with the ability to allow processes per folder. Pumpernickel / FIDES may allow more granular control, but has no UI (not that it's difficult to master).
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @HeiDef On restart after update of this version I get BSOD 'Page fault in nonpaged area', faulting driver is HDRansomOffDrv.sys.

    Restarting again or shutting down, no difference.

    I can't get to the minidump info before it BSODs.

    I am restoring last night's image now and will probably have to uninstall RO unless I can solve this. Or should I try and download and install over the top?

    I kinda hope I am not the only one having this problem :).

    Edit: If I uninstall will I lose my settings? It may be an idea to allow for manual control of updates i.e. switch off auto-update?

    Edit 2: I uninstalled RO after restoring an image, and BSOD is gone. Incidentally, the uninstall took a very long time. Maybe it's just my machine, but be prepared to be patient when uninstalling.
     
    Last edited: May 22, 2017
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Confirmed the same from testing App Lockdown. Excellent addition! And yet another Game Changer.

    Been up all night throwing the kitchen sink at this.

    @HeiDef - Some innovative technology and just plain good thought has gone into this, because it certainly contains some uniqueness behind the scenes.

    Initially, just to be safe, the plan was to run this version with SD, but at the last minute (and based on the past runs) I decided against it, so I took my chances.

    NOTE: Had to turn off App Lockdown to test after a couple of runs. It's STRONG too!

    There's a backup image available if need be, but RansomOff exceeded expectations (once again), plus I discovered something which I thought was a miss last time. Cerber Shell Locker on my Windows 10 knocks out the background every time, leaving only the RansomOff alert box to press DENY, right? You may remember my mention from an earlier test of a simple explorer restart to regain the desktop/icons/files, however the shell locker leaves a flood of scrambled junk files (again) on the desktop, either created or copied, because all valid files are accounted for.

    Last time I was much too quick to reboot after seeing that mess, but this time what I noticed is that if you wait a few moments, RansomOff goes to work and sweeps up those junk files too and Presto! all gone.

    This was another very impressive display against an even more aggressive collection deployed this time with quite excellent results so far.

    Good night, everyone. Was a very busy and productive extended period of pushing the envelope, with RansomOff taking care of business.
     

    Last edited: May 22, 2017
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting stuff. I've had the BSOD problem from day one and still do. This is in a VM, but it has all my security software on board. I've attempted getting the minidump. Might try in safe mode.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Hi Guys- just wanted to show appreciation to a Developer who works through the weekend to take care of arcane issues presented by Geeks Like Us.

    It is rare and should be coveted.
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We played with the Shell Locker sample you sent our way. While RO stops the encryption, it does succeed in hiding the taskbar (although the start menu button is still visible). Simple fix is to just kill explorer from the task manager and restart it. But as you noticed, it can take a few seconds to clean up everything depending on how much the ransomware dropped.

    Either way, glad RO is still meeting your expectations.
     