RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
It's a beta after all. The driver apparently doesn't work well with some systems.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
So glad you raise this. A number of programs I've been through over the past few seasons hit the skids because of adversely affecting performance, and I am one of those who is very touchy when it comes to the least notice of drag on my machines.

    So I have been testing performance too.

I've not noticed any such friction while testing RansomOff, to my total glee I have to say. In fact, if there has been any delay in anything, it's the Alert Window, which I assume is waiting for a signal to complete after detecting a malicious action. Same goes for the App Lockdown for me, but not so much that I even mentioned it until now. I just assume, while it's still in beta, that there are other users' more immediate issues to address, as well as the Lab fine tuning the interception and rollback mechanisms, before looking at speed tests for the alert boxes. LoL

This is on a Windows 10 machine running alongside, and get this, CFW 10 + ERP + AppGuard + Shadow Defender (On-Demand).

No interference either, but I do have to shut off the others to let RansomOff take on the foulware.

If there is any delay it might be on reboot, but even that isn't noticeable enough for me to mention as a concern. This little package has been a powerhouse of sorts if you ask me, without draining the battery in the process. I hope it stays that way once all the complaints are answered.
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hi @Baldrick

    Thought we got most of those buggers out. Did the BSOD happen before Windows loaded or after? Do you happen to have a memory dump you could share? Or at least, could you provide us with the Event Log entry relating to the BSOD. You can find it at Event Log -> Windows Logs -> System and then you can filter for 'Critical' log messages from the 'Kernel-Power' source. Once you find the message that relates to that crash, if you could please copy the details of the log entry, it will at least get us started to figure out what happened. Thanks.
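The steps above (Event Viewer -> Windows Logs -> System, filtered for Critical entries from the Kernel-Power source) can be done from an elevated PowerShell prompt instead, which is handy when the machine only comes up in Safe Mode. The script below is an added example written for this thread; it is not part of RansomOff or anything HeiDef posted. It pulls the Kernel-Power critical events (Event ID 41, the "rebooted without cleanly shutting down" record), the BugCheck 1001 entries that carry the stop code and dump path, lists any dump files that exist, and writes everything to a text file whose path is an assumption you can change.

```powershell
# Collect BSOD evidence from the System log for a crash report.
# Run from an elevated PowerShell prompt (Safe Mode is fine).
# Assumed output location; change to suit.
$OutFile = Join-Path $env:USERPROFILE 'Desktop\bsod-report.txt'

# Kernel-Power critical events. Level 1 = Critical. Event ID 41 is logged
# when Windows restarted without a clean shutdown (crash, power loss).
$kernelPower = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Level        = 1
} -MaxEvents 10 -ErrorAction SilentlyContinue

# BugCheck event 1001 records the stop code and where the dump was saved,
# which is the detail a developer needs to match the crash to their driver.
$bugChecks = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    Id           = 1001
} -MaxEvents 10 -ErrorAction SilentlyContinue

# Dump files, if the system was configured to write them.
$dumps = @(
    Get-ChildItem -Path "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue
    Get-Item -Path "$env:SystemRoot\MEMORY.DMP" -ErrorAction SilentlyContinue
) | Where-Object { $_ }

$report = @()
$report += "=== Kernel-Power critical events (Event ID 41) ==="
foreach ($e in $kernelPower) {
    $report += "[{0}] Id={1}" -f $e.TimeCreated, $e.Id
    $report += $e.Message
    $report += ''
}
$report += "=== BugCheck events (Event ID 1001) ==="
foreach ($e in $bugChecks) {
    $report += "[{0}] {1}" -f $e.TimeCreated, $e.Message
    $report += ''
}
$report += "=== Dump files present ==="
foreach ($d in $dumps) {
    $report += "{0}  {1:N0} bytes  {2}" -f $d.FullName, $d.Length, $d.LastWriteTime
}

$report | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Report written to $OutFile"
```

The report is plain text, so it can be pasted into a forum reply or attached to a bug report as-is. If the "Dump files present" section is empty, check Control Panel -> System -> Advanced -> Startup and Recovery: with "Write debugging information" set to "(none)" no dump is written, and only the event log entries will be available to share.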
     
  4. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
    Hi HeiDef

    Many thanks for the reply.

    The BSOD happened after I saw the Windows 10 logo & then I briefly got sight of the user logon screen wallpaper after which the :( presented itself with the details so far provided.

I am afraid that I was unable to log into Windows despite all I tried, and so rolled back my system to a previously taken incremental image. I will therefore see if I can try this again at some point, then log into Safe Mode and see if I can find either the dump or the Event Log entry.

    Not sure when I can do that but will try to sort it out shortly.

    Regards, Baldrick
     
    Last edited: May 30, 2017
  5. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    774
    Location:
    U.S. Citizen
Real quick, this is how I get the reboot back to normal from a BSOD!!
From the RO headache!

Windows 10 CD/DVD
Fix MBR
Reboot the PC, but it will not start.
Change the boot order; for some reason reverse this order. So change!
Reboot the PC, but it will not start.
Go to a system restore and pick a restore point that will work and does not fail.
Now restart the PC and it will boot normally.

No restore and the above will not work!!!
Repeat until it boots up normally!
Works every time! So far!
    ;)
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    He used Macrium Reflect v7
     
  7. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    Lesson is not to test beta software on production machines.

    If you have something for testing, no harm done.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Voodooshield still has a running beta lol
     
  9. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We just want to point out that RansomOff DOES NOT modify the MBR in any sort of way so we are a little unsure what that step means.

If there was a conflict or install issue with the MBR protection driver, it's as simple as booting to safe mode and removing the registry reference. But again, it's not changing anything with the MBR or boot order.
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
    Wasn't on a production machine...but the system was still protected by Macrium...out of force of habit...LOL
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
Kind of curious now what else might be in the pipeline for this nice program as she nears clearing Beta.

    Nothing is a do all catch all but sometimes a few do come pretty close to fielding enough confidence to earn some claim in leading.

    Pesky MBR-MFT infiltrations unfortunately are still real for most systems in operation today which I suppose makes for a delicate balancing act when putting together a safe protection standard to help guard against them.

    Once certain protection configurations have been carefully set (Folders/App Lockdown etc) it's been smooth sailing on this end.

    Really light program all in all. I really didn't expect as much with the added protections/alerts/monitoring and such but so far so good.
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    Thanks easter for your performance analysis.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
I hope to post up some graphs at some point while those other programs are also active, as well as for the system as a whole AND RansomOff individually, under load of ransomware stress as it goes into its operations of terminate, capture and file rollbacks etc.

    Less taxing of energy from your good computer is always a plus in any well thought out application.

    I completely understand your concern when that particular element (resource hit/pull) is overlooked for whatever reason.
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hey EASTER. Good to hear no problems to report.

    No other major features are planned but we are always expanding and improving the capabilities that do already exist. For example, the next release will have mitigations against things like Shell Locker so you don't have to restart Explorer. Also, we tweaked the full screen detection to do a better job against the lock screen that the WTF ransomware displays. We also are adding new evaluation criteria to better improve our heuristics and decrease the FP rate. Then obviously just making sure it runs smooth without issues.

    We were hoping to have an update already released but with @Baldrick's BSOD report and some possible Windows Update issues reported by @paulderdash, we are trying to identify where these things are occurring. So a few more days at least before the next update.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,436
    Location:
    Under a bushel ...
    Indeed there does seem to be an interaction between RO and KB4020102, on my (secondary) machine anyway.

    See: https://www.wilderssecurity.com/threads/bork-tuesday-any-problems-yet.370217/page-124#post-2679795

    After uninstalling RO prior to running the Windows Update, all went swimmingly. I hope @HeiDef can find something.

I have RO uninstalled for now, but would like to continue using it if they can also introduce an export / import settings function, and a disable across reboot, as I have requested.
     
  17. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,603
    Location:
    South Wales, UK
Won't, unfortunately, have time today to get around to retrying the install/BSOD generation again, but hope to be able to do so tomorrow night...after the day job...;)

    Appreciate that getting detailed feedback is important re. this in terms of your plans, HeiDef, so apologies for the delay.

    Regards, Baldrick
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks Baldrick. And no worries on the delay. Whatever you can get and when will be most helpful.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
I saw your video that demonstrated how your ransomware simulator bypassed Emsisoft. Why do you think it failed? Do you suspect it doesn't watch for rapid file modification?
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    I am also curious since I believe EAM would have thrown an alert when the .exe started to run asking for the user to allow or deny.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Why would it do that? It would only alert if the AV detects it via signature/heuristics or if the BB detected suspicious behavior. And apparently it did neither.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    Here's Emsisoft's reply to the video over at malwaretips.com: https://malwaretips.com/threads/new...in-emsisoft-products.72095/page-5#post-635999

    It's a legit leak test .exe that is running. Hence, no alert. Oh my, on this test ................

    FYI - EAM's rep checking starts with cert. and hash checking prior to any cloud rep analysis to make a final determination on .exe status prior to any execution.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Well, this would mean that EIS is indeed not watching only for rapid file modification, they watch for multiple violations before blocking the malware. Personally I don't care if it's a leak-test or not, it should simply alert about it.

OK, so that's why you were surprised it didn't block the simulator from running. I wonder what happened.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
EAM/EIS uses a behavior blocker. If you want an alert on everything, use a HIPS. Set it to interactive mode and you will indeed get an alert on everything that attempts to run.
     
    Last edited: Jun 1, 2017
  25. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    774
    Location:
    U.S. Citizen
    Salutations/Greetings!

Would be more than happy to let you go over my PCs where the BSOD occurs, and you could upload anything that may help you?

    Kind Regards,
     