Ran it again, this time I allowed it to run. It created some garbage on my desktop, but it doesn't look like it is encrypting. The process is running though.
I'm the author of RansomOff so I just wanted to clear a few things up. Also I definitely appreciate the testing feedback good, bad or otherwise.
First as it has been shown, RansomOff is not designed to prevent MBR attacks. As it was pointed out, that's a different type of attack.
Second, this current version of RansomOff does not restore files; however, that feature will be in a future release. In our full-fledged endpoint security product, Correlate, file restoration is available.
Third, RansomOff will not clean your system of any files or artifacts dropped by a piece of ransomware. If you click 'Deny' when you get an alert, RansomOff will terminate the process but won't clean up. If the cleanup is an important feature, it can definitely be added.
Fourth, a lot of ransomware is very buggy and by the way RansomOff interacts with it, there may be cases where you will not receive an alert but the ransomware will just hang. In that hung state, the ransomware isn't able to encrypt files and will require you to kill it via task manager.
Either way, good feedback and valuable information I can add to our site to help clear up any confusion.
@Captain Awesome - The sample you linked to is a downloader from what I can tell, not actual ransomware. RansomOff isn't protecting against regular Trojans.
@WinXPert - What DLLs are you missing?
@Amelith - Can you provide some hashes of the sample you tested?
Thanks!
You can find all the samples I used in the MT vault (except one).
I can remember two of them exactly, but the Locky variant was in one of the malware packages and I really can't remember in which one.
The two I remember:
Best of luck with RansomOFF! Maybe one day ransomware will disappear because of the efforts of so many people
Well, I said it encrypted some of my files but not all in the case of Matrix, Locky and Star Trek. I'm sure they wouldn't skip encrypting the rest if they would not be stopped, and I had only RansomOFF running on that PC, so must have been RansomOFF, though I had no alerts (like the one I had after the restart).
Thanks!
And thanks for the reply. So the Star Trek sample is the same as the Kirk sample shown in our one video (Ransomware Rapid Fire). I also tested against the Matrix sample you reference and RansomOff stops it. But something that Matrix highlights though is that RansomOff, while it kills the offending process, doesn't terminate the whole process tree so it constantly tries to respawn. That'll definitely be added next release. I'm really most curious about the Virlock sample you said that RansomOff did nothing against. The samples I found at:
KernelMode.info • View topic - Win32/VirLock
were all stopped. Either way, RansomOff is currently Beta so there is room for improvement and will only get better thanks to feedback from people like you.
[Quote = "harborfront, post: 612.758, member: 55987"] Thanks for the reply. Do you think it would be enough to test the MBR aspect with a few ransomware samples and see whether it works, i.e. remove MBRFilter and SD temporarily? That would be useful.
BTW, does it come with a file restoration feature?
Thanks again [/ quote]
If you use VMware, you can determine the test; I use only SD for quick tests.
User convenience and preference more than anything. There are users that do not like being blocked from directories or registry keys so it's to allow that control if wanted.
So is disabling of self-protection meant for uninstalling of the software? If not, then for what reason(s) to disable it?
Thanks. Still working on trying to figure that one out. Seems to be a Windows 7 issue but I haven't been able to reproduce it yet on any of my test machines or VMs.
There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor.
Same error message even with EAM off.
Thanks @Evjl's Rain. We'll be rebuilding the MSIs later today with an updated RansomOff version so hopefully once rebuilt it'll fix the installation errors.
Hello @HeiDef
I still have the problem. I read the Microsoft support page but the solution didn't work.
I installed .NET 4.5.2 (4.5.51209...) + 4.6.1
Visual C++ 2008, 2012 and 2015
Windows 7 x86 SP1
The problem is, there is no error number so I cannot identify the exact error to search for.
My VM only has 3Gb of RAM, I don't want to install Windows 10 or test it in my host machine.