RansomOff 4

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    Thanks for the suggestion. RO's core detection methods are really focused on identifying ransomware behaviors (encrypting data). While it does have some mitigations and protections against common malware techniques it's not designed to detect the wide range of things that could be considered malware. So while MalwareOff is a good name, it would give users the wrong idea of the level of protection it's really designed for.
     
  2. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    80
    About this feature, "Startup change detection": could you please let the user choose allow or block? Not only just give a notification and allow it by default!

    By the way, about the App Lockdown feature, could you please add "Program Files (x86)" to the exemption list by default (using Win10 x64)?
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    When you go to the Alerts dialog and select the startup notification alert icon, you can click the 'Delete Startup Item' button to remove the entry. However, we could also add that to the toast notification to more easily streamline the action.

    As for App Lockdown, we don't want to automatically exempt large swaths of files because there is some inherent risk with that. It needs to be up to the user to determine how wide or narrow they want their exemptions to be.
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    As an FYI, we pushed an update last night but got a report of a crash this morning, so we reverted back to the previous RC1 release (5.2017.190.9480). The crash didn't show up in our testing and we are still waiting on more information about the crash to figure out exactly what the issue is. But once we figure it out we'll get an update out ASAP.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,384
    Location:
    U.S.A. (South)
    Hey HeiDef. Great Program!

    Out of pure curiosity could you also share that platform where this new update which got pulled crashed on?

    FWIW So far things continue to chug along very nicely on this end with both Windows 8 and Windows 10. Really haven't seen the need to pit it against my zoo again but if new ransomware formulas turn up that might pose a challenge you can be sure to count on a report to help with mods and/or adjustments as necessary for you to address them.

    I don't know about most other forum members but I think HeiDef Defense has extended quite the generosity with this endeavor too.

    What are we to expect with the future plans for this program in the long term from the business end of matters going forward?
     
  6. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    Thanks @EASTER.

    It was a Win10 Pro x64 that crashed after a reboot. RO wasn't listed as the offending driver, so we're not entirely sure yet what the issue is, but there is a dump file on the way that will hopefully straighten things out. In the meantime, we decided to revert back out of caution.

    As for future plans, RO is going to continue to be offered as "free for non-commercial use." We want RO to be used in both home and commercial settings. To better support the commercial side of things, we are building out SMB/enterprise features to support deployments in those environments. This will include things like better integration with existing logging and SIEM solutions, active alerting, and the remote management and control that will be provided through the RansomOff Server.

    As many folks on this board are IT professionals, any suggestions on enterprise level features that you would find useful would be some great feedback as we continue to develop those things.
     
  7. Scyna

    Scyna Registered Member

    Joined:
    Jan 30, 2015
    Posts:
    13
    Has anyone gotten this working flawlessly with Kaspersky 2017? I always have something weird happen when I have ransomoff installed in the system. It would either not start, make discord not start up, or have Kaspersky complain that system watcher can't start. If I uninstall ransomoff it works fine. I'm on windows 10 64 bit.
     
  8. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    When you say "it would not start" are you referring to your system, RansomOff and/or Kaspersky?

    Make sure you exempt the Kaspersky products. You can do that during RansomOff's installation. Also you could disable RansomOff's Policy Enforcement once it is loaded. Kaspersky, like most anti-malware, likes to burrow deep (a lot like malware) and some of the protections that Policy Enforcement provides could conflict.
     
  9. Scyna

    Scyna Registered Member

    Joined:
    Jan 30, 2015
    Posts:
    13
    When I said not start I meant ransomoff wouldn't. Ransomoff already exempts kaspersky's folders during the install.

    Update: I turned off policy enforcement and my battlenet launcher kept crashing. I had to uninstall ransomoff to fix it.
     
    Last edited: Jul 20, 2017 at 5:34 PM
  10. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    891
    Location:
    UK
    New version downloaded automatically.
    No changelog on the web site yet though.
     
  11. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,393
    Location:
    South Wales, UK
    Hi All

    Any news on how we get around these issues re. Macrium?

    Am having a similar problem when I try to restore an image using the Windows PE at boot rather than using that on the recovery CD.

    Regards, Baldrick
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,384
    Location:
    U.S.A. (South)
    Interesting. Thanks. This also is interesting.

    https://www.heidef.com/overwatch.html

    My tightly wound units with Ransom0ff are offline right now while doing some adjustments.
     
    Last edited: Jul 23, 2017 at 4:38 PM
  13. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    Hi Baldrick,

    Does Macrium provide a log or any error messages? If you could send us whatever output it is throwing, it will help figure out what's happening.

    The next update will have some changes with how it handles removable devices which will hopefully mitigate these issues.
     
  14. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    12
    Location:
    LA
    I just have no luck running ransomoff. I installed it again this time on my windows 10 computer but as soon as I did it popped up two command prompt dialog boxes. I restarted my computer but it just froze my whole computer. I could not do anything. I had a heck of a time uninstalling it but I was finally able to delete it. I could understand it not working on one computer but not on two. I really want to use ransomoff but I can't deal with all the problems I'm having with it.
     
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,393
    Location:
    South Wales, UK
    Hi Dave

    Thanks for the reply...hope that you are well?

    Macrium does indeed have a log but it is very Macrium centric in that it only advises of the issue/what caused the problem, in relatively simplistic terms.

    In my case it is reporting that the Windows PE environment that one can create from within Macrium, and then use for an on-boot recovery without the use of a rescue CD, is apparently missing, i.e., it looks like RansomOff has, at some point in the initiation of the Macrium recovery process before restarting to boot into the Windows PE environment, 'stripped' it off the disk. I did check in the various 'quarantine' and recovery areas but nothing was showing.

    To help out I will repeat the whole process again tonight, but this time will look to document my steps somewhat more formally and then report back here, in the hope that will help to track down what needs to be excluded.

    Hope that is acceptable?

    Regards, Baldrick
     
  16. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,393
    Location:
    South Wales, UK
    OK, tried it all again with the parameterisation/setup suggested by cloggy49...but still no dice. The restore attempt failed with the following logged by Macrium:

    Image ID - 7432B886EB426D69
    --------------------------------------------------------------------------------
    Dismounting drives
    --------------------------------------------------------------------------------
    Windows PE boot menu is not installed

    The last element being the salient element methinks.

    However, I also noted the following from RansomOff itself:

    Alert Type: Process Blocked
    Alert Level: Malicious
    Alert DTG: 2017-07-24 20:45:38 UTC

    The following process was blocked from running either because it or the parent process is on the block list.
    Path 'c:\windows\system32\bcdedit.exe'
    SHA-256: '9f3f83d8fd7c5d8b65f81421b0348e67f38adc58d4f020aa6aabc1b56625317c'
    PID: '8492'
    Session: '0'
    Parent Path: 'c:\program files\macrium\reflect\reflectbin.exe'
    Parent PID: '8916'

    Now I am fairly certain that I had the folder 'c:\program files\macrium\reflect\' registered under exemptions, but not bcdedit.exe, which exists in the Windows\system32 folder.

    Now asking myself if I need to set that up either under Exemptions or under 'Deny'?

    Any thoughts?

    Regards, Baldrick
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    191
    Location:
    Philadelphia
    One of the more recent additions to our policy enforcement is attempting to regulate the use of bcdedit and vssadmin. These are both used in ransomware attacks so RO tries to determine if their usage is legit. It might be tuned too high as Macrium would have a legitimate purpose to use bcdedit. We'll give it some tweaks to make it a bit more permissive.

    As for the actual issue with WinPE, it's likely due to how RO protects removable devices. Like I said, the next release will have some changes that will hopefully mitigate this problem. I'll send you a PM with a link to the latest build tomorrow so we can test if it fixes things for you.
     
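    An added example, not code from RansomOff or from anyone in this thread: a small Python policy that models the kind of check HeiDef describes above for bcdedit and vssadmin. It parses alert bodies in the format Baldrick posted, allows the two regulated binaries only when the parent process lives under an exempted folder (Baldrick's Macrium folder, registered the way he describes), and still blocks command lines that look like ransomware pre-encryption steps (shadow-copy deletion, disabling Windows recovery) even from an exempted parent. The 'Command Line' field is an assumption, since the posted alert carries none, and every alert other than Baldrick's is constructed for the example. Prefix matching on the parent folder means subfolders inherit the exemption, which is exactly the risk HeiDef raises about exempting large swaths of files.

```python
import re
from pathlib import PureWindowsPath

# Binaries whose use the policy regulates (the two the thread names).
REGULATED = {"bcdedit.exe", "vssadmin.exe"}

# Parent folders exempted by the user, as Baldrick registered his Macrium folder.
# Prefix matching: anything under this folder (subfolders included) inherits
# the exemption, so keep exemptions narrow.
EXEMPT_PARENT_DIRS = [PureWindowsPath(r"c:\program files\macrium\reflect")]

# Command lines typical of ransomware pre-encryption steps. These are widely
# documented commands, not anything taken from RansomOff's own rules.
SUSPICIOUS_CMDLINES = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures", re.I),
]

# Matches "Key: 'value'" lines and the colon-less "Path 'value'" line in the posted alert.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 -]+?):?\s*'(?P<val>.*)'$")


def parse_alert(text: str) -> dict:
    """Turn a RansomOff-style alert body into a dict of its quoted fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def _is_under(path: PureWindowsPath, folder: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` is `folder` or lies beneath it."""
    p = tuple(s.lower() for s in path.parts)
    f = tuple(s.lower() for s in folder.parts)
    return p[: len(f)] == f


def decide(alert: dict) -> str:
    """Return 'allow', 'block' (parent not exempt) or 'block_cmdline' (ransomware-style arguments)."""
    exe = PureWindowsPath(alert.get("Path", "")).name.lower()
    if exe not in REGULATED:
        return "allow"  # not a regulated binary; other protections still apply
    if any(p.search(alert.get("Command Line", "")) for p in SUSPICIOUS_CMDLINES):
        return "block_cmdline"  # suspicious even from an exempted parent
    parent_dir = PureWindowsPath(alert.get("Parent Path", "")).parent
    if any(_is_under(parent_dir, d) for d in EXEMPT_PARENT_DIRS):
        return "allow"
    return "block"


# Baldrick's alert (fields as posted); the Command Line value is an assumption.
MACRIUM_ALERT = r"""
Alert Type: Process Blocked
Alert Level: Malicious
Path 'c:\windows\system32\bcdedit.exe'
SHA-256: '9f3f83d8fd7c5d8b65f81421b0348e67f38adc58d4f020aa6aabc1b56625317c'
PID: '8492'
Session: '0'
Parent Path: 'c:\program files\macrium\reflect\reflectbin.exe'
Parent PID: '8916'
Command Line: 'bcdedit /enum'
"""

# Constructed: shadow-copy deletion launched from an unknown binary in %TEMP%.
RANSOM_ALERT = r"""
Path 'c:\windows\system32\vssadmin.exe'
Parent Path: 'c:\users\victim\appdata\local\temp\update.exe'
Command Line: 'vssadmin delete shadows /all /quiet'
"""

# Constructed: benign bcdedit use, but the parent is not on the exemption list.
UNKNOWN_PARENT_ALERT = r"""
Path 'c:\windows\system32\bcdedit.exe'
Parent Path: 'c:\users\victim\downloads\tool.exe'
Command Line: 'bcdedit /enum'
"""

# Constructed: exempted parent, but the arguments disable Windows recovery.
EXEMPT_BUT_TAMPERING = r"""
Path 'c:\windows\system32\bcdedit.exe'
Parent Path: 'c:\program files\macrium\reflect\helper\tool.exe'
Command Line: 'bcdedit /set {default} recoveryenabled no'
"""

if __name__ == "__main__":
    for name, text in [("macrium", MACRIUM_ALERT), ("ransom", RANSOM_ALERT),
                       ("unknown_parent", UNKNOWN_PARENT_ALERT),
                       ("exempt_but_tampering", EXEMPT_BUT_TAMPERING)]:
        print(f"{name}: {decide(parse_alert(text))}")
```

    With Baldrick's folder exempted, his bcdedit launch from reflectbin.exe is allowed, the same launch from an unexempted parent is blocked, and the two tampering command lines are blocked regardless of parent. Whether the Macrium exemption should also cover bcdedit.exe itself is the question he asks; in this model the exemption is applied to the parent, which is what keeps a system32 binary from being exempted outright.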
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    I don't have @Baldrick's issue as I have done several restores from the Macrium boot menu with RansomOff installed.

    But I have had issues with scheduled backups (Macrium, Acronis) not running, since v5.2017.198.4233 RC1 (I think). Strangely full backups generally seemed to work, but not differential or incremental. Maybe that could be due to additional protections introduced in this version (vssadmin?, no alerts but maybe something additional needing to be exempted in folder protection), as I did not have that previously. Plus some other problems (like unable to run some programs, Windows message 'would not complete, please retry' or something like that). And the odd undecipherable BSOD.

    I uninstalled RO yesterday on @HeiDef's suggestion, and all scheduled backups ran fine last night. Too early to tell if my other 'funnies' have gone too.

    Btw I have been a reasonably active tester of RO on my secondary machine since the end of April, but have been communicating with @HeiDef via PMs (10 pages now :) ). In retrospect, I regret not having had the conversation here, for our mutual benefit on this thread. But I have other beta software installed (e.g. DeepArmor, so cannot always be sure issues are due to RO).

    I otherwise like RO, and will continue to test and support their efforts. It obviously takes time to 'tune' it, also it has to 'dig deep' and there is the near impossible task of making it compatible with the innumerable softs and combinations out there. :eek:
     
    Last edited: Jul 25, 2017 at 3:50 AM