RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hey Pete.

    RansomOff does not modify the MBR. The protection is implemented in an upper disk filter. You have to reboot because of how Windows operates the drive stack. Upper disk filters cannot be added or removed dynamically, say like a file filter. When you untick MBR protection on HMPA, it doesn't remove the filter but simply sets a flag internally in their driver saying "we are now ignoring all requests, just pass this on through to the next driver." The driver is still loaded but just not engaged. When you untick MBR in RO, we stop the driver from loading into the device stack in the first place. Hope that makes sense.
     
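As an added illustration (not code from the RansomOff project or from HeiDef), here is a PowerShell check that shows where upper and lower disk filters such as the one described above are registered, and whether each registered upper filter's driver is currently loaded. The class GUID is the standard DiskDrive device class; a filter that is listed but not running (or running but no longer listed) is a change still waiting for the reboot that rebuilds the disk stack.

```powershell
# Added example: inspect class-level filter drivers on the DiskDrive device class.
# Upper disk filters (MBR protection in RansomOff or HMPA is one) are registered
# here, and edits to this list only take effect when the disk stack is rebuilt at
# the next reboot, which is why the product asks for one.
$DiskDriveClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

function Get-DiskClassFilters {
    $props = Get-ItemProperty -Path $DiskDriveClass
    [pscustomobject]@{
        UpperFilters = @($props.UpperFilters)   # typically partmgr plus any third-party filter
        LowerFilters = @($props.LowerFilters)
    }
}

# For each registered upper filter, report whether its kernel driver is loaded
# right now and how it is configured to start. Win32_SystemDriver covers kernel
# drivers, which Get-Service does not list.
function Get-DiskUpperFilterState {
    foreach ($name in (Get-DiskClassFilters).UpperFilters) {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Filter    = $name
            State     = if ($drv) { $drv.State }     else { 'no driver service' }
            StartMode = if ($drv) { $drv.StartMode } else { $null }
            Path      = if ($drv) { $drv.PathName }  else { $null }
        }
    }
}

Get-DiskUpperFilterState | Format-Table -AutoSize
```

Run it in an elevated prompt before and after toggling MBR protection to see that the registry list changes immediately while the loaded-driver state only follows after the reboot.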
  2. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
@paulderdash , I have 5.2017.144.10111 running with the Tray Icon visible. Shortly after I rebooted the system this morning due to the automatic upgrade from the previous version, I ran into a .NET error and the tray icon disappeared. I had to reboot the system in order to make the Tray Icon visible again. Since then I have performed several tests, changing a lot of options, but the error has not occurred anymore. So far, the system is running fine with App Lockdown enabled (new Process execution - Exempt Windows process enabled) and all other Protection options enabled including MBR protection.

With regards to a possible slowdown of reboot: I haven't noticed any difference between having RO installed and the time it was not installed... maybe I'm the lucky one this time.. grin
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It does make sense and it's a relief. But a question: if it can be done without a reboot, why not do it that way? If I had to reboot every time I needed to do that...

    Pete
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    It's about completely removing the driver from the disk stack. If there are compatibility issues, just doing what HMPA does won't solve them. You have to prevent the driver from loading in the first place and you can only do that at boot time.
     
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hi @DreamsandVisions

Could you please go to your Event Viewer (right-click Start Menu -> Event Viewer) and then expand 'Applications and Services Logs'. There you will see 'Heilig Defense', and when you select that you should see some messages. Please let us know if you see any error-type messages. Additionally, if you go to 'Windows Logs' on the left and then 'Application', you'll be able to find indications if the service crashed (again, it will be marked with the error icon). If you see anything like that relating to RO, please let us know. Could you also open your Services window (Control Panel -> Admin Tasks -> Services) and just verify that 'Heilig Defense RansomOff' is set to Automatic loading?

The service crashing is the only thing we can think of at this time for your issue, because if it installed properly and you rebooted then there's no reason it should not be running.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    OK thanks @cloggy49 . I did a clean install and it appears to be working fine now. Just need to redo my settings.

    I have unticked the auto-update as that seemed to be the problem in my case. Also I would prefer the control of manual updates (in case they don't work, it is still beta). :)
     
  7. guest

    guest Guest

    It is the same with MBR Filter which is also an upper disk filter.
After installing or uninstalling it you have to reboot.
     
  8. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    @paulderdash : I have Auto update RansomOff enabled w/o problems. Disabling and enabling again doesn't make any difference. The Tray Icon just remains.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    OK. The last auto-update seemed to hang on my machine. Must be my config.
     
  10. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    Thank you for letting me know which steps to take :) I wouldn't have known to take these ;)
From what I've seen, I could think of RO conflicting with AVG TuneUp Utilities (being part of my AVG Ultimate (v17.4.3014 (build 17.3.3482.0)) installation); it detects some of its services as a ransomware attack (FP of course) and tries to restore them?!?

    Here is the information you requested (no service running, same issues as described before, performed a fresh installation after fully removing RO just to make sure):

    Let me know if you need further logs. I will be happy to provide!
    Thank you for your assistance :)
     
  11. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
I tried launching the service via "Services"; the first time led to AVG DeepScreen monitoring it for 15 seconds, giving a clean rating after 15 seconds and starting it.
It runs for a minute (to be seen in Task Manager, but not in the Tray), then auto-terminates (crashes). On rerun, no AVG action, but it still stays only for a minute.

I tried launching the RO service via Services, which led to AVG DeepScreen monitoring it for 15 seconds, giving a clean rating. From then on, I can see the RO service in Task Manager, but it crashes after about a minute. No tray icon.
     
  12. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thank you very much! As we thought, it looks like the service crashed although in a way we've never seen before. So that will be a good fix.

    And as you said, looks like RO had a FP with AVG. We've had lots of issues with AVG in the past and not just with RansomOff. We have another product for a couple of clients who use AVG and it's always been a struggle from both sides. AVG blocks and alerts on our software while our software causes issues for AVG. But that's why we added the exemption step during installation. Did the RansomOff installer pick up the installed AVG software? The best thing to do is exempt the folder and RO won't bother with them anymore.
     
  13. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Are you attached to a domain?
     
  14. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    Yes, it suggested both WD and AVG to be excluded (it showed their paths and some red / orange balls next to 'em), let me quickly reinstall to show all entries picked up automatically by RO. It scans them once the entries to exclude are confirmed.

    I tried running RO service as described above with AVG completely turned off, nothing changes, service keeps crashing.
AVG did indeed pick up an earlier installer as "unknown / seldom" after triggering DeepScreen and sent it to the lab, but it did not take long to get the clean rating.
This and the last installer were just picked up by DeepScreen and let through 15 sec later.

    As for the domain question, no.
    I'm currently using mobile internet to access the web as I'm not at home yet, but the issues appeared on my home WiFi, too.
    I'm using VPN (ExpressVPN) while malware testing in ShadowDefender environment, but both are currently off (SD would flush the system on reboot).

     
    Last edited: May 25, 2017
  15. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    @HeiDef these are the screenshots related to the crash of HDRansomOffUi.exe.

    EDIT - UPDATE

    Reporting back:
    UI is working like a charm now, cannot spot any errors in the event viewer logs anymore.
    Let me check some recent samples now to see whether my issues are solved :)
     
    Last edited: May 25, 2017
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
For everyone else reading the last few posts, we were talking with @DreamsandVisions through PM. His crash and subsequent screenshots helped us identify an issue with the usage of a hard-coded English user name "Everyone", which on systems that are not English does not mean the same thing. And when the lookup of that username failed, it caused an exception that led to a crash. We built a quick fix for @DreamsandVisions to test out and once we made it language neutral, everything appears to be working again. So for anyone else that has a non-English language setting and experienced a crash, this is the reason why. Obviously the next update will include this fix.
     
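The bug described in the post above, shown as an added PowerShell example (not RansomOff's code): resolving the principal by the English display name "Everyone" throws on a non-English Windows, while building it from the well-known World SID S-1-1-0 works on every language build. The German display name "Jeder" in the comments is given only as an illustration of why the name lookup fails.

```powershell
# Added example: the fragile name lookup beside its language-neutral replacement.
using namespace System.Security.Principal

function Resolve-EveryonePrincipal {
    param([string]$DisplayName = 'Everyone')   # the hard-coded English name the bug relied on
    $out = [ordered]@{ ByName = $null; BySid = $null; LocalName = $null }

    # Fragile path: display name -> SID. On a German system the group is shown as
    # "Jeder", so "Everyone" is not mapped and Translate() throws. Left unhandled,
    # that exception is exactly the crash the post describes.
    try {
        $out.ByName = ([NTAccount]$DisplayName).Translate([SecurityIdentifier]).Value
    } catch [IdentityNotMappedException] {
        $out.ByName = $null
    }

    # Language-neutral path: construct the SID from the well-known type. The value
    # is S-1-1-0 everywhere; only the display name differs per language.
    $world = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)
    $out.BySid     = $world.Value
    $out.LocalName = $world.Translate([NTAccount]).Value   # 'Everyone', 'Jeder', ...
    return [pscustomobject]$out
}

# Wherever an ACE for Everyone is needed, hand the SID (never the name) to the rule.
function New-EveryoneReadRule {
    $world = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)
    [System.Security.AccessControl.FileSystemAccessRule]::new($world, 'Read', 'Allow')
}

Resolve-EveryonePrincipal | Format-List
```

On an English system both paths return S-1-1-0; on a localized one ByName is empty while BySid is still S-1-1-0, which is the difference that made the original lookup crash.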
  17. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    Can confirm RO is now working fine, however I get this message on almost every RW I tried running (except for ChkDsk.exe, which just runs in memory). Seems as if RO blocks the encryption process.
    No file was affected, xData RW managed to create a key file to the desktop.
The ransomware samples are still running in memory, but seem not to work (they would start encryption instantly - can at least confirm for xData, AVG is turned off completely).
    RO is up and running, with no error messages in Events Viewer.
    No setting has been changed in RO, tested with default settings, within ShadowDefender protected environment.


    Tested RW:
    Lightning Crypt Ransomware - https://www.hybrid-analysis.com/sam...24c6cd25bdcebfdaac05706d288?environmentId=100
    GlobeImposter - https://www.hybrid-analysis.com/sam...1b6e9a3afcde30b36391fd2df1e?environmentId=100
    jaff new - https://www.reverse.it/sample/55730...e11bd1dede755d513fe6b5ac835?environmentId=100
    wcry2 - https://www.hybrid-analysis.com/sam...840480439c6e5babe8e080e41aa?environmentId=100
    xdata_RW - https://www.hybrid-analysis.com/sam...cbfaef662bf691ffd0080327ab9?environmentId=100

    Big big thank you to @HeiDef for helping and replying that fast and not giving up :)
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    It's likely a conflict with ShadowDefender. Do you get the same error if you run a non-ransomware process? And do you have a F: mounted?
     
  19. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    Sorry for the late reply.
I actually had an internet stick mounted via USB, to access the internet - F://. Interestingly, the malware tried accessing this one instead of C:// (the pictures and documents shown are stored there), D:// or E:// (all are partitions of my SSD / HDD) at all.
    As for running a non-RW process, SysInternals ProcessExplorer gave no error.

I now tried connecting my laptop via my mobile phone internet connection, so that no drive F:// can be triggered.
On retry, same outcome minus the F:// error message.
The ransomware samples are running; one managed to extract all its stuff (WCry2) and xData drops its stuff to the desktop.

    Maybe someone with a VM can try running these samples with the current version of RO + the two fixed .exe?

    Note that once I shut down RO, the encryption party begins!

    Leaving for bed now, will reply ASAP!
     
  20. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    195
    Just a note....previously, when clicking on the EXIT button in RO, the computer would freeze....with the latest beta, all is ok...
     
  21. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    +1

    That's good to hear.
     
  22. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Most ransomware will target removables and network shares first before touching the local drives. This is because some products don't protect these devices like a local drive. RansomOff does. And the reason why they didn't get to the other drives is because RO likely has them frozen.

    We do our testing in VMware but we'll have to give SD a try to see what's going on. RO definitely works so there is some funny interaction happening. RO actually employs concepts similar to SD and that could definitely cause some head bumping.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Please ask Lab Personnel to retest Shell Locker with this version again.

    In their test (I don't know if it matters or not) but allow test to run in Shadow Mode with SD.

Been having problems when Shell Locker knocks out the screen/taskbar AND ONLY the Alert Notice is the RansomOff box to DENY, right?

Then on explorer restart, sometimes encrypted junk files are being loaded up even after the explorer restart, and the RansomOff tray icon is knocked out too.

    On one such test it took 3 to 4 restarts of explorer before RansomOff could finally sweep those off.

There must be some way to more quickly regain the desktop and/or for RansomOff to undo those scrap files?

    Maybe some auto-restart explorer automated so user can avoid having to try to manually find it?

    Thanks for any consideration.
     
  24. Der.Reisende

    Der.Reisende Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    51
    Location:
    Germany
    Thank you for the update @HeiDef!

Clever malware and even more clever product :) I already love it, can't wait to see its final appearance :)
    I could imagine a UI bug (according to other tests I've seen, a warning message appears as soon as RW behavior is detected, and RO waiting for user reaction to the frozen attack), but I can't get the link to the missing alerts in RO log.

    Sorry for causing so much trouble :D
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    These guys thrive on trouble :). It can only make RO a better product.
     