Well, we just tested XData with the latest and it worked. Not sure about earlier versions, but we are always tweaking the heuristics, so it's possible that Evjl's Rain's test conditions just exploited a gap, as you mentioned. Can you pass the hashes of the FilecoverFV and ShellLocker samples you used? We would like to get those into our test cycle as well.
Thanks for the suggestions, but the problem is: how do we alert until we know for sure that the process is actually ransomware? In the case of Hades, the main executable seems to be just an orchestrator of sorts whose main focus is launching the actual ransomware payloads. But if it is not performing any ransomware behaviors, it can't be detected as such. However, RansomOff's cleanup process is supposed to track a ransomware process back to the source, so it should be terminating the Hades process and then deleting the file. Again, please pass the hash on that so we can see where the process cleanup is failing.
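The cleanup step described in that reply (tracking a flagged payload back to the launcher that spawned it, then cleaning up the whole tree) as an added example written for this page. It is not RansomOff's code, whose internals are not shown in the thread; the process table, image paths and the list of trusted root processes are constructed assumptions, and the "detection" is simply the PID the behavioral engine is assumed to have fired on.

```python
"""Walk a flagged process back to its orchestrator and plan the cleanup.

Added example, not RansomOff's implementation. The process snapshot below
is constructed sample data: an orchestrator spawned from explorer.exe that
launches two payloads, one of which triggered the behavioral detection.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


# Assumption: processes we never terminate and never walk past when
# looking for the source. A real product would key on signer/path, not
# just the image name.
TRUSTED_ROOTS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed snapshot of a process tree (not captured from a real host).
SAMPLE_PROCS = [
    Proc(4, 0, r"C:\Windows\System32\wininit.exe"),
    Proc(1200, 4, r"C:\Windows\explorer.exe"),
    Proc(3344, 1200, r"C:\Users\bob\Downloads\hades_launcher.exe"),      # orchestrator
    Proc(3360, 3344, r"C:\Users\bob\AppData\Local\Temp\payload1.exe"),   # fired detection
    Proc(3372, 3344, r"C:\Users\bob\AppData\Local\Temp\payload2.exe"),   # sibling payload
    Proc(2000, 1200, r"C:\Program Files\Notepad++\notepad++.exe"),       # unrelated
]


def _by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def find_source(procs: List[Proc], detected_pid: int) -> Proc:
    """Return the topmost untrusted ancestor of detected_pid.

    The walk stops when the parent is missing (already exited, or the PPID
    was reused by an unrelated process), is a trusted OS process, or would
    form a cycle. A missing parent is exactly the case where a cleanup can
    fail to reach the orchestrator, so the caller gets the flagged process
    itself rather than a bogus root.
    """
    index = _by_pid(procs)
    cur = index[detected_pid]
    seen = {cur.pid}
    while True:
        parent = index.get(cur.ppid)
        if parent is None or parent.image.lower() in TRUSTED_ROOTS or parent.pid in seen:
            return cur
        seen.add(parent.pid)
        cur = parent


def descendants(procs: List[Proc], root_pid: int) -> List[Proc]:
    """All processes below root_pid, in parent-before-child order."""
    children: Dict[int, List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    out: List[Proc] = []
    stack, seen = [root_pid], {root_pid}
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            if child.pid not in seen:
                seen.add(child.pid)
                out.append(child)
                stack.append(child.pid)
    return out


def cleanup_plan(procs: List[Proc], detected_pid: int) -> Tuple[Proc, List[int], List[str]]:
    """Source process, PIDs to terminate (orchestrator first), images to delete.

    Killing the orchestrator before its children keeps it from relaunching
    payloads while the rest of the tree is being terminated.
    """
    source = find_source(procs, detected_pid)
    tree = [source] + descendants(procs, source.pid)
    kill_order = [p.pid for p in tree]
    images = sorted({p.image for p in tree})
    return source, kill_order, images


if __name__ == "__main__":
    src, kill, imgs = cleanup_plan(SAMPLE_PROCS, 3360)
    print("source:", src.pid, src.image)
    print("terminate in order:", kill)
    print("delete:", imgs)
```

Two caveats the walk makes visible: on Windows a PPID alone is not proof of parentage, because PIDs are reused and a parent may have exited before the payload was flagged, so a real implementation should also compare process creation times (or record the tree at creation time); and the trust list is what prevents the cleanup from walking up into explorer.exe and terminating the user's shell.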
Absolutely. We have a couple more explainer videos in the queue but just haven't gotten to them yet. Once we work out some of these latest issues, we should be able to finish up a video or two.
RansomOff Beta Revisited by cruelsister1, posted on YouTube! Only missed one! Your thoughts/opinions?
It was a miss due to a programming bug that only appears to impact Win7. As we posted, RansomOff easily stops XData on Win10, so it is not an issue with our underlying detection methods but a simple mistake of not initializing a value properly. But, as Peter2150 says, it is one too many, so we will make sure to do better next time.
Sure, but it is still beta. And your effort and engagement still make me want to back RO. @Peter2150, I know your views on prevention vs. detection, but check out its folder protection. Pretty elegant compared to the 'competition'. May be worth considering spinning that off as a small standalone for those who only want that. I haven't played with Lockdown yet.
Ran into another issue (but it might be my ignorance). After I added a folder to Folder Protections and want to add a process to be exempted, I get the following error window: I can click on OK and then select the designated program to be added to the Exempted Processes. Why this window? Note that I get the same error window when I want to add a program to the Exempted Software (Add -> Browse, and then I get that window).
Greetings/Salutations! When updating RansomOff, do you install over the existing software? And/or do you uninstall and then reinstall? Kind Regards, Moose
I understand the concept. I've been using a program, AJCsoft's Active Back, for years, and the way it stores the files, so far ransomware has proven uninterested. But I will look at it.
With earlier betas the previous version had to be uninstalled, but now it is possible to install it over the top.
Salutations/Greetings! Just wondering if you have an uninstall tool/removal tool, just in case there is a problem? Or what is the best way to uninstall, if needed? Kind Regards, Moose
If no problems have yet been experienced with uninstallation by users, then how would they approach making a removal tool just in case? Since it'd be doing the same as the uninstaller...
Cosmetic issue? When I select the option 'Only allow admin group user to close' and try to exit RO, I get the following message: Note that I'm an administrator.
I've been waiting for someone else to post about that box issue. I also get the exact same one, and while you cannot add directly to the Desktop via Browse because of it, you can, or should be able to, go the long route, drilling down to Desktop from My Computer/This PC etc. to get around it. Windows 10 x64 (no AU, no CU)
Backup is the only way to make sure the computer is the same as it was. I had to take it off; that is the only thorough way. No uninstaller can remove all traces.
What could be wrong with this one? This is the first time I'm getting these alerts, and a few times in a few minutes. I've now set it to Allow - Add Permanent Exemption.
False alerts sometimes happen with security software. It mistakes a legitimate process's behavior for malware behavior. Malware can run like a legitimate process, so it's not always easy to tell them apart. You may want to set a temporary block to investigate and allow it to run later.