Frequently Asked Questions

Below are some commonly-asked questions about KnowBe4's RanSim. If you don't see the answer you need, submit a ticket to our support team.

Jump to:

1. My antivirus flagged Ranstart.exe, Starter.exe, Collector.exe or SimulatorSetup.exe as malicious.
2. My antivirus did not flag Ranstart.exe, Starter.exe, or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.
3. What files are placed on disk and where?
4. What registry keys are created and wherein the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?
5. Is there any collection of system information?
6. Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?
7. During the simulation, are there any network connections created and what for?
8. What happens if antivirus on the workstation scans the installation file?
9. My RanSim folder is not located under the Local folder. Will this cause an issue?
10. Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behaves the same as the scenarios?
11. What file extension are the test scenarios?
12. Can I add my own test files (for example, documents or photos) to test with RanSim?
13. On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?

1) Question: My antivirus flagged Ranstart.exe, Starter.exe, Collector.exe or SimulatorSetup.exe as malicious.

Answer: There is no dangerous code in those files and they should be allowed to run. You can consider them false positives, although they will not be shown in your False Positives count.

If the files are flagged as malicious, certain antiviruses may provide a warning, which will allow you to let the file run, quarantine it, or block it. Other antiviruses, however, may not give you an option--it could automatically block and quarantine the file.

• If the Starter or Collector files are quarantined before the first scan (after opening the UI), RanSim UI will attempt to recreate them when the scan is started. If quarantined again, you will be informed that at least one of those files are missing and advised to make sure they are allowed to run on the computer.
• If the Starter or Collector files are quarantined during a scan, the scan is canceled. RanSim will try to recreate those files and you will be advised to try a new scan. If the files are blocked again, RanSim will not attempt to recreate the files. Instead, you will be asked to make sure the files are allowed to run and then restart RanSim to perform a new scan.

Back to Top

2) Question: My antivirus did not flag Ranstart.exe, Starter.exe, or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.

Answer: This is a good thing, and exactly what you want your antivirus to do. While the three aforementioned files (Ranstart.exe, Starter.exe, and SimulatorSetup.exe) should be allowed to run without interference from your antivirus (since they are the framework for the RanSim testing process), if the actual ransomware simulation executables are blocked or quarantined during the RanSim process, this means that if an identical attack were to happen to your users, your antivirus would behave in a similar fashion.

Back to Top

3) Question: What files are placed on disk and where?

Answer: All files are placed in the installation folder, C:\Users\[[username]]\AppData\ Local\RSimulator, as described in the Operational Aspects paragraph from above. The simulators do not process files outside the TestFolder folder. When RanSim is uninstalled, the installation folder is removed completely from the system.

Back to Top

4) Question: What registry keys are created and wherein the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?

Answer: Apart from the entries managed by the msinstaller itself, there is a custom key-- HKEY_CURRENT_USER\Software\RanSim--which is removed after RanSim is uninstalled.

Back to Top

5) Question: Is there any collection of system information?

Answer: The only thing that is collected is the number of accessible files present on local disks only and having certain extensions that might be attacked by real ransomware, as described in the Operational Aspects section in the Product Manual. This information is presented in the pie chart after the check process is complete.

 Back to Top

6) Question: Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?

Answer: Yes, in the Logs directory there are a few .csv files with internal information. RanSim does not log information into the Windows Event Log.

Back to Top

7) Question: During the simulation, are there any network connections created and what for?

Answer: There is one scenario that attempts to open an HTTP connection to 127.0.0.1, port 23054 to send a message containing the encryption key. Obviously, in the vast majority of the cases this port is closed as there is no http listener attached to it, but if someone wanted to create such a listener, they could get the encryption key from the simulator.

 Back to Top

8) Question: What happens if antivirus on the workstation scans the installation file?

Answer: Some antivirus products may flag the installation file as malicious. If this happens, you should add the installation file to your antivirus's whitelist and attempt to install RanSim again. Most antivirus engines that we have tested do not report any problem.

Back to Top

9) Question: My RanSim folder is not located under the Local folder. Will this cause an issue?

Answer: Yes. RanSim can ONLY trigger the Ransomware scenarios if the installation folder is [C]:\Users\[Current User]\appdata\Local\RSimulator. The Local folder must be on the machine with which you are running RanSim.

 Back to Top

10) Question: Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behaves the same as the scenarios?

Answer: Yes, they do behave the same, with minor differences. For example, the encryption keys and algorithms we use are different in RanSim. You can found more information about these Test Scenarios here.

Back to Top

11) Question: What file extension are the test scenarios?

Answer: The test scenario executables have a .axt file extension.

Back to Top

12) Question: Can I add my own test files (for example, documents or photos) to test with RanSim?

Answer: Yes, you can do this after your first RanSim check by clicking Click here to copy your own test files to the test files folder located above the Check Now button. You will be prompted to select what files you'd like to copy to the Local\RSimulator\TestFolder\TestFiles folder. You can add up to 50 files (each file's size must be 10 MB or less). After copying the files you'd like to copy, you can run additional RanSim scans on those files. Make sure you copy these files as instructed rather than move them. If you uninstall RanSim in the future, all files in the TestFiles folder will be deleted.

 Back to Top

13) Question: On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?

Answer: Executed is a result that refers to the two false-positive scenarios contained in RanSim. If the false-positive scenarios can run without being stopped by your anti-virus, they "executed" successfully and the test passed. If your anti-virus stops the scenarios from running, the test failed. Vulnerable or Not Vulnerable are results that relate to the ransomware and cryptomining scenarios within RanSim.

Back to Top