No. RansomOff is not a scanner of any sort. It monitors process behavior only after the application has already executed.
Greetings from the Edge Browser (Win 10), ugh. @HeiDef - Just finished installing a 1 Terabyte Spindle HD and going to set this up for a run. My question is: in what order, if any, is a good scenario for RansomOff after a clean image install, or does that even matter? With this lineup: Nvt-ERP + CFW 10 [sandbox + firewall only] + Shadow Defender [On-Demand Only], I would assume RansomOff "first install" to get a clean put on for that MBR protector and exclude those others within the settings for a good fit. Running this with Legacy Boot right now and want that covered. PS: I will be posting from my Win 8.1 later.
It should work just fine with it. To be extra safe though, do a mutually inclusive exemption between RansomOff and Malwarebytes so neither conflicts with the other.
Hey @EASTER It would probably make most sense to install RansomOff last. That way during the installation process you can exempt the other security software right off the bat. The MBR protection shouldn't cause any issues with the listed solutions as none have MBR protection so the ordering there should not matter.
No problem. Doing a burn-in right now with MBR infectors at SD. Going to want to uninstall afterwards and put this beauty to the metal next. I must say, HeiDef, you guys are really putting a serious effort into this and we really appreciate your own timely interactions to our concerns. To the group - Anyone been strictly hitting at the MBR protection of RansomOff yet with your respective collections? That is, if you're specifically testing it to that protection. On this end just as well get the rough stuff over first LoL
Next time, if there happens to be a new release with an improvement element which might demand a fresh install, you can be sure I will take the straight uninstall route. What happened was I ran into an unrelated something/conflict last week where I couldn't get it to uninstall and that's why I manually made the attempt without consulting first. Clear on that now. Does employing (2) upper filters for the same MBR security protection carry some potential for any conflict? An uninformed might think one should be well enough but this is an answer better suited coming from a Developer. Thanks Again, Regards EASTER
It really shouldn't cause any issues. Windows is designed to stack drivers one on top of the other so if you have two upper disk MBR filters loaded, the one loaded on top will get the notification first and perform whatever action it does. If the top filter blocks the MBR write, the filter below it wouldn't be any the wiser. So in theory, there should not be any issues with multiple upper disk MBR filters in place. It comes down to what else that driver may do that can cause issues but not the fact that there are one or more upper disk filters. Hope that makes sense.
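To see which upper disk filters are actually stacked on a machine, the following PowerShell sketch lists them in registry order. It is an added example, not code from the thread or from HeiDef; it assumes PowerShell 3.0 or later and reads driver names from the system rather than assuming any product's driver name.

```powershell
# Added example: enumerate upper filter drivers on the disk stack.
# Class-wide filters live under the DiskDrive setup class key; per-device
# filters live under each disk's Enum key.
$classGuid = '{4d36e967-e325-11ce-bfc1-08002be10318}'   # DiskDrive setup class
$classKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$classGuid"

function Get-FilterDriverInfo {
    param([string[]]$Names, [string]$Scope)
    $position = 0
    foreach ($name in $Names) {
        $position++
        # Each filter name should match a driver service entry.
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" `
                   -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope       = $Scope
            AttachOrder = $position          # 1 = attached first (lowest)
            Driver      = $name
            Registered  = [bool]$svc         # False = dangling filter entry
            State       = if ($drv) { $drv.State } else { 'n/a' }
            ImagePath   = if ($svc) { $svc.ImagePath } else { $null }
        }
    }
}

$results = @()

# Class-wide upper filters (REG_MULTI_SZ, listed in attach order).
$classFilters = (Get-ItemProperty -Path $classKey -Name UpperFilters `
                    -ErrorAction SilentlyContinue).UpperFilters
if ($classFilters) {
    $results += Get-FilterDriverInfo -Names $classFilters -Scope 'DiskDrive class'
}

# Per-device upper filters, one Enum key per physical disk.
foreach ($disk in Get-CimInstance Win32_DiskDrive) {
    $enumKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($disk.PNPDeviceID)"
    $devFilters = (Get-ItemProperty -Path $enumKey -Name UpperFilters `
                      -ErrorAction SilentlyContinue).UpperFilters
    if ($devFilters) {
        $results += Get-FilterDriverInfo -Names $devFilters -Scope $disk.PNPDeviceID
    }
}

$results | Format-Table -AutoSize
```

Within one list, the entry with the highest AttachOrder sits on top of the others and sees a request first. A row with Registered = False points at a filter name left behind by an incomplete uninstall, which can stop the disk stack from loading.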
To follow back up on this, we have been playing with RO and KIS and there still seems to be some negative interactions at least in our one Win10 x64 VM. What we have been seeing is that components of both products are not loading properly at start up but we haven't been able to pinpoint the exact cause yet. We were planning on releasing a new update today but will probably push it back a little bit to see if we can figure out what the problem is.
Thank you very much, @HeiDef. I'm sure you'll soon figure out what the problem is. Again, thanks a lot for all you do here at Wilders.
HD- I just took RansomOff for a very quick run and noticed this: 1) The installation process has been streamlined and should no longer present any issues for anyone. 2) AutoStart alerts now for ransomware that attempts such? That was a pleasant surprise, especially as the process was also blocked! 3) The cleaning up of the residual trash after a ransomware run is very effective and efficient. In short, you guys done good.
Thanks for the nice words, @cruelsister. Hopefully we can get some of these last few bugs worked out and drop the beta.
Can't get it working, after re-boot half of my programs load then stuck. Installed the 64bit version Win 7. Won't let me browse to C:\Program Files (x86) to let me exclude security programs, only C:\Program Files. Also I have vrtadmin/MBRFilter installed.
Salutations/Greetings! Latest Beta? https://www.ransomoff.com/ Going to reinstall! Zemana Antimalware is the software that I have added to my setup. Post: # 108 https://www.wilderssecurity.com/threads/ransomoff-4.393013/page-5 Any additional concerns from Post: # 103 or thoughts? https://malwaretips.com/threads/hei...dvanced-anti-ransomware-solution.69977/page-6 Moose
Sorry for the delay. In prepping this rig I ran into a minor device driver issue but that's another story and solved. 1 Petya, 3 Cerbers and a WannaCry all run within the same session WITH NO OTHER SECURITY APP + WD OFF/Disabled and my results? Impressive! Especially formidable is the process elimination as well as the reversal technique which is quite innovative as @cruelsister so delightfully expressed. There were a few notices in a couple of alert logs of Error deleting (appeared a duplicate of a previous delete). When traced and drilled down to the path (of Error) there was nothing there to look at. No key/value to find so it was indeed deleted. The same with a couple of leftover .tmp files. I will want to repeat this same procedure and make a slower effort to review that closer. This was a first brief run though and please add to the fact that I DID NOT add ANY security Software to exemptions but then I didn't run but only RansomOff alone! Active windows were Process Monitor + File Change Alarm which closely monitors C:\ and System Folders for any different file drops or changes/deletes/creates etc. via live scrolling logging of any of those movements. There is on occasion a Toast pop up indicating a window is blocking and to minimize or unblock? I assume that has to do with another active window taking Focus? You guys have really ramped up this puppy a notch without a doubt. And I haven't even got around to adding any folders/etc. part yet. Will ask questions later.
Hey @Circuit Sorry to hear you are having issues. Can we ask what other security software you are running? The symptoms you mention are similar to what we see with KIS right now. Even if you aren't running KIS, many security solutions use the same techniques so it might be related. MBRFilter is on our list of things to test against. Just haven't gotten to it yet but we'll try to soonest to see if that's causing issues.
Hi @Moose World We'll be releasing another update shortly so you may want to wait a bit until it's released. We obviously don't want you to have a repeat of your last experience and hopefully the soon-to-be release will fix the compatibility issues you experienced before. We haven't tested against Zemana yet but will do some quick tests to see how that interacts and post if we find any problems.
+1 The cleanup error messages could be more descriptive. Due to some quirkiness of the Windows file system, RansomOff attempts to delete all files created by the ransomware even if the ransomware may have deleted it. This is just to make sure the file was actually deleted. When you see the "error deleting file" more times than not it means the file was actually deleted previously. We'll mod the message a bit. The toast popup for window blocking is designed to stop a malicious full screen window from preventing you access to your desktop or other programs. It can be a bit FP prone so that's why it's not checked by default.
Totally Awesome. Thanks HeiDef for the explanation. I get the idea now. Enabled prevents knocking out the desktop and/or if enable FULL SCREEN mode something might go for taskbar instead but a simple Explorer Restart returns it in a flash.
Greetings @HeiDef A new release, let me know when? (rough time frame) Additionally, Zemana Anti-Malware running with real-time protection ON! Also, would like to know your finding of MBRFilter? Post: # 220.
Pardon for bringing this back up to the forefront again but I felt that this extra feature/protection is a vitally important enough FACT to again remind others who might come into this thread late and/or jump to only the most recent replies. Thank You @cruelsister for making a point of this early on. Something that even I skipped past about the MFT part. Been burned only once (that was enough) by such a variant before but it was a huge wake-up call and ever since have always looked for such additions to some security product that might seal them both off like RansomOff!