RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    Agree!!!

    Have you guys even got around to working the App Lockdown yet? I wonder if it keeps a running tally per session or maybe in a later version save rules for it because it's one snazzy addition which is another notch up the scale for this sort of special PC protection.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    No, haven't tried Lockdown yet, only secure folders feature, which is great. Have had a few issues, so just letting it bed down for a while. But @cloggy49 has.
     
  3. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    90
    Location:
    The Netherlands
    Hi, I have indeed enabled App Lockdown (new processes - exempt windows) and initially it gives a lot of windows where you can allow or deny the execution of a program. After a day the number of the decision windows almost disappeared. After a reboot, App Lockdown must be enabled manually again but the list of allowed and blocked programs is still there.
    I can understand that it will not be enabled automatically after a reboot to avoid a frozen situation but it would be nice if you can set a parameter indicating how many seconds/minutes after a reboot it will automatically kick in again.
     
    Last edited: May 26, 2017
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Shell Locker is a pretty annoying piece of ransomware but we hope to have a mitigation for it in the next release. The easiest thing is to just restart your computer if you were ever hit with it in a non-testing environment. Just curious though. How are you restarting explorer? Through Task Manager or some other app?
     
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    No worries. Glad you're happy with RO. Once we start playing with SD hopefully it will shed some light on why no alerts are being shown.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Shadow Defender:

    "You will have the same access to the files on the disk but any write action will be virtual. This means that no matter how many worms and spyware you infect your computer with, they will not affect the real system at all because of the virtualization. Once you snap out of this "parallel dimension" every change to the system and the files on the disk will be discarded." http://www.shadowdefender.com/help.html

    Not the same as VirtualBox or VMware. At least I don't think so. Most use one of those to test malware. EASTER uses SD.
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    That's a good idea. You hit the nail on the head on exactly why we made it manual after reboot, but we could definitely add a condition like "wait until explorer loads" or something similar to turn it back on again.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    That question raises some interest. In one test it was with Process Explorer, another time with Process Hacker.

    In additional tests, acting as a common user, and what to do if confronted by it. So yes, the panic response would be to pull the plug. LoL

    What raised a concern most is the What If, a shell locker (similar) made means to prevent explorer from restarting at all.

    Pleased that the Lab sees enough consideration to qualify this one for particular mitigation which likely will address other similar types as well.

    You guys are doing a phenomenal job with this.
     
  9. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    If it's whitelisting, the decision screen should be simple and it should allow you to decide whether to allow or deny an application.

    Good security software should be like set and forget and not get in your way until you need it.
     
    Last edited: May 27, 2017
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    While some of that is true to a point and is held up for the most part, ever newer designs/coded ransomware are rewriting what used to be safe basic rules and breaking through what used to count as acceptable enough pc security standards.

    @cruelsister is a better expert on just how clever some of these have become, but lucky for us she is quick as a cat to catch on to those little buggers.
     
  11. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Exactly what @EASTER said.

    This stuff is not black and white so figuring out when "you need it" is the hardest part of this game.
     
  12. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    774
    Location:
    U.S. Citizen
    Salutations/Greetings!

    Latest:
    Try to install the latest beta version of RO.

    On my Acer Desktop!

    Secure Boot Violation
    Invalid signature detected
    Check Secure Boot Policy in setup.

    Just my luck!:(
     
  13. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hey Moose.

    This is a known issue with Windows 10 right now. Windows 10 with Secure Boot enabled requires WHQL cross-signing in addition to our digital signature. Because we have been releasing new updates so often, we have not been submitting them to Microsoft for cross-signing to make them compatible with Secure Boot. Once we move out of beta, we will start that process. So as of right now, RansomOff won't load on a Windows 10 machine with Secure Boot enabled.
     
  14. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    774
    Location:
    U.S. Citizen
    Hey, HeiDef.

    To make sure that we are on the same page: this is Windows 10 Creators. Strange for it to install on 3 of my PCs? And on the 2 PCs where it would not install, it gives an error on start in ntfs.sys, with:

    Secure Boot Violation
    Invalid signature detected
    Check Secure Boot Policy in setup.

    What would happen if turn Secure Boot off and/or not enabled?
     
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    It probably would run if you turned Secure Boot off in UEFI.

    It might be advisable to wait until RansomOff gets certified for Secure Boot.

    This issue does NOT affect PCs with a legacy BIOS, as they don't have Secure Boot.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    Hang in there Moose. We're pulling for you because we know you are every bit as anxious as the rest of us to get all elements safely in place.

    You are a real champ sticking to the plan.

    NormanF has the right suggestion for you to just go neutral a little while longer until that gets certified and available to apply to it.

    This Developer is already thinking ahead and it's such a relief to have him totally focused for all of us users where issues and corrections are brought right out up front to our attention in a way where we don't have to wait very long like some seem to do.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    I am confused now.

    I am pretty sure I have the default Secure Boot enabled on my Win 10 Pro x64 v1703 15063.332 machine.

    And I have RO 5.2017.144.10111 beta installed and loaded?
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    New installations of Win10 are affected.
    If you did an upgrade to Win10 then you don't have this problem.
     
  19. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    Is it light, stable software?

    Or is it like 80% of security apps, with buggy behaviour that slows down the system?

    None of the malware YouTubers ever comment on the performance overhead of what they're testing.
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    You got it backwards; security is always best carried out using internal OS configurations. 3rd party software should only be a backup solution, not primary.

    In an ideal world windows would be secure enough that there would be no place for 3rd party solutions at all.

    Windows Scripting Host, if it's disabled it's disabled, no ifs and buts. Whilst 3rd party software can suffer from bugs, false positives and even fail to correctly analyse. Analysing also tends to have performance overheads as well.

    We already know windows out of the box is inadequate, but there is nothing wrong with reconfiguring it to harden the system.

    I understand where you're coming from though :) You are thinking about less technical users who just want to install something and forget about it, which is what a lot of these security programs are trying to achieve with analysing behaviour etc. I think it's an inferior solution, but it's better than nothing, so for less technical users it's good.

    I will test this in a VM to measure performance overhead.
     
    Last edited: May 28, 2017
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    Chrcol- Although the across the board disabling on script hosts will indeed work for some, one must remember on public boards a more Universal solution should be espoused. Suggesting to a retired person to shut down such engines will certainly work, but telling a teenager just to block the running of all scripts will not serve them well if they happen to stay in the Computer field and enter a Corporate environment where the blocking of all scripts is not an option.

    And although I agree that it would be ideal if the native OS was proof from malicious manipulation, I'm not a Rainbows and Unicorns kind of Girl. Scripting is too valuable of a legitimate tool to be totally blocked by the Windows OS, and the line between malicious and legitimate can be so fine that far too many security solutions ignore them totally- a topic that I have been ranting about for years. But some solutions do a better job than others, and these should be promoted as much as possible; and those that suck at it should be mocked.
     
  22. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Like mood said, the upgrade route is one exception to the rule option.

    According to Microsoft (https://msdn.microsoft.com/en-us/wi...code-signing-policy--windows-vista-and-later-) the three exceptions are:

    • The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
    • Secure Boot is off.
    • Driver was signed with cross-signing certificate issued prior to July 29th 2015.
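    The three conditions above come down to two things an administrator can check locally: whether Secure Boot is actually on, and who issued the driver's signing certificate and when. The following PowerShell is an added example written for this thread, not code from the RansomOff developers; the driver path is an assumption built from the file name mentioned later in the thread (`HDRansomOffDrv.sys`), and the script only reads state, it changes nothing. It reports the Secure Boot state, the signature status, the signer, the certificate's issue date (relevant to the "prior to July 29th 2015" exception) and the root of the chain, which is how you tell a Microsoft-issued WHQL signature from a vendor-only one.

```powershell
# Added example (not the project's own code): inspect the two factors behind
# the Windows 10 1607 kernel-mode signing policy quoted above.
# Assumption: the driver lives at the standard drivers path under this name.
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\HDRansomOffDrv.sys'

function Get-SecureBootState {
    # Confirm-SecureBootUEFI needs an elevated prompt and throws on legacy BIOS
    # machines, which have no UEFI variables to query.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'NotSupported (legacy BIOS)'
    } catch {
        "Unknown: $($_.Exception.Message)"
    }
}

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        # Unsigned or unparsable Authenticode blob: nothing further to inspect.
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status }
    }

    # Build the chain so we can see which root anchors the signature.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($sig.SignerCertificate)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer        = $sig.SignerCertificate.Subject
        SignerIssued  = $sig.SignerCertificate.NotBefore # compare against 2015-07-29 exception
        ChainRoot     = $root.Subject                    # Microsoft root => WHQL/attestation path
        TimeStamper   = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
    }
}

# Usage: run from an elevated PowerShell prompt.
"Secure Boot: $(Get-SecureBootState)"
Test-DriverSignature -Path $DriverPath | Format-List
```

If Secure Boot reports `Enabled`, the chain root is not a Microsoft root, and `SignerIssued` is after 29 July 2015, the machine is in exactly the situation the developer describes, and the driver will be refused at boot unless the install was an in-place upgrade. A legacy BIOS system returns `NotSupported`, which matches NormanF's point that those PCs are unaffected.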
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    Thanks for explaining.

    On a side note, I have avoided testing HMPA builds without co-signed drivers, but I suppose this applies there as well?
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Yes, you can install software without co-signed drivers.
     
  25. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
    Not sure if I have missed something but when I reboot after installing RansomOff.5.2017.144.10111.BETA.x64 I get a BSOD which relates to:

    Stop Code: SYSTEM SERVICE EXCEPTION
    What failed: HDRansomOffDrv.sys

    Obviously an issue with a driver but not sure if this is something known about this build or whether it is something down to my setup under Windows 10 Pro?

    Any thoughts appreciated (especially if they relate to something I have missed in the thread).

    Regards, Baldrick
     