RansomOff 4

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    13
    Location:
    LA
    I installed RC 1 but it brings my computer to a crawl at Windows startup. I would like to use RansomOff but it just takes way too long to load everything at startup. I have Windows 7, 4 GB of RAM, and an AMD E-300 processor.
     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,297
    New Release (Release Candidate):
    RansomOff v5.2017.190.9480 (RC1) (9 Jul 2017)
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    The first startup is generally the slowest. That's because it's building databases and collecting information. Did you try rebooting a second time to see if it improves?
     
  4. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    13
    Location:
    LA
    I restarted my computer but it didn't help. I guess I just need a faster processor.
     
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    RansomOff by itself is very lightweight from a resource perspective. The slowdown occurs because of how it is interacting with other software, especially during startup. Because ransomware can load at boot, RO has to perform a number of checks to make sure loaded processes are not malicious. If you have lots of other software loading at boot then that will obviously cause some slowdown because RO is verifying each process. Things become quicker during normal operations because RO doesn't have a deluge of new processes all loading at once. Try to exempt things that run at startup and especially make sure to exempt your other security programs, if you didn't do it during installation.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,391
    Location:
    U.S.A. (South)
    Wow. Quite the list if I might say so. Lots of super useful features and well, will take some time for this member to wrap his head around it all.

    Wasn't expecting to be a mechanic today either but that task fell my way by chance and cannot bear to see a damsel in distress. :)

    What a terrific effort and program, HeiDef. Thanks as always for your continued attention to users' issues especially.

    It's really epic and welcome to find a developer like this hanging in there throughout whatever crops up and goes out their way to remedy what can be fixed for them.
     
  7. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    13
    Location:
    LA
    I exempted everything that runs at startup but my wifi network icon still freezes with a blue circle. I can't use my internet until the icon stops freezing. This takes forever to unfreeze. When I uninstall RansomOff the icon works fine and I can use my internet. So I don't know how to fix this. Any ideas?
     
  8. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    Can you quantify "forever" please? Also, once it does become unfrozen, is system performance still degraded or does it go back to normal? Just curious if this is strictly a bootup problem for you or a total system issue.
     
  9. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    13
    Location:
    LA
    It takes 3 minutes to load the network icon and then everything works fine. Is 3 minutes to load the network icon normal or should it load quicker?
     
  10. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    Well, if it didn't take 3 minutes before RansomOff then it's not normal. But the network icon is probably a red herring because that's just a UI element for some background service. Could you send us a PM with your startup config? You can run something like Sysinternals Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) to get a list and export. It will help us figure out what might be going on with your system and develop a solution to fix it.
     
  11. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    13
    Location:
    LA
    The file is too big to upload.
     
  12. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    79
    Location:
    The Netherlands
    Creation of a Macrium boot menu option with RansomOff active fails. Macrium abends with errors during this process.
    I also tried it for MiniTool ShadowMaker and although the program created a boot menu option, I was not able to boot into its restore environment. MiniTool did not report any problem during the addition of the boot menu option while Macrium abended during the addition of the boot menu option.
    To be able to successfully create a boot menu option for (at least) both products, RansomOff needs to be exited completely. Only then can a boot menu option be created and you can boot into the selected restore environment.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,669
    Hi cloggy

    True of anything that protects the MBR. HMPA will do the same. Have to turn it off.

    Pete
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,922
    Location:
    Cape Town, South Africa
    Hadn't thought of that. Thanks for the heads up.
     
  15. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    79
    Location:
    The Netherlands
    Thanks... but MiniTool was able to create the boot menu option; Macrium got stuck somewhere in the middle of the process to create a bootable rescue media... so it was not even touching the MBR.
     
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    And obviously no alerts from RansomOff?

    Could you try it again but this time add the removable drive to the Folder Protections under the 'Deceive' tab? And then exempt either Macrium or Minitools (you'll have to make sure you exempt not just the UI but any associated services as well). If that works without any issues then we have an idea of the root cause.
     
  17. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    79
    Location:
    The Netherlands
    Hi, no alerts from RansomOff.

    With the USB drive (g:) added to the Deceive tab, it runs fine.

    As soon as I remove it and try to Rebuild the Rescue Environment, it abends again with the following information:

    ImageX Tool for Windows
    Copyright (C) Microsoft Corp. All rights reserved.
    Version: 10.0.10011.16384

    Mounting: [c:\boot\macrium\WA10KFiles\media\sources\boot.wim, 1] -> [c:\boot\macrium\WA10KFiles\mount]...
    [ 0% ] Mounting progress


    Error mounting image.


    The user attempted to mount to a directory that is not empty. This is not
    supported.


    Unmounting the Wim - 12-Jul-17 17:08
    ====================================


    ImageX Tool for Windows
    Copyright (C) Microsoft Corp. All rights reserved.
    Version: 10.0.10011.16384

    Committing: [c:\boot\macrium\WA10KFiles\mount]...

    Unmount Error: Did not find an image mounted to [c:\boot\macrium\WA10KFiles\mount].


    Hope this helps....
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    Thanks @cloggy49. Very helpful.
     
  19. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    892
    Location:
    UK
    I have already tried that but no joy.
    Thanks anyhow.

    Tried the RC1 and still the same problem (just in case).
     
    Last edited: Jul 15, 2017
  20. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    892
    Location:
    UK
    Why do I get Windows Explorer coming up as blocking other windows PID 1888 window notification?

    I would have thought that was excluded automatically?
    I did try to exclude it nevertheless but I couldn't find it in the "C:\Windows\system32\" directory.
     
  21. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    892
    Location:
    UK
    What about RanSim Test?
    Is it too dangerous to run for us hobbyists?
     
  22. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    13
    Location:
    LA
    Does RansomOff use bait files?
     
  23. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    RanSim is designed to test ransomware defenses and doesn't encrypt actual data. So it is a good way to test RansomOff's effectiveness. While it is a legitimate product you should always take precautions, such as running in a VM or using something like Shadow Defender, if you are not fully confident.

    As for the top most window detection notification against Explorer, there could be a variety of reasons so it's hard to say exactly why without understanding more about your system. The top most detection is also a bit sensitive which is why it is not checked by default.
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    194
    Location:
    Philadelphia
    RansomOff uses a variety of detection methods with bait files being one of them.
     
  25. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    81
    @HeiDef, I think you should change the name of RansomOff to MalwareOff, since it's not just an anti-ransom software anymore.
     