RansomOff 4

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. ufakai75

    ufakai75 Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    173
    Tried that before the full restore, didn't help. RansomOff isn't for my machine. Bitdefender and MBAM premium will do for me as both have anti-ransom. Thanks for your input.
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    189
    Location:
    Philadelphia
    Sorry you had issues but like @cloggy49 said, there is no reason to restore anything.

The files you saw weren't real. It's one of the many protection mechanisms that RansomOff uses to confuse and identify ransomware. For some reason, RansomOff had an issue validating your Explorer instance, which is why you happened to see the phantom files. The most likely reason is other security software on your machine, which is why RO asks you to exempt these programs during install. But once RO is turned off, the "files" go away, so if you have issues that's all you need to do. Again, doing a system restore is not necessary.
     
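An added illustration of the decoy-file idea HeiDef describes above (example code written for this page, not RansomOff's own): low-entropy decoys are planted and baselined, and any decoy that goes missing or is rewritten with high-entropy content is reported. The decoy names, content and entropy threshold are constructed assumptions, and the demo simulates the side effects of an encrypting process with random bytes rather than any real cipher.

```python
import hashlib
import math
import os
import tempfile

DECOY_NAMES = ("~decoy_0001.docx", "~decoy_0002.xlsx")  # constructed names, not RansomOff's scheme
DECOY_CONTENT = b"Quarterly report placeholder text. " * 64  # low-entropy plain text

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text stays well below 6, encrypted data sits near 8."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def plant_decoys(folder: str) -> dict:
    """Write the decoys into `folder` and return {name: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(DECOY_CONTENT)
        baseline[name] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline

def check_decoys(folder: str, baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Return (name, reason) for every decoy that is missing or no longer matches the baseline."""
    findings = []
    for name, digest in baseline.items():
        path = os.path.join(folder, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched, nothing to report
        encrypted = shannon_entropy(data) >= entropy_threshold  # assumed threshold
        findings.append((name, "likely encrypted" if encrypted else "modified"))
    return findings

def demo() -> list:
    """Plant decoys, simulate an encrypting process (one overwritten with random bytes, one deleted), re-check."""
    with tempfile.TemporaryDirectory() as folder:
        baseline = plant_decoys(folder)
        assert check_decoys(folder, baseline) == []  # clean baseline passes
        with open(os.path.join(folder, DECOY_NAMES[0]), "wb") as fh:
            fh.write(os.urandom(4096))
        os.remove(os.path.join(folder, DECOY_NAMES[1]))
        return check_decoys(folder, baseline)
```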
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,365
    Location:
    U.S.A. (South)
    HeiDef-Thanks for this particular explanation.

    Was pulling my hair out trying to track down all over the system why I was getting similar phantoms in a certain directory out of nowhere.

It just happened to be one of the test units and I was under the now mistaken impression that one of those tricky variants had found some way to escape where they're kept.
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    189
    Location:
    Philadelphia
    Making sure you never see them is one of the trickier pieces of RansomOff. It's one of the heuristics we are constantly tweaking to make sure it's as unobtrusive, yet effective, as possible.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,365
    Location:
    U.S.A. (South)
Well, whatever it is under the hood, that aspect of the program has so far worked like a charm over here.

    I've thrown everything collected including the kitchen sink locally at it in the form of ransomwares and even a file infector or two and it prevented as well as auto-restored in some amazing rapid fashion with stunning success.

    For as much as a Beta class to progress in the manner it has to date and on a fairly reasonable progress schedule for updates, it's really tight and obvious to this member anyway that a lot of thought w/much effort went into the workings of it.

    Also it's a shame where some experience collisions between security apps that unnerve them, understandably so, but this is one of those apps that once compatibility is achieved both ways, can help serve as a balanced approach for the prevention of just what it was designed for IMHO.

    The integrated anticipation gradient or formula, (tired of the word algorithm) if you will, is a welcome approach to taking up these tasks.

    The lab team must be acrobatic conscious judging from the unique sensitivity level you can't help but seriously take note of among the others.
     
  6. ufakai75

    ufakai75 Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    173
    The RO wouldn't turn off. Nothing would function at all except for going to boot with esc button. Using my built in factory restore was only option as per HP. RO may be great for others and that's great for them. I'll stay with BD and MBAM PREMIUM. Thanks for everyone's replies.
     
  7. ufakai75

    ufakai75 Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    173
    Good way to look at it.
     
  8. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,276
    A Release Candidate is coming soon:
[attached image: RansomOff_RC1.png]
     
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
Installed the 5.2017.156.2764 latest version and, while it's running nicely alongside OPFW 9.3, WinPatrol, MSE, Zemana AntiMalware and HitmanPro.Alert, I am getting regular floppy disk access.

    Yes, I have a floppy disk drive attached to the internal motherboard header.
    RansomOff polls it quite often, say about every 2 minutes.

    It's a bit distracting having a burst of grinding, and it has only happened since I installed RansomOff.

    So does anyone have a floppy drive installed and experience this?

    Running Windows 7 Home Premium 64-bit
     
    Last edited: Jul 8, 2017
  10. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
Is there a test program like you get with HitmanPro.Alert to see the alert when something bad is happening?
     
  11. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    189
    Location:
    Philadelphia
    Can't say we've tested against a floppy drive so obviously never experienced this. RansomOff doesn't poll anything directly but instead reacts to operations caused by other programs. So what's likely happening is whatever software you are using to access the floppy is polling and then RO responds as necessary. If you know the program that is doing any operations on the floppy, try adding an exemption.
     
  12. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    189
    Location:
    Philadelphia
    There is no test program like that but you can check out the documentation which shows what the alert screen looks like.
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
If you are talking about the very latest attack, it was not targeting the MBR but going after the MFT.
    http://www.bbc.com/news/technology-40530316
    What is an MFT?
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx
    What is an MBR?
    https://technet.microsoft.com/en-us/library/cc976786.aspx

    This is for those that confuse the two or think they are one and the same.
     
  14. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
I don't know what program is accessing the floppy, only that the grinding has started since I installed RansomOff.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,365
    Location:
    U.S.A. (South)
I haven't used or even seen a floppy drive since Windows 98SE + XP.

    Have you tried HeiDef's suggestion of adding it to RansomOff's EXEMPTIONS list to see if that activity stops or not?

    There likely is some simple way to separate what you've been experiencing from either the program itself or the floppy drive unit.
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
If the floppy drive is not being used anymore, why not just unhook its power?
     
  17. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
There is nowhere in the settings to exclude a device, unless I am missing something.
     
  18. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
I tend to store my passwords in plain text on it and have the floppy ejected until I need it. :)
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,365
    Location:
    U.S.A. (South)
    Good deal. So it's another component that simply serves a useful purpose for you. :)

RansomOff protects against ransomwares ON ALL DRIVES. So we need to find you an alternative way to silence what you're hearing as activity on it even when not in use?

    HeiDef can probably offer you how best to try to go about relieving your concern on that. Did the exemption of the floppy drive letter not solve it?

    What I might suggest, and please note, I am only drawing on some straws here now: can you try, under folder protections, to add that drive letter as a separate folder? You can test this with a different floppy than the one that you depend on. Access your RansomOff tray menu icon, select Folders, and then Configure, which should bring up the 2 boxes where in the top one you select that drive as a folder, but also remember you'll need to add e.g. a NirSoft or any safe executable single app to the lower section so that the settings will take hold. After that just eject that floppy and see if you still are getting the same activity.

    I know that seems like a stretch and may be blowing in the wind but also it might. Windows is finicky sometimes especially when introducing real time protection solutions like this and some others.

     
  20. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    189
    Location:
    Philadelphia
As you noted, there is no way to exempt a drive. However, as @EASTER said, you can use the folder protections, which should provide the same effect. You'll want to use the 'Deceive' tab. Once you add the drive and at least one exempted process and close the window, the folder protections will kick in and it should prevent any RO interference with the drive. When you need to access the drive you can use whatever process you exempted (probably notepad makes the most sense in your case) or you can simply disable the protection from the context menu.
     
  21. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
    I did try that but unfortunately it still grinds the floppy drive.
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    Have you installed any drive monitoring program lately?
     
  23. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    890
    Location:
    UK
I do have HDSentinel, but that has been installed for a long time.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,289
    I just remember reading a guy had the same problem and it turned out to be his drive monitoring program.
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    189
    Location:
    Philadelphia
Try exempting HDSentinel, if you haven't already, to see if that stops the grinding.
     