App Review RansomOff Kills a RAT


cruelsister

Note that for this video the HIPS setting was at default. Also the result should be viewed as specific for this type of malware; although the utility of the HIPS protection does extend to other things (like Worms) no further assumptions should be made.

But enough of that! A Halloween Party beckons me- the one night of the year where I can Tart myself up and get away with it...

 

Atlas147

Interesting find, but I wonder how sensitive RansomOff is towards everything. If it detects every dll install for every program I am going to install or update on my system then it would be completely useless because it would be throwing FPs for everything.
 

Lightning_Brian

Does this great software have a major impact on your system thus far? Such as RAM usage, CPU usage, hard disk usage? I have read some reviews saying that it can spike CPU usage and RAM usage at times, but this is normal to every product. I'm interested to see if there are prolonged spikes or not. Any insight would be greatly appreciated. I'm hoping to give this software a try in a virtual machine environment.

Once again, thanks for posting the great videos!
 

shmu26

FYI
A week ago I went to the Heilig RansomOff website, downloaded the version that was being featured (RC) and it totally borked my system, because the drivers are not co-signed by Microsoft, so on Windows 10 you must disable secure boot, or your computer simply won't boot.

I don't know what installation files you people are using, or what version of Windows you are installing it on, but be careful. The dev told me that he would mod the installation file to check the system for this potential problem, I don't know for sure if he did that quite yet. I am hoping he did...

If, during installation, Windows gives you a warning about unsigned drivers, you must uninstall the program immediately, before you reboot, or else say hello to your system image restore CD. Actually, you could also opt to disable secure boot, if you so wish.
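A check that goes with this warning, added here as an example (it is not part of shmu26's post and not Heilig Defense code): before you reboot after installing any product that ships kernel drivers, report the Secure Boot state and the Authenticode status of the installed kernel drivers from an elevated PowerShell prompt. The "LikelyBootSafe" heuristic and the default name filter are my assumptions, not a statement of Microsoft's exact Secure Boot signing rules.

```powershell
# Added example: inventory installed kernel drivers and their signatures before a reboot.
# Run elevated on Windows 10; Confirm-SecureBootUEFI and Get-AuthenticodeSignature are
# built-in cmdlets, Win32_SystemDriver is the standard WMI/CIM class for kernel drivers.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not applicable".
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'NotSupported' }
}

function Get-DriverSignatureReport {
    param(
        # Assumed default: '*' inspects every driver; pass e.g. 'Heilig*' to narrow it down.
        [string]$NameFilter = '*'
    )
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.Name -like $NameFilter -or $_.DisplayName -like $NameFilter) } |
        ForEach-Object {
            # PathName may be quoted and may carry a \??\ or \SystemRoot\ prefix; normalise it.
            $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Driver    = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer    = $signer
                # Heuristic (assumption): a driver that passed Microsoft's hardware portal carries a
                # Microsoft signer; a valid vendor-only signature may still be refused under Secure Boot.
                LikelyBootSafe = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')
            }
        }
}

"Secure Boot: $(Get-SecureBootState)"
# Anything listed here deserves a look before rebooting with Secure Boot enabled.
Get-DriverSignatureReport | Where-Object { -not $_.LikelyBootSafe } |
    Format-Table Driver, State, StartMode, SigStatus, Signer -AutoSize
```

If the freshly installed product's driver shows NotSigned or a non-Microsoft signer while Secure Boot reports Enabled, that is the situation described above: uninstall (or adjust Secure Boot) before rebooting.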
 

Windows_Security

I see HeiligDefense has a "smart" lockdown option. You can automatically enable and disable LockDown mode when an application starts or ends. It is not the same as VoodooShield's smartlock and not the same as AppGuard's user space lock, but it is a sort of cross-over achieving something similar, by adding a deny-execute layer when you start internet facing programs (or programs running scripts) as in the example below. (y)

Use this Notification scheme when you normally install software in UAC protected folders (Windows and Program Files). When you use portable software, it is probably better to get a notification when unsigned software starts.

[Screenshot: upload_2017-10-29_11-19-31.png]


Click on the set processes button and add the vulnerable apps you would like to block from starting programs from user space.

[Screenshot: upload_2017-10-29_11-29-31.png]

Windows_Security

Another tip is to use the Folders option to limit access to certain folders. I have allowed Syncbackfree access to my Quick backup for mail and documents (and block all others write/delete access).

Protecting your backup folders with RansomOff adds a second layer. You can set the backup/restore cleanup interval to match your backup behaviour. By default RansomOff keeps them for a day; I run a data backup at night to my NAS, so the default matches my data backup process. The ransomware threat forced me to disconnect continuous backup to the NAS during the daytime.

[Screenshot: upload_2017-10-29_11-39-1.png]

Windows_Security

P.S. I have disabled MBR protection, not because it does not work, but as a golden rule: I do not play with the MBR when I test drive Beta or Release candidate programs.

@Lightning_Brian

Not much system impact, see startup delay of Chrome timed with AppTimer. RansomOff does a lot more than RansomFree (which only guards the canary files). When you update/edit large files the backup feature probably will have some impact (show some spikes).

C:\Program Files\Chromium\chrome.exe - 5 executions, vanilla Windows 7 + RansomFree

0.4834
0.1714
0.1555
0.1869
0.1708

C:\Program Files\Chromium\chrome.exe - 5 executions, vanilla Windows 7 + RansomOff

0.6861
0.2182
0.2334
0.2252
0.2334
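An AppTimer-style measurement you can run yourself to reproduce the two columns above, added here as an example (this is not AppTimer and not part of Windows_Security's post). It assumes the Chromium path quoted in the post exists on your machine and that the application is not already running, since a second Chrome launch hands off to the existing instance.

```powershell
# Added example: launch an application N times, stop the clock when its message loop is
# responsive (the closest built-in equivalent to "wait for the main window"), then close it.

function Measure-StartupLatency {
    param(
        [string]$ExePath = 'C:\Program Files\Chromium\chrome.exe',   # path taken from the post
        [int]$Runs = 5,
        [int]$TimeoutMs = 30000
    )
    $results = @()
    for ($i = 1; $i -le $Runs; $i++) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $p  = Start-Process -FilePath $ExePath -PassThru
        # WaitForInputIdle blocks until the process has an idle GUI message loop. It returns
        # $false for console apps and throws if the process already exited (e.g. a launcher
        # that handed off to a running instance), so treat both as "not measured".
        try   { $ready = $p.WaitForInputIdle($TimeoutMs) }
        catch { $ready = $false }
        $sw.Stop()
        $results += [pscustomobject]@{
            Run     = $i
            Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 4)
            Ready   = $ready
        }
        # Close the app so each run is a fresh start. Run 1 is typically a cold start (file
        # cache empty); later runs are warm, which matches the pattern in the numbers above.
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 2
    }
    $results
}

$r = Measure-StartupLatency
$r | Format-Table -AutoSize
# Report the warm-start (upper) median rather than the mean so the cold first run does not skew it.
$warm = $r | Where-Object Ready | Select-Object -Skip 1 | Sort-Object Seconds
if ($warm) { "Warm-start median: $($warm[[int][math]::Floor($warm.Count / 2)].Seconds) s" }
```

Run it once with the product disabled and once with it enabled, on the same machine and the same power plan, and compare the warm medians; a single cold run says little about the per-launch overhead.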
 

HeiDef

Thanks for the nice video @cruelsister.

@Hanmin147 Valid point but each HIPS item can be individually configured. So if you want to be notified on every dll write, you can be. But if not, through the settings and exemptions and internal logic, alerts should be minimized. I'm sure it's something we will be tweaking though based on user feedback.

@Lightning_Brian RAM usage is pretty negligible on any decent system. @Windows_Security is correct on the HDD impact with file backups but those settings can be tweaked. Big spikes in system activity may cause HDD usage to spike because of RO writing to its databases but because RO doesn't scan files its normal HDD usage is low. CPU usage may be a bit heavier with the new UI because of the WPF framework but a decent GPU can mitigate that although in a VM you may not get that benefit.

@shmu26 Not all Windows 10 w/ secure boot has the issue but only more recent updates (1607+). Either way, we are getting the drivers cross signed for this release so there shouldn't be any boot issues in the future.
 

HarborFront

Quickly! Make my day for a sig-less setup

(y)
 

Lightning_Brian

@HeiDef Thanks for explaining that to me. I didn't want to believe the RAM, CPU spikes that I was hearing from other testers. Some people were reporting a lot higher results and others were reporting no significant impact. In other words, the monitoring has been all over the place.

@Windows_Security thanks for posting your timings. I believe the small increase is just that - small. I would say for the most part the small increase will be hardly noticeable for most computer systems.

I'm excited about this software! This will help to stop ransomware in its tracks! I must say the potential for corporate use is very high as well. After showing this great software to a lot of people everyone commented on how this software is going to be a major game changer. Your company is going to turn the tides on the "bad guys" that want to do grave harm.

Keep up the great work! I'm excited to see future releases of this great software and the evolution of the software development.
 

Av Gurus


So simple & smart :love:

THANK YOU (y)
 

_CyberGhosT_

Loved it, caught it on YT and gave feedback.
Good idea, just needs some time to mature properly.
I have keys for AppCheck @ WAR so not really looking for "the next best thing" in Ransomware prevention, the config I run is a Rat Killer by nature, but RansomOff is making strides in the right direction.
I can't help but wonder had RansomOff hit at a time when the "Ransomware" scare was young where it would be now, there are 4 or 5 solutions that hit that mark and are doing very well right now.
 
