MacOS – How to find out which process was stopped by RansomWhere

Tags: encryption, logs, macos, malware

I use RansomWhere, a tool to protect from ransomware. I have OS X Yosemite.

As far as I understand, RansomWhere just warns me whenever an app tries to encrypt data. It's up to the user to judge whether they trust a process or not. (And whether the application is one which should need to encrypt data.) The user is given the choice of Allow or Terminate each time there is a warning. It has warned me about several apps I trust and that I figure did need to encrypt data, and I have simply clicked Allow.

However, just now I got a warning about a process I didn't recognize. The message said "is encrypting data", so I figured I had to hurry, and I clicked Terminate immediately after seeing that I wasn't sure what the process actually was. After clicking Terminate, the dialogue box disappeared, and I heard nothing more from RansomWhere regarding the issue.

Now, I want to know what this process actually was and what was going on. I don't remember the details given in the message, just that I wasn't sure which process it was. I wish I had taken a second to take a screenshot before pressing Terminate, but unfortunately, I didn't.

How can I find out which process this was and what was going on?

Best Answer

According to RansomWhere's own site the data is stored in

  • /Library/RansomWhere/installedApps.plist - a list of applications already present on the system.
  • /Library/RansomWhere/approvedBinaries.plist - a list of binaries explicitly approved by the user.
  • /Library/RansomWhere/whitelist.plist - a list of safe binaries (that often legitimately create encrypted files).
  • /Library/RansomWhere/graylist.plist - a list of system binaries that are not explicitly trusted.

However, because an app that was terminated is by design not remembered, it will not appear in any list.

The following list summarizes the 'allow' and 'terminate' actions:

  • 'allow' Tells RansomWhere? it's ok to let the process continue running. This will be persistently remembered; you'll never be alerted about this binary again.

  • 'terminate' Tells RansomWhere? to kill the process. As this action is a little more drastic, RansomWhere? (by design) will not remember such actions. Thus if the terminated process is run again, it will cause another alert.

You could check Console to see whether it generated an event at the time - I can't test that as I've never run RansomWhere.
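As an added example (not code from RansomWhere's author or from the original answer), the script below gathers what is recoverable after a Terminate click on Yosemite: it prints the four plist lists named above and scans /var/log/system.log, which is where Yosemite keeps the log Console shows (the `log show` command only exists from Sierra on). Two things are assumptions rather than documented facts: that RansomWhere logs its alerts through syslog so they land in system.log, and that those lines name the binary by absolute path. The sample log lines used in the test are constructed, not captured output.

```python
#!/usr/bin/env python3
"""Added example: recover what RansomWhere left behind after a Terminate.

1. Print the lists RansomWhere keeps under /Library/RansomWhere.
2. Pull every line in Yosemite's /var/log/system.log that mentions RansomWhere.
3. Report any binary path seen in those lines that is in none of the lists:
   since Terminate is never persisted, an unlisted path is the best candidate
   for the process that was killed.

Assumptions (not confirmed by RansomWhere's documentation): alerts are logged
via syslog into system.log, and log lines name the binary by absolute path.
"""
import plistlib
import re
import sys
from pathlib import Path

RANSOMWHERE_DIR = Path("/Library/RansomWhere")
PLIST_NAMES = ("installedApps.plist", "approvedBinaries.plist",
               "whitelist.plist", "graylist.plist")
SYSTEM_LOG = Path("/var/log/system.log")   # Yosemite: no unified log / `log show`

# Absolute-path token; paths containing spaces are cut at the space (heuristic).
PATH_RE = re.compile(r"/[^\s\"']+")


def load_plist_bytes(data):
    """Parse plist bytes (XML or binary); None if they are not a plist."""
    try:
        return plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError):
        return None


def load_plist(path):
    """Parse a plist file; None if it is absent or unreadable."""
    try:
        return load_plist_bytes(Path(path).read_bytes())
    except OSError:
        return None


def plist_entries(data):
    """Flatten plist content to a sorted list of strings.

    The page does not document the exact layout of RansomWhere's lists, so
    both likely shapes are accepted (assumption): a list of items, or a
    dict keyed by binary path.
    """
    if isinstance(data, dict):
        return sorted(str(k) for k in data)
    if isinstance(data, list):
        return sorted(str(x) for x in data)
    return []


def ransomwhere_log_lines(lines, keyword="ransomwhere"):
    """Log lines mentioning RansomWhere, case-insensitively, newline stripped."""
    return [ln.rstrip("\n") for ln in lines if keyword in ln.lower()]


def paths_in_lines(lines):
    """Unique absolute paths mentioned in the lines, in order of appearance."""
    seen, out = set(), []
    for ln in lines:
        for p in PATH_RE.findall(ln):
            if p not in seen:
                seen.add(p)
                out.append(p)
    return out


def unlisted_candidates(log_paths, listed):
    """Paths seen in the log that appear in none of RansomWhere's lists."""
    return [p for p in log_paths if p not in listed]


def main():
    listed = set()
    for name in PLIST_NAMES:
        data = load_plist(RANSOMWHERE_DIR / name)
        entries = plist_entries(data) if data is not None else None
        state = "missing/unreadable" if entries is None else f"{len(entries)} entries"
        print(f"== {name}: {state}")
        for entry in entries or []:
            print("   ", entry)
            listed.add(entry)
    try:
        with open(SYSTEM_LOG, errors="replace") as fh:   # rotated copies: system.log.N.gz
            hits = ransomwhere_log_lines(fh)
    except OSError as exc:
        print(f"cannot read {SYSTEM_LOG}: {exc}", file=sys.stderr)
        return 1
    print(f"== {SYSTEM_LOG}: {len(hits)} line(s) mentioning RansomWhere")
    for ln in hits:
        print("   ", ln)
    for p in unlisted_candidates(paths_in_lines(hits), listed):
        print("candidate (in log, in no list):", p)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `sudo python3 find_terminated.py`, since /Library/RansomWhere and /var/log/system.log are root-readable. If the alert was more than a day or two ago, the relevant lines will have rotated into /var/log/system.log.N.gz; `zgrep -i ransomwhere /var/log/system.log*` covers those. If nothing mentions RansomWhere at all, the logging assumption does not hold for your version and Console's own search is the remaining option.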