App Review RansomOff Kills a RAT

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
@HeiDef

Question 1: Lockdown mentiones explicitely mentions processes. Does it also blocks DLL's?

Question 2: I see Cruel Sister uses the new GUI, can we download the new version (since this RC won't make it to the market in its current GUI outift)?

Regards

Kees

Hi Kees.

1) Kind of. The soon-to-be-released version looks at command lines so something like rundll32.exe <dll> will show the DLL in the notification. Same thing with scripts. If you run powershell.exe <script> then the script file will be evaluated. But RO doesn't block DLL's from loading into a process. That would just cause the process to crash.

2) CS and a few other folks were given a pre-release to play with and provide some early feedback. It will soon be available for all very soon as we are finishing up testing.
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Hi Kees.

1) Kind of. The soon-to-be-released version looks at command lines so something like rundll32.exe <dll> will show the DLL in the notification. Same thing with scripts. If you run powershell.exe <script> then the script file will be evaluated. But RO doesn't block DLL's from loading into a process. That would just cause the process to crash.

2) CS and a few other folks were given a pre-release to play with and provide some early feedback. It will soon be available for all very soon as we are finishing up testing.

Thanks,

Would be great when the notification could be adopted to these extra options, so user does not have to determine whether it is a safe DLL (already installed in Windows or Programs Files folder) or script is not run from 'unsafe' user folders ( 'safe' folders are where normal programs install DLL's like Windows & Program Files)

upload_2017-10-31_17-35-13.png

Technically above picture is incorrect because radio buttons suggest exclusive selection (but it is just to get the idea)
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
Thanks,

Would be great when the notification could be adopted to these extra options, so user does not have to determine whether it is a safe DLL (already installed in Windows or Programs Files folder) or script is not run from 'unsafe' user folders ( 'safe' folders are where normal programs install DLL's like Windows & Program Files)

View attachment 171326
Technically above picture is incorrect because radio buttons suggest exclusive selection (but it is just to get the idea)

The same rules already apply for DLL's as they do for processes so they will be exempted if they match the selected criteria. I'm a bit more hesitant though to extend it to scripts in the same way.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
The same rules already apply for DLL's as they do for processes so they will be exempted if they match the selected criteria. I'm a bit more hesitant though to extend it to scripts in the same way.
Great in regard to DLL's

About the scripts, when you could make it an option it would increase useability of the lockdown feature while offering substantial better protection (e.g. exempt scripts from UAC protected folders or exempt signed scripts). I understand your hesitation, it would not be as solid as deny all, but it is still a lot better than no lockdown because of conflicts. I agree conflicts would likely occur in business market (logon and handshake scripts), but please consider.
 
  • Like
Reactions: XhenEd

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
5.2017.306.5218 RC1 is now available for download. The updated UI and the HIPS are the major updates but we also did get the Windows 10 drivers co-signed by Microsoft which will take care of that pesky little secure boot issue. For all those that appreciate RansomOff, enjoy!
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Hi @HeiDef

You have 'Folder Protection' feature. Can I know is there a limit to the nunber of folders to be protected? Also, how about folders not being protected? Will the latter be protected by RO as well?
 
Last edited:

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
Hi @HeiDef

You have 'Folder Protection' feature. Can I know is there a limit to the nunber of folders to be proteccted? Also, how about folders not being protected? Will the latter be protected by RO as well?

RO has had Folder Protection for some time. There is no limit to the number of folders you protect but obviously you have to consider performance issues if you add many folders. The Folder Protection is distinct from the anti-ransom protection. So even if you don't protect folders specifically you'll still be covered by the anti-ransomware coverage.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top