Hi Dave Hope that you are keeping well? Just to advise that I have been running the latest RO RC1 and so far no issues, especially the one I reprted re. the Macrium Rrstore process. So from my perspective...looking good. Regards, Baldrick
I will install this shortly, just wanted to get past Win 10 August cumulative update KB4032188 first. You had identified a possible cause of a BSOD as being a potential conflict with Eldos cbproc driver, maybe used by SparkCognition DeepArmor beta. Will inititially leave DA installed and see if any BSOD recurs.
I have found some incompatibilities with PotPlayer https://potplayer.daum.net/ After opening and cloud 2 or 3 mkv files ransomoff starts to eat the 80% of the CPU and I can no longer open more videos. Closing RansomOff and killing the process fix the issue. @HeiDef
do you know a way to measure it correctly? Process hacker shows a completely different data, than task manager and process explorer
Thanks. We'll take a look to see what's going on. What's your OS/architecture? As for your question about "correct" measurements of IO activity, there really is no one correct value. It depends on how and where the measurement is taken which is why there are different values in different programs.
Hey @guest We weren't able to recreate any CPU issues with RansomOff and PotPlayer. When you had the CPU spike, it sounds like you killed RansomOff before it finished doing whatever it may have been doing. Could you try again and see if the CPU usage eventually goes down? Does it only spike when you start to play multiple files or does a single file cause a spike? And we are assuming that once the files stop playing, the CPU spike goes down? Also, just curious if you exempted Avast?
I will try again in a few days, right now I don't have that computer with me. Regarding Avast, yes it was excluded during the installation.
I block it with EXE Radar and if that is bypassed, Sandboxie will sandbox it. BTW, what is your take on this, is it anything new? https://www.wilderssecurity.com/thr...of-ransomware-infections.395720/#post-2695313
While we obviously haven't tested it, from everything written it doesn't appear to be anything special. It's an application that builds models of file system behavior and then creates copies of files when they are modified. The fact that they call it a file system is probably a bit misleading because it's not replacing NTFS or FAT. With anything that needs "training," it is really only as good as the training data fed into it. They only trained on a subset of ransomware families (and training on a different variant of the same family probably doesn't provide much value as the only differences between variants are likely small changes for obfuscation purposes but the underlying crypto operations are the same). So it's going to fail in the face of something novel or there will be a lot of false positives depending on the sensitivity it's set at. That's true not only for this but any machine learning application that bases its decisions on what it has previously seen. Also, its backup and restore (self-healing) feature is something that RansomOff and other apps already do. If it does get turned into an actual product it will be interesting to see how it performs in the real world on the diverse set of systems found outside of the lab.
OK, thanks for the feedback. But would about their data-set, they said they were willing to share this, would this be of any help to improve RO?
We wouldn't need to get their data set. We could easily collect our own metrics and develop similar models but RO is already very effective with its current methods of detection. We use a combination of techniques to include a little bit of modeling. But to implement at that level would be a lot of effort for likely little to no significant increase in protection.
Based on their paper, their solution has about a 0.977 detection rate against some very common ransomware families. Nothing is going to be 100% against everything all the time but it does seem low. It's still good research and advances the field in malware modeling but it's not going to be the solution that ends ransomware.
No of course it's not bulletproof. But I just wondered if it was anything new, since they got so much press coverage. But I already had a feeling that it's basically the same concept as other anti-ransom tools, so nothing groundbreaking.
I was testing it with RanSim There is no way to block the ransomwares silently? Thank you very much. Greetings.
Thanks. Not currently with the home version. Because false positives do happen every now and again, we want to make sure the user is fully aware of what's going on. The worst thing is for an inexperienced user to have an app not run but not understand why it's happening. The commercial version of RansomOff, which is geared towards businesses, allows for alerts to be silent on the endpoint because it integrates with a RansomOff server. This allows the IT staff to handle the alert for the user. In terms of capabilities, the home and commercial versions are the exact same except for the server support with the commercial version. Besides alert handling, the server allows for full remote control and management of the RansomOff clients. We haven't widely released the commercial version or server yet but hope to soon.
The modeling Ransom0ff employs does seem to have made a pretty strong aggressive step forward working in coordination/tandem with the basics in what little time since first coming on the scene here at Wilders. Gratitude for taking on a whole myriad of individual issues too during it's beta run up to release and making corrections for both better compatibility as well as injecting additional protections etc. I been at this malware battling thing since AdAware and we all know how far back that goes and so nothing to me is been more surprisingly welcome and effective as it's nailing process and especially rolling back attempted changes that ransomware deploys on different many types of files. Also have noticed a huge reduction in ransomware attacks recently likely in part because plenty of vendors have gone super proactive which is also how Ransom0ff is cleverly designed to handle IMO. I have never turned loose such an array in my own testings of this Ransom0ff and come away with such a respect for the manner in which softwares can be tuned to take this stuff on and defeat it!
