RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks Georgi.

    The next update in the chute actually fixes the password issues. We've expanded its use and made sure it's a topmost window so it doesn't get stuck behind other windows.

    For the admin issue, is your system language Bulgarian? If it is, it may be a localization issue where the name check for 'Admin' doesn't work properly because it's returning the Bulgarian word for 'Admin.' Just to check if RO is identifying the session properly, can you go to the Heilig Defense folder in C:\ProgramData and open the agent log file named 'roagent(<session id>).log.' It will say whether it thinks the user session is an admin. If it's TRUE, then there's a bug with the checks; otherwise it's a problem with the session identification.

    Not entirely sure about the crash. Can you check your Application event logs in Event Viewer (Windows Logs -> Application) and find the log entry for that crash. There should actually be two entries. One will be from .NET Framework and the other will be labeled Application Error. They may provide some clues as to what happened.

    And thanks for highlighting the video. I saw their channel earlier but didn't know they tested RO.
     
    Last edited: Sep 5, 2018
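    The two diagnostics asked for in the post above, as an added PowerShell example (not Heilig Defense's code and not from the thread): a locale-independent admin-session test that compares the token against the well-known Administrators SID instead of a group or account name (the name comparison is exactly what breaks on a localized Windows), a grep of the agent log the post points at, and a query for the paired '.NET Runtime' / 'Application Error' events (the post calls the first one the .NET Framework entry). The log path follows the post; the 'roagent' process name used to filter events, the 'Heilig Defense' install naming, and the exact wording of the log's admin line are assumptions.

```powershell
# Added example for the troubleshooting steps in the post above; not RansomOff's
# own code. Run from the same user session that shows the problem.

# 1. Locale-independent admin check. A name comparison against 'Admin' breaks on
#    a localized Windows; the SID S-1-5-32-544 (BUILTIN\Administrators) does not.
function Test-SessionIsAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    [pscustomobject]@{
        User                = $identity.Name
        TokenIsElevated     = $principal.IsInRole($adminSid)   # true only for the elevated (UAC-approved) token
        MemberOfAdminsGroup = [bool]($identity.Groups | Where-Object { $_ -eq $adminSid })  # true even when UAC-filtered
        LocalizedGroupName  = $adminSid.Translate([System.Security.Principal.NTAccount]).Value  # what a name check would see
    }
}

# 2. What does the agent log itself say? The post puts it under ProgramData; the
#    exact admin line format is not documented here (assumption), so show matching lines.
function Get-RoAgentAdminLines {
    $logs = Get-ChildItem "$env:ProgramData\Heilig Defense\roagent(*).log" -ErrorAction SilentlyContinue
    foreach ($log in $logs) {
        Select-String -Path $log.FullName -Pattern 'admin' |
            Select-Object Filename, LineNumber, Line
    }
}

# 3. The two Application-log entries a .NET process crash leaves behind:
#    source '.NET Runtime' (event 1026) and source 'Application Error' (event 1000).
function Get-RoCrashEvents {
    param([int]$Days = 7, [string]$Pattern = 'RansomOff|Heilig|roagent')   # process/vendor names assumed
    $filter = @{
        LogName      = 'Application'
        ProviderName = @('.NET Runtime', 'Application Error')
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Summary'; e = { (($_.Message -split "\r?\n") | Select-Object -First 4) -join ' | ' } }
}

Test-SessionIsAdmin
Get-RoAgentAdminLines
Get-RoCrashEvents | Format-List
```

    If TokenIsElevated is false but MemberOfAdminsGroup is true, the process is running under a UAC-filtered token, which is a third outcome a plain "is admin" flag in the log cannot distinguish.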
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    No other file references in C:\Program Files? Can you PM me the whole installer output? I'd like to see what the last operation was before it started to rollback.
     
  3. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    249
    Location:
    Bulgaria
    Hi HD,

    Good to know that the Master Password issue is fixed in the next build. :)

    My system is set to English.

    Here are the logs as requested:

    roagent(1).log

    EventViewer Errors.txt

    I can export the entire Application hive if necessary but it contains some sensitive information so for now I exported only the errors related to RO.

    I'm hoping the logs will shed some light on what is going wrong.

    My system is fully patched with the latest Windows Updates including the latest one for the .Net Framework =>

    https://support.microsoft.com/en-us...e-quality-rollups-for-net-framework-3-5-4-5-2

    However to be able to install them I had to use wufuc since MS disabled the updates for Windows 8.1 with Coffee-Lake CPU =>

    https://github.com/zeffy/wufuc

    I don't really need RO at the moment because I have Comodo Firewall (sandbox, HIPS, cloud, etc.) and Kaspersky Free Antivirus 2019 (the latest version includes SystemWatcher, KSN and the rollback mechanism in case of ransomware - the same things included in Kaspersky Anti-Ransomware for Business 3.0), but I wanted to give it a try. To be honest, I even had to uninstall it for the time being since it caused my system to stop responding. I left the PC turned on for the night (all worked fine when I went to sleep) and when I woke up I found that none of the applications were responding and I was even unable to restart the system normally (and my system is set to automatically close non-responsive programs during restart). That has never happened before. I had to use the reset button and I decided to uninstall it for now. Maybe there is a conflict between RO and Comodo/Kaspersky. I included the folders created by the security applications in the RO settings but forgot to include them in the Comodo/Kaspersky settings, so that may be the reason for the strange behavior (but I didn't find any clues in the logs that such an incompatibility issue exists, and I didn't receive any warning messages from Kaspersky/Comodo related to RO while I used it).

    When I have more time I will definitely test it again.

    Regards,
    Georgi
     
  4. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    603
    Location:
    U.S. Citizen
    Greeting/Salutations!

    I was wondering if all of the drivers are now signed within the RansomOff client?
    I am about to install RansomOff again.

    The reason I am asking is that with early versions of RansomOff I could get
    Windows 10 Home to boot up/start. It would not load the drivers to
    start and/or boot for me, even to uninstall RansomOff.
    Maybe it had something to do with my second question below, and/or a
    combination of things: the drivers not being signed and other security software.

    Secondly, are there any conflicts with any other security software? For example, Sandboxie,
    UnHackMe, VoodooShield, etc.,
    that may keep my computer from booting up and/or starting?

    And my final question: when will the next version of the RansomOff client be available this fall?

    BEST Regards

    Moose
     
    Last edited: Sep 9, 2018
  5. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hi @Moose World

    All the files and drivers are properly signed so there won't be any issue with Windows. For your second question, security software can always conflict but that can be mitigated by using whitelisting for all programs. With RO, you can tell it to explicitly ignore your other security software during installation. As for the next version, we should have it ready for release shortly.
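    A way to check the signing claim yourself, as an added PowerShell example (not the vendor's code and not from the thread). It walks an assumed install directory plus the system drivers folder and reports the Authenticode status and signer of every executable, DLL and kernel driver whose name matches an assumed vendor pattern; both the directory and the pattern are guesses to adjust after a look at the Heilig Defense folder on the machine.

```powershell
# Added example; not part of RansomOff. Verifies that every PE file belonging to
# the product carries a valid Authenticode signature, flagging drivers separately
# because an unsigned or badly signed .sys is what would stop Windows from loading it.
function Test-InstallSignatures {
    param(
        [string[]]$Paths = @(
            "$env:ProgramFiles\Heilig Defense",     # assumed install directory
            "$env:SystemRoot\System32\drivers"      # where installed .sys files normally end up
        ),
        [string]$NamePattern = 'Heilig|RansomOff|^ro'   # assumed vendor/file naming
    )

    $files = Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match 'Heilig' -or $_.Name -match $NamePattern }

    $results = foreach ($f in $files) {
        # Get-AuthenticodeSignature reports the primary signature only; a driver that is
        # dual-signed (vendor plus Microsoft attestation/WHQL) may show the vendor here.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            File     = $f.FullName
            IsDriver = ($f.Extension -ieq '.sys')
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

    $notValid = @($results | Where-Object Status -ne 'Valid')
    if ($notValid.Count -gt 0) {
        Write-Warning ("{0} of {1} file(s) are not validly signed" -f $notValid.Count, @($results).Count)
    }
    $results
}

Test-InstallSignatures | Sort-Object IsDriver, Status | Format-Table -AutoSize
```

    HashMismatch on a file that was Valid at install time is worth a second look on its own, since it means the binary on disk no longer matches what the vendor signed.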
     
  6. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    603
    Location:
    U.S. Citizen
    Greetings/Salutations,


    * Works well with other security software. ;)

    I removed AppCheck and Kaspersky Anti-Ransomware Tool :(
    from my computers because of concerns with their security. :doubt:

    RO did well in the Computer Solutions test. :thumb:
    https://www.youtube.com/watch?v=1eHqkG86ayU


    Details on how to use the following correctly, and/or examples:

    * Advanced Mode with Heilig Defense RansomOff?
    * Exemptions
    * Blocked Items
    * App Lock-down
    * Backup

    On the next Heilig Defense RansomOff release/version:
    can you install over the existing RO? Or do you need
    to uninstall and then reinstall RO?

    Thoughts on what backup software to use with RO
    to back up the computer, just in case it will not
    boot up/start?

    Moose World
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,242
    Location:
    Under a bushel ...
    Moose, my two cents worth ...
    Have you seen?: https://www.ransomoff.com/docs.php
    You can install over the top. I disable self-protection first. (If you uninstall, export your settings first, and reimport). But there is also an auto update setting.
    Macrium Reflect Free? :)

    But I guess you are directing your questions at the dev (Dave) ... he is very responsive and helpful.
     
    Last edited: Sep 15, 2018
  8. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    603
    Location:
    U.S. Citizen
    @paulderdash

    Appreciate your two cents worth!!!;) And individuals, who would like to add details.
    My concern is this bypass by Kyrox ransomware. I'm wondering if RO will stop and/or
    detect Kyrox ransomware?

    https://www.youtube.com/watch?v=ml4ntlCR8-8
    Developed by RoxasDev for testing bypasses.
    On YouTube: RoxasDev

    Moose
     
    Last edited by a moderator: Sep 15, 2018
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,780
    Location:
    U.S.A. (South)
    :thumb:

    Not just RO, but it's basic smart practice to keep at least a couple of images at the ready, and yes, especially when integrating a tightly wound mechanism like RO for testing too. Wish I could find just a pinhole of extra time to grab the newest ransomwares to throw at it again, but based on what I've seen with my naked eye in all those tests before (with the worst of the worst), RO snatched them up and stopped them cold in their tracks. I still CANNOT stress this fascination of mine enough: even when some ransomware snacked on certain file extensions at a breakneck pace, I've been totally amazed at RO's rapid reversal process in returning them completely back to their original state again, and quickly, as in lightning swift. Never have I seen this before in all my many years.

    Some will say "oh, it's too late once it gets on your system" and forces scrambled encrypted modifications to files, but with this program I highly beg to differ. Didn't have to turn to an image because I wasn't in the least scared after it had already done its mischief (looked awful - turned them loose on purpose) :eek: RO stopped, reversed, and swept up the leftovers like the best vacuum ever made. I repeated tests over and over and over again until there was no more decent (rotten) ransomware left that was of any real risk.

    And I will be frank. This application/program could cost plenty because it is NOW very comprehensive with the additional features added and integrated to strengthen its capability. Yes, some people have seen issues, maybe even some decreased performance, but those are likely like my low-end machines that only have a limited amount of memory to support the octane this RO delivers in doing what it does best IMHO. :)
     
  10. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hey @Moose World

    To reiterate @paulderdash and @EASTER, having some backup, like Macrium, is just smart business regardless of the protections you have.

    I'll be the first to admit the docs are not the most comprehensive but they definitely should be the first place to look because they do mention a few idiosyncrasies of RO and will help you understand how some of the protections work. And like Paul said, you can install new versions over top or just let it auto update itself.

    Not sure about Kyrox because I don't have a sample (or even a hash to search for), but if it behaves like other ransomware then RO *should* be able to stop it. I'll reach out to the authors (although I don't speak French) and maybe they will pass their sample.
     
  11. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    249
    Location:
    Bulgaria
    Last edited by a moderator: Sep 17, 2018
  12. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    249
    Location:
    Bulgaria
    The new version is out: 5.2018.260.2977 - 18 Sep 2018

     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,780
    Location:
    U.S.A. (South)
    Thank You
     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Beat me to it!

    I also updated the documentation a little bit. New images and some new info on a few recent changes.

    We were able to get a sample of Kyrox and RO did stop the encryption before it began. One issue it highlighted though is that the alert window can get stuck behind other windows which in this case meant the Kyrox message blocked RO's alert which made it difficult to perform clean up actions. It was a simple fix though which the newest version has.

    Enjoy!
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,242
    Location:
    Under a bushel ...
    Dave - I am still on (IIRC, a special) build 5.2018.237.3085.

    Under Options > General I have 'Auto update RansomOff' ticked.
    Will it auto-update in time? Or should I update manually?
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,780
    Location:
    U.S.A. (South)
    As far along as RO has come, those newbies are simply playing with matches.

    Nice effort to add that squirrel to the list that CAN be stopped cold in its tracks and blown away.
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We should have the update packages uploaded later today so it will eventually auto-update.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,242
    Location:
    Under a bushel ...
    I saw the flashing down arrow in the taskbar icon last night, but wasn't too sure if it was OK to restart, or if the download was still in progress ...

    But I saw it was the same this morning, restarted and it's updated fine. Thanks.
     
  19. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    521
    Location:
    Terre Haute, IN
    I hate to display my ignorance but I am confused. I installed RansomOff on my Windows 10 Laptop but other than seeing it as an installed program when I access Revo Uninstaller Pro, and in the Heilig Defense, LLC directory I see no evidence of it anywhere on my computer. I was expecting to be able to access the program as I would an anti-virus program. As is I have no idea regarding updates or anything else. Is this normal or do I need to do something to see the program. As always I would appreciate all replies and would thank you in advance.
     
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Can you post a screenshot of your system tray, including hidden icons by clicking on an arrow? It should be there....
     
  21. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hi @jpcummins

    If it installed properly, you'll see the icon in the system tray like @siketa mentioned. RO is not like a regular a/v. Due to the way the protections are implemented and the tight integration between the driver, service and user interface, RO is not meant to be opened and closed, which is one reason why you don't see any icons on your desktop or start menu. It loads during boot and while you can close it at any point, you'd have to restart it manually via sc.exe (or the Services control panel). However, closing and restarting destroys the state information RO needs to be effective, so your protection would be severely reduced.

    Also I would HIGHLY recommend you do not uninstall it using a third party uninstaller. I'm not entirely sure how Revo works, but other uninstallers do not have all the information and if it's done wrong by just deleting files (particularly the MBR protection filter), it could make your system unstable.
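    An inventory of what RO registers on the box, as an added PowerShell example (not the vendor's tooling and not from the thread), for the two situations in the post above: restarting the service with sc.exe, and seeing what a file-level uninstall would leave dangling. It lists Win32 services, kernel-driver services, file-system minifilters (from fltmc) and disk-class filter registrations whose names match an assumed vendor pattern. The name pattern is a guess, and which of these registrations the MBR protection filter actually uses is not stated on the page; the boot-failure mechanics described in the comments are general Windows behaviour, not something the post documents.

```powershell
# Added example, not Heilig Defense's code. Shows every registration a product like
# RO can leave behind, which is why deleting its files by hand (rather than running
# the real uninstaller) is risky: a driver that is still registered but whose .sys is
# gone fails to load at boot, and a disk-class filter entry pointing at a missing
# driver keeps the storage stack from building at all. Run elevated (fltmc needs it).
function Get-RoComponents {
    param([string]$Pattern = 'Heilig|RansomOff|roagent')   # assumed service/driver naming

    # Win32 services and kernel-driver services (the latter is where a .sys is registered)
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; State = $_.State; Start = $_.StartMode; Detail = $_.PathName } }
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; State = $_.State; Start = $_.StartMode; Detail = $_.PathName } }

    # File-system minifilters: each 'fltmc filters' row is name, instance count, altitude, frame
    $minifilters = fltmc.exe filters 2>$null | ForEach-Object {
        $cols = ($_.Trim() -split '\s+')
        if ($cols.Count -ge 3 -and $cols[0] -match $Pattern) {
            [pscustomobject]@{ Kind = 'Minifilter'; Name = $cols[0]; State = 'loaded'; Start = ''; Detail = "altitude $($cols[2])" }
        }
    }

    # Disk-class upper/lower filters: drivers named here sit in the storage stack under
    # every disk, so a stale entry is one of the ways a machine becomes unbootable.
    $diskClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'
    $classFilters = foreach ($v in 'UpperFilters', 'LowerFilters') {
        $names = (Get-ItemProperty -Path $diskClass -Name $v -ErrorAction SilentlyContinue).$v
        foreach ($n in @($names)) {
            if ($n -and $n -match $Pattern) {
                [pscustomobject]@{ Kind = "Disk $v"; Name = $n; State = ''; Start = ''; Detail = $diskClass }
            }
        }
    }

    @($services) + @($drivers) + @($minifilters) + @($classFilters)
}

# Restart the user-facing service the way the post describes (sc.exe). Per the post,
# a restart discards the state RO built up since boot, so protection is reduced.
function Restart-RoService {
    param([Parameter(Mandatory = $true)][string]$Name)   # use a Name reported by Get-RoComponents
    sc.exe query $Name
    sc.exe start $Name
}

Get-RoComponents | Format-Table -AutoSize
```

    Compare this list against what a third-party uninstaller proposes to delete: any Driver, Minifilter or Disk-filter row whose binary would be removed while its registration stays is the case the post warns about.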
     
  22. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    521
    Location:
    Terre Haute, IN
    Thank you both, siketa and HeiDef, I found the RO icon in the hidden icons and my system is being protected. I have no intention to uninstall RO but it is good to know that if I ever do to not use a third-party uninstaller. Again, thank you both very much.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,780
    Location:
    U.S.A. (South)
    If you ever get the time and are curious, and just happen to have another system to play with where you would like to watch how effective RO really is: when you unleash any sample ransomware on it, that's when you can really appreciate the thought and effort that's gone into its development and how very STRONG it is.

    It's not an AV, so use a test PC with no AV, put your choice of ANY ransomware on the desktop, and when you trip it to run, RO goes into action lickety-split and like a Doberman pinscher with teeth doesn't let up until it chews up all the junk processes/dropped files/encrypted files etc., and it is amazing watching it do a reversal routine. THAT'S what still blows me away.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,242
    Location:
    Under a bushel ...
    Dave, may be worth adding this to the documentation (if it isn't already)?
     
  25. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Good call. I updated a few other items as well to clarify some things. Also found a few bugs with Folder Protection which were probably introduced a few releases ago when we added some additional features so we'll be releasing an update shortly.
     