RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi paulderdash

    Thanks for the reply. I am not sure that we do the restore in the same way as I initiate from within Windows, which then reboots automatically as part of the recovery process into the Macrium recovery environment. The initiation from within windows is done by opening Macrium, clicking on the restore tab, selecting the image to restore to & then clicking on the 'Restore image' option under the image selected. If you do not use this method then if you could try it when you next have RO installed the result would indicate if what I am experiencing is a generic issue with Macrium & RO or down to my system only.

    Regards, Baldrick
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Baldrik

    So is your image on your hard drive?

    I have never selected the Marcrium boot option when Windows 10 is booting up. I do my backups by opening Marcruim by icon on desktop, then backing up to a 256 gig USB 3 stick. I also have the stick setup to boot to that from the computer being turned off and restore my image that way. Works every time.
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    No boredog

    My repository of images is on an external hard drive. I restore an image either by start Macrium under Windows from the icon on the Desktop, and as I said before clicking on the restore tab, selecting the image to restore to from the list that relates to what is on the external hard drive & then clicking on the 'Restore image' option under the image selected. That then reboots into the Macrium boot feature and automactically runs the restore (that is the same option that you can get to also by taking the Macrium Recovery environment option at boot up and then manually selecting the image you want to restore...both ways work normally and I prefer the first one as I find it quicker.

    However, we are going off topic here and so I suggest that we take this conversation offline if we want to further explore Macrium, etc.

    Regards, Baldrick
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I agree but it is only off topic if it has nothing to do with Ransomoff.
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    True...I have to admit. However, having just tested something for HeiDef related to the issue I am experienceing and the results are looking promising.

    Regards, Baldrick
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    sfc did report 'no integrity violations'.

    I ran a chkdsk /r, then a dism checkhealth which reported the component store was 'repairable', so I ran a dism restorehealth which completed successfully. Subsequent sfc came up clean again. (Not sure why dism shows repairable after a clean sfc, have encountered this before).

    WD Security Center also reported some driver issues after this (one being a driver for my portable backup USB drive). This was not reported before the dism etc., but it could be related to my backup issues.

    Nevertheless, the good news is that my backups last night worked fine again, and the system seems more responsive. So maybe there was a component store problem, which could also possible account for the wierd dumps I sent you @HeiDef. Will need to confirm this over the next days.

    The only thing I still want to test is: whenever scheduled backups have worked (recently) VoodooShield has been disabled. When VS has been on autopilot, I have had issues. Though I think this has just been a coincidence.

    I will take a breather for a few days, then reinstall RO. What is the latest version? The last installer I have is v5.2017.198.4233 RC1.
     
    Last edited: Jul 27, 2017
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We haven't widely released the next build because we were really waiting to see if you got another BSOD without RO installed. But based on the dumps you sent, we did identify a possible interaction with another product on your system. Not definitive by any means and doesn't point to RO directly but it's a thread to pull so I'll send a PM with more details.

    Let's give it a few more days and then when you are ready we can send you the latest. If you don't experience a crash then we'll release it for all.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  10. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Their extension white listing is essentially like RO's deceive folder protections where only certain applications are allowed to see the files in the protected folders. They just do it on a system wide scale at the file level. From a management perspective, doing it at that level would require a lot of setup and constant tuning. Identifying all important extensions that need protected and then figuring out which applications need access to that extension at some point would be a difficult task.
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,874
    Software for home use should be kept organized with the KISS principle in mind, even with a cost of some protection.

    Overly complex software defeats its intended purpose.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks guys for posting your renewed results as to do with your issues and any others where found.

    For those who will be updating to Win 10 Fall Creator's Update before too very long, I suspect developers of all sorts will likely run into some new or unexpected matters again which will also have them (and us) scurrying to adapt.

    Still all in all, hats off to all windows security software developers who are keeping pace as best they can to address issues and work things out.

    Can't be easy forging compatibility to previous windows systems as well as also having to work to keep end users programs functioning as expected too but somehow they manage. :)
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :thumb:
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks for the feedback. To me it sounds like a very simple solution to tackle ransomware. Of course you should still block code injection/process hollowing, because if you don't, this method is easily bypassed. I guess it shouldn't be that hard to setup, you just assign apps to the most used file formats. But don't get me wrong, I also believe that file system monitoring is very important.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

    There is a simple way to tackle ransomware, but it's not the stuff you mentioned. For a clue study Powershell. What it is and what it isn't and how schockly much it can do. You will find the answer in how attacks work.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Not all ransomware uses Powershell, and I already have it blocked. But yes, I know you don't believe in tools like RansomOff and others, because they can't guarantee 100% protection. I have a different view.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just curious how you have Powershell blocked.
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We just released 5.2017.214.6672 (RC1). This release mainly includes compatibility and performance updates. Specifically, we tweaked the boot time routines for faster system loading and updated how RO protects removable devices which should provide better compatibility with some software.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good deal.

    Thanks HeiDef.
     
  20. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Can I use it with Sandboxie ?
     
  21. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    There is likely no issue with running them together (although we haven't tested with Sandboxie recently) but depending on how you use Sandboxie, additional protections may not even be necessary. So really depends on your use case.
     
  22. guest

    guest Guest

    what is the difference between file restore settings and file undelete settings? do they work together?
    If I uncheck "enable file backup and restore" does File undelete do something?

    What I don't like about the antiransomware tools in general is that they use more I/O hard disk than a conventional AV like Avast. 7.7 GB read of RansomOff vs 0,8 of Avast after an hour or so.
    The same happens with malwarebyte product.
    In RansomOff I have disabled backup and restore, folder protection (already covered by avast) and App lockdown.
     
    Last edited by a moderator: Aug 2, 2017
  23. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    When RansomOff cleans up after a confirmed attack, it will delete all the files associated with the ransomware. Undelete simply provides the ability to restore any files that were cleaned up. Really designed for researchers who want keep copies of the ransomware and as a safety backup in case something got deleted that maybe should not have.

    Not quite following your second point. Can you explain a little more what you mean by "7.7 GB read of RansomOff?" Where are you getting that number from? Are you noticing a slowdown or other issues because of the I/O?
     
  24. guest

    guest Guest

    From the task manager
    http://imgur.com/a/eaIzA

    I don't notice any slowdown but is hard to tell with a SSD, I just don't like the software that uses a lot of the HDD.
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks.

    Like most of the numbers in Task Manager, it's a bit mis-leading because it doesn't correlate directly to HDD activity. But if you start to notice slowdown (if you keep RO on that is), please let us know. RO doesn't scan files so other than database activity and file copies (which you said you disabled), there really shouldn't be a whole lot of actual HDD activity.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.