RansomOff 4

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    We just released version 5.2017.139.8295. The installer is ready to download and we'll get the auto-update packages posted shortly.

    In this release we added a new feature: app lockdown. Essentially it adds an anti-exe capability to RansomOff so you can control what runs. You can read about it on the documentation page (https://www.ransomoff.com/docs.php). Additionally, there are lots of bug fixes and feature updates based on the feedback from this forum and others. So thank you.

    This update took a bit longer to release than planned only because we wanted to make sure we test against other security solutions and fix any issues we find with compatibility. It took a while, but it appears that RansomOff and KIS now can co-exist together without issues. We also played with MBRFilter for a while and found no negative interactions there. But again, as a word of caution, we still consider this beta (but hopefully not much longer). Enjoy!
     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,573
    Changelog:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,498
    Location:
    The Netherlands
    What the hell, so now it even has an anti-exe ability, you guys are quite quick to develop stuff, very impressive! But I do wonder, don't you think it will become packed with too many features? Perhaps the focus should be only to block ransomware via behavior blocking. To clarify, I'm not being negative, but it's just a thought. About the documentation, I often open images in new tabs, but currently this isn't possible, can this be changed? Not a big deal though.
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    We're done adding new features now ;)

    The way we see it is that folder protection and anti-exe are additional defensive layers against ransomware (and regular malware as well), so we wanted to have these all integrated into one solution so the option is there to increase protection as desired. It wasn't a spur-of-the-moment decision to add it either. We do have a plan. But we are sensitive about the bloatware perception. However, even with the few new things we have added, our memory footprint is still pretty low even for a .NET executable, and the features are tied together in a way that makes sense for an anti-ransomware solution.

    We'll see what we can do about the images on the documentation page.
     
  5. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    82
    Location:
    The Netherlands
    Hi,

    How often or when does RansomOff check if a new version is available? I saw that you had released a new version but even after a reboot, the system kept running the 'old' version.
     
  6. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    We haven't uploaded the packages yet. Still working on putting those together. Should be soon.

    But RansomOff checks at start up and then about every hour for a new version.
     
  7. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    82
    Location:
    The Netherlands
    Ah, that explains why it did not find the new version yet.

    Thanks for the extremely quick response...:)
     
  8. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    500
    Location:
    Croatia
    I like this "Show/Hide Read"
    1.jpg

    App Lockdown doesn't remember settings...
    Set to "all unsigned processes" and click OK, then again open settings and it shows "All processes" o_O

    2.jpg 3.jpg
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,498
    Location:
    The Netherlands
    OK I see, this does indeed make sense. Perhaps it's a better idea to alert only about common processes that ransomware often uses to delete Win Restore files and to perform process hollowing. Does RO have the ability to spot process hollowing out of the box?
     
  11. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Just posted the update packages so if you restart RansomOff or just wait a little, it should update and then notify that a restart is required.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    The underlying question is will it be enough? Possibly, but in the security world you can never say never.

    However with the new anti-exe addition I must agree that particular extra layer should prove invaluable.

    For example while testing a certain Hades Locker ransomware last night it somehow managed to stick in the running processes on me.

    Also, can you provide where to send Heilig Defense some samples? :cool:
     
  13. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    500
    Location:
    Croatia
    An option to whitelist all running processes would be good, or maybe to add a folder to the whitelist (for Lockdown) - similar to NVT ERP.
     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    It doesn't look for process hollowing directly, but for example, it understands the difference between explorer.exe running during normal bootup and a malicious process attempting to use it to cover its tracks. But also, ransomware activity is very distinct from most other file activity, so the process that is finally used to perform the encryption doesn't matter much because it's ultimately the behaviors that RO is looking at.
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    The App Lockdown is tied in with the main exemption list (along with its own sub-list), but currently doesn't let you add folders, just individual processes. We'll add that to our to-do list as well.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    Bring it on. :)

    You guys are wasting no time ramping things up another notch.
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    The easiest would probably be to post hashes so we can just go pull them from our various sources. We will PM you with an address though.
     
  18. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    82
    Location:
    The Netherlands
    Hi, I activated App Lockdown but disabled it after about 15 minutes as it made my system very unresponsive. Sometimes it took >5-10 seconds to open an application, while with App Lockdown disabled, applications open instantaneously.
    Note that it doesn't matter what option I selected for App Lockdown, as after re-opening that window, "All Processes" is selected, as already reported by Djigi.
     
    Last edited: May 19, 2017
  19. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Thanks. We'll look into the sluggishness.

    As for the options display, the option you select does get set internally, so if you select "All unsigned processes," it will only notify on unsigned processes. But as you and Djigi noticed, once you reopen the window it does show it reset back to the "All processes" option. It was a quick fix and the next update will resolve it.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    Is the revised corrected package on site now?
     
  21. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    The update packages for 5.2017.139.8295 are online so you should eventually be auto-updated.
     
  22. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    82
    Location:
    The Netherlands
    Hi, it's even worse. After disabling App Lockdown, I even have to terminate RO in order to make the system responsive again. Once terminated, a number of windows started to pop up that were selected while the App Lockdown option was active but never became active.
     
  23. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    507
    Location:
    U.S. Citizen
    Just installed so far, so good! Not playing with the App Lockdown. Leaving it alone for now!
    Making sure that everything else is working normally.
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Sorry about that.

    Can you tell us what OS and architecture you are running along with any other security software? We never experienced that in our testing so we want to try to recreate your environment to see what's going on.
     
  25. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    160
    Me too....not enabling App Lockdown yet...but so far running great with EIS, VS Pro, and HMP.Alert. No slowdowns.