RansomOff 4

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,493
    My environment includes Macrium, SD and VirtualBox. Was going to tell you that the version of Windows I installed in VB was Corporate and not Home like I mentioned before, and I deleted the first VM, then added the same Corporate VM back and it gives 90 more days of use.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,498
    Location:
    The Netherlands
    Thanks, I already suspected this was possible, but I've read so many articles that I didn't know what to think anymore LOL. But it seems like you don't even need DoublePulsar, or perhaps I'm completely misunderstanding.

    But either way, it's clear that this malicious thread inside lsass.exe is apparently capable of running the ransomware payload completely in memory, without ever dropping it to disk. No wonder that a lot of advanced tools will fail to protect, but it's clear they need to step up their game. Would be cool if RO could tackle it though.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,455
    Location:
    U.S.A. (South)
    Cool :)

    Have fun also seeing which of those set a higher order on jumping up "first" to intercept via alert and such.

    I'm still pleasantly amazed how quickly Ransom0ff jumped up at a couple of safe apps that I know to be 100% innocent, but which the Virlock execution had penetrated and recoded to call out like it did. Very clever try, but the Ransom0ff ALERT prompt clearly made that extinct.

    Extraordinary! So my thanks, boredog, for making mention of that baddie.
     
  4. madirish

    madirish Registered Member

    Joined:
    Oct 14, 2006
    Posts:
    3
    Location:
    USA
    Just wanted to say thanks for RansomOff, and to all the devs for all their hard work! Running VS (Pro), Malwarebytes 3.1.2 (lifetime premium), WinDefender and the current beta of RansomOff; no problems or conflicts. Job well done, folks!!
     
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Great to hear! Thanks.
     
  6. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    573
    Location:
    Phoenix, AZ
    Installed this app yesterday to try it out. Upon completion of installation it asked to add all installed security programs to its exempt files. But after reboot one or more Avast shields failed to activate, the MBAE service failed to load, and System Explorer took forever to load. I rebooted again, with the same result, along with another issue of not having network access. After removing the app, the system returned to normal.
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Thanks for the report. Did you reciprocate with the multiple AVs on your system to exempt RansomOff? It is a two-way street when dealing with security software.

    We've tested with Avast in the past and had issues with it. Haven't tested with more recent RO versions but will test out again to see if it's still causing issues.
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,197
    Location:
    The Netherlands
    I don't run Avast, but FWIW I have no issue with RO and System Explorer, or (only) Exploit Protection ticked as part of MB3 (as opposed to MBAE standalone), which runs a single Malwarebytes service.
     
  9. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    I'm having a problem running MS Office 365 apps when RO is installed. I get a pop-up from Office saying the program was unable to start. No pop-up from RO. I uninstalled RO and Office worked fine. Reinstalled RO and got the same error. I'm running the latest beta of RO, 5.2017.156.2734, on Windows 10 Home 64-bit. Anyone else seeing this?

    Edit: Forgot to say Office 365 is the click to run version.
     
    Last edited: Jun 11, 2017
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,455
    Location:
    U.S.A. (South)
    FWIW I get something somewhat similar depending on exactly what desktop program I happen to be using at the time.

    I do a lot of desktop portables and some of those don't/won't open up (undoubtedly the on-top window setting by default, and also connected with AppData/Temp as usual), so my guess (and that's all it is) is that Ransom0ff is protecting against this on some of them.

    I often do get an alert on windows taking focus (that's an easy switch 0ff).

    But when a window doesn't come up for me, I simply uncheck ransomware protection from Ransom0ff's context menu, which also incidentally disables Folder Protection, and the program(s) open normally again.
     
  11. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    507
    Location:
    U.S. Citizen
    Greetings/Salutations,

    Just wondering if you test RO with F-Secure Safe? And give feedback?


    Kind Regards,
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,455
    Location:
    U.S.A. (South)
    My bad. Duh. Been too busy hammering with ransomware lately to use what's included that lets those certain programs open.

    REMEDY: Simply add the file or folder to Ransom0ff's EXEMPTIONS.

    I need a rewire myself sometimes.
     
  13. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    We've never had issues with Office in our testing. We've never tested with Click To Run but that shouldn't make a difference.

    Can you copy the exact error message that Office gives you? That might help us understand what might be going on.
     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    As EASTER mentioned, folder protection relies on the ransomware protection to be enabled. If you turn off ransomware protection, it turns off folder protection. But turning off folder protection does not turn off ransomware protection.

    Also, portable type apps are more difficult to judge as EASTER also mentioned. They exhibit characteristics of malware and you can't just rely on digital signatures because, while rare, there are malware samples that have a valid signature. So RO is more likely to apply a bit more protection to these programs which could cause compatibility issues. It's something we are constantly working on to make better.
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    We never have tested with F-Secure. Are you currently using F-Secure or just curious?
     
  16. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    I did try adding Office folder to exemptions, didn't work. It's kind of pointless to have ransom protection if you have to turn it off to be able to run common office apps.
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    You probably already uninstalled RO but if not, if you could do us a favor it'd help out immensely.

    First disable all your other security software (based on your signature AppGuard, Comodo and Zemana) but keep RO enabled. Then run Office. If it doesn't work then that's an issue. If it does, then start enabling the other solutions one at a time trying Office between each enable. If something fails after you re-enable another solution then there is a compatibility issue between RO and that solution. Because by themselves, RO and Office get along fine.
     
  18. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Ok, I did further testing. I uninstalled all my other security apps (AppGuard, Comodo and Zemana); Office apps were still not starting. I installed the previous beta of RO (5.2017.144.10111) and Office loaded fine, even with all the other security apps. So it looks like a change made in the latest beta is causing the problem. Hope this helps.
     
  19. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Definitely does. Thanks!
     
  20. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    507
    Location:
    U.S. Citizen
    Moose World said:
    Greetings/Salutations,

    Just wondering if you test RO with F-Secure Safe? And give feedback?

    Kind Regards,

    HeiDef said:
    We never have tested with F-Secure. Are you currently using F-Secure or just curious?


    Yes! I am using F-Secure Safe! And I removed Zemana AntiMalware!!!

    Also, I am pretty sure that I removed EldoS CallbackFilter, which was causing major headaches with RO. Anybody else have any suggestions for removal of EldoS? I used FreeFixer to delete 3 entries.

    I will try to reinstall RO very shortly, after you test F-Secure Safe!!!! :geek: Along with Eassos System Restore, if you would be so kind!

     
    Last edited: Jun 12, 2017
  21. DreamsandVisions

    DreamsandVisions Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    28
    Location:
    Germany
    Last edited by a moderator: Jun 14, 2017
  22. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
  23. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Hey Dreams,

    The first image is with the top-most window detection turned on. As you can see RO alerts that a window is blocking the screen and gives you options to terminate, unblock or minimize.

    After turning top-most detection off, the ransomware crashed shortly after showing the message but didn't touch any files yet. This was on a Win10 x64 VM.

    Attached images: Windows 10 x64-2017-06-14-16-44-37.png, Windows 10 x64-2017-06-14-16-47-04.png
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    501
    Location:
    Croatia
    This is very nice, only this pop-up message is not very clear to me :oops:.
    Will this "Unblock" stop the ransomware window or the RansomOff window (same for "Minimize")?
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    219
    Location:
    Philadelphia
    Unblock simply makes the window not top-most anymore, which means you'll be able to access the desktop or other programs. One caveat to this is that some ransomware sets the top-most flag in a loop, so even if it gets unset it will quickly get reset. The minimize button simply minimizes the window to the taskbar so you can, again, access the desktop or other windows. Like the top-most flag, ransomware can also constantly set the maximized flag, which would negate the minimization. In cases of ransomware, terminating is obviously the solution. At the point you see the popup, the process is suspended, so no encryption is occurring.
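As an added example of the top-most detection and the "Unblock" caveat HeiDef describes (this is not RansomOff's code; it assumes Windows PowerShell 5.1 and uses only documented user32 exports), the script below lists every visible window carrying the WS_EX_TOPMOST flag with its owning process, and offers a check that clears the flag the way an unblock would and then looks whether the owner has re-set it:

```powershell
# Added example (not RansomOff's code); assumes Windows PowerShell 5.1.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class User32 {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern int GetWindowLong(IntPtr hWnd, int nIndex);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] public static extern bool SetWindowPos(IntPtr hWnd, IntPtr after,
        int x, int y, int cx, int cy, uint flags);
}
"@

$GWL_EXSTYLE    = -20            # index of the extended-style DWORD
$WS_EX_TOPMOST  = 0x8            # the "always on top" bit a top-most detection looks for
$HWND_NOTOPMOST = [IntPtr](-2)   # SetWindowPos target that clears that bit
$SWP_FLAGS      = 0x1 -bor 0x2 -bor 0x10   # SWP_NOSIZE | SWP_NOMOVE | SWP_NOACTIVATE

# Enumerate every visible top-level window that has WS_EX_TOPMOST set and report its owner.
function Get-TopMostWindows {
    $found = New-Object System.Collections.Generic.List[object]
    $cb = [User32+EnumWindowsProc]{
        param([IntPtr]$h, [IntPtr]$l)
        $ex = [User32]::GetWindowLong($h, $GWL_EXSTYLE)
        if ([User32]::IsWindowVisible($h) -and ($ex -band $WS_EX_TOPMOST)) {
            $ownerPid = [uint32]0
            [void][User32]::GetWindowThreadProcessId($h, [ref]$ownerPid)
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $found.Add([pscustomobject]@{
                Handle = $h; OwnerPid = $ownerPid; Process = $proc.ProcessName; Path = $proc.Path })
        }
        return $true   # keep enumerating
    }
    [void][User32]::EnumWindows($cb, [IntPtr]::Zero)
    return $found
}

# Do what "Unblock" does (clear the flag), wait, and see whether the owner has set it again.
# $true means the flag came back, i.e. the set-in-a-loop behaviour described above.
function Test-TopMostReassert {
    param([IntPtr]$Handle, [int]$DelayMs = 500)
    [void][User32]::SetWindowPos($Handle, $HWND_NOTOPMOST, 0, 0, 0, 0, $SWP_FLAGS)
    Start-Sleep -Milliseconds $DelayMs
    $ex = [User32]::GetWindowLong($Handle, $GWL_EXSTYLE)
    return [bool]($ex -band $WS_EX_TOPMOST)
}

Get-TopMostWindows | Format-Table Handle, OwnerPid, Process, Path -AutoSize
```

Run the listing first and pass only a handle you have identified as the suspect window to Test-TopMostReassert, ideally inside a VM like the one in the post; the script inspects and clears a window flag only and does not suspend or terminate anything.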