RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When does it do an auto update
     
  3. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    First you have to have auto-update enabled. It will still check for updates if disabled but just won't do the actual update, just notify. Otherwise it does a check on start and then will periodically check every hour or so.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I'v'e looked. Where do you enable auto update. Haven't found it yet.

    Never mind, found it. Could have bitten me. It's on
     
  5. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    634
    Location:
    USA--Colorado
    I just started following this thread. I admit that I have not gone back through 42 pages of posts. But, I have a couple questions: 1) is this software primarily for business or personal/home use? I guess I haven't heard too often of personal or the average home user getting hit with ransomware? 2) do you really need this software if all of your browsing is done within Sandboxie? 3) I do use Outlook 365 for my email which is not Sandboxed. (I've never been able to figure out how to get Outlook 365 to work sandboxed.) I assume that this software could be very helpful in this case?
    Thank you.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    Someone else, indeed Dave himself, could give you a much more comprehensive answer but ...
    1) It is free (so far), so I would guess primarily home use? 2) My primary requirement is for the folder protection it offers; I use it to protect external USB backup folders from anything but legit apps (Macrium, Bvckup 2, etc). In this regard, it offers the functionalitity of Secure Folders (but better i.e. folder / app combination), more like Excubits' Pumpernickel (FIDES) with a GUI. But it has an impressive array of other functions (besides Ransomware protection obviously, also App lockdown (anti-exe), HIPS-Lite, both of which can be turned Off/On and customised) - well worth checking out (after taking an image of course, :)). Recommended.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would also add my recommendation. I've wanted to use it for while, but my machine wasn't happy with it. Now with few minor changes I've made plus a major one Dave made it's on my machine and it's happy.
     
  8. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RO was derived from a different product of ours that's meant for business. While RO has some enterprise features, like the server compatibility, it really is meant for home use. Ransomware is a terrible thing so we wanted to get something out to help stop it.

    I've known folks that have been hit with ransomware on personal systems. But everyone's mileage will vary. Obviously habits play a big part in your risk. Browsers themselves all utilize sandbox technology but there have been sandbox escapes. And browser sandboxes don't do anything if you download malicious software accidentally or on purpose (remember when CCleaner was compromised?). Adding an additional sandbox layer like Sandboxie doesn't hurt but again may not always stop everything, inadvertent or otherwise.

    Like Paul mentioned, RO has a number of other features that can add to your defense in depth. The more layers the better but it comes down to what you're comfortable with. RO provides a lot of flexibility to get to the right balance and could be configured to provide protection to 365.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I have never used Ransomoff, but it looks appealing. I think that Memory Sentry Combined with Ransomoff would make a great product.

    I read that Ransomoff has some memory protection in it to protect against fileless malware. I assume that is a mitigation feature taken from Memory Sentry. Is Memory Sentry close to having an alpha release, or has that already occurred?

    From what I have read Ransomoff is something I would be interested in testing soon. I espcially like it's use of HIPS since i'm a big fan of HIPS when it is done correctly. I'm a little busy with school right now, but maybe soon I can do some beta testing if needed.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,727
    Location:
    U.S.A. (South)
    Best of luck. It's a, how should I say it, @Cutting_Edgetech ransomware + multi-defensive program that blows 'em out of the water IMHO.
    Been absent testing many of these recents BUT downloaded the latest release yesterday and that puppy is going onto one of my Windows 10 units since I want to try to at least like Win 10 a little. On Windows 8.1 this program R0-knock the socks out of so many ransomwares samples I laid on it bare bones. Heck, the additional features is icing on the cake like the Lite HIPS + Anti-Exe etc.

    Think you will be just as impressed and definitely even without testing, your good machine will be solidly sealed from ransomwares of any sort for certain. This thing is dangerous to ransomwares :D
     
  11. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    744
    Location:
    U.S. Citizen
    Salutations/Greetings!!!

    Feedback on RO:

    Happen from time to time.

    When I start the computer up after, it been sitting over night.
    Something RO will not load/start. Icon will disappear! Below is what
    come up the desktop/screen.

    Could not load necessary the shared resources(0x2),
    RansomOff agend cannot continue


    I check all updates on security software. ect...
    Then when,I restart the computer the second time after it been sitting
    for awhile about 5 minutes. RO will load/start.

    Also, under View Alerts in RO, here what it said,

    HIPS Lite Notifications
    Windows Start Up Change (Registry) alert recorded at 2018 Sep 3014:49:5
    22


    Windows 10 Home Edition
    Memory install 8.00 GB
    64 Bits OS

    Install Security Software on PC's

    * Cyclance
    * Heilig Defense RansomOff
    * Sandboxie
    * UnHackMe
    * Voodoo Shield
    * Windows Defender

    Any suggestions on how to correct this to keep it from happening?
    In the future?

    Under Advance Mode:

    For now, I am going to turning off HIPS Lite! When, I am not
    using the PC's. But when, I am would using the computer, I
    will turn it back ON!

    There maybe a very little problem with Sandboxie with HIPS Lite.
    Ummm! Not sure!



    Kind regards,
     
    Last edited: Sep 30, 2018
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    I also had similar, with and without that message, on more than one version, but never isolated the problem with the dev.

    However, I have never had it since unchecking 'Enable self-protection' in Options. You can try that?

    Though I also have Sandboxie, so you may be onto something there. :cautious:
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I thought I would give Ransomoff a try tonight. Upon rebooting to complete Ransomoff installation my machine began to freeze. I ignored it because it did not freeze for long at first, but my machine was noticeably running much slower than before (applications were taking a long time to launch). After browsing online for about 5 minutes my browser froze, and stopped responding. My browser never recovered. It was just stuck frozen on the screen. I tried accessing Ransomoff tray icon settings, and it informed me that it was connecting to the service (this went on for about 6-8 seconds before connecting). I'm not sure if this is expected behavior, or something is causing the service to crash. I never checked to see if it was actually running or not. I have attached a screen shot of the prompt informing that it was connecting to the service. Is this expected behavior? Shortly after that Windows stopped responding, and after waiting for about 15 minutes it was not showing any sign of recovering so I did a hard shut down.

    I rebooted a couple of times, and tried doing simple task like surfing the web, and each time Windows began freezing, and each time it took 2-3 minutes before Windows began responding again. Applications that were already open before the freeze began stopped responding as well (browsers, pdf reader, and flashcard app). At least I did not have to do a hard shut down again, but I did not use Ransomoff long after that because i'm swamped with school work.

    I'm using Windows 10 x64 Pro version 1709. I think the problem was due to an application conflict with either Eset, AppGuard, or Malwarebytes Anti-Exploit. I believe it was most likely AppGuard, or maybe MBAE. I did not have any time for testing, but I though I would report my experience. I will have to try it without AppGuard, and MBAE next time to see what happens.
     

    Attached Files:

  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    FWIW I do have RO installed (without issues so far) alongside AppGuard Solo v6.1.1.370 beta, but AppGuard is 'Off' at the moment and not customised, as I haven't had time to start customising and testing yet.
     
  15. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    744
    Location:
    U.S. Citizen
    Greetings/Salutations!:geek:

    @paulderdash appreciate the feedback! I will give it a shot!
    @Cutting_Edgetech " rebooted a couple of times, and tried doing simple task like surfing the web, and each time Windows began freezing, and each time it took 2-3 minutes before Windows began responding again. Applications that were already open before the freeze began stopped responding as well (browsers)

    I only have been experiences this with various BROWSERS. For example, Brave and Mozilla FirefoxThis only happen if you go to use RO before letting it set there for a few minutes.
    Key is to let your PC sit for a few minutes then start using your PC.
    Currently, using Puffin Browser for window and it seem to be working very well.

    Keep the feedback coming everyone.;)

    Again, thanks!:)

    @HeiDef, I will my eyes on Event Viewer! Like and Eagle!!!
     
    Last edited: Oct 1, 2018
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    There is nothing in RO based on Memory Sentry. And we don't have a plan to release Memory Sentry for consumer use at this time.

    For your other issues, the first reboot after installation is always the longest but in your case, it does seem as if something went wrong. It would not be surprising if there is a conflict with some other security app. If their driver or service loads before RO and they block operations that RO needs then it would easily cause problems. It sounds like the service wasn't able to load properly which made things stuck (hence the freezes). When you have some time for more testing, I'd be curious to know if the service actually was still running when you experienced the freezes. If you could also check your Event Viewer for any signs of crashes that'd be helpful as well.
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Like Paul said, he's been experiencing that same icon disappear issue and we haven't been able to identify the cause yet. It's something we are still working on but is difficult because we can't replicate on our test systems. We test with a few other security apps but nothing to the degree that some users use to lock their systems down. So, a conflict with other app (where RO is not able to perform an action it needs) is the likely cause but we haven't been able to figure out specifically what that is.

    You can toggle individual HIPS settings on or off. The start-up change message most of the time is just informational. RO evaluates the change and it will either notify if it thinks it should or just note that a change occurred.
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    That might be a good piece of software to start testing against a little deeper. Maybe you can send me a message with how you have it configured so we can replicate your environment to some degree.
     
  19. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    During boot up, RO has to evaluate each process to make sure nothing funny is going on. Based on system speed and the number of processes that load, and the fact that RO itself also has to load and compete for resources during boot, it can take some time to fully complete. That's why you'll have apps that appear to not load right away or freeze because RO has essentially suspended them while the behavior is analyzed. We use a number of heuristics to make this go quicker but a lot of things can throw it off because RO doesn't want to let something slip through the cracks. We are constantly tweaking and looking for efficiencies but given the way that RO evaluates programs, there are somethings we just can't loosen without sacrificing its effectiveness.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    Dave - on that machine Sandboxie IIRC has no special configurations, all standard settings, only set to Program Start>Force firefox.exe.

    But here is my Sandboxie.ini config. anyway ...
    Code:
    [GlobalSettings]
    
    Template=WindowsRasMan
    Template=HitmanProAlert
    Template=WindowsLive
    Template=a2AntiMalware
    Template=OfficeLicensing
    Template=OfficeClickToRun
    Template=RoboForm
    ActivationPrompt=n
    ForceDisableSeconds=30
    
    [DefaultBox]
    
    ConfigLevel=7
    AutoRecover=y
    BlockNetworkFiles=y
    Template=Firefox_Bookmarks_DirectAccess
    Template=Firefox_Force
    Template=qWave
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl
    Enabled=y
    AutoDelete=y
    NeverDelete=n
    
    [UserSettings_087A01B3]
    
    SbieCtrl_UserName=paul
    SbieCtrl_NextUpdateCheck=1538570617
    SbieCtrl_UpdateCheckNotify=n
    SbieCtrl_ShowWelcome=n
    SbieCtrl_AutoApplySettings=n
    SbieCtrl_WindowCoords=1,1,798,564
    SbieCtrl_ActiveView=40021
    SbieCtrl_BoxExpandedView=,
    SbieCtrl_ProcessViewColumnWidths=250,70,300
    
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I haven't seen any issues between Appguard,SBIE and RO. I have noticed sometime going in and out of ShadowDefender RO seems to loose it settings. Will monitor.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,727
    Location:
    U.S.A. (South)
    Ransomware in particular is extremely-instantly aggressive in order to (just like some past file infector viruses) power it's way inside and unleash a torrential cascade of encrypting etc. R0 in my experience does an excellent preemptive suspension sweep to ensure integrity that files/processes loaded are not jumping onto channels or unloading into other files (ransomware behavior) issues to skirt around basic security programs they no doubt scouted ahead of time and have a fairly good idea how to circumvent-bypass those etc.

    I not seen issues on this end but I will agree R0 adds something of a reasonable short delay on first start, if some call it that, while it clears that preliminary level and sets up normal monitoring as all other drivers-services-processes are acceptably safe.

    There have been posts where users expressed concerns that their machine experienced some problem after first install. So did mine, but just like some other softwares, after continuous use (unless a real conflict is taken place between apps) I notice R0 settles in nicely and previous hiccups or whatever smooth out.

    It's a beast this R0, and rightfully so, and well formed to take on and block with a vengeance what's become the most notorious of PC intrusions ever seen in modern times. Some machines just might not be able to handle over layering with multiple security programs and therein conflicts will be enevitable IMO.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Dave I have a question. i have auto update on, but it hasn't updated. Probably because it was block at initial install. I have downloaded the new version so should I install over the top, or uninstall and then install?

    Thanks,

    Pete
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    You can install over top. Just shutdown RO first.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Dave
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.