Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.
It's a beta after all. The driver apparently doesn't work well with some systems.
So glad you raise this. A number of programs I have been through over the past few seasons hit the skids because of adversely affecting performance, and I am one of those who is very touchy when it comes to the least notice of drag on my machines.
So I have been testing performance too.
I have not noticed any such friction while testing RansomOff, to my total glee I have to say. In fact, if there has been any delay in anything it's the Alert Window, which I assume is waiting for the signal to complete after detecting a malicious action. Same goes for the App Lockdown for me, but not so much that I even mentioned it until now. I just assume that while it's still in beta there are other users' more immediate issues to address, as well as the Lab fine tuning the interception and rollback mechanisms, before looking at speed tests for the alert boxes. LoL
This is on a Windows 10 machine running alongside, and get this, CFW 10 + ERP + AppGuard + Shadow Defender (On-Demand).
No interference either, but I do have to shut off the others to let RansomOff take on the foulware.
If there is any delay it might be on reboot, but even that isn't noticeable enough for me to mention as a concern. This little package has been a powerhouse of sorts if you ask me, without draining the battery in the process. I hope it stays that way once all the complaints are answered.
Thought we got most of those buggers out. Did the BSOD happen before Windows loaded or after? Do you happen to have a memory dump you could share? Or at least, could you provide us with the Event Log entry relating to the BSOD. You can find it at Event Log -> Windows Logs -> System and then you can filter for 'Critical' log messages from the 'Kernel-Power' source. Once you find the message that relates to that crash, if you could please copy the details of the log entry, it will at least get us started to figure out what happened. Thanks.
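For anyone collecting what HeiDef asks for above, here is an added PowerShell script (not from the thread or from the RansomOff team) that pulls the Critical Kernel-Power entries from the System log, extracts the bugcheck code and parameters from each, writes them to a text file, and lists any crash dump files present. It assumes a one-week lookback and a report path on the Desktop; run it from an elevated prompt.

```powershell
# Added example: gather the Kernel-Power critical events and dump files
# that a BSOD report needs. Assumes a 7-day lookback and a Desktop output path.
$Since      = (Get-Date).AddDays(-7)
$ReportPath = Join-Path $env:USERPROFILE 'Desktop\kernel-power-critical.txt'

$Filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'   # shown as "Kernel-Power" in Event Viewer
    Level        = 1                                  # 1 = Critical
    StartTime    = $Since
}

$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Host "No critical Kernel-Power events since $Since."
}
else {
    $Report = foreach ($e in $Events) {
        # Event ID 41 ("rebooted without cleanly shutting down") carries the
        # bugcheck code and parameters in its EventData payload.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            EventId      = $e.Id
            BugcheckCode = $data['BugcheckCode']
            Param1       = $data['BugcheckParameter1']
            Param2       = $data['BugcheckParameter2']
            Param3       = $data['BugcheckParameter3']
            Param4       = $data['BugcheckParameter4']
            Message      = $e.Message
        }
    }

    # Full details go to the file for sharing; a short table goes to the console.
    $Report | Format-List | Out-File -FilePath $ReportPath
    $Report | Select-Object Time, EventId, BugcheckCode | Format-Table -AutoSize
    Write-Host "Report written to $ReportPath"
}

# Dump files, if Windows was configured to write them on crash.
Get-ChildItem "$env:SystemRoot\Minidump\*.dmp", "$env:SystemRoot\MEMORY.DMP" -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length
```

A BugcheckCode of 0 on Event 41 means the machine lost power or was reset rather than crashing, so only non-zero codes point at a driver fault.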
Many thanks for the reply.
The BSOD happened after I saw the Windows 10 logo, and then I briefly got sight of the user logon screen wallpaper, after which the BSOD presented itself with the details so far provided.
I am afraid that I was unable to log into Windows despite all I tried, and so rolled back my system to a previously taken incremental image. I will therefore see if I can try this again at some point, then log into Safe Mode and see if I can find either the dump or the Event Log entry.
Not sure when I can do that but will try to sort it out shortly.
Real quick, this is how I get the reboot back to normal from a BSOD!!
From the RO Headache!
Windows 10 CD/DVD
Reboot the PC but it will not start.
Change the boot order; for some reason reverse this order. So change!
Reboot the PC but it will not start.
Go to a system restore and pick a restore point that will work and does not fail.
Now restart the PC and will boot normally.
No restore and the above will not work!!!
Repeat until it boots up normally!
Works every time! So far!
He used Macrium Reflect v7
Lesson is not to test beta software on production machines.
If you have something for testing, no harm done.
Voodooshield still has a running beta lol
We just want to point out that RansomOff DOES NOT modify the MBR in any sort of way so we are a little unsure what that step means.
If there was a conflict or install issue with the MBR protection driver, it's as simple as booting to safe mode and removing the registry reference. But again, it's not changing anything with the MBR or boot order.
Wasn't on a production machine...but the system was still protected by Macrium...out of force of habit...LOL
Kind of curious now what else might be in the pipeline for this nice program as she nears clearing Beta.
Nothing is a do all catch all but sometimes a few do come pretty close to fielding enough confidence to earn some claim in leading.
Pesky MBR-MFT infiltrations unfortunately are still real for most systems in operation today which I suppose makes for a delicate balancing act when putting together a safe protection standard to help guard against them.
Once certain protection configurations have been carefully set (Folders/App Lockdown etc) it's been smooth sailing on this end.
Really light program all in all. I really didn't expect as much with the added protections/alerts/monitoring and such but so far so good.
Thanks easter for your performance analysis.
I hope to post up some graphs at some point while those other programs are also active, as well as the scale of the system AND RansomOff individually, under load of ransomware stress as it goes into its operations of terminate, capture and file rollbacks etc.
Less taxing of energy from your good computer is always a plus in any well thought out application.
I completely understand your concern when that particular element (resource hit/pull) is overlooked for whatever reason.
Hey EASTER. Good to hear no problems to report.
No other major features are planned but we are always expanding and improving the capabilities that do already exist. For example, the next release will have mitigations against things like Shell Locker so you don't have to restart Explorer. Also, we tweaked the full screen detection to do a better job against the lock screen that the WTF ransomware displays. We also are adding new evaluation criteria to better improve our heuristics and decrease the FP rate. Then obviously just making sure it runs smoothly without issues.
We were hoping to have an update already released but with @Baldrick's BSOD report and some possible Windows Update issues reported by @paulderdash, we are trying to identify where these things are occurring. So a few more days at least before the next update.
Indeed there does seem to be an interaction between RO and KB4020102, on my (secondary) machine anyway.
After uninstalling RO prior to running the Windows Update, all went swimmingly. I hope @HeiDef can find something.
I have RO uninstalled for now, but would like to continue using it if they can also introduce an export / import settings function, and a disable across reboot, as I have requested.
Won't, unfortunately, have time today to get around to retrying the install/BSOD generation again, but hope to be able to do so tomorrow night...after the day job...
Appreciate that getting detailed feedback is important re. this in terms of your plans, HeiDef, so apologies for the delay.
Thanks Baldrick. And no worries on the delay. Whatever you can get and when will be most helpful.
I saw your video that demonstrated how your ransomware simulator bypassed Emsisoft. Why do you think it failed? Do you suspect it doesn't watch for rapid file modification?
I am also curious since I believe EAM would have thrown an alert when the .exe started to run asking for the user to allow or deny.
Why would it do that? It would only alert if the AV detects it via signature/heuristics or if the BB detected suspicious behavior. And apparently it did neither.
Here's Emsisoft's reply to the video over at malwaretips.com: https://malwaretips.com/threads/new...in-emsisoft-products.72095/page-5#post-635999
It's a legit leak test .exe that is running. Hence, no alert. Oh my, on this test...
FYI - EAM's rep checking starts with cert. and hash checking prior to any cloud rep analysis to make a final determination on .exe status prior to any execution.
Well, this would mean that EIS is indeed not watching only for rapid file modification, they watch for multiple violations before blocking the malware. Personally I don't care if it's a leak-test or not, it should simply alert about it.
OK, so that's why you were surprised it didn't block the simulator from running. I wonder what happened.
EAM/EIS uses a behavior blocker. If you want an alert on everything use a HIPS. Set it to interactive mode and you will indeed get an alert on everything that attempts to run.
Would be more than happy to let you go over my PCs where the BSOD occurs, and you could upload anything that may help you?