Yes, nice SW
What could be done to "remove" false positives is the selct which notes to look for. I.e the readme file.
Simply deselect it before the scan is performed so that file is not scanned for.
Or if a file is scanned for, the size can be compared to other files with the same names.
Simply make the verifying process more secure. I guess you in addition to the signature of the files, could have a SHA1 of them som you can simply compare if the files spread on the computer has the same content.
A hash of the ransom note would be useless (thus why I don't use it on IDR), since ransom notes typically have the victim's ID, private BTC address, differing contact addresses, etc. One character change, and the entire hash is drastically different.
I could possibly see about adding a dialog to select individual notes. Was trying to not over-complicate the GUI.
Hi, I agree about this vs different notes. My thoughts were these. For one user, one ransomnote is identified by name, then a sha is made, then anonther note is found on the same computer with the same name, another sha and these notes are compared. If they differ the user is informed. Not that notes from one user is compared to another user.
That way you may be able to remove false positives, or at least present them. The program, could then "show the content of the file" (preview, so the user could check it.
Not by browsing through the whole list, but the program could auto present possible candidates. First the signature on id ransomware is used, but after the scan the users files are used.
It is rather unlikely multipple different ransomwares are found on on computer, but it is very likely multipple files from the ransomwares are found, as html, png, jpg, txt-files etc, this is where I mean sha can be used to "differ" local files with same names, but different content. And the time stamp could also be "collected" to indicate all happened at the same time.
In other words, adds a few extra level, and yes complicate the program for the creator maybe, but avoid some options for the users, unless all "tests" fail or give different results.
I was thinking in that alley.
I have a say. Adding security and simplicity is very demanding, not for the user alone, but for the ones adding these levels. The only way to add less of security and simplicity is to have more educated users. Inside a comany this is possible, but for world wide audience, then adding these levels are needed, so the work from the author / creator of the SW increases dramatically. Of course you may say you are not responsible for what th user(s) remove, but you still try to avoid removing thing that could be needed.
And you could maybe add, this task, The rasom notes will be erased, are you sure you have gotten rid of the encryption, and fixed all encrypted files... etc. As the notes could be needed to be able to fix. Maybe one not can be kept and backed up to a certain location, to help the victim...
Then like with Tesla, key.dat, registry key etc, thay are also "ransom notes" but they could be needed, so maybe give th user the chance to keep them backed up for future use.
In other words, after the scan is completed. ( I had to repeat scan for each drive, could not select scan computer) then Preset to the user. These and thes notes were found, indicating you had these and thes ransomwares, then allow the user to select which to remove, and which to get more info about.
The whole idea with the cleaner is to get rid of "trash" when the user(s) have fixed their other issues, not remove their last chance of recovering. Again with Tesla .vvv the notes are not important, since all in included in each encrypted file, but for other versions some other files are needed for successfully fixing the problem, those, one of a kind notes should not be simply removed, but instead the user should be giving the option to back them up.
You are the expert, and the only one that knows the full correlation between files and what is needed or not. The users are the less educated, so if they should be given the option to select / deselect, the choices should be as secure as possible.
Now I use my self as an example. I run this program, I am quite cautious, and I know what I'm doing. I get presented a list like this, with hundreds of notes.
First I would want to have a preview log file in txt format, so I can open it. Then I would need to see if there are more than one type, and if so, I need to find out which.
so based on notes, I need the notes attached to the possible ransomware types. Then when that is ok, I need to see where the notes are found
Based on this investigation, I deselect three files, I think can be false positives ( I can simply rerun the program for another search another time so, reducing the list is good).
Ok, no as a user I'm as sure as possible, the notes are not needed, so I remove them. I get another log file, what was removed ( you already have this).
I'm happy mots notes are now removed, and rerun the program. Only three notes were found, I use the preview function, or the programs feature, go to locations ( browse location and examine the files. Two were ordinary readme files and I leave them, and erase the last file. I do another scan and find only two files (false positive)
Another thing as mentioned above is this backup thing, but instaed of backing up 2000 identical notes from 2000 locations on the system, one can be backed up a sha with th others are made to make sure all the 1999 others are the same. If so the file location is not that important anymore, and by having a log-file backed up to the same location could help.
This backup location could smiply be my documents or the desktop if you like (make sure the user is allowed to back up...)
As you understand now, the program will be more complicated, yes, but not neecesarily more complicated for the user, only for the author.