JB007

Level 16
Verified

Moonhorse

Level 26
Verified
Content Creator
Hello @upnorth
Is it possible and useful to run HDRO together another AV, ESET for exemple ?
Always possible yes, but not worthy when you have such good antivirus already

It has simple mode, but i would call it advanced since the hips will spam you alot and probably someone whos looking for real simple setup its very confusing

If you are advanced user, youre interested about whats happening on your system and you have time to play with such beast sw as ransomOFF is, go ahead

I dont think its buggy, its just too agressive. You have to create alot rules and have deep insight on options
Also i dont think its memory hog, because it will settle down after some time
And the MBR protection will delay startup time a bit but its not huge deal


Its overkill protection, and doing very well, but theres many more user friendly alternatives to go with
 

upnorth

Level 31
Verified
Trusted
Content Creator
Hello @upnorth
Is it possible and useful to run HDRO together another AV, ESET for exemple ?
Good question and from my personal test on a machine with F-Secure there was zero negative impact but please be aware, that's not conclusive as for example I have no idea how Ransomoff would work along with ESET or any other AV. I consider Ransomoff as an extra security layer but I do recommend read about it here first : RansomOff Documentation and if issues would occur try contact the author @HeiDef with a PM or there support : Heilig Defense

Simple mode or Advance mode can be selected when installing the software but also after and for beginners it's of course recommended to use Simple mode. There's a lot of good information also here : [Heilig Defense] RansomOff - The World's Most Advanced Anti-Ransomware Solution
 

JB007

Level 16
Verified
This software is very buggy and has potential conflicts with other software when I used to use this.

~LDogg
Always possible yes, but not worthy when you have such good antivirus already

It has simple mode, but i would call it advanced since the hips will spam you alot and probably someone whos looking for real simple setup its very confusing

If you are advanced user, youre interested about whats happening on your system and you have time to play with such beast sw as ransomOFF is, go ahead

I dont think its buggy, its just too agressive. You have to create alot rules and have deep insight on options
Also i dont think its memory hog, because it will settle down after some time
And the MBR protection will delay startup time a bit but its not huge deal


Its overkill protection, and doing very well, but theres many more user friendly alternatives to go with
Good question and from my personal test on a machine with F-Secure there was zero negative impact but please be aware, that's not conclusive as for example I have no idea how Ransomoff would work along with ESET or any other AV. I consider Ransomoff as an extra security layer but I do recommend read about it here first : RansomOff Documentation and if issues would occur try contact the author @HeiDef with a PM or there support : Heilig Defense

Simple mode or Advance mode can be selected when installing the software but also after and for beginners it's of course recommended to use Simple mode. There's a lot of good information also here : [Heilig Defense] RansomOff - The World's Most Advanced Anti-Ransomware Solution
Thanks @~LDogg , @Moonhorse and @upnorth for your helpful comments:)
 

LDogg

Level 29
Verified
It's a promising piece of software however, can be slightly bugged with other software present on the system.

~LDogg
 

vertigo

Level 2
I just had an issue with it while testing this and a few other programs (VoodooShield, NVT ERP, SecureAPlus, Exubits Bouncer, and CheckMAL AppCheck) in a VM. I realize that's a lot of potentially conflicting stuff to be running at once, and might be why the problem occurred, but a HIPS alert popped up and was completely unresponsive. I tried launching various interfaces for DRO and disabling HIPS to see if that would cause the popup to close, but every time I reopened them it was still enabled. I finally killed DRO via task manager, but then none of the programs in the collapsed part of the system tray (the popup when clicking the arrow) would respond at that point, so ultimately I had to reset the VM.

Another couple things I've noticed with it: there doesn't seem to be parent-child allowances made, so even when I allow something, I keep getting multiple popups related to it; there's no warning when folder protection is activated (e.g. Windows Defender shows a notification when its protection is triggered, though unfortunately not every time, and it doesn't provide an easy way to add the process as an exception); and the setup of protected folders is a bit confusing. By that I mean that it doesn't provide any explanation for the different categories and, more significantly, there are two ways to select an item, one of which is necessary to act on it with the plus button in the top half, and one which is necessary to act on it in the bottom half, and it took me a few minutes to figure out what was going on with that.

This looks like a promising program, but it doesn't seem stable enough nor does it have sufficient advantages over other options. I still have to test out a lot of programs before deciding, but I'm currently leaning away from using this as part of my setup.
 
  • Like
Reactions: upnorth

vertigo

Level 2
To update my earlier post, I've found that when attempting to disable MBR protection, folders protection, and HIPS-lite via the "Protection Settings" window, it doesn't retain the changes. The other features can be disabled there, and all features can be enabled there (with the possible exception of MBR protection, since I can't find any other way to disable it, which means it can not be disabled, so I can't see if enabling it there is remembered or not). In order to truly disable folders protection and HIPS-lite, it needs to be done in the main interface. So this appears to be a bug.

Another issue I have is with the alerts, which seem much more frequent than other programs, and are often not very helpful, not to mention being difficult to read being tiny text in an area you have to scroll to even read everything. I've basically reached the point that I give up on the app lockdown and HIPS-lite aspect of it, as the popups are relentless and, as mentioned, not even very helpful. Another thing I don't care for is that the features can't be disabled while there's a pop-up open, so when installing a program and getting one pop-up after another, I couldn't just turn it off to get them to stop, but rather had to keep clicking allow or block until I was through all of them.

Another note is that it would be helpful to have some sort of description, in a tooltip or something, explaining what the "perform full cleanup" switch on the HIPS notifications means.

At this point, I may use it for ransomware and MBR protection and possible folder protection, and just leave the other stuff disabled and use other programs for those aspects. But then, considering how buggy it seems to be in my limited use of it so far, and that others have commented on it being buggy as well, I may not. Anyways, hopefully this feedback will be useful to the developers.
 

HeiDef

From HeiDef
Verified
Developer
To update my earlier post, I've found that when attempting to disable MBR protection, folders protection, and HIPS-lite via the "Protection Settings" window, it doesn't retain the changes. The other features can be disabled there, and all features can be enabled there (with the possible exception of MBR protection, since I can't find any other way to disable it, which means it can not be disabled, so I can't see if enabling it there is remembered or not). In order to truly disable folders protection and HIPS-lite, it needs to be done in the main interface. So this appears to be a bug.

Another issue I have is with the alerts, which seem much more frequent than other programs, and are often not very helpful, not to mention being difficult to read being tiny text in an area you have to scroll to even read everything. I've basically reached the point that I give up on the app lockdown and HIPS-lite aspect of it, as the popups are relentless and, as mentioned, not even very helpful. Another thing I don't care for is that the features can't be disabled while there's a pop-up open, so when installing a program and getting one pop-up after another, I couldn't just turn it off to get them to stop, but rather had to keep clicking allow or block until I was through all of them.

Another note is that it would be helpful to have some sort of description, in a tooltip or something, explaining what the "perform full cleanup" switch on the HIPS notifications means.

At this point, I may use it for ransomware and MBR protection and possible folder protection, and just leave the other stuff disabled and use other programs for those aspects. But then, considering how buggy it seems to be in my limited use of it so far, and that others have commented on it being buggy as well, I may not. Anyways, hopefully this feedback will be useful to the developers.

All good feedback. Definitely appreciate you taking the time to test RO and leave the comments.

I'll try to hit most of your points but there are some RTFM aspects as well. First, having all of those security programs running probably will cause an issue. Multiple kernel drivers fighting to figure out what's going on (and admittedly RO is aggressive) is asking for problems. We test RO heavily on our test systems and don't run into many of the issues that get reported. Not to say it's a perfect piece of software but like medicine, undesired interactions can occur.

Parent/child inheritance is dangerous. There are too many ways to maliciously execute a program and the parent is not a very good indicator of something being safe so inheritance is not heavily used in our analysis.

There is a HIPS setting relating to alerts on protected folders in certain circumstances but otherwise they are not meant to alert.

We'll take a look at the settings issue. That is new to us.

RE: alerts. Are you talking about HIPS alerts or actual ransomware alerts? HIPS notifications are meant to alert strictly based on observed behavior. Nothing fancy about it. Certain settings will create many alerts which is by design. If you are getting a lot of ransomware alerts, there are a variety of reasons that may be happening. In most cases, exemptions can be used to easily filter out the triggers.

RO is not signature based so it relies solely on observed behaviors. The default model it uses is based on a normal Windows machine like the kind found in managed environments. MT and Wilders users are not really the normal computer user and consequently, their systems make RO react in strange ways. Layering up on security software, third-party task managers and file browsers, running things portable and sandboxed, etc, etc. It's great from a testing point of view but there is no way that our "normal" modal will work flawlessly. However, the options RO provides means it can be tuned to work very well even in a power user environment.
 

upnorth

Level 31
Verified
Trusted
Content Creator
Just noted it was updated to version 5.2018.339.6492 - 5 Dec 2018.
  • Fixed NOEXECUTE non-English path issue.
  • Improved logic for more thorough clean-up.
  • Added additional clean-up remedy actions to get system back to good state.
Change log : Heilig Defense RansomOff
 

vertigo

Level 2
Thanks for the quick reply. As for the RTFM bit, I completely understand, and figure there is some of that, but I feel that good UI design should all but eliminate the need to do so for most functions. For example, I could undoubtedly take the time to look up certain things, like the full cleanup option, and I would if I was going to use the program long-term (and I still might, though I'm still unsure), but just because I can look in help or do a web search doesn't mean it shouldn't be made immediately and clearly apparent what it does through the interface. And for that matter, AFAICT there's not any help or instructions in the program. So I don't even know what exactly the "ransomware protection" does or what the "backup and restore protection" does and how (or if) it's related to the ransomware protection or how exactly it works. Does it create a backup of everything on the drive(s), or everything in the protected folders, or only certain things (in which case, how does it decide what to backup and when)? These are questions I would love answers to, and could probably find at least some of them by searching the web, but I shouldn't have to hunt them down, they should be readily accessible in the program itself. Don't get me wrong, I realize it's a free program, and don't mean to sound ungrateful, but free or not it would be nice to have that info.

As for inheritance, I understand your point, though I wonder if it could be an option, or perhaps better managed. The fact is, most people are going to get sick of the constant pop-ups and just start clicking allow, or they will be confused by them. The conundrum with security software is that the more a person understands how to use it, the less they actually need it. So to actually protect those that need the protection, it's simply not (IMO) viable to have it pop up so many times. If there were an option to allow inheritance, it would be better than nothing, which is what would happen if/when the protection were just disabled. Also, assuming it were done on a temporary basis, it seems to me it should be fine. That is, if I launch a.exe, which launches process b.exe, after allowing a.exe, it should see that b.exe is not only a child of it, but that it's being launched very soon after allowing it. This is quite different from b.exe occurring as a child some time after the fact. It seems it should be smart enough to see the first instance as safe, being so close in time to allowing a.exe, and the second action as being suspicious.

As for the alerts, I would get a good mix of app lockdown and HIPS-lite alerts whenever running an installer.

This is in a VirtualBox Windows 10 VM with only a dozen or so programs installed, mostly various anti-exe and anti-ransomware programs. Also, while I certainly understand the potential conflicts happening due to this, and that it's practically impossible to make a program completely stable despite all of that, all the other programs have seemed fine, and only this one has had issues. And IMO a program should still be stable, at least as much as possible, even when conflicting with other programs. Maybe it's something unique to RO, but I'd like to think that if all the other programs can operate without issue, it should be able to as well. Granted, there was only the one case of instability, but it was severe enough to cause me to have to reboot, which I hate doing (luckily it was just a VM). And of course, I can't say for sure that it was even RO that caused the problem, but it was the one that was affected. I'm willing to write it off as a fluke at this point, and if RO ends up in the final running I'll set it up for further testing without potential conflicts, but I wanted to mention it.

Basically, at this point, I'm trying to decide between this and/or AppCheck (though maybe I could just run both...), Trend Micro Ransom Buster, and TEMASOFT Ranstop, and there are definitely some things I like, but there are of course things I don't like. I'd say probably the biggest thing is that when it blocks an activity related to a protected folder, it should show a meaningful notification that not only explains exactly what was blocked, but provides an easy way to perform various actions (allow, whitelist, deny, blacklist, with the ability to expand to multiple folders or the whole drive or computer). It's frustrating to have an error pop up that not only doesn't tell you what the problem is, but then requires you (once you realize what it is) to dig through settings and manually add exceptions.
 

vertigo

Level 2
Forgot to mention another thing I've noticed: CPU usage for RO goes from next to nothing (as expected) when minimized to the tray to ~35-45% when the main window is open. This is in a hardware-accelerated VM with four of my 7820x threads assigned to it, so that's a lot of CPU power being used by a program that's supposedly sitting doing nothing.

Edit: it's no longer doing this, though CPU usage does still spike up for a couple seconds whenever I flip one of the tiles in the main interface. So maybe whatever causes that was causing the high usage before, even though it was just sitting untouched.
 
Last edited:

alakazam

Level 5
This software is very buggy and has potential conflicts with other software when I used to use this.

~LDogg
^
I agree. I had a bad experience with this program. It deleted Windows Explorer from the list of active processes for some reason, so I couldn't access my PC until I recreated Windows Explorer in the Task Manager. It also slowed down my PC. I uninstalled it the same day.
 

upnorth

Level 31
Verified
Trusted
Content Creator
Personal I haven't tested RO since I posted this thread, and thats over 8 months now. At that time it worked smooth on one of my machines and the few ransomware samples I ran was nuked flawless. Today I have no idea, but considering not any viewable work in progress, last update 5 Dec 2018 , I wouldn't automatic recommend this tool to anyone. One thing must still be said. When tools like this is tested, try avoid in the beginning have a bunch of other security tools installed at the same time as it many times asking for problem. Just make sure one have that little working backup ( Verified! ) before any tests actually begin.

I'll try send the developer a PM for any possible upcoming news.