Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Română Русский svenska Kiswahili ไทย Türkçe Українська Tiếng Việt 简体中文 中文 (香港) 繁體中文

RanSim: Frequently Asked Questions (FAQ)

Avatar
Orlandria Heggs
Updated
Follow

Frequently Asked Questions

Below are some commonly-asked questions about KnowBe4's RanSim. If you don't see the answer you need, submit a ticket to our support team.

Jump to:

  1. My antivirus flagged MainRunner.exe, Collector.exe, or SimulatorSetup.exe as malicious.
  2. My antivirus did not flag MainRunner.exe or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.
  3. What files are placed on disk and where?
  4. What registry keys are created and wherein the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?
  5. Is there any collection of system information?
  6. Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?
  7. During the simulation, are there any network connections created, and what for?
  8. What happens if an antivirus on the workstation scans the installation file?
  9. Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behave the same as the scenarios?
  10. What file extension are the test scenarios?
  11. Can I add my own test files (for example, documents or photos) to test with RanSim?
  12. On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?

 

1) Question: My antivirus flagged MainLauncher.exe, Collector.exe, or SimulatorSetup.exe as malicious.

Answer: There is no dangerous code in those files and they should be allowed to run. You can consider them false positives, although they will not be shown in your False Positives count.

If the files are flagged as malicious, certain antiviruses may provide a warning, which will allow you to let the file run, quarantine it, or block it. Other antiviruses, however, may not give you an option--it could automatically block and quarantine the file.

  • If the MainRunner or Collector files are quarantined before the first scan (after opening the UI), RanSim UI will attempt to recreate them when the scan is started. If quarantined again, you will be informed that at least one of those files are missing and advised to make sure they are allowed to run on the computer.
  • If the MainRunner or Collector files are quarantined during a scan, the scan is canceled. RanSim will try to recreate those files and you will be advised to try a new scan. If the files are blocked again, RanSim will not attempt to recreate the files. Instead, you will be asked to make sure the files are allowed to run and then restart RanSim to perform a new scan.

Back to Top

 

2) Question: My antivirus did not flag MainRunner.exe or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.

Answer: This is a good thing, and exactly what you want your antivirus to do. While the three aforementioned files (MainRunner.exe and SimulatorSetup.exe) should be allowed to run without interference from your antivirus (since they are the framework for the RanSim testing process), if the actual ransomware simulation executables are blocked or quarantined during the RanSim process, this means that if an identical attack were to happen to your users, your antivirus would behave in a similar fashion.

Back to Top


3) Question: What files are placed on disk and where?

Answer: All files are placed in the installation folder, c:\KB4\Varsim  or  %systemdrive%\KB4\Varsim, as described in the Operational Aspects paragraph from above. The simulators do not process files outside the MainTests folder. When RanSim is uninstalled, the installation folder is removed completely from the system.

Back to Top

 

4) Question: What registry keys are created and wherein the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?

Answer: Apart from the entries managed by the msinstaller itself, there is a custom key-- HKEY_CURRENT_USER\SOFTWARE\KnowBe4 Ran Simulator--which is removed after RanSim is uninstalled.

Back to Top

 

5) Question: Is there any collection of system information?

Answer: The only thing that is collected is the number of accessible files present on local disks only and having certain extensions that might be attacked by real ransomware, as described in the Operational Aspects section in the Product Manual. This information is presented in the pie chart after the check process is complete.

 Back to Top

 

6) Question: Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?

Answer: Yes, in the Logs directory there are a few .csv files with internal information. RanSim does not log information into the Windows Event Log.

Back to Top

 

7) Question: During the simulation, are there any network connections created and what for?

Answer: There is one scenario that attempts to open an HTTP connection to 127.0.0.1, port 23054 to send a message containing the encryption key. Obviously, in the vast majority of the cases this port is closed as there is no http listener attached to it, but if someone wanted to create such a listener, they could get the encryption key from the simulator.

 Back to Top

 

8) Question: What happens if antivirus on the workstation scans the installation file?

Answer: Some antivirus products may flag the installation file as malicious. If this happens, you should add the installation file to your antivirus's whitelist and attempt to install RanSim again. Most antivirus engines that we have tested do not report any problem.

Back to Top

 

9) Question: Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behaves the same as the scenarios?

Answer: Yes, they do behave the same, with minor differences. For example, the encryption keys and algorithms we use are different in RanSim. You can found more information about these Test Scenarios here.

Back to Top

 

10) Question: What file extension are the test scenarios?

Answer: The test scenario executables have a .cxp file extension.

Back to Top

 

11) Question: Can I add my own test files (for example, documents or photos) to test with RanSim?

Answer: Yes, you can do this after your first RanSim check by clicking Click here to copy your own test files to the test files folder located above the Check Now button. You will be prompted to select what files you'd like to copy to the %systemdrive%\KB4\Varsim|DataDir\TestFiles folder. You can add up to 50 files (each file's size must be 10 MB or less). After copying the files you'd like to copy, you can run additional RanSim scans on those files. Make sure you copy these files as instructed rather than move them. If you uninstall RanSim in the future, all files in the TestFiles folder will be deleted.

 Back to Top

 

12) Question: On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?

Answer: Executed is a result that refers to the two false-positive scenarios contained in RanSim. If the false-positive scenarios can run without being stopped by your anti-virus, they "executed" successfully and the test passed. If your anti-virus stops the scenarios from running, the test failed. Vulnerable or Not Vulnerable are results that relate to the ransomware and cryptomining scenarios within RanSim.

Back to Top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles