RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    New Release (Release Candidate):
    RansomOff v5.2017.190.9480 (RC1) (9 Jul 2017)
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    The first startup is generally the slowest. That's because it's building databases and collecting information. Did you try rebooting a second time to see if it improves?
     
  3. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I restarted my computer but it didn't help. I guess I just need a faster processor.
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RansomOff by itself is very lightweight from a resource perspective. The slowdown occurs because of how it is interacting with other software especially during startup. Because ransomware can load at boot, RO has to perform a number of checks to make sure loaded processes are not malicious. If you have lots of other software loading at boot then that will obviously cause some slowdown because RO is verifying each process. Things becomes quicker during normal operations because RO doesn't have a deluge of new processes all loading at once. Try to exempt things that run at startup and especially make sure to exempt your other security programs, if you didn't do it during installation.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,781
    Location:
    U.S.A. (South)
    Wow. Quite the list if I might say so. Lots of super useful features and well, will take some time for this member to wrap his head around it all.

    Wasn't expecting to be a mechanic today either but that task fell my way by chance and cannot bear to see a damsel in distress. :)

    What a terrific effort and program HeiDef. Thanks as always for your continued attention to users issues especially.

    It's really epic and welcome to find a developer like this hanging in there throughout whatever crops up and goes out their way to remedy what can be fixed for them.
     
  6. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I exempted everything that run at startup but my wifi network icon still freezes with a blue circle. I can't use my internet until the icon stops freezing. This takes forever to unfreeze. When I uninstall ransomoff the icon works fine and I can use my internet. So I don't know how to fix this. Any ideas?
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Can you quantify "forever" please? Also, once it does become unfrozen is system performance still degraded or does it go back to normal. Just curious if this is strictly a bootup problem for you or a total system issue.
     
  8. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    It takes 3 minutes to load the network icon and then everything works fine. Is 3 minutes to load the network icon normal or should it load quicker?
     
  9. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Well if it didn't take 3 minutes before RansomOff then it's not normal. But the network icon is probably a red herring because that's just a UI element for some background service. Could you send us a PM with your start up config? You can run something like Sysinternals Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) to get a list and export. It will help us figure out what might be going on with your system and develop a solution to fix it.
     
  10. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    The file is too big to upload.
     
  11. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    90
    Location:
    The Netherlands
    Creation for a Macrium boot Menu option with Ransomwareoff active fails. Macrium abends with errors during this process.
    I also tried it for Minitools Shadowmaker and although the programs created a boot menu option, I was not able to boot into their restore environment. Minitool did not report any problem during the addition of the boot menu option while Macrium abended during the addition of the boot menu option.
    To be able to successfully create a boot menu option for (at least) both products, RansomwareOff needs to be exited completely. Only then a boot menu option could be created and you can boot in the selected restore environment.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi cloggy

    True of anything that protects the mbr. HMPA will do the same. Have to turn it off.

    Pete
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    Hadn't thought of that. Thanks for the heads up.
     
  14. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    90
    Location:
    The Netherlands
    Thanks....but Minitool was able to create the boot menu option, Macrium got stuck somewhere in the middle of the process to create a bootable rescue media...so was not even touching the MBR.
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    And obviously no alerts from RansomOff?

    Could you try it again but this time add the removable drive to the Folder Protections under the 'Deceive' tab? And then exempt either Macrium or Minitools (you'll have to make sure you exempt not just the UI but any associated services as well). If that works without any issues then we have an idea of the root cause.
     
  16. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    90
    Location:
    The Netherlands
    Hi, no Alerfts from RansomOff

    With the USB drive (g:) added to the Decieve tab, it runs fine

    upload_2017-7-12_17-9-52.png

    As soon as I remove it and try to Rebuild the Rescue Environment, it abends again with the following information:

    ImageX Tool for Windows
    Copyright (C) Microsoft Corp. All rights reserved.
    Version: 10.0.10011.16384

    Mounting: [c:\boot\macrium\WA10KFiles\media\sources\boot.wim, 1] -> [c:\boot\macrium\WA10KFiles\mount]...
    [ 0% ] Mounting progress


    Error mounting image.


    The user attempted to mount to a directory that is not empty. This is not
    supported.


    Unmounting the Wim - 12-Jul-17 17:08
    ====================================


    ImageX Tool for Windows
    Copyright (C) Microsoft Corp. All rights reserved.
    Version: 10.0.10011.16384

    Committing: [c:\boot\macrium\WA10KFiles\mount]...

    Unmount Error: Did not find an image mounted to [c:\boot\macrium\WA10KFiles\mount].


    Hope this helps....
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks @cloggy49. Very helpful.
     
  18. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,273
    Location:
    UK
    I have already tried that but no joy.
    thanks anyhow.

    Tried the RC1 and still the same problem (just in case.)
     
    Last edited: Jul 15, 2017
  19. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,273
    Location:
    UK
    Why do i get windows explorer coming up as blocking other windows PID 1888 window notification?

    I would of thought that was excluded automatically?
    I did try to exclude it nevertheless but i couldnt find it in the "C:\Windows\system32\" directory.
     
  20. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,273
    Location:
    UK
    What about RanSim Test?
    Is it too dangerous to run for us hobbyists?
     
  21. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    does ransomoff use bait files?
     
  22. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RanSim is designed test ransomware defenses and doesn't encrypt actual data. So it is a good way to test RansomOff's effectiveness. While it is a legitimate product you should always take precautions, such as running in a VM or using something like Shadow Defender, if you are not fully confident.

    As for the top most window detection notification against Explorer, there could be a variety of reasons so it's hard to say exactly why without understanding more about your system. The top most detection is also a bit sensitive which is why it is not checked by default.
     
  23. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RansomOff uses a variety of detection methods with bait files being one of them.
     
  24. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    @HeiDef,I think you should change the name of RansomOff to MalwareOff,since it's not just an anti-ransom software anymore.
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks for the suggestion. RO's core detection methods are really focused on identifying ransomware behaviors (encrypting data). While it does have some mitigations and protections against common malware techniques it's not designed to detect the wide range of things that could be considered malware. So while MalwareOff is a good name, it would give users the wrong idea of the level of protection it's really designed for.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.