HeiDef

From HeiDef
Verified
Developer

Thanks again @cruelsister for identifying issues with RansomOff. We tried to re-create your test with the samples we could find based on the names in the video. We couldn't find a Pocrimcrypt sample, and the RAA we found didn't seem to do anything other than open a Word doc, but Revenge and CTBLocker helped identify a few gaps in coverage that we have now fixed.
 

cruelsister

Level 37
Verified
Trusted
Content Creator
I think I may see the issue between our findings. When I started to make videos, I made a decision to stay with the predominant Windows OS (currently 7) AND use the lowest common denominator version of it, that being 32-bit.

And I will bet that you used 64-bit (the uninstall process in 32-bit gives away an issue). If you wish to check, forget about the malware and just run Seamonkey (and should the Honeypots remain in this version?).

M
 

cruelsister

Level 37
Verified
Trusted
Content Creator
This is really odd, then (I'm using build 7576). Once again, not even considering malware, when Seamonkey is opened it will be held by RansomOff for about 30 seconds before the alert popup comes up. On uninstall there is a message within the uninstall box: "there were errors removing all RansomOff components". I tried this both with RansomOff on and with RansomOff exited. By first exiting RansomOff, the uninstall all goes fine; leaving RansomOff active and then going into the uninstall routine, upon reboot RansomOff is still active on the system.

If I have a chance this weekend I'll set up a new Windows 7 system and also try it on Windows 10. But for now, loft Party time...
 

HeiDef

From HeiDef
Verified
Developer
The uninstall error message could be more descriptive. And there are really two issues.

First, if you try to uninstall with RansomOff running, the self-protection features will prevent the uninstall program from removing the various files and registry entries associated with RansomOff. So it will throw that message.

If you uninstall with RansomOff closed, basically the drivers can't be removed from the stack until reboot. So the uninstall was technically successful in removing references to RansomOff, even though the drivers will remain in memory until reboot. We'll work on making that clearer. Thanks for the tip.

After some more investigation it does look like SeaMonkey can still throw an alert. We'd be remiss to say that RansomOff will never cause a false positive. That's part of the reason we built in an exemption list. You make the point in your video about decreasing heuristics for "legitimate" software but the name of this whole game is trying to identify "legitimate" software vs malicious. What's really legit and what's not? If it was that easy then malware wouldn't be a problem. So we'll keep tweaking the detection heuristics to decrease any false positives but no algorithm will ever be perfect.
 
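The state HeiDef describes (uninstall succeeded in removing references, but the driver stays in memory until reboot) can be confirmed from the machine rather than from the uninstaller's message box. The script below is an added example, not RansomOff's code and not an official check from HeiDef: it reports, for each driver name you give it, whether the service key is still present, what the service control manager thinks its state is, whether it still shows up as a loaded minifilter, and whether Windows has its files queued for deletion at next boot. The driver names in the `param` block are placeholders (an assumption); take the real ones from `HKLM\SYSTEM\CurrentControlSet\Services` after installing the product.

```powershell
# Added example (not RansomOff's own code): report whether a kernel driver is
# still loaded after uninstall and whether its files are queued for deletion at
# the next reboot. Run from an elevated prompt: fltmc.exe needs admin rights.
# The default driver names are placeholders (assumption); replace them with the
# service names the product registers under HKLM\SYSTEM\CurrentControlSet\Services.
param(
    [string[]]$DriverNames = @('ExampleFilter', 'ExampleBoot')
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sessionMgr  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# Minifilters currently attached to the filter manager: first column of
# "fltmc filters", ignoring the header and separator lines.
$loadedFilters = @()
try {
    $loadedFilters = fltmc.exe filters 2>$null |
        Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-)' } |
        ForEach-Object { ($_.Trim() -split '\s+')[0] }
} catch {
    # fltmc fails without elevation; the FilterLoaded column is then unreliable.
}

# PendingFileRenameOperations is a REG_MULTI_SZ of (source, target) pairs;
# an empty target means "delete source at next boot". This is how an
# uninstaller defers removal of a .sys file that is still in use.
$pendingDelete = @()
$pfro = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pfro) {
    for ($i = 0; $i -lt $pfro.Count; $i += 2) {
        if (-not $pfro[$i + 1]) { $pendingDelete += $pfro[$i] }
    }
}

foreach ($name in $DriverNames) {
    # Service control manager view of the driver object, if it still exists.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" `
               -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Driver        = $name
        RegistryEntry = Test-Path (Join-Path $servicesKey $name)
        ScmState      = if ($drv) { $drv.State } else { 'not registered' }
        FilterLoaded  = ($loadedFilters -contains $name)
        PendingDelete = (@($pendingDelete | Where-Object { $_ -like "*$name*" })).Count -gt 0
    }
}
```

Read the output as follows: `RegistryEntry = False` with `ScmState = Running` or `FilterLoaded = True` is the "uninstalled but still in memory until reboot" case from the post above, and `PendingDelete = True` shows the .sys file is scheduled to go at next boot. If instead `RegistryEntry` is still `True` after the uninstaller finished, the uninstall did not complete, which matches the error message seen when RansomOff's self-protection was still active.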

cruelsister

Level 37
Verified
Trusted
Content Creator
Just to clarify the issues, please check your PM. Hope you like Michael Doucet.
 