App Review A RansomOff Quickie


HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94


Thanks again @cruelsister for identifying issues with RansomOff. We tried to re-create your test with the samples we could find based on the names in the video. Couldn't find a Pocrimcrypt sample and the RAA we found didn't seem to do anything other than open a Word doc but Revenge and CTBLocker helped to identify a few gaps in coverage that we now fixed.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
I think I may see the issue between our findings. When I started to make videos, I made a decision to stay with the predominant Windows OS (currently 7) AND use the lowest common denominator version of it, that being 32 bit.

And I will bet that you used 64 bit (the uninstall process in 32 bit gives away an issue). If you wish to check, forget about the malware and just run Seamonkey (and should the Honeypots remain in this version?).

M
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
This is really odd, then (I'm using build 7576). Once again, not even considering malware, when Seamonkey is opened it will be held by RansomOff for about 30 seconds before the alert popup comes up. On uninstall there is a message within the uninstall box "there were errors removing all RansomOff components". I tried this with both RansomOff on, and with RansomOff exited. By first exiting RansomOff, the uninstalling all goes fine; leaving RansomOff active and then going into the uninstall routine, upon reboot RansomOff is still active on the system.

If I have a chance this weekend I'll set up a new Win7 system and also try it on Win10. But for now, loft Party time...
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
The uninstall error message could be more descriptive. And there are two issues really.

First, if you try to uninstall with RansomOff running, the self protection features will prevent the uninstall program from removing the various files and registry entries associated with RansomOff. So it will throw that message.

If you uninstall with RansomOff closed, basically the drivers can't be removed from the stack until reboot. So the uninstall was technically successful in removing references to RansomOff even though the drivers will remain in memory until reboot. We'll work on making it more clear. Thanks for the tip.

After some more investigation it does look like SeaMonkey can still throw an alert. We'd be remiss to say that RansomOff will never cause a false positive. That's part of the reason we built in an exemption list. You make the point in your video about decreasing heuristics for "legitimate" software but the name of this whole game is trying to identify "legitimate" software vs malicious. What's really legit and what's not? If it was that easy then malware wouldn't be a problem. So we'll keep tweaking the detection heuristics to decrease any false positives but no algorithm will ever be perfect.
 
Last edited:
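The uninstall behaviour described in the post above (self-protection blocking file and registry removal while the product runs; kernel drivers staying loaded until reboot even after a successful uninstall) can be verified from the defender's side rather than inferred from the installer's message. The following PowerShell snippet is an added example, not part of the thread and not RansomOff's own code; the driver service name `RansomOffDrv` is a placeholder assumption, since the real driver names are not given in the thread.

```powershell
# Added example: check whether a vendor's kernel driver services are still
# registered or loaded after an uninstall, and whether a reboot is pending.
# Driver service names below are a placeholder assumption, not RansomOff's real names.
$driverNames = @('RansomOffDrv')

foreach ($name in $driverNames) {
    # Win32_SystemDriver reports registered kernel drivers and their run state.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($null -eq $drv) {
        Write-Output "$name : no driver service registered (uninstall removed it)"
        continue
    }
    # A driver that is 'Running' but whose binary is gone is the
    # "removed from disk, still in memory until reboot" case from the thread.
    $binaryPresent = if ($drv.PathName) { Test-Path -LiteralPath $drv.PathName } else { $false }
    Write-Output ("{0} : state={1} startMode={2} binaryOnDisk={3}" -f $name, $drv.State, $drv.StartMode, $binaryPresent)
}

# Windows queues file deletions it could not complete here; a non-empty value
# means the uninstall is only finished after the next reboot.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    Write-Output "Reboot pending: $($pending.Count) queued file operations"
} else {
    Write-Output "No pending file rename operations"
}
```

Run it from an elevated prompt before and after uninstalling: if a driver shows `state=Running` with `binaryOnDisk=False`, the files were removed but the driver will remain active until the machine restarts, which matches what the developer describes.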

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Just to clarify the issues, please check your PM. Hope you like Michael Doucet.
 
  • Like
Reactions: Der.Reisende