Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Create exceptions for certain applications #135

Open migmam opened 7 months ago

migmam commented 7 months ago

With Raccine installed, when I launch "Omen Gaming Hub" there is a false positive with the following content:

Yara matches:
Rule file: C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
YARA Output: ransomware_command_lines C:\Users\User1\AppData\Local\Temp\RaccineUserContext\Rac1971.tmp

Raccine Context: ChildName="powershell.exe" ChildExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ChildCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile" ChildTimeSinceExeCreation=778 ChildPid=9660 ParentName="OmenCommandCenterBackground.exe" ParentExecutablePath="C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2311.2.0_x64v10z8vjag6ke6\OmenCommandCenterApp\OmenCommandCenterBackground.exe" ParentCommandLine="'C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2311.2.0_x64v10z8vjag6ke6\OmenCommandCenterApp\OmenCommandCenterBackground.exe'" ParentTimeSinceExeCreation=0 ParentPid=7572 GrandParentName="(unavailable)" GrandParentExecutablePath="" GrandParentCommandLine="" GrandParentTimeSinceExeCreation=0 GrandParentPid=8420

Is there any way to create an exception in the gen_ransomware_command_lines.yar to allow the execution of that application?

Permanently commented 4 months ago

Having the same issue with Heroic Launcher, where the following happens:

16/02/2024 12:49:31
Raccine detected malicious activity:
powershell Start-Process "`"C:\Users\User\AppData\Local\Programs\heroic\resources\app.asar.unpacked\build\bin\win32\legendary`"" -Wait -ArgumentList "`"--version`"" -NoNewWindow 

Yara matches:
Rule file: C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
YARA Output: ransomware_command_lines C:\Users\User\AppData\Local\Temp\RaccineUserContext\RacB843.tmp

We need to have some kind of documentation that describes how to put down exemptions. Otherwise, it's one or the other, really. There's the workaround for issue #131, where commit 3b05c1e was put on, but doing that for every program triggering FPs seems impractical.

Edit: Temporary workaround for now is to go to C:\Program Files\Raccine\yara, find the matching .yar file to the false positive, and whack in the false positive paths. In my case:

        $fp2a = "ParentName=\"legendary.exe\""
        $fp2b = "ParentExecutablePath=\"C:\\Users\\"

        ...[at the end of "condition:"]...

        and not all of ($fp*)

This isn't practical either, but like I said, it's a workaround. They're not supposed to be practical. Hopefully a proper fix is put in soon, given that false positives have happened multiple times (albeit, rarely).

Edit: it's starting to interfere with some games I have now, not even including Heroic Launcher which I mentioned above. This is getting ridiculous now. We need an exclusion mechanism in place, or at least a way to disable Raccine for a specific amount of time. Like, "turn off for X minutes/hours", or "disable until I turn it back on".

Edit 2: One thing I forgot to mention is that disabling Raccine's rule update task in Task Scheduler means you won't have to keep updating the files again and again.
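As an added example (not Raccine's actual gen_ransomware_command_lines.yar, whose detection strings this thread does not show), a constructed rule applying the `$fp*` exclusion pattern from the workaround above, extended to one string group per application so that each exclusion only fires when every string in its group matches; the `$cmd1` detection string is a placeholder, and the OMEN path prefix is taken from the first report:

```yara
// Constructed example rule; the detection string is a placeholder and is
// not taken from Raccine's real gen_ransomware_command_lines.yar.
rule ransomware_command_lines_with_exclusions
{
    meta:
        description = "Example: per-application false-positive exclusions"

    strings:
        // Placeholder detection pattern (constructed for this example).
        // Raccine writes the command line and its "Raccine Context:" line
        // into the same RaccineUserContext\*.tmp file, so a rule can match
        // on the command line and on the parent-process fields together.
        $cmd1 = "vssadmin delete shadows" ascii wide nocase

        // Exclusion group 1: OMEN Gaming Hub (values from the first report).
        // Only the stable prefix of the WindowsApps folder is used, since the
        // version suffix changes with every update.
        $fp1a = "ParentName=\"OmenCommandCenterBackground.exe\""
        $fp1b = "ParentExecutablePath=\"C:\\Program Files\\WindowsApps\\AD2F1837.OMENCommandCenter"

        // Exclusion group 2: Heroic Launcher / legendary (values from the workaround).
        $fp2a = "ParentName=\"legendary.exe\""
        $fp2b = "ParentExecutablePath=\"C:\\Users\\"

    condition:
        any of ($cmd*)
        // A group suppresses the match only when ALL of its strings are
        // present, so the broad "C:\Users\" path on its own never exempts
        // an unrelated parent process that happens to live under a profile.
        and not (all of ($fp1*) or all of ($fp2*))
}
```

Because Raccine's scheduled rule update task replaces the files under C:\Program Files\Raccine\yara, such edits are lost on the next update unless that task is disabled, as noted in the last edit above.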