Popular Content

Showing content with the highest reputation since 10/31/18 in all areas

  1. 3 points
    It means that the tests done by AV-C and AV-T have a clear image of how they think AV software should work. The problem arises when your product doesn't fit the mould. Then you get penalized for not doing what everyone else does, even though what everyone else does may not be in the best interest of the user to begin with. Best example: snooping around in your encrypted connections, which literally every AV vendor has screwed up at least once in the past and which will probably continue to happen, exposing users to potentially greater risks than most malware does. For starters, the test sets aren't nearly as representative anymore. When we participated, AV-T and AV-C both tested with less than 200 samples a month on average. 200 samples out of literally tens of millions. The exact selection isn't clear and not representative of what users deal with either. None of them tests with PUPs, for example, even though a simple look at any tech support community will tell you that it is probably by far the biggest problem users are dealing with. So no, neither of those test scores represents real-life performance, and it becomes blatantly obvious when you go to places like Bleeping Computer, GeeksToGo, Trojaner Board, Malekal, and all those other communities where people infected by malware show up for help and look at what products these victims used at the time they became infected. Then you will notice that a lot of these products with perfect scores don't look nearly as perfect in real-life conditions. The reason for this discrepancy is quite simple: most AV vendors will specifically optimise their products for these tests. The most severe cases are where vendors end up outright cheating and detecting the test environments, which then results in a change of behaviour of the product (think Dieselgate, but with anti-virus). But there are many ways you can game these tests.
    For example:
    - you can try to figure out the threat intel feeds the companies use, then just buy those same threat intel feeds so you have all samples in advance
    - you can track their licenses and supply different signatures to them or use your cloud to treat those test systems differently
    - some particularly shady organisations literally also sell you their sample and malicious URL feed, so you can just outright buy the samples and URLs your product will get tested on later
    What you end up with as a result is a product that is optimised really, really well for the exact scenario it is being tested under, using the exact type of URLs and samples these testers use, but that is utterly useless when it comes to anything else. We just really don't want to create this type of product. So when we were asked whether we wanted to continue to participate this year, we discussed the matter internally, looked at what we get out of these tests (meaning: whether these tests have a discernible impact on our revenue) and decided that they are simply not worth it and that the tens of thousands of Euros we spent on them every year would be better spent on extending our team and building new ways of keeping our customers safe.
  2. 2 points
    I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
  3. 2 points
    That's an offline ID. Support for it should be added to STOPDecrypter soon, and once that happens it should be possible for you to decrypt your files.
  4. 2 points
    I've been told that the time window for being able to figure out keys for .kiratos has ended, however I will go ahead and pass this on to the developer of STOPDecrypter so that he can archive it just in case he's able to figure out the decryption key at some point in the future.
  5. 2 points
    Hi Marshall. Not sure, but I do know that I recognize the URL of "MVPS Hosts" and I recognize the list. I don't recognize the list attached to MVPS Hosts (Domains). To view the list, click the blue "Details", "View" & "Original" buttons - see image. Sorry I couldn't offer a better explanation.
  6. 2 points
    Hi Marshall. To add the MVPS Hosts list to uBlock Origin, perform the following steps (see images for more details): (1) Go to the following link: https://filterlists.com/ (2) Enter "130" in the page field. (3) Click the blue "Details" button on the "MVPS Hosts" line. (4) Click the blue "Subscribe" button. You're all done! The MVPS Hosts file should now be added to uBlock Origin in your browser. To check you can look at the uBlock Origin "Options" page by right-clicking the uBlock Origin icon in your browser, as per images. Hope this helps. Best Regards, Steen
  7. 2 points
    Personally I think following the tests is a waste of time. If you are really concerned then you will need to make the effort to do your own testing. That is what I did. Also the tests don't tell you a thing about the nature of the company. I will stick with Emsisoft because I think it's the best.
  8. 2 points
    Hello Moreau, thank you very much for your positive feedback. Always a pleasure, and thank you for the friendly communication. I wish you a good start to the (still almost) new week!
  9. 2 points
    > Thanks, how do I turn off the notification please? See: Settings - Notifications - Browser Security verifications
  10. 2 points
    Hello, This is legitimate. You can read more about it here: https://blog.emsisoft.com/en/32517/new-in-2018-12-safe-web-browsing-with-emsisoft-browser-security/
  11. 1 point
    If he can't remove it, then I can write a script for FRST that can remove it. That being said, it doesn't appear to be old. KMSpico used to use a Scheduled Task, however this version appears to be using a service, which is (as far as I know) a new behavior.
  12. 1 point
    I'll pass this on to the maker of STOPDecrypter, but note that we need to have the MAC addresses of every network adapter on the computer (even if it isn't a normal ethernet adapter). Hopefully the information you provided will be enough to be able to find your decryption key quickly, however please note that we can't make any promises. That is more than likely a variant of the STOP/Djvu ransomware. You may verify that using ID Ransomware if you'd like to: https://id-ransomware.malwarehunterteam.com/ While STOPDecrypter probably won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter Important: STOP/Djvu now installs the Azorult trojan as well, which allows it to steal passwords. It is imperative that you change all passwords (for your computer and for online services you use) once your computer is clean. While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you.
We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  13. 1 point
    Hi Damaxx, can you share the decryptor? I wanted to try whether it will work for my files or not...
  14. 1 point
    This is almost certainly GlobeImposter 2.0, however you can verify that using ID Ransomware: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  15. 1 point
  16. 1 point
  17. 1 point
    You're welcome. Just follow the instructions I posted at the following link: I've forwarded your ID and MAC addresses to the creator of STOPDecrypter so that he can archive them in case he is able to figure out your decryption key at some point in the future. All you have to do now is give us some time, and we'll do what we can for you.
  18. 1 point
  19. 1 point
    QA isn't aware of any issues with languages reverting to English. Unfortunately, without debug logs, it wouldn't be possible for us to know for certain why it happened.
  20. 1 point
    You're welcome.
  21. 1 point
    Hello, ECC is just in beta; it will be corrected soon. I have also reported that.
  22. 1 point
    Now I removed every tool and free virus protection software.
  23. 1 point
    That is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware: https://id-ransomware.malwarehunterteam.com/ If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  24. 1 point
    That is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware: https://id-ransomware.malwarehunterteam.com/ If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  25. 1 point
  26. 1 point
    The server I own was recently infiltrated with the .nampohyu ransomware. I have a Synology Diskstation that I use to store my DVD and Bluray collection, consisting mostly of direct backups of my collection (for DVDs it's file folders each containing the .VOB files and .IFO files for each individual movie. For Blurays, it's a folder for each movie that contains either an .ISO file of the disc or BDMV and CERTIFICATE folders for each individual movie). The files on my Diskstation are not 'encrypted' even though the ransom note would have you believe that. While I could physically wipe the server and re-load all my movies (they are in boxes in my basement), I've discovered a time-consuming solution for myself: For the DVDs, each movie was saved in an individual folder containing the AUDIO_TS and VIDEO_TS folders from the DVD. In the folders are the .VOB files, .IFO files and .BUP files. I used command prompts to bulk remove the .nampohyu extensions from the .VOB files. I found that the existing .IFO files were corrupted so I deleted them and renamed the accompanying .BUP files as .IFO files. This restored the functionality of the DVDs. For the Blu-Rays, the ones that were saved as .ISO files, it seems that the .nampohyu ransomware corrupted the header in the .ISO file. I used the command prompt line to bulk delete the .nampohyu extensions on the files. Then I purchased a program called IsoBuster, loaded the .ISO file of the movie into it, then extracted the BDMV, CERTIFICATE and whatever other files were in the .ISO file into another folder. I'm assuming this got rid of the corrupted header in the original .ISO file because it brought the Bluray back to life. It is a tedious process to do this for all my movies but at least I didn't lose my collection, and be damned if I am going to pay some thief to return to me what is rightfully mine. Hope this information helps.
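    The bulk rename the post describes, written out as an added PowerShell example (not the poster's own commands). It strips an appended extension from every file under a share and, optionally, rebuilds damaged .IFO files from their .BUP copies in VIDEO_TS folders. The root path and the extension are assumed values; because the function supports -WhatIf, it can be dry-run first, and it should only be pointed at files that have already been backed up.

```powershell
# Added example (not the poster's own commands): strip an appended ransomware
# extension from files under a share and, for DVD folders, replace .IFO files
# with their .BUP copies, as the post describes. Run only against files you
# have already backed up. Root path and extension are assumed values.

function Restore-RenamedFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Root,   # e.g. '\\diskstation\video' (assumed)
        [string]$Extension = '.nampohyu',        # extension the ransomware appended
        [switch]$RebuildIfo                      # promote .BUP to .IFO in VIDEO_TS folders
    )

    # 1. Strip the appended extension: 'VTS_01_1.VOB.nampohyu' -> 'VTS_01_1.VOB'
    Get-ChildItem -Path $Root -Recurse -File -Filter "*$Extension" | ForEach-Object {
        $target = $_.FullName.Substring(0, $_.FullName.Length - $Extension.Length)
        if (Test-Path -LiteralPath $target) {
            # Never overwrite a file that is already present under the original name.
            Write-Warning "Skipping $($_.FullName): $target already exists"
            return
        }
        if ($PSCmdlet.ShouldProcess($_.FullName, "Rename to $target")) {
            Rename-Item -LiteralPath $_.FullName -NewName (Split-Path $target -Leaf)
        }
    }

    if (-not $RebuildIfo) { return }

    # 2. A DVD's VIDEO_TS folder keeps a .BUP copy of every .IFO. Where the .IFO was
    #    damaged, set it aside (keeping it for later analysis) and copy the .BUP over.
    Get-ChildItem -Path $Root -Recurse -Directory -Filter 'VIDEO_TS' | ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -File -Filter '*.BUP' | ForEach-Object {
            $ifo = [IO.Path]::ChangeExtension($_.FullName, '.IFO')
            if ($PSCmdlet.ShouldProcess($ifo, "Replace with contents of $($_.Name)")) {
                if (Test-Path -LiteralPath $ifo) {
                    Move-Item -LiteralPath $ifo -Destination "$ifo.corrupt" -Force
                }
                Copy-Item -LiteralPath $_.FullName -Destination $ifo
            }
        }
    }
}

# Dry run first to review every planned rename, then run for real:
# Restore-RenamedFiles -Root '\\diskstation\video' -RebuildIfo -WhatIf
# Restore-RenamedFiles -Root '\\diskstation\video' -RebuildIfo
```

Renaming only fixes the file name; as the post notes for the .ISO files, a family that also damages file headers needs a repair step on top of this, and the set-aside .IFO.corrupt copies let you confirm what was actually changed.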
  27. 1 point
    @nneo Keys are unique per victim, and only some are lucky for me to be able to recover a key in very rare cases. Everything is explained in the first post and FAQ of the support topic: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/ If you were hit by extension .kiratos, I need this information ASAP. If any other extension, I just need it to archive.
  28. 1 point
    I just started playing around with the new "My Emsisoft Cloud Console". My first experiences have been quite positive. 🙂 Two little things that I would like to suggest for improvement:
    1) I use only one policy for the whole network (i.e. workspace). This is why I delete all computer groups except "New Computers" (which cannot be deleted). I then set all required policy settings/options on the highest possible level, which is the "root" group called "Workspace". These settings are then of course inherited by the "New Computers" group (and possibly some other groups that I might add later). The problem is that whenever you re-visit the "Protection Policies" section by clicking in the navigation bar on the left hand side, the view defaults to the "New Computers" group. So if I'm not very careful, I'll change settings in this group instead of the root group "Workspace". It would be nice if the selection could default to "Workspace" whenever you re-visit the Protection Policies section.
    2) Using the Enterprise Console, it was easy to see at a glance if the settings on some client PCs deviated from the original policy setting (the overview in EEC then shows a little round arrow next to the policy name in the "Computer Policy" column). In the cloud console, you must have a detailed look at the settings of each client PC to see if there is anything different to the original policy. It would be very helpful to be able to see policy vs. current client settings differences directly on the overview dashboard. (please bring back the round arrow 😉)
    Furthermore, there are some minor cosmetic issues:
    - When clicking on the menu of the root protection group "Workspace", the menu item "Clone" is not greyed out. It is clickable, but (as expected) nothing happens. It should be greyed out like the rest of this group's menu items.
    - Some German translations don't fit into the UI (mostly on buttons)
    - When using browser zoom (I use 120% by default) some lines around some UI fields get cut off
    And two final questions:
    - I was wondering what the setting "Detect registry policy settings" in the Scanner Settings section does (see attached screenshot).
    - Why does my license vanish from the "Licenses --> Personal Licenses" section after assigning it to a workspace? Is this by design? This seems confusing to me... What happens if I delete a workspace - will the license be returned to the "Personal Licenses" section? What about client PCs that are NOT associated with the workspace - will they have licensing problems (I don't want to add all my PCs to the workspace)?
    Thanks for the great job so far! Raynor
  29. 1 point
    STOPDecrypter lists the MAC of every network adapter. Since the average user doesn't know how to find the MAC address of their network adapters, let alone what a MAC address even is, it's best for them to run STOPDecrypter. As for the possibility of running it on the wrong computer, I have added a couple of lines to the instructions I wrote covering that and pointing to the FAQ.
  30. 1 point
    I have forwarded your ID and MAC to the creator of STOPDecrypter. Either he or myself will contact you if he is able to figure out your decryption key.
  31. 1 point
    If you do not know how to find the MAC (physical) address, then look at the screenshot there. Write only the address of the network card you used to access the Internet at the time you received the infection (wired or wireless (Wi-Fi)). Do not write both addresses! Determine it exactly. This is not difficult. It is necessary more for you than for the developer of STOPDecrypter. Such common errors lead to files that cannot be decrypted.
  32. 1 point
    Hi Raynor, We currently don't have concrete plans to end Emsisoft Enterprise Console. If we ever come to that point, we would make an announcement at least one year in advance to provide planning safety for our customers. 1) Local update caching will become available later. 2) We have no plans to offer a profiles migration path, for now. Re-connecting existing devices from EEC to ECC will become an easy procedure and can be automated. We are working hard to add new features to Emsisoft Cloud Console. Feel free to start testing it and see how stable it is. You can connect existing Emsisoft installs manually as of version 2019.3. Thanks
  33. 1 point
    The Behavior Blocker in Emsisoft Anti-Malware does do cloud lookups on unknown applications that are exhibiting potentially malicious behavior. This is primarily used for determining if an application is known as safe, as a form of whitelisting, however there are malicious programs that are detected through cloud lookups as well. The reason we don't rely heavily on cloud lookups for detection is simply due to the fact that the Behavior Blocker will block/quarantine any unknown applications that exhibit potentially malicious behavior, so it will generally take care of infections on its own, and only needs help with identifying safe applications so that it's less likely to block/quarantine them along with malicious applications.
  34. 1 point
    More than likely 3DMark's software has an issue with the kind of hooks Emsisoft Anti-Malware opens to monitor it. This is something that they will have to fix, as it's a bug in their software.
  35. 1 point
    I thought that was going to be changed? https://support.emsisoft.com/topic/30225-neues-lizenz-system-abonnement/
  36. 1 point
    You can technically just remove all entries from your hosts file using Notepad. Just delete everything except the " localhost" entry if there is any. Lines starting with "#" are comments by the way. Pretty much. We are not an ad blocker, no. You use uBlock Origin which is pretty much the best adblocker you can get. So you are well covered in that area already. Correct. When you try to click the link, it will block access to the site. But I do understand that a lot of people would like to know before they click, which is why we consider adding it. Interestingly enough WOT got in trouble for the very same thing that some AVs are doing with their extension. You can always set up your own DNS server locally or in a cheap VPS box online. DNS also can be tunneled via various secure protocols (DNS-over-HTTPS for example). Those use methods that provide k-anonymity. Firefox in addition also sends "fake" requests if I remember correctly so the hoster of the block list does not know whether that was a website you actually surfed to or a random request. If you are so concerned, just host your own VPN. Get a cheap VPS with bitcoin at njal.la for example, host OpenVPN and your own DNS server on it and there will be no link between you and the VPS. It's serious overkill though.
  37. 1 point
    The gold star is an indicator for Admin mode, i.e. when you have activated an administrator password to lock EAM against unwanted manual setting changes. When you open the main program and enter the password to unlock the program, the gold star will show up. The Pacman is the indicator for Game mode, which was renamed to Silent mode a while ago.
  38. 1 point
    @Jimbo - There's an on/off control in Settings - Notifications.
  39. 1 point
    Hello Eric Cartman, thank you for the hint. I have already informed my colleagues. Indeed a false positive; we have fixed it and the change will be released with the next update. Thanks for the support. Have a nice day!
  40. 1 point
    Advanced users can still see if we block something by checking on VirusTotal. For those who don't know what to do with that list, it doesn't need to be there. It's just a type of simplification, so that only custom rules are shown now. Yes, the host rules are still there, they're just not displayed anywhere in the UI anymore. No, that was developed to supplement the Surf Protection, and not to replace it.
  41. 1 point
  42. 1 point
    Hello Jonathan. It looks like a translation file didn't update itself properly, and the restart reloaded it. Thank you for following up!
  43. 1 point
    Still no bloat I would say. The extension is not 100% needed but "only" recommended for EAM users since it adds to the phishing protection. The existing surf protection based on DNS-requests will still be available. (And of course is still needed to block network requests by malware.) The extension is also only ~90KBs. What would be bloat imho and much more invasive is adding some sort of MITM, deep packet inspection, intercepting SSL-certificates in the browser and stuff.
  44. 1 point
    I have received 2 phone calls regarding this issue. Is this legitimate?
  45. 1 point
    It is theoretically possible for the WFP (Windows Filtering Platform) driver used by Emsisoft Anti-Malware to cause such an issue, however it might be more likely for it to be an extension, or perhaps just a poorly designed website.
  46. 1 point
    Please upload an encrypted file or ransom note to ID-Ransomware and copy/paste the results here for one of the experts to look at. https://id-ransomware.malwarehunterteam.com
  47. 1 point
    If you could do the following, I could try and see if I can find information about the file in question: Open Emsisoft Anti-Malware. Click on Logs. Type sll.exe into the search field at the top. Find an entry in the list from the Behavior Blocker showing it detecting suspicious behavior for sll.exe and double-click on it for more information. The third line should be enclosed in parentheses and should have SHA1: followed by a long string of numbers and letters. Copy this line, and paste it into a reply.
  48. 1 point
    You could follow the steps here https://support.emsisoft.com/announcement/2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/
  49. 1 point
    Hello inadream, Thank you for your reply. Please, could you send me a private message (PM) with your license key here in our support forum? Renewals with upgrades or downgrades are only valid if a license is about to expire within the next three months. We'll be glad to help you upgrade manually. Should you have any further questions, please just let us know.
  50. 1 point
    Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts which are usually correct when dealing with malware infections can make things worse when dealing with ransomware. Please see the following steps as a guideline when dealing with your ransomware infection.
    Do not delete the ransomware infection
    The natural instinct of most users is first to remove the infection as quickly as possible. This instinct is, unfortunately, wrong. In most cases, we will require the ransomware executable to figure out what exactly the ransomware did to your files. Finding the right ransomware sample becomes infinitely more challenging when you have deleted the infection and can't provide us with the ransomware. It is okay to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a backup.
    Disable any system optimisation and cleanup software immediately
    A lot of ransomware will store either itself or necessary files in your temporary files folder. If you do use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, disable those tools immediately and make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or necessary ransomware files from your system, which may be required to recover your data.
    Create a backup of your encrypted files
    Some ransomware has hidden payloads that will delete and overwrite encrypted files after a certain amount of time. Decrypters may also not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In those cases, an encrypted backup is better than having no backup at all. So we urge you to create a backup of your encrypted files first, before doing anything else.
    Server victims: Figure out the point of entry and close it
    Especially recently we have seen a lot of compromises of servers. The usual way in is by brute-forcing user passwords via RDP/Remote Desktop. We firmly suggest you check your event logs for a large number of login attempts. If you find such entries, or if you find your event log to be empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest disabling RDP if at all possible, or at least changing the port. Also, it is important to check all the user accounts on the server, to make sure the attackers didn't create any backdoor accounts of their own that would allow them to access the system later.
    Figure out what ransomware infected you
    Last but not least it is important to determine what ransomware infected you. Services like VirusTotal, which allows you to scan malicious files, and ID Ransomware, which lets you upload your ransom note and encrypted files to identify the ransomware family, are incredibly useful and we will probably end up asking you for the results of either of these services. So by providing them right away, you can speed up the process of getting back your files. If you struggle with any of these points, please feel free to ask for help. Our ransomware first aid service comes with no strings attached and is free for both customers and non-customers.
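    The event-log check the post asks server victims to perform, as an added PowerShell example (not part of the Emsisoft post or its tooling). It reads the Security log for failed logons (Event ID 4625) grouped by source address, flags sources that both failed repeatedly and later logged on successfully (4624), warns when the log is empty, and lists account creations (4720) so backdoor accounts can be reviewed. The look-back window and the alert threshold are assumed values; run it from an elevated prompt on the affected server.

```powershell
# Added example (not from the Emsisoft post): triage the Windows Security log
# for the signs the post describes: many failed logons (RDP brute force), an
# empty or cleared log, and accounts created by someone else. Assumed values:
# a 7-day window and an alert threshold of 100 failures per source address.
param(
    [int]$Days = 7,
    [int]$FailureThreshold = 100
)

$since = (Get-Date).AddDays(-$Days)

# 4625 = failed logon, 4624 = successful logon, 4720 = user account created,
# 1102 = audit log cleared.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4624, 4720, 1102
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Security events since $since. An empty log is itself a warning sign; treat the server as compromised."
    return
}

# Pull a named field out of an event's EventData XML (e.g. IpAddress, TargetUserName).
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$cleared = $events | Where-Object Id -eq 1102
if ($cleared) {
    Write-Warning ("Audit log was cleared {0} time(s), most recently {1:u}" -f $cleared.Count, ($cleared | Select-Object -First 1).TimeCreated)
}

# Failed logons by source address. Logon type 10 is RemoteInteractive (RDP);
# with Network Level Authentication the failures appear as type 3 instead.
$failed = $events | Where-Object Id -eq 4625 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Source    = Get-EventField $_ 'IpAddress'
        User      = Get-EventField $_ 'TargetUserName'
        LogonType = Get-EventField $_ 'LogonType'
    }
}
$bySource = $failed | Group-Object Source | Sort-Object Count -Descending

# Sources that also produced a successful logon: a brute force that got in.
$successSources = $events | Where-Object Id -eq 4624 |
    ForEach-Object { Get-EventField $_ 'IpAddress' } | Sort-Object -Unique

"Failed logons since {0:u}:" -f $since
foreach ($g in $bySource) {
    $users = ($g.Group.User | Sort-Object -Unique).Count
    $flag  = if ($g.Count -ge $FailureThreshold) {
                 if ($successSources -contains $g.Name) { 'BREACH?' } else { 'ALERT' }
             } else { 'ok' }
    "{0,-8} {1,-40} {2,6} failures, {3} distinct user names" -f $flag, $g.Name, $g.Count, $users
}

# Accounts created in the window: verify each one was created by an administrator you know.
"Account creations since {0:u}:" -f $since
$events | Where-Object Id -eq 4720 | ForEach-Object {
    "{0:u}  created {1}  by {2}" -f $_.TimeCreated, (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'SubjectUserName')
}
```

A source marked ALERT is the brute-force pattern the post refers to; one marked BREACH? also logged on successfully and its user name, together with any 4720 entries, tells you which passwords to change first and which accounts to review before the server goes back online.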