App Review RansomOff Kills a RAT

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
@HeiDef

Question 1: Lockdown explicitly mentions processes. Does it also block DLL's?

Question 2: I see Cruel Sister uses the new GUI, can we download the new version (since this RC won't make it to the market in its current GUI outfit)?

Regards

Kees

Hi Kees.

1) Kind of. The soon-to-be-released version looks at command lines so something like rundll32.exe <dll> will show the DLL in the notification. Same thing with scripts. If you run powershell.exe <script> then the script file will be evaluated. But RO doesn't block DLL's from loading into a process. That would just cause the process to crash.

2) CS and a few other folks were given a pre-release to play with and provide some early feedback. It will be available for all very soon as we are finishing up testing.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298

Thanks,

It would be great if the notification could be adapted to these extra options, so the user does not have to determine whether it is a safe DLL (already installed in the Windows or Program Files folder) or whether a script is not run from 'unsafe' user folders ('safe' folders are where normal programs install DLL's, like Windows & Program Files).

upload_2017-10-31_17-35-13.png

Technically the above picture is incorrect because radio buttons suggest exclusive selection (but it is just to get the idea).
 

HeiDef


The same rules already apply for DLL's as they do for processes so they will be exempted if they match the selected criteria. I'm a bit more hesitant though to extend it to scripts in the same way.
 

Windows_Security

Great in regard to DLL's

About the scripts, if you could make it an option it would increase usability of the lockdown feature while offering substantially better protection (e.g. exempt scripts from UAC protected folders or exempt signed scripts). I understand your hesitation, it would not be as solid as deny all, but it is still a lot better than no lockdown because of conflicts. I agree conflicts would likely occur in the business market (logon and handshake scripts), but please consider.
 
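The exchange above covers two ideas: reading the host process's command line to find the DLL or script it was asked to run, and exempting targets that live in folders normal users cannot write to. The sketch below is an added example, not RansomOff's code; the folder list, host list, script extensions and the `exempt_scripts` option are assumptions chosen for illustration, and the command lines are constructed.

```python
import ntpath
import re

# Assumptions (not from the thread): these roots, hosts and extensions.
SAFE_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
HOSTS = {"rundll32.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")
TOKEN = re.compile(r'"[^"]*"|[^\s"]+')  # a quoted run or a bare word

def extract_target(cmdline):
    """Return the DLL or script a host process was asked to run, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    host = ntpath.basename(tokens[0]).lower()
    if host not in HOSTS:
        return None
    if host == "rundll32.exe":
        # rundll32 takes <dll>,<entrypoint> as its first argument
        return tokens[1].split(",")[0] if len(tokens) > 1 else None
    for tok in tokens[1:]:
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None

def in_safe_folder(path):
    """True only for an absolute path that stays under a safe root."""
    if not ntpath.isabs(path):
        return False  # relative path: location unknown, do not exempt
    norm = ntpath.normcase(ntpath.normpath(path))  # also collapses '..'
    roots = [ntpath.normcase(r) for r in SAFE_ROOTS]
    # Trailing separator stops 'C:\Windows.old' matching 'C:\Windows'
    return any(norm.startswith(r + "\\") for r in roots)

def classify(cmdline, exempt_scripts=False):
    """Return (target, 'exempt' | 'prompt'), or (None, 'no-target')."""
    target = extract_target(cmdline)
    if target is None:
        return (None, "no-target")
    is_script = target.lower().endswith(SCRIPT_EXTS)
    # Scripts are exempted only when the (hypothetical) option is on
    if in_safe_folder(target) and (exempt_scripts or not is_script):
        return (target, "exempt")
    return (target, "prompt")

if __name__ == "__main__":
    # Constructed sample command line
    print(classify(r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\x.dll",Start'))
```

The check works on the path string only, so it says nothing about who can actually write to the folder or whether the file is signed.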

HeiDef

5.2017.306.5218 RC1 is now available for download. The updated UI and the HIPS are the major updates but we also did get the Windows 10 drivers co-signed by Microsoft which will take care of that pesky little secure boot issue. For all those that appreciate RansomOff, enjoy!
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,141
Hi @HeiDef

You have a 'Folder Protection' feature. Can I know whether there is a limit to the number of folders to be protected? Also, how about folders not being protected? Will the latter be protected by RO as well?
 

HeiDef


RO has had Folder Protection for some time. There is no limit to the number of folders you protect but obviously you have to consider performance issues if you add many folders. The Folder Protection is distinct from the anti-ransom protection. So even if you don't protect folders specifically you'll still be covered by the anti-ransomware coverage.
 
