Popular Content

Showing content with the highest reputation since 01/20/19 in all areas

  1. 3 points
    It means that the tests done by AV-C and AV-T have a clear image of how they think AV software should work. The problem arises when your product doesn't fit the mould. Then you get penalized for not doing what everyone else does, even though what everyone else does may not be in the best interest of the user to begin with. Best example: snooping around in your encrypted connections, which literally every AV vendor screwed up at least once in the past and which will probably continue to happen, exposing users to potentially greater risks than most malware does. For starters, the test sets aren't nearly as representative anymore. When we participated, AV-T and AV-C both tested with less than 200 samples a month on average. 200 samples out of literally tens of millions. The exact selection isn't clear and isn't representative of what users deal with either. None of them tests with PUPs, for example, even though a simple look at any tech support community will tell you that it is probably by far the biggest problem users are dealing with. So no, neither of those test scores represents real-life performance, and it becomes blatantly obvious when you go to places like Bleeping Computer, GeeksToGo, Trojaner Board, Malekal, and all those other communities where people infected by malware show up for help and look at what products these victims used at the time they became infected. Then you will notice that a lot of these products with perfect scores don't look nearly as perfect in real-life conditions. The reason for this discrepancy is quite simple: most AV vendors will specifically optimise their products for these tests. The most severe cases are where vendors end up outright cheating and detecting the test environments, which then results in a change of behaviour of the product (think Dieselgate, but with anti-virus). But there are many ways you can game these tests. For example:
    - you can try to figure out the threat intel feeds the companies use, then just buy those same threat intel feeds so you have all samples in advance
    - you can track their licenses and supply different signatures to them, or use your cloud to treat those test systems differently
    - some particularly shady organisations literally also sell you their sample and malicious URL feed, so you can just outright buy the samples and URLs your product will get tested on later
    What you end up with as a result is a product that is optimised really, really well for the exact scenario it is being tested under, using the exact type of URLs and samples these testers use, but that is utterly useless when it comes to anything else. We just really don't want to create this type of product. So when we were asked whether we wanted to continue to participate this year, we discussed the matter internally, looked at what we get out of these tests (meaning: whether these tests have a discernible impact on our revenue) and decided that they are simply not worth it, and that the tens of thousands of Euros we spent on them every year would be better spent on extending our team and building new ways of keeping our customers safe.
  2. 1 point
    It's not possible to know for certain what caused it without a memory dump. It may be safe to assume that the issue more than likely originated in another driver, which caused a fault in tcpip.sys and thus a BSoD; however, there's no way to say for certain. I would believe the assumption that Anti-Virus causes such BSoDs is based on the fact that most of them use some sort of network filter driver; however, Anti-Virus is not the only software that loads drivers related to networking, and it could be an issue with any such software. Keep in mind that tcpip.sys is a vital part of the Windows Operating System, and has been for a long time. If a build of Emsisoft Anti-Malware had such a serious compatibility issue, it would never pass through QA.
  3. 1 point
    EAM, HMPA and Heimdal are overkill, plus I believe HMPA is still a bit buggy. If I were to use something alongside EAM it would be OSArmor or Malwarebytes Anti-Exploit.
  4. 1 point
    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. 1 point
    I know it's not quite the same thing, but there is an "Add file" button in the quarantine that you can use to delete pretty much any file (files that are in use may require a reboot). Anyway, I'll go ahead and pass on your suggestions.
  6. 1 point
    It depends on the sequence of actions used by the malware. Data recovery programs can read information from sectors on the hard disk and restore a deleted file even if the Recycle Bin has been emptied. Yes, it is possible, but only immediately after deleting the file and emptying the Recycle Bin. They will not be able to recover the information if the sectors where the deleted file was stored were later entirely overwritten, or if the remaining information was overwritten with zeros or garbage. They will not be able to recover the information if the original file was first modified or damaged and then deleted; in this case, the program will restore the latest (modified or damaged) version of the file. They will not be able to recover the information if the deleted original file was moved to a temporary directory and that place was then overwritten many times by other temporary files; in this case, the program will restore only some of the latest fragments of the file, or several small files.
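    The sector-level recovery the reply above describes, as an added example that is not part of the original post and is not code from any recovery product. It builds a constructed in-memory "disk" of 512-byte sectors with a one-dict directory standing in for the file system, generates a small PNG to stand in for the deleted photo, and carves it back purely by scanning for the PNG signature, then shows the two failure modes the post names (file modified before deletion, sectors overwritten with zeros). No real disk is touched.

```python
"""Recover a deleted file by scanning raw sectors for its signature.

Added example, not code from the original post or from any recovery tool.
Everything is constructed in memory: a toy disk of 512-byte sectors with a
dict as its "directory", and a generated PNG as the deleted photo.
"""
import struct
import zlib

SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # fixed 8-byte PNG signature
PNG_END = b"IEND\xaeB`\x82"               # IEND chunk type + its fixed CRC-32


def make_png(width: int, height: int) -> bytes:
    """Build a small, structurally valid 8-bit grayscale PNG (all black)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data)
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte 0 per row
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


class ToyDisk:
    """Sectors plus a directory; deleting only forgets the directory entry."""

    def __init__(self, sectors: int) -> None:
        self.image = bytearray(sectors * SECTOR)
        self.directory = {}  # name -> (start_sector, length)

    def write(self, name: str, data: bytes, start_sector: int) -> None:
        off = start_sector * SECTOR
        self.image[off:off + len(data)] = data
        self.directory[name] = (start_sector, len(data))

    def delete(self, name: str) -> None:
        # What "emptying the Recycle Bin" amounts to: metadata gone, sectors untouched.
        del self.directory[name]

    def overwrite_sectors(self, start_sector: int, count: int) -> None:
        # A later file reusing the space, or a wipe: the bytes themselves are gone.
        off = start_sector * SECTOR
        self.image[off:off + count * SECTOR] = bytes(count * SECTOR)


def carve_png(image: bytes) -> list:
    """Ignore the directory entirely and scan every byte for PNG signatures,
    returning each complete file (signature through IEND). This is the
    "read the sectors" approach the post describes."""
    found = []
    pos = image.find(PNG_MAGIC)
    while pos != -1:
        end = image.find(PNG_END, pos)
        if end == -1:
            break                         # header without a trailer: truncated, skip
        stop = end + len(PNG_END)
        found.append(bytes(image[pos:stop]))
        pos = image.find(PNG_MAGIC, stop)
    return found


def demo() -> dict:
    """Walk through the three outcomes the post lists."""
    disk = ToyDisk(sectors=16)
    original = make_png(4, 2)
    disk.write("photo.png", original, start_sector=3)
    disk.delete("photo.png")                                # deleted, bin emptied
    after_delete = carve_png(disk.image)                    # still fully recoverable

    modified = make_png(2, 1)                               # edited before deletion,
    disk.write("photo.png", modified, start_sector=3)       # written over the same sectors
    disk.delete("photo.png")
    after_modify = carve_png(disk.image)                    # only the latest version comes back

    disk.overwrite_sectors(3, 1)                            # sector reused / zeroed
    after_wipe = carve_png(disk.image)                      # nothing left to carve
    return {
        "after_delete_is_original": after_delete == [original],
        "after_modify_is_latest_only": after_modify == [modified],
        "after_wipe_count": len(after_wipe),
    }


if __name__ == "__main__":
    print(demo())
```

    The carver never consults the directory, which is exactly why it still finds the file after the Recycle Bin is emptied and exactly why it cannot help once the sector holding the signature has been reused: a real tool does the same over the whole device, so the sooner the disk stops being written to, the better the odds.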
  7. 1 point
    Offline keys almost always end in t1 with the only exceptions being a few early variants from roughly a year ago.
  8. 1 point
    This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you will be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. 1 point
    This question is better answered in Russian, because some turns of phrase would be translated incorrectly. All software vendors crave growth and expansion, so monitoring and tracking (including spying and surveillance, to boot) are at the top of their agenda. These activities will most likely take the form of collecting information about other software and about the user's preferences. It has been that way from the start; without it they cannot survive. But this information gathering has another, more dangerous side. Most likely these small outfits will be hacked by someone and the customer database will leak, with all the consequences that entails. Do you need that? No, of course not.
  10. 1 point
    The programs that computer manufacturers pre-install are based on corporate contracts. Not all of those programs are free from annoyances or other potentially unwanted behavior. Many technicians will remove OEM software from new computers when they set them up for a client for this reason.
  11. 1 point
    The GUI in EAM doesn't display how many days remain on your license key when you have a subscription license (this type of license key isn't considered to have an expiration date since it will auto-renew). You should be able to see when it will automatically renew in My.Emsisoft.
  12. 1 point
    It looks as if you have a subscription licence that will auto-renew when the licence expires, which is why it shows 'abonnement' under status. What does it show on the overview screen? My licence is a fixed 1-year licence and the overview screen shows that my licence ends in 189 days. I don't know if you're able to do this, but if I hover the mouse over the '189 days' green text, the tooltip shows the licence end date; perhaps yours just shows 'abonnement'? Failing that, as your licence is a subscription, maybe you can determine when it's due for renewal by checking the email that you would have received when you ordered it?
  13. 1 point
    Malware scans look for files whose contents are known/suspected to indicate that they are malicious. On the other hand, the Behaviour Blocker looks at what a program/file seems to be doing /once it is actually running/. A file can look innocent to a malware scan but, once run, do something that might be suspicious. In your case the BB is telling you that lots and lots of installs are being attempted. The BB alerts are all because a "hidden installation" is being attempted, that is, an "MSI" file (which is a standard Microsoft installer file) is being run. Maybe the file you downloaded was named "something.msi". If so, it is not itself executable, but is read and processed by the parts of Windows that understand MSI files. It looks as if either this particular .MSI file first unpacks itself to create many temporary files, named MSIxxxx.tmp, then uses those, or, as you say, maybe downloads a set of MSIxxxx.tmp files and uses them. Either way, the sheer quantity of them is, perhaps, dubious.
    If any program in Windows wants to create a temporary file, perhaps by unzipping or unpacking a container of files (or by downloading some), it is likely to put them in a folder whose purpose is to hold temporary files. Its name depends on the version of Windows you are running and your userid. It has a symbolic name TEMP (or %TEMP%) so that programs can refer to it without knowing what its full name is on your system. If you open a File Explorer window, then put the caret in the file/folder-name area at the top (which looks a bit like a URL bar in a browser) and type %TEMP% and hit Enter, the temporary files folder for your userid will be opened. On my W8.1 system, if my userid was Fred, it would be named "C:\Users\Fred\AppData\Local\Temp". There are other temporary file folders in Windows...
    If an installer running under an Admin id (i.e. with UAC permission) creates temporary files, they will probably be put in a different folder: a similar folder name, but instead of "Fred" it'll be the Admin id's name there, e.g. "C:\Users\TheNameOfTheAdminId\AppData\Local\Temp". I am not sure that it's safe for you to try to exclude some folders from monitoring by the Behaviour Blocker; it might be a way to reduce or stop these alerts, but done incautiously it can also stop alerts coming from any malicious software that's also managed to come to roost in that folder, and it's a very likely folder for iffy things to end up in.
  14. 1 point
    The ransomware needs a decryptor... They removed the shadow volume copies, so it won't be possible to restore from those, and they also encrypted the original files, so there is no point in using a data recovery tool. Please suggest.
  15. 1 point
    Hello, Please try with the firewall both enabled and disabled, if of course you haven't already tried this, since in the screenshots you sent I saw the firewall fully enabled and partially enabled. We will also need debug logs.
    1. Please open the Emsisoft program itself.
    2. In the menu on the left select "Settings".
    3. Go to the "Advanced" tab.
    4. At the bottom of that block find the very last line, "Debug logging". Select "Enable for 1 day".
    5. Go to the main menu; to do this, select "Overview" (the "House" icon) in the left menu, or simply close the Emsisoft window.
    6. Reproduce the problem you encountered a couple of times. The error must actually occur in order to be recorded in the logs, otherwise they are of no use.
    7. After that, go to the folder c:\programdata\emsisoft\logs\, collect all the logs in that folder and send them to me in a private message.
    8. Since debug logging can slow down the application, you can disable it manually right after collecting the logs. Otherwise the program will disable this option itself after a day (if you chose "Enable for 1 day").
    FRST logs would also be extremely useful: You can download Farbar Recovery Scan Tool (FRST) from the following link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ Note: You need to download the version compatible with your operating system.
    1. Download the compatible version of FRST and run the program.
    2. When it opens, click "Yes" to continue.
    3. Make sure the "Addition.txt" box at the bottom right is checked.
    4. Click the "Scan" button.
    5. Wait for the process to finish.
    6. When the scan completes, it will save the logs in a text document called "FRST" in the same location you ran the program from (if you saved FRST on your Desktop, the "FRST" log will be saved there too).
    7. Attach the "FRST" log file in reply to this message.
    8. In the same folder there will be an "Addition" log. Attach this file too and send it to me in a private message.
  16. 1 point
    DrWeb can decrypt some files that STOP-Decrypter cannot decrypt, but only in another way: only encrypted .pdf files and all the Office documents (.doc, .xls, .docx, .xlsx, .ppt, .pps, etc.). Unfortunately, this way cannot decrypt photos, video, audio and many files with other extensions. If the free test decryption of these files is successful, the fee requested by the Dr.Web experts is 150 EUR for the Rescue Pack (personal decryptor + 2-year Dr.Web Security Space protection). There is no alternative to receiving this service. If the test decryption fails, no payment will be required. Tell me if this way suits you, and I will let you know what files you need to collect for this. I do not participate in this process and do not provide any help except this information. I have no financial benefit and am not involved in this decryption service at all.
  17. 1 point
    Some info on this here andrey https://borncity.com/win/2019/08/14/windows-updates-kb4512506-kb4512486-drops-error-0x80092004/ Do you have KB4474419 and KB4490628 installed?
  18. 1 point
    Ach, so they are. I just c&p them out of the OP's report and looked them up separately. I wonder why the OP had two copies?
  19. 1 point
    Hello,
    The main causes of laptop random reboots, listed in order, are:
    - Heat
    - Faulty hardware
    - Faulty drivers
    - Software crashes
    - Malware
    Your logs show no malware. Also I see no crash dumps in the FRST logs. The Event log shows that Chrome is misbehaving and an Intel driver is crashing. There is an Alternate Data Stream that should be removed. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  20. 1 point
    That's not encouraging... Hopefully someone from Emsi will come along and explain. It seems to me that there are three issues: first, whether or not, with 'Paranoid' being set, files are being scanned as they are downloaded. I'd certainly have hoped so; if not, we need an "even more Paranoid" setting... Secondly (if files are being scanned on download): why is a scan-on-download not making the same detection as a custom scan later on? Downloading files is surely the main way that most of us get potential malware, so a scan then should be as thorough/rigorous as possible. Thirdly, the Behaviour Blocker's behaviour. If all you've let the installer do is start and display its splash screen, then it probably hasn't yet done anything that the blocker would think is suspicious, so no BB alert is fair enough. (I'm not suggesting you should let it do more if you think it is dodgy.) I don't think/know that the fact that the installer is running with Admin privilege is relevant. I /hope/ that malicious software running under Admin auth is blocked when it actually does do something dodgy.
  21. 1 point
    Make sure that you don't have any ports forwarded for the NAS in your router, and make sure that UPnP is disabled in the router's configuration.
  22. 1 point
    Asdu374idfg68O9eTFDNbn8z2O956vweaL1v2GY5gvWBYMKcmt1 It looks like an online key with which decoding is not yet possible.
  23. 1 point
    I expect that's not possible, because EAM requires Windows to be running, and what's more it might need to be Windows on amd/intel cpus. What cpu and OS does the TV run?
  24. 1 point
    I have the same thing, but instead of a .txt file it's an HTML Application (.hta). Here is the SendSpace link https://www.sendspace.com/filegroup/sRHSwJySqZ3cXRFJlc5CJQ and here are a few more files if you need to look at them https://www.sendspace.com/filegroup/hxqKfEGN6R7TeHM5QosANw4RRiK2jD1hr%2BCvM9fMngsru26QlocERasGfm6BgXzr0wo1k6OBXuOKTginvVxsBA
  25. 1 point
    All Emsisoft decrypters: https://www.emsisoft.com/decrypter/ There will be a message in my article, if I am lucky enough to live to see such a significant event.
  26. 1 point
    Hi Damaxx, can you share the decryptor? I wanted to try whether it will work for my files or not.....
  27. 1 point
    Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    2019-06-25 15:25 - 2019-06-25 15:25 - 000000000 _D C:\Users\klime\Desktop\umowy
    2019-06-24 19:00 - 2019-06-24 19:27 - 000000000 __D C:\Users\klime\AppData\Roaming\vrguqgoqzs
    2019-06-24 15:59 - 2019-06-24 15:59 - 000000000 ____D C:\WINDOWS\SysWOW64\tmumh
    2019-06-24 15:59 - 2019-06-24 15:59 - 000000000 ____D C:\WINDOWS\system32\tmumh
    2019-06-20 22:15 - 2019-06-20 22:15 - 000000048 ____H C:\Program Files (x86)\k5wlusm0mk.dat
    2019-06-18 11:55 - 2019-06-18 11:55 - 000001024 C:\WINDOWS\SysWOW64\%TMP%
    ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> Brak pliku
    ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> Brak pliku
    ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> Brak pliku
    ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> Brak pliku
    ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> Brak pliku

    Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version, please download and run the updated version.
  30. 1 point
    EAM doesn't work on XP or Vista now. System requirements are: Windows 7/8.1/10, 32 & 64 bit.
  31. 1 point
    Hello and thanks for the enquiry. Many thanks also for the support, @eric cartman. Perhaps as an addendum, a reference to the overview of product updates: https://blog.emsisoft.com/de/category/emsisoft-neuigkeiten/produkt-updates/
  33. 1 point
    [!] No keys were found for the following IDs:
    [*] ID: kdKoug7mCqSlGVQyBnLCBiCVzGFqKASgYnaVFcph (.roldat )
    Please archive these IDs and the following MAC addresses in case of future decryption:
    [*] MAC: 8C:16:45:3D:C1:B6
    [*] MAC: B2:FC:36:27:0F:23
    [*] MAC: B0:FC:36:27:0F:23
    [*] MAC: B0:FC:36:27:0F:23
    [*] MAC: B0:FC:36:27:0F:24
    This info has also been logged to STOPDecrypter-log.txt
  34. 1 point
    mario.rossi Today the STOPDecrypter has been updated with support for the .dutan extension https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip Try decrypting some files first, making copies of them for the test.
  35. 1 point
    That is more than likely a variant of the STOP ransomware. ID Ransomware can confirm that, and can let you know if STOPDecrypter can recover your files. Here's a link to ID Ransomware: https://id-ransomware.malwarehunterteam.com/ If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter Actually, Demonslay335 told me earlier today that he already helped you, so you should be good to go. If you need anything else, then please let us know.
  36. 1 point
    Some of them may be recoverable. I've asked the creator of STOPDecrypter whether or not he's already seen your post here. If he has, I imagine he's already contacted you. If he hasn't, then he may still contact you once he has a chance to look over your information. His screen name on our forums is Demonslay335.
  37. 1 point
    You are dealing with two different ransomware. ID Ransomware picked up on the "second layer" of STOP Djvu with the .adobe extension. No way to determine what the first ransomware was without the malware or ransom note from it. Support topic for STOP Djvu: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/
  38. 1 point
    OK. Let us know if you're able to recover anything, that way we know whether or not to continue recommending trying file recovery software.
  39. 1 point
    The cheapest option for you would be the 3-PC license key, even if you only have 2 computers. You're not required to have a 3-PC license key though, so if you prefer to buy two 1-PC license keys (one for each computer) then feel free to do so, however note that the total cost of doing so is usually more than a 3-PC license key.
  40. 1 point
    Hi Gawg Thanks for your comments. I'll try a reboot first when future problems arise.
  41. 1 point
    You can technically just remove all entries from your hosts file using Notepad. Just delete everything except the "localhost" entry, if there is any. Lines starting with "#" are comments, by the way. Pretty much. We are not an ad blocker, no. You use uBlock Origin, which is pretty much the best ad blocker you can get. So you are well covered in that area already. Correct. When you try to click the link, it will block access to the site. But I do understand that a lot of people would like to know before they click, which is why we are considering adding it. Interestingly enough, WOT got in trouble for the very same thing that some AVs are doing with their extension. You can always set up your own DNS server locally or in a cheap VPS box online. DNS can also be tunneled via various secure protocols (DNS-over-HTTPS, for example). Those use methods that provide k-anonymity. Firefox in addition also sends "fake" requests, if I remember correctly, so the hoster of the block list does not know whether that was a website you actually surfed to or a random request. If you are so concerned, just host your own VPN. Get a cheap VPS with bitcoin at njal.la, for example, host OpenVPN and your own DNS server on it, and there will be no link between you and the VPS. It's serious overkill though.
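    The hosts-file cleanup described in the reply above, as an added example that is not part of the original post and not Emsisoft's code. It works on a constructed hosts file held in a string and never writes to disk (on Windows the real file is C:\Windows\System32\drivers\etc\hosts and editing it needs an elevated Notepad). It goes slightly beyond the post by labelling each removed entry as a "block" (points at loopback or 0.0.0.0, the ad-blocker style) or a "redirect" (points at some other address), which is the first thing to look at when a hosts file turns up full of entries you did not add; the names used for "the localhost entry" are an assumption.

```python
"""Strip everything but the localhost entries from a Windows hosts file.

Added example, not code from the original post. Operates on a string and
writes nothing; SAMPLE_HOSTS is constructed and uses reserved test names.
"""
import ipaddress

# Assumption: these are the names the post means by "the localhost entry".
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net           # ad-block style entry
127.0.0.1       tracker.example.org
203.0.113.7     update.example-av.test    # redirect to a foreign address
"""


def parse_line(line: str):
    """Return (ip, [names]) for an entry line, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()   # everything after '#' is a comment
    if not body:
        return None
    ip_text, *names = body.split()
    return ip_text, names


def entry_kind(ip_text: str) -> str:
    """'block' for loopback/0.0.0.0 targets, 'redirect' for anything routable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    return "block" if ip.is_loopback or ip.is_unspecified else "redirect"


def clean_hosts(text: str):
    """Return (cleaned_text, removed_entries).

    Comments and blank lines survive untouched; an entry line survives only if
    every name on it is a localhost name and it points at loopback/0.0.0.0.
    """
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            kept.append(line)
            continue
        ip_text, names = parsed
        is_localhost = bool(names) and all(n.lower() in LOCALHOST_NAMES for n in names)
        if is_localhost and entry_kind(ip_text) == "block":
            kept.append(line)
            continue
        for name in names:
            removed.append({"name": name, "ip": ip_text, "kind": entry_kind(ip_text)})
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    for entry in removed:
        print(f"removed {entry['kind']:8} {entry['ip']:16} {entry['name']}")
    print(cleaned)
```

    A "block" entry is what an ad blocker or a privacy list writes and is merely noise once uBlock Origin is doing that job; a "redirect" to an address you do not recognise is the shape to treat as hostile, because it silently sends a hostname (commonly an update or security site) somewhere else.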
  42. 1 point
    The Behavior Blocker will catch the payload. While it does have some exploit protection, it isn't intended to provide a full range of exploit protection, and thus will only catch certain exploits.
  43. 1 point
    See here.. https://support.emsisoft.com/topic/30508-build-9204/?tab=comments#comment-190523
  44. 1 point
    With notifications turned on in the EAM settings I was offered the option to install it by clicking on the slide info. (No need to have a Microsoft account to get this from the store, in case anyone is wondering.) Installed and running.
  45. 1 point
    Then you should already know how to get them.
  46. 1 point
    I would believe our developers are still looking in to it, however thus far we have been assuming it is an issue with Windows 10 since certain Windows tools still read the firewall status correctly.
  47. 1 point
    We're aware of the issue. Some parts of Windows 10 seem to detect that Emsisoft Internet Security's firewall is active, and some do not.
  48. 0 points
    This is a new variant of STOP Ransomware (v0187). You need to wait until support for this variant is added to the decrypter. It needs to be analyzed. Previous variants contained 't1' at the end of the personal ID (if an offline key was used). If nothing has changed, then your case is associated with an online key. The developers work on it every day. Details here
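    The triage the STOP/Djvu replies on this page keep repeating (an ID ending in 't1' is an offline key, anything else an online key, with the "No keys were found" report listing the IDs and MACs to archive), as an added example that is not part of any post and not STOPDecrypter's own code. It parses a report in the layout quoted earlier on the page and sorts each ID; the ID and MAC values in the sample are constructed. The suffix rule is the posters' own heuristic, with a few early variants as documented exceptions, so the output is a first sort and ID Ransomware remains the authoritative check.

```python
"""Parse a STOPDecrypter "no keys found" report and triage the IDs.

Added example, not code from the posts or from STOPDecrypter. The report
layout follows the one quoted on this page; the values are constructed.
"""
import re

ID_RE = re.compile(r"^\[\*\] ID:\s*(\S+)\s*\(\s*\.?(\w+)\s*\)", re.MULTILINE)
MAC_RE = re.compile(r"^\[\*\] MAC:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})", re.MULTILINE)

# Constructed sample report: same shape as the quoted one, made-up values.
SAMPLE_REPORT = """\
[!] No keys were found for the following IDs:
[*] ID: a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0 (.roldat )
[*] ID: Q9w8E7r6T5y4U3i2O1p0A9s8D7f6G5h4J3k2L1t1 (.dutan )
Please archive these IDs and the following MAC addresses in case of future decryption:
[*] MAC: 02:00:5E:00:53:01
[*] MAC: 02:00:5E:00:53:02
[*] MAC: 02:00:5e:00:53:02
[*] MAC: 02:00:5E:00:53:03
This info has also been logged to STOPDecrypter-log.txt
"""


def classify_id(personal_id: str) -> str:
    """Heuristic from the posts: offline IDs end in 't1'; everything else is
    treated as online, i.e. a per-victim key only the attackers hold. A few
    early variants break the rule, so confirm with ID Ransomware."""
    return "offline" if personal_id.endswith("t1") else "online"


ADVICE = {
    # Mirrors the guidance given in the STOP/Djvu replies on this page.
    "offline": "Keep the encrypted files; recovery becomes possible once this "
               "variant's offline key is found and added to the decrypter.",
    "online": "Not recoverable with the decrypter; keep the files and the "
              "ID/MAC record in case a key ever surfaces.",
}


def parse_report(text: str) -> dict:
    """Return the IDs (with extension, key type and advice) and the unique MACs."""
    ids = []
    for pid, ext in ID_RE.findall(text):
        kind = classify_id(pid)
        ids.append({"id": pid, "extension": "." + ext,
                    "key_type": kind, "advice": ADVICE[kind]})
    # Normalise case and drop repeats: the tool lists an adapter more than once.
    macs = list(dict.fromkeys(m.upper() for m in MAC_RE.findall(text)))
    return {"ids": ids, "macs": macs}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_report(SAMPLE_REPORT), indent=2))
```

    Keeping the parsed record (IDs plus MACs) alongside the encrypted files is the practical point: an offline ID becomes decryptable later without any further action from the victim, while an online ID has nothing to gain from any recovery tool, so the only useful thing to do is preserve the evidence.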
  49. -1 points
    I would rather have "broken sites" than trackers. Easy to allow them, if needed. Only reason I stay with EAM is "SURF-PROTECTION" Can't use your extension. Will not upgrade to the latest Firefox, and will never use Chrome or Edge browsers.
  50. -1 points
    "We are hiding the built-in hosts for the same reason as we hide signatures. This is internal stuff and has no added value for users." No value for dummies; is this what you think your users are? 😒 I remember when OS Armor was bought out by you; the owner said it would be the greatest piece of software. WRONG! Man, how can you wreck a piece of software. Sorry, but that's the truth.