All Activity

This stream auto-updates   

  1. Today
  2. A good example of this sort of thing (if I've got the details right) is that the BB might warn you that a particular program looks like it might be acting like a keylogger (ie malware that records everything you type). But, as I understand it, that would be because it had asked Windows to pass to it a copy of all the keystrokes. And in fact, lots and lots of programs do that so that they can implement 'hot keys' - ie have some key combination that, when you type it, makes that program do something, even if the program was only running in the background. So you can see that the BB can see /potentially/ malicious behaviour but not be able to distinguish it from perfectly normal behaviour. Of course, there's no /guarantee/ that the customers who decide that some program is ok, on the Anti-Malware Network, are actually correct. Very few of them are likely to have seen the source of the program in question, or monitored precisely what it does. It's more likely that they believe the program is innocent based, perhaps, on the programmer or vendor's reputation. If such a program, using my example, seems to have no need whatsoever to intercept keystrokes, that would be worrying. You may still need to make your own judgement - or eg to ask on a vendor's forum WHY your EAM detected that behaviour, and see what the vendor says.
  3. Thank-you.
  4. It's hard to be certain. It depends on the feedback we get about the beta, and whether or not there any any new issues that need to be fixed before we can release it as a stable build.
  5. I've passed on the suggestion.
  6. The Behavior Blocker is one of our real-time protection components. It monitors running applications, and warns about any potentially malicious behavior. What you're seeing in the log is that an application performed a behavior we monitor for, and one of our mechanisms for reducing the number of alerts you see determined that the application was safe to allow, so it was allowed automatically and a rule to always allow it was created automatically. "Allowed by community" in the "Event" column means that the application was allowed based on the fact that more than 90% of our customers who have also encountered this application also allowed it. The system that stores this information is called our "Anti-Malware Network", and the information on what programs are safe or not is supplemented with data from VirusTotal.
  7. I just installed Emsisoft and am running it in trial mode as I am trialing it to decide if I want to use it. I just ran a scan and the following showed up in the Behavior Blocker Log. I don't really understand what this means. It looks like iSyncr was blocked and then allowed anyway with an exclusion. Is this a false positive? Why was it originally flagged as a problem? Thanks! Bill
  8. Hello, Hit sometime last night or this morning, likeliest vector is RDP (though I use strong passwords >:( ). It appears to be the same flavor as bruticus0's given the filenames. Encrypted files have .onion extensions and are 36 bytes larger than the original file. The attached example is an ASCII file, but I can provide a binary if needed. Please note that I got the original by downloading a previous version that was maintained by Google drive. Google drive had named the file "mc-generated_tgp1_tbp1_tsr0.667_tmc9_trainset.txt.unified.desc.id_1726307421_fgb45ft3pqamyji7.onion.desc" which wasn't the original name and so I renamed it to what you see attached. Hopefully that doesn't mess anything up for your analysis. I believe people are dubbing this one Cry128? I caught the trojan in the act and turned off the machine, so I'll likely be able to provide the virus files tomorrow. Where should I submit those? I've tried the Cry9 and CryptOn decryptors and neither worked. The former complained about the 68 bytes as others have posted, the latter gave a popup saying I need to drag both files at the same time (but I definitely did). More info... ransom notes are -DECRYPT-MY-FILES.txt and are *not* in every directory. Possibly because like I said I caught it "mid-stream". They make no mention of the culprit (e.g. citing the nemesis decryptor), however I safely visited the url given in the note and it said clearly at the top, "NEMESIS Ransomware". Also, in some threads I've been reading, some people have noted no size difference. I've checked several of my files by removing the new extension to bring it back to its original file name, and several of the files were still accessible, i.e. not encrypted. Perhaps if you're seeing no file size difference you should try the same. For me, the files that were apparently unencrypted still had the extra 36 bytes though. I can provide these kinds of files too if desired. Along with the virus exe and supporting files, I will be looking for new/altered user accounts, altered local/group security policies, and checking logs for port accesses and anything else that stands out. Let me know if I should look for anything else. And definitely let me know whatever I can do to help this effort. I'm reposting this on forum now - Many thanks to everyone spending their well-earned free time on cracking down on these <expletive deleted>. -DECRYPT-MY-FILES.txt mc-generated_tgp1_tbp1_tsr0.667_tmc9_trainset.txt.unified.desc mc-generated_tgp1_tbp1_tsr0.667_tmc9_trainset.txt.unified.desc.id_1726307421_fgb45ft3pqamyji7.onion
  9. Yesterday
  10. Buenas, Tardes Tengo el mismo inconveniente con mis archivos de datos y no los he podido desencriptar, me sale snapshot_00A889008F08_20170307191459.jpg.id_4180165461_fgb45ft3pqamyji7.onion
  11. Иван! Очень хотелось бы Вам помочь, но, увы, с 2016 года Emsisoft не поддерживает работу своих продуктов на Windows XP. На Windows 7, 8 и 10 обновится до 2017.3. Работу на Windows XP мы не поддерживаем. Никак. Единственный вариант возврата - с текущей версии на предыдущую, если использовать "Отложенный канал обновлений". Информацию об этой версии можно найти в блоге (промежуточные релизы и бета - только на английском языке)
  12. Hawki: no, as soon as you switch back EIS will update to the old stable version thus losing the beta. If you change to the beta feed you need to keep using that feed until the corresponding stable update is released, then you can go back to taking stable updates only.
  13. Can I switch to the Beta Update just to get the "shut down fix" and then switch back to released updates? Or won't that mixing work well ? Any idea yet when the beta fix will be released ?
  14. Lately I have had problem with play store opening with a specific app to install when using Firefox. I go to the loaded apps and close, but quite often another play store app loads. I ran Emsisoft mobile but it does not detect anything. Android version 4.4.2. Could this be malware?
  15. > Adding UI elements ... Ah. > If you want to copy the version number ... If all that information is deemed useful (and I can see why it would be) when someone sends an email, it would sensible to have all of it placed on the clipboard when someone clicks the yet-to-be-added button in the About box!
  16. Natalya , могли бы вы дать архивную ссылку или прислать Emsisoft Internet Security\August 14, 2015 , и Emsisoft Internet Security\July 26, 2015 ? - Эти версии EIS работали на Windows XP нормально , без БСОДов . Похоже последняя Emsisoft Internet Security\September 30, 2015 начала давать БСОДы на Windows XP. Помню точно БСОДы пошли после обновления версии , и в сентябре я обращался к Владимиру за помощью. Скажите ещё, если сейчас например поставить EIS , он не обновится на последнюю EIS ? Если обновится , то как запретить обновление на последнюю версию ? И последнее , что это за отладочная версия Emsisoft Internet Security\August 19, 2015 ? Компьютеры все обновлялись на неё ? Просто хочу выявить БСОДовую версию ,что-бы её не поставить.
  17. Thanks for the info. The beta setting has fixed the issue.
  18. Does using the latest beta version resolve the problem? Here's how to try it if you'd like to: Open Emsisoft Internet Security. Click on Settings in the menu at the top. Click on Updates in the menu at the top. On the left, under Update Settings, click on the box to the right of Update feed and select Beta from the list. Click on the Update now button on the right side.
  19. Adding UI elements shouldn't be difficult. I was just explaining why you couldn't copy the information displayed on the "about" dialog. If you want to copy the version number, then open EIS, click on Support, and click on Send an email. A pre-formatted signature is automatically added to the form field (which you can copy all or part of) that lists the product name, the type of license, version number, whether it is beta or stable, the language, and what version of Windows you are using.
  20. Both of those options should allow for easy recovery if anything goes wrong. Just be sure that the Windows XP machines don't have access to any backup media when files are not being backed up (although I tend to recommend that for all computers, regardless of the Operating System).
  21. I really feel for you guys. But it's actually a big relief knowing I wasn't the only one with my own one of a kind, unique problem that no one has ever said anything about If you guys are in immediate need of a little relief, I've been in Safe Mode using Easus Data Recovery Wizard. You end up finding stuff under your "Lost Files" folders.
  22. I got the same problem too. All my file are encrypted with this extension.(id_3249203987_gebdp3k7bolalnd4.onion._) Please help. Thank in advance. _DECRYPT_MY_FILES.txt bootstrap.min.js.id_3249203987_gebdp3k7bolalnd4.onion._ bootstrap.min.js glyphicons-halflings-regular.eot glyphicons-halflings-regular.eot.id_3249203987_gebdp3k7bolalnd4.onion._
  23. Same here, got hit last night. It looks like the same encryption with 36 byte difference in files. It would be TREMENDOUS if you can produce a decryprter for this one! Thanks a bunch!! _DECRYPT_MY_FILES.txt FileZilla_3.16.0_win64-setup.exe FileZilla_3.14.1_win64-setup.exe.id_1914190023_gebdp3k7bolalnd4.onion._ hdtunepro_560_trial.exe hdtunepro_560_trial.exe.id_1914190023_gebdp3k7bolalnd4.onion._
  24. It's stickied in this forum you're posting in Here At the bottom, fabian mentions the ID place. Sorry I wasn't clear to begin with. I am currently dealing with my own ransomware atm too. There's not a decrypter for it yet since it's new. So I am using Easus Data Recovery Wizard. I've had it for a long time, so I can't tell you where to get it. Basically, you choose your drive and select "Complete Recovery" I think. It will take a very long time to scan. After it is done you pick a partition to recover. It will always be the one with the most number of files listed. And be sure not to check the $MFT box. The results will look confusing at first. But you should see a folder that says, "Lost Files" or "Lost Files 2". Now, in these you should/hopefully/maybe find your original files, along with their encrypted counterparts. Which is a pain. You will have to meticulously go through each and every file you want recovered and check it. Then Recover it by picking a place to send the recovered files to. Good Luck.
  25. Results of Safe Mode run. No change that I can see. Fixlog attached. The advice offered in the article is no longer valid. All avenues suggested by the article are now being blocked Restore Reset on Windows Recovery Environment is likewise blocked from running. Windows reinstall file from Microsoft is also blocked. A new HDD seems to be the only way out Fixlog.txt
  26. Last week
  27. Hi Sarah. I don't mean to rush but do you have an estimate as to when Fabian will be able to roll out the new version of the decrypter?
  1. Load more activity
  • Who's Online   0 Members, 0 Anonymous, 48 Guests (See full list)

    There are no registered users currently online