RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The good part with this is that the MBR protection kicked in when running some tests.
    I totally forgot that since it was a good long while since even using my Windows 10 machine, that it was installed to Legacy MBR-based partition table.

    HeiDef - With a GPT UEFI I assume that particular feature of RansomOff has no bearing of coming into play.

    Keep up the good work in the Lab with the improvements.
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Hey @EASTER.

    RansomOff's MBR protection protects the first 512 bytes of a disk which is where the MBR always resides whether you are using GPT or not. GPT disks still have a MBR-like structure for backwards compatibility purposes and while it's not a real MBR, the space is still reserved. It's important to have this byte area protected regardless because threats like Petya do not attempt to distinguish what type of boot record you are using. In fact, it will completely trash a GPT disk because it will overwrite important data areas that are not important with a MBR disk. So while GPT disks do provide more protection than MBR (and that's probably just a matter of time kind of thing), some threats do not bother to identify one way or the other and just assume MBR.

    What utility were you using that caused the alert to pop?
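
Added example, not part of HeiDef's post or RansomOff's code: a Python sketch that classifies the first 512 bytes of a disk as a classic MBR or a GPT protective MBR (partition type 0xEE) and fingerprints them, so a change to that area is detectable on either layout. The sample sectors are constructed and the function names are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid sector 0
GPT_PROTECTIVE = 0xEE         # partition type used by a GPT protective MBR


def parse_sector0(sector: bytes) -> dict:
    """Classify the first 512 bytes of a disk and fingerprint them."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, first LBA, sector count
        status, ptype, first_lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            entries.append({"type": ptype, "first_lba": first_lba,
                            "sectors": count})
    if sector[510:512] != BOOT_SIGNATURE:
        layout = "invalid"
    elif any(e["type"] == GPT_PROTECTIVE for e in entries):
        layout = "gpt-protective"
    elif entries:
        layout = "mbr"
    else:
        layout = "empty"
    return {"layout": layout, "entries": entries,
            "sha256": hashlib.sha256(sector).hexdigest()}


def sector0_changed(baseline: dict, sector: bytes) -> bool:
    """True if sector 0 no longer matches the recorded baseline hash."""
    return parse_sector0(sector)["sha256"] != baseline["sha256"]


def make_sample(ptype: int, first_lba: int, count: int) -> bytes:
    """Constructed sample: zeroed boot code plus one partition entry."""
    entry = struct.pack("<B3xB3xII", 0x00, ptype, first_lba, count)
    return bytes(TABLE_OFFSET) + entry + bytes(48) + BOOT_SIGNATURE
```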
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Exactly what I've been reading up on today.

    You must have been reading my mind after the post.

    Brushing up on that particular potential critical issue raised my awareness which is openly published in some articles that point out to that very thing which is some of those don't bother with ID but scratch code to that area which in turn still can disrupt a GPT.

    Thanks for the timely reply and insight and by the way how is the next release coming along for you guys?

    As you might guess many of us are anxiously if not cautiously looking forward to those ever increasing improvements.
     
  4. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Next release is coming along well. Hopefully by the end of this week it'll be ready. There are two big additions which is why this one is taking a bit longer; cloud integration to share threat intel and a Secure Folders like capability to add additional protections to particularly sensitive locations.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    The solution was to remove the certificate that RO had added.

    The certificate was added to make sure our drivers, which are signed by certificates issued by DigiCert, can be installed properly without any confirmation popups or validation errors. This is necessary on systems that may not have all or the latest CA certificates installed. Part of the issue is that it was installed in the Intermediate CA folder but it is actually a Root CA certificate. While it appears that doesn't matter for validating signed drivers, it causes issues with SSL validation.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    Just coincidentally, for info, turning from off to on Secure Folders protection on my external USB drive just triggered a ransomware warning :). I have allowed / whitelisted it.
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    What Secure Folder program are you using @paulderdash? The one by SubiSoft or the one by Promosoft or possibly another?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    OT question: Is there anything wrong with SecureFolders's Promosoft driver?
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    FWIW Have onboard Secure Folders 1.0.0.9 here which uses MiniFilter srvtcp.sys
     
    Last edited: May 10, 2017
  10. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks @EASTER. There are a few programs called Secure Folders with different ones doing different things so just curious which one he was running that got the alert.

    Has RO given you an alert from SF?
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    HeiDef- I did a manual uninstall of RansomOff because I fear there was a clash of titans.

    As it stands and if can be of any help, Appguard + CFW 10 are also in place. I don't concern over Comodo as much but feel like Appguard's MBR filter might have bumped up with RansomOff's OR the Cerber I threw at the system might have fudged something causing RansomOff to hang up on me when trying to uninstall normally.

    It wasn't until booting into Safe Mode and pulling out the driver that upon bootup I got this BSOD INACCESSIBLE_BOOT_DEVICE

    Waiting on the next release to install fresh again.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What MBR filter in Appguard are you talking about? I don't believe there is one.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I thought it guards the MBR too? No?

    I don't know if it even has a filter or the way it works, if it does cover MBR but RansomOff most certainly does because I had to drill my way down to remove it on safe mode.

    After that on reboot is when the INACCESSIBLE_BOOT_DEVICE screen greeted. I suppose a quick MBR Repair would have cleared it up but I restored a good image to return it back at square one all fresh and tidy again.
     
  14. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    496
    Location:
    Bulgaria
    You probably mean MBRFilter (but this is a third-party tool) and not related to Appguard.

    https://malwaretips.com/threads/anyone-using-mbrfilter.67925/

    When uninstalled incorrectly you will get INACCESSIBLE_BOOT_DEVICE.

    Only the MBRFilter value should be removed from the following key => HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}/UpperFilters and not the PartMgr or the whole key or the system will be rendered unbootable.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well that explains what I experienced right to a T.

    Thanks for the generous clarifying on that one.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    @HeiDef I am using the (discontinued) Promosoft Secure Folders on that machine.
     
  17. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    496
    Location:
    Bulgaria
    You're welcome. :)
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    If you also delete the driver file but leave the registry value intact that @doesntmatter mentioned, you'll also get the INACCESSIBLE_BOOT_DEVICE error. That's true with any upper disk filter and not just RansomOff's MBR driver. That's why manually uninstalling by just deleting files can cause problems.
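
Added example, not from the thread and not MBRFilter's or RansomOff's code: a Python sketch of the two checks described in the posts above, working on the `hex(7):` payload of an exported UpperFilters value. It removes exactly one filter name while refusing to touch PartMgr, and flags any filter still listed whose driver is missing; the sample payload is constructed and `drivers_present` (service names whose driver file exists) is an assumed input.

```python
PROTECTED = {"partmgr"}  # must stay in UpperFilters, per the post above


def decode_multi_sz(hex7: str) -> list:
    """Decode a .reg export 'hex(7):' payload (UTF-16LE, NUL-separated)."""
    cleaned = "".join(ch for ch in hex7 if ch not in " \\\r\n\t")
    data = bytes(int(b, 16) for b in cleaned.split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(values: list) -> str:
    """Encode names back to a 'hex(7):' payload with the double-NUL end."""
    data = ("\x00".join(values) + "\x00\x00").encode("utf-16-le")
    return ",".join(f"{b:02x}" for b in data)


def orphaned_filters(filters: list, drivers_present: set) -> list:
    """Filters still listed whose driver file is gone (unbootable state)."""
    have = {d.lower() for d in drivers_present}
    return [f for f in filters if f.lower() not in have]


def remove_filter(filters: list, name: str) -> list:
    """Drop exactly one filter name; never PartMgr, never the whole value."""
    if name.lower() in PROTECTED:
        raise ValueError(f"{name} must not be removed from UpperFilters")
    kept = [f for f in filters if f.lower() != name.lower()]
    if len(kept) == len(filters):
        raise ValueError(f"{name} is not listed in UpperFilters")
    return kept


# Constructed sample: UpperFilters holding PartMgr and MBRFilter, with the
# backslash line continuation that .reg exports use for long values.
SAMPLE_HEX7 = (
    "50,00,61,00,72,00,74,00,4d,00,67,00,72,00,00,00,4d,00,42,00,\\\n"
    "  52,00,46,00,69,00,6c,00,74,00,65,00,72,00,00,00,00,00"
)
```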
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    So my little quick fix was incomplete and the system had something to fuss about.

    Got it. Thanks
     
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    NEVER manually delete files.

    Always use the provided uninstaller and make sure you have backups in case something goes wrong.
     
  21. mWave

    mWave Guest

    Does RansomOff rely on a driver or user-mode API hooking to prevent modification to the physical drive (PhysicalDrive0)?
     
  22. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    RansomOff uses an upper filter disk driver for MBR protection.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    New release update yet?

    We're anxious to see what new improvements you guys have been busy working on in that Lab.
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We will probably release it later tonight or early tomorrow. We are holding off on the cloud integration for a bit so the big change in this release will be the Secure Folders like capability. We'll be sure to post a note once we release it.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You guys excel at responding to our Q's and taking necessary steps seriously to better this program every release and so my sincere thanks on behalf of everyone.
     