Video RansomOff Kills a RAT

HeiDef

From HeiDef
Developer
Joined
Mar 27, 2017
Messages
87
#21
@HeiDef

Question 1: Lockdown explicitly mentions processes. Does it also block DLLs?

Question 2: I see Cruel Sister uses the new GUI, can we download the new version (since this RC won't make it to the market in its current GUI outfit)?

Regards

Kees
Hi Kees.

1) Kind of. The soon-to-be-released version looks at command lines, so something like rundll32.exe <dll> will show the DLL in the notification. Same thing with scripts. If you run powershell.exe <script> then the script file will be evaluated. But RO doesn't block DLLs from loading into a process. That would just cause the process to crash.

2) CS and a few other folks were given a pre-release to play with and provide some early feedback. It will be available for all very soon as we finish up testing.
 

Windows_Security

Level 16
Content Creator
Trusted
Joined
Mar 13, 2016
Messages
761
OS
Windows 7
#22
Thanks,

It would be great if the notification could be adapted to these extra options, so the user does not have to determine whether it is a safe DLL (already installed in the Windows or Program Files folder) or whether a script is not run from 'unsafe' user folders ('safe' folders are where normal programs install DLLs, like Windows & Program Files).

[attached image]

Technically the above picture is incorrect because radio buttons suggest an exclusive selection (but it is just to give the idea).
 

HeiDef

From HeiDef
Developer
Joined
Mar 27, 2017
Messages
87
#23
The same rules already apply for DLLs as they do for processes, so they will be exempted if they match the selected criteria. I'm a bit more hesitant though to extend it to scripts in the same way.
 

Windows_Security

Level 16
Content Creator
Trusted
Joined
Mar 13, 2016
Messages
761
OS
Windows 7
#24
Great with regard to DLLs.

About the scripts, if you could make it an option it would increase the usability of the lockdown feature while offering substantially better protection (e.g. exempt scripts from UAC-protected folders or exempt signed scripts). I understand your hesitation; it would not be as solid as deny all, but it is still a lot better than no lockdown because of conflicts. I agree conflicts would likely occur in the business market (logon and handshake scripts), but please consider it.
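As an added illustration of the exemption rule discussed in posts #22 to #24 (this is not RansomOff's own code; the product's internal logic is not shown in the thread), the following models what HeiDef describes: read the command line, surface the DLL or script that a host process such as rundll32.exe or powershell.exe loads, and exempt it only when it sits under a "safe" install folder. The host-process table beyond those two, the script extensions and the safe-folder list are assumptions made for the example; checking script signatures is left out.

```python
import ntpath
import shlex

# Host processes whose real payload is an argument rather than the executable itself.
# The thread names rundll32.exe and powershell.exe; the other entries are assumptions.
HOST_PROCESSES = {
    "rundll32.exe": "dll", "regsvr32.exe": "dll",
    "powershell.exe": "script", "wscript.exe": "script", "cscript.exe": "script",
}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")
# "Safe" folders in the thread's sense: where normal programs install their files (assumed list).
SAFE_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

def classify(cmdline):
    """Return (kind, path): the file Lockdown would show in its notification.
    kind is "process", "dll" or "script"; path is None if it cannot be determined."""
    # posix=False keeps Windows backslashes; quoted paths come back with their quotes
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return ("process", None)
    kind = HOST_PROCESSES.get(ntpath.basename(tokens[0]).lower())
    if kind is None:
        return ("process", tokens[0])
    if kind == "dll":
        # rundll32.exe <dll>,<entrypoint> [args]: the DLL is the first argument
        return (kind, tokens[1].split(",", 1)[0] if len(tokens) > 1 else None)
    # script hosts: the first argument that looks like a script file (e.g. after -File)
    scripts = [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)]
    return (kind, scripts[0] if scripts else None)

def in_safe_folder(path):
    """True only for a path that normalises to somewhere under SAFE_ROOTS.
    normpath resolves '..' so C:\\Windows\\..\\Users\\x is not safe; relative or
    unknown paths are never treated as safe."""
    if not path:
        return False
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(root + "\\") for root in SAFE_ROOTS)

def lockdown_verdict(cmdline, exempt_safe_dlls=True, exempt_safe_scripts=False):
    """Apply the exemption rule: processes and DLLs from safe folders are allowed
    (the behaviour HeiDef describes for the new build); scripts only if opted in."""
    kind, path = classify(cmdline)
    exempt = {"process": True, "dll": exempt_safe_dlls, "script": exempt_safe_scripts}[kind]
    verdict = "allow" if exempt and in_safe_folder(path) else "block"
    return (kind, path, verdict)
```

Everything that cannot be resolved to a safe folder (a bare `notepad.exe`, a DLL with no path, a traversal through `..`) is blocked, which is the conservative default the lockdown mode implies.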
 

HeiDef

From HeiDef
Developer
Joined
Mar 27, 2017
Messages
87
#25
5.2017.306.5218 RC1 is now available for download. The updated UI and the HIPS are the major updates but we also did get the Windows 10 drivers co-signed by Microsoft which will take care of that pesky little secure boot issue. For all those that appreciate RansomOff, enjoy!
 

HeiDef

From HeiDef
Developer
Joined
Mar 27, 2017
Messages
87
#27
Hi @HeiDef

You have a 'Folder Protection' feature. Can I know whether there is a limit to the number of folders to be protected? Also, how about folders not being protected? Will the latter be protected by RO as well?
RO has had Folder Protection for some time. There is no limit to the number of folders you protect but obviously you have to consider performance issues if you add many folders. The Folder Protection is distinct from the anti-ransom protection. So even if you don't protect folders specifically you'll still be covered by the anti-ransomware coverage.
 
