Frequently Asked Questions
Below are some commonly-asked questions about KnowBe4's RanSim. If you don't see the answer you need, submit a ticket to our support team.
- My antivirus flagged MainRunner.exe, Collector.exe, or SimulatorSetup.exe as malicious.
- My antivirus did not flag MainRunner.exe or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.
- Windows Security flagged the ransim.zip file as malicious and will not allow me to open the file.
- What files are placed on disk and where?
- What registry keys are created and where in the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?
- Is there any collection of system information?
- Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?
- During the simulation, are there any network connections created, and what for?
- What happens if an antivirus on the workstation scans the installation file?
- Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behave the same as the scenarios?
- What file extension are the test scenarios?
- Can I add my own test files (for example, documents or photos) to test with RanSim?
- On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?
1) Question: My antivirus flagged MainRunner.exe, Collector.exe, or SimulatorSetup.exe as malicious.
Answer: There is no dangerous code in those files and they should be allowed to run. You can consider them false positives, although they will not be shown in your False Positives count.
If the files are flagged as malicious, certain antivirus products may show a warning that lets you allow the file to run, quarantine it, or block it. Others may not give you an option and could automatically block and quarantine the file.
- If the MainRunner or Collector files are quarantined before the first scan (after opening the UI), the RanSim UI will attempt to recreate them when the scan is started. If they are quarantined again, you will be informed that at least one of those files is missing and advised to make sure they are allowed to run on the computer.
- If the MainRunner or Collector files are quarantined during a scan, the scan is canceled. RanSim will try to recreate those files and you will be advised to try a new scan. If the files are blocked again, RanSim will not attempt to recreate the files. Instead, you will be asked to make sure the files are allowed to run and then restart RanSim to perform a new scan.
2) Question: My antivirus did not flag MainRunner.exe or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.
Answer: This is a good thing, and exactly what you want your antivirus to do. The files named above (MainRunner.exe and SimulatorSetup.exe) should be allowed to run without interference from your antivirus, since they are the framework for the RanSim testing process. If the actual ransomware simulation executables are blocked or quarantined during the RanSim process, this means that if an identical attack were to happen to your users, your antivirus would behave in a similar fashion.
3) Question: Windows Security flagged the ransim.zip file as malicious and will not allow me to open the file.
Answer: To allow your device to open this file, you can add an exclusion to your Windows Security settings. For more information, see Microsoft's Add an exclusion to Windows Security support documentation.
4) Question: What files are placed on disk and where?
Answer: All files are placed in the installation folder, c:\KB4\Varsim (that is, %systemdrive%\KB4\Varsim), as described in the Operational Aspects section above. The simulators do not process files outside the MainTests folder. When RanSim is uninstalled, the installation folder is removed completely from the system.
5) Question: What registry keys are created and where in the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?
Answer: Apart from the entries managed by the MSI installer itself, there is one custom key, HKEY_CURRENT_USER\SOFTWARE\KnowBe4 Ran Simulator, which is removed after RanSim is uninstalled.
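A post-uninstall check that verifies both claims above (installation folder gone, HKCU key gone). This is an added example, not KnowBe4's code; the folder path and key name are the ones the FAQ gives, and the registry check only runs on Windows.

```python
"""Post-uninstall footprint check for RanSim (added example, not KnowBe4's code).

The FAQ states that uninstalling RanSim removes %systemdrive%\\KB4\\Varsim and the key
HKEY_CURRENT_USER\\SOFTWARE\\KnowBe4 Ran Simulator. This script verifies both.
"""
import os
import sys

INSTALL_DIR = os.environ.get("SystemDrive", "C:") + r"\KB4\Varsim"   # path from the FAQ
REGISTRY_SUBKEY = r"SOFTWARE\KnowBe4 Ran Simulator"                  # under HKCU, from the FAQ

def folder_leftovers(install_dir):
    """Relative paths of files still present under install_dir (empty if gone or empty)."""
    leftovers = []
    if not os.path.isdir(install_dir):
        return leftovers
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            leftovers.append(os.path.relpath(os.path.join(root, name), install_dir))
    return sorted(leftovers)

def registry_key_exists(subkey):
    """True/False on Windows; None on other platforms (no registry to check)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey):
            return True
    except FileNotFoundError:
        return False

def uninstall_clean(install_dir=INSTALL_DIR, subkey=REGISTRY_SUBKEY):
    """Report what is left behind; 'clean' is True only when folder and key are both gone."""
    folder_present = os.path.isdir(install_dir)
    key_present = registry_key_exists(subkey)
    return {
        "folder_present": folder_present,
        "files_left": folder_leftovers(install_dir),
        "registry_key_present": key_present,
        "clean": not folder_present and not key_present,
    }

if __name__ == "__main__":
    for field, value in uninstall_clean().items():
        print(f"{field}: {value}")
```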
6) Question: Is there any collection of system information?
Answer: The only thing collected is the number of accessible files on local disks that have certain extensions which might be attacked by real ransomware, as described in the Operational Aspects section in the Product Manual. This information is presented in the pie chart after the check process is complete.
7) Question: Are there any log files generated? Does this cause Windows Event Log entries? If so, what do those look like?
Answer: Yes, in the Logs directory there are a few .csv files with internal information. RanSim does not log information into the Windows Event Log.
8) Question: During the simulation, are there any network connections created, and what for?
Answer: One scenario attempts to open an HTTP connection to 127.0.0.1 on port 23054 to send a message containing the encryption key. In the vast majority of cases this port is closed, since no HTTP listener is attached to it, but if someone wanted to create such a listener, they could get the encryption key from the simulator.
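The listener the answer describes, as an added example that is not part of RanSim: it binds 127.0.0.1:23054 before a scan and records each request verbatim, so you can see exactly what the scenario sends and confirm the connection attempt happened. The FAQ does not document the HTTP verb or message format, so nothing is parsed.

```python
"""Local listener for RanSim's key-sending scenario (added example, not KnowBe4's code).

The FAQ says one scenario opens an HTTP connection to 127.0.0.1:23054 and sends a
message containing the simulated encryption key. This server accepts that connection
and stores every request as-is; run it before starting a scan.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RANSIM_HOST, RANSIM_PORT = "127.0.0.1", 23054   # endpoint named in the FAQ

class CaptureHandler(BaseHTTPRequestHandler):
    """Store every request on the owning server's `captured` list and reply 200."""

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        self.server.captured.append({"method": self.command, "path": self.path,
                                     "headers": dict(self.headers), "body": body})
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = _record   # the FAQ does not say which verb is used

    def log_message(self, fmt, *args):    # keep the console quiet while the scan runs
        pass

class CaptureServer(HTTPServer):
    def __init__(self, address):
        super().__init__(address, CaptureHandler)
        self.captured = []

def start_capture(host=RANSIM_HOST, port=RANSIM_PORT):
    """Bind the listener and serve it on a daemon thread; returns the server object."""
    server = CaptureServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_capture()
    print(f"listening on {RANSIM_HOST}:{RANSIM_PORT}; run the RanSim scan, Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
        print(srv.captured)
```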
9) Question: What happens if an antivirus on the workstation scans the installation file?
Answer: Some antivirus products may flag the installation file as malicious. If this happens, you should add the installation file to your antivirus's whitelist and attempt to install RanSim again. Most antivirus engines that we have tested do not report any problem.
10) Question: Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behave the same as the scenarios?
Answer: Yes, they do behave the same, with minor differences. For example, the encryption keys and algorithms we use are different in RanSim. You can find more information about these Test Scenarios here.
11) Question: What file extension are the test scenarios?
Answer: The test scenario executables have a .cxp file extension.
12) Question: Can I add my own test files (for example, documents or photos) to test with RanSim?
Answer: Yes, you can do this after your first RanSim check by clicking "Click here to copy your own test files to the test files folder", located above the Check Now button. You will be prompted to select the files you'd like to copy to the %systemdrive%\KB4\Varsim\DataDir\TestFiles folder. You can add up to 50 files (each file's size must be 10 MB or less). After copying the files, you can run additional RanSim scans on them. Make sure you copy these files as instructed rather than move them. If you uninstall RanSim in the future, all files in the TestFiles folder will be deleted.
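A script that applies the same rules as the UI action above when staging your own test files: at most 50 files in the folder, each 10 MB or smaller, and copy rather than move. This is an added example, not KnowBe4's code; the default destination is the FAQ's TestFiles path, read here as %systemdrive%\KB4\Varsim\DataDir\TestFiles, and "10 MB" is taken as 10 MiB.

```python
"""Copy your own test files into RanSim's TestFiles folder (added example, not KnowBe4's code).

Enforces the limits the FAQ gives for the UI action: at most 50 files in the folder,
each 10 MB or smaller, and files are copied, never moved. Destination defaults to the
FAQ's path, read here as %systemdrive%\\KB4\\Varsim\\DataDir\\TestFiles.
"""
import os
import shutil

MAX_FILES = 50                    # limit stated in the FAQ
MAX_BYTES = 10 * 1024 * 1024      # "10 MB or less", taken here as 10 MiB
DEFAULT_DEST = os.environ.get("SystemDrive", "C:") + r"\KB4\Varsim\DataDir\TestFiles"

def select_test_files(paths, existing=0):
    """Split candidates into (accepted, [(path, reason), ...]); `existing` = files already present."""
    accepted, rejected = [], []
    for path in paths:
        if not os.path.isfile(path):
            rejected.append((path, "not a regular file"))
        elif os.path.getsize(path) > MAX_BYTES:
            rejected.append((path, "larger than 10 MB"))
        elif existing + len(accepted) >= MAX_FILES:
            rejected.append((path, "50-file limit reached"))
        else:
            accepted.append(path)
    return accepted, rejected

def copy_test_files(paths, dest=DEFAULT_DEST):
    """Copy accepted files into dest, leaving the originals in place; returns (copied, rejected)."""
    os.makedirs(dest, exist_ok=True)
    existing = sum(os.path.isfile(os.path.join(dest, n)) for n in os.listdir(dest))
    accepted, rejected = select_test_files(paths, existing)
    copied = []
    for src in accepted:
        target = os.path.join(dest, os.path.basename(src))
        if os.path.exists(target):
            rejected.append((src, "a file with that name is already in TestFiles"))
            continue
        shutil.copy2(src, target)      # copy, not move: the source stays where it was
        copied.append(target)
    return copied, rejected

if __name__ == "__main__":
    import sys
    done, skipped = copy_test_files(sys.argv[1:])
    print(f"copied {len(done)} file(s)")
    for path, reason in skipped:
        print(f"skipped {path}: {reason}")
```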
13) Question: On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?
Answer: Executed is a result that refers to the two false-positive scenarios contained in RanSim. If the false-positive scenarios can run without being stopped by your antivirus, they "executed" successfully and the test passed. If your antivirus stops the scenarios from running, the test failed. Vulnerable and Not Vulnerable are results that relate to the ransomware and cryptomining scenarios within RanSim.