
Christian Mairoll

Emsisoft Employee
Everything posted by Christian Mairoll

  1. Like all ransomware, Hermes locks a victim's files and demands payment to unlock them. Emsisoft battles ransomware like this on the front line daily, with the creation of free decrypters to help victims get their files back. But what is actually involved in the creation of a decrypter? Today we explored exactly this via live stream as Emsisoft CTO and Head of our Malware Research Lab, Fabian Wosar, cracked Hermes.

     Fabian decrypts Hermes by attacking the encryption generator

     In a recent blog post, we discussed the best way to remove ransomware, including the use of decrypters to unlock your files without paying the ransom. Today, in the video embedded below, Fabian demonstrated the way in which a decrypter is actually created. In the case of Hermes, Fabian was able to uncover the seed responsible for generating the file encryption and subsequently create the necessary key.

     Important: Though we have demonstrated that a decrypter can be made for the Hermes ransomware, it is not yet available. We will update both the decrypters site and the Emsisoft Blog as soon as it is ready for use.

     For more information on the identification and decryption of ransomware, see this interview with Michael Gillespie, security researcher at Malware Hunter Team and creator of IDRansomware.

     Prevention is the best cure when it comes to ransomware

     There are practical steps that can be taken to recover files once ransomware has taken hold; however, the key to protecting your private data lies in preparedness.

     • Keep your software and operating systems up to date.
     • Spring clean your system regularly.
     • Do not install applications from unfamiliar sources or untrusted websites.
     • Read permissions closely when requested by programs or apps.
     • Back up data and devices frequently. Learn how on the Emsisoft Blog.
     • Install and regularly update a quality anti-malware product such as Emsisoft Anti-Malware. Our software has a proven ability to capture and eliminate ransomware. Read about our performance against ransomware here.
     • If infected, take every possible step to avoid paying. Remove ransomware the right way.

     Have a nice (ransomware-free) day! View the full article
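The post says the decrypter came from recovering the seed behind Hermes' key generation rather than the key itself. The following is an added illustration of that class of attack, not Hermes' actual scheme and not Emsisoft's decrypter: the timestamp seed, the LCG-based key derivation, the PNG header check and the sample file are all constructed for the example. A toy ransomware derives each file key from a low-entropy seed; the decrypter brute-forces the plausible seed window and confirms each candidate against a few bytes of known plaintext.

```python
import hashlib

# Constructed sample: PNG files begin with this fixed 8-byte signature, which is
# the known plaintext a decrypter can check a candidate key against.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PLAINTEXT = PNG_MAGIC + b"constructed image payload, not a real PNG " * 3


def lcg_bytes(seed, n):
    """Toy weak generator: a 32-bit LCG (Numerical Recipes constants), one
    byte (the top byte of the state) per step. Hypothetical, not Hermes' PRNG."""
    x = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        x = (1664525 * x + 1013904223) & 0xFFFFFFFF
        out.append(x >> 24)
    return bytes(out)


def derive_key(seed):
    """The generator's mistake: a 256-bit file key that is a pure function of
    a seed with very little entropy (here: the infection timestamp)."""
    return lcg_bytes(seed, 32)


def keystream(key, n):
    """Counter-mode style keystream from the file key (SHA-256 of key || counter)."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:n])


def xor_crypt(key, data):
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_seed(ciphertext, known_prefix, lo, hi):
    """Attack the generator, not the key: enumerate the seed window and accept
    the first seed whose key decrypts the file header to the known prefix."""
    probe = ciphertext[:len(known_prefix)]
    for seed in range(lo, hi):
        if xor_crypt(derive_key(seed), probe) == known_prefix:
            return seed
    return None


def demo(infection_time=1_488_000_000):
    """Encrypt the sample as the toy ransomware would, then recover it knowing
    only the ciphertext and a rough infection time (e.g. from file mtimes)."""
    ciphertext = xor_crypt(derive_key(infection_time), SAMPLE_PLAINTEXT)
    seed = recover_seed(ciphertext, PNG_MAGIC,
                        infection_time - 1800, infection_time + 1800)
    if seed is None:
        return None, b""
    return seed, xor_crypt(derive_key(seed), ciphertext)


if __name__ == "__main__":
    seed, plain = demo()
    print("recovered seed:", seed, "| plaintext restored:", plain == SAMPLE_PLAINTEXT)
```

The point generalises beyond this toy: whenever a key is derived deterministically from something an attacker can enumerate (a timestamp, a process ID, a PRNG seeded with a handful of bits), the effective key space is the seed space, and a file-format magic or other known plaintext is enough to confirm the right candidate. A generator seeded from the operating system's CSPRNG leaves no such window to search.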
  2. In the past week, we saw a lot of online media attention around the question of whether antivirus software actually poses a threat to users' safety because it intercepts and manipulates encrypted HTTPS online traffic. Since then, a number of customers have contacted us, concerned that Emsisoft uses the same practices to build its Surf Protection functionality in our Emsisoft Anti-Malware and Emsisoft Internet Security products. To answer that question right away: Emsisoft does not intercept any HTTPS traffic.

     Background: Why spy on HTTPS traffic?

     As described in an elaborate study done by security researchers, a large number of antivirus products rely on looking into your web surfing traffic in order to find malicious scripts and phishing attempts. By design, HTTPS encrypted connections don't allow anyone to know which exact website address and path you're surfing at. So the only way to be able to block certain bad websites is by looking into all your traffic. This is done by installing a traffic interception module between your browser and the target website server that proxies all traffic. As that would break the concept of HTTPS end-to-end encryption, antivirus software usually installs a new, so-called root certificate on your computer that basically helps to simulate the encrypted connection. Technically speaking, your browser only communicates with the local antivirus HTTPS proxy and its self-made certificate, and consequently all encrypted websites show up with the 'safe' lock symbol in the browser. The proxy then scans the decrypted traffic and connects to the actual web server encrypted again.

     This concept generally works (otherwise those vendors wouldn't have chosen it), but the main problem with that approach is that the traffic is no longer end-to-end encrypted. The local antivirus scan proxy has to simulate web servers perfectly down to the tiniest detail in order not to weaken the encryption chain. Here is where implementation mistakes are easily made and the security problems described in the earlier mentioned study arise.

     Doing it differently: How Emsisoft's Surf Protection works

     Emsisoft chose a different method to make sure you can't access malicious and fraudulent websites. Instead of filtering on URL level (example: https://badsite.com/folder/malwarefile.exe), it blocks known bad hostnames (example: badsite.com) on DNS level. Host names are resolved to the servers' IP addresses by the operating system. Emsisoft's Surf Protection intercepts that process of address resolution, independent of browser and traffic, by returning an invalid IP address for hostnames that are on the blacklist. That method may not be as precise as URL filtering, but it comes with two significant advantages:

     • It doesn't rely on spying on any encrypted traffic, so it doesn't provide as much surface for attackers as other concepts.
     • It doesn't require huge cloud-based databases to verify good and bad website addresses, which means it's less intrusive on your privacy by design, as all matching is done locally on your computer.

     Why you should still use antivirus/anti-malware software

     In the media it was often quoted that people would be better off without antivirus software. If we shared that view, we probably wouldn't have spent the last ~15 years developing malware protection software. We at Emsisoft believe that the main purpose of antivirus software is to prevent users from suffering the consequences of occasional mistakes that are made by all of us. Once in a while, even the best security experts make unintended clicks on a bad file or on the wrong checkbox during a setup that installs a PUP when they are in a hurry, and regret it the second after. Antivirus software is your safety net for those (hopefully) rare situations.

     But let's be honest: perfect software does not exist. Each of the many millions of lines of code may contain an undetected error that somebody could use to exploit and misuse a product. Emsisoft is no exception in that regard. Yet we always aim for the highest code quality and try to react as quickly as possible to any leaks that may be found by valuable security experts. View the full article
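The post contrasts URL-level filtering (which needs decrypted traffic) with hostname blocking at the resolver (which needs only the name). The following is an added example, not Emsisoft's Surf Protection code: the blocklist, the sample URLs, the stand-in upstream resolver and the choice of 0.0.0.0 as the "invalid IP" are all constructed for illustration. It hooks name resolution with a parent-domain match, and runs the same URLs through both filter types to show the precision trade-off the post mentions.

```python
from urllib.parse import urlsplit

# Constructed data; the real list and sinkhole address are not known from the post.
BLOCKLIST = {"badsite.com", "phish.example"}   # hostnames: all a DNS-level filter needs
BAD_URLS = {                                   # full URLs: what a URL-level filter needs
    "https://badsite.com/folder/malwarefile.exe",
    "https://cdn.goodsite.example/uploads/dropper.exe",
}
SINKHOLE_IP = "0.0.0.0"   # assumption: the "invalid IP address" handed back for a listed name
FAKE_UPSTREAM_DNS = {     # stands in for the OS resolver so the example runs offline
    "badsite.com": "203.0.113.10",
    "www.badsite.com": "203.0.113.10",
    "cdn.goodsite.example": "198.51.100.7",
}


def normalize(host):
    """Case-fold and drop a trailing dot so 'WWW.Badsite.com.' matches the list."""
    return host.rstrip(".").lower()


def is_blocked(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is listed, so 'www.badsite.com'
    is caught by a 'badsite.com' entry. The bare TLD is deliberately never checked."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def resolve(host, upstream=FAKE_UPSTREAM_DNS.get, blocklist=BLOCKLIST):
    """The interception point: sit in front of name resolution and answer a
    listed name with the sinkhole instead of asking upstream. Nothing about
    the request leaves the machine; matching is purely local."""
    if is_blocked(host, blocklist):
        return SINKHOLE_IP
    return upstream(normalize(host))


def dns_level_verdict(url):
    """A DNS-level filter can only act on the hostname; the path stays inside TLS."""
    host = urlsplit(url).hostname or ""
    return "block" if is_blocked(host) else "allow"


def url_level_verdict(url, bad_urls=BAD_URLS):
    """A URL-level filter needs the full URL, i.e. decrypted traffic for https."""
    return "block" if url in bad_urls else "allow"


def compare(urls):
    """Map each URL to (dns-level verdict, url-level verdict)."""
    return {u: (dns_level_verdict(u), url_level_verdict(u)) for u in urls}


if __name__ == "__main__":
    samples = [
        "https://badsite.com/folder/malwarefile.exe",        # both filters block
        "https://badsite.com/harmless.html",                 # DNS-level over-blocks the whole host
        "https://cdn.goodsite.example/uploads/dropper.exe",  # DNS-level cannot see the bad path
    ]
    for url, (dns, full) in compare(samples).items():
        print(f"{url:52} dns-level={dns:5} url-level={full}")
    print("resolve('www.badsite.com') ->", resolve("www.badsite.com"))
```

Two practical caveats follow from the design rather than from this code. First, granularity: a hostname list blocks or allows a whole host, so a single bad path on an otherwise good host passes, and a good page on a listed host is cut off. Second, coverage: anything that bypasses the operating system's resolver, such as an application with a hard-coded IP address or its own DNS-over-HTTPS client, never reaches the hook at all, which is a limitation shared by every resolver-level filter.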
  3. As in previous years, AV-Comparatives, a renowned independent testing organization for security products, released its annual report rating various anti-malware products tested throughout 2016. We are delighted to announce that Emsisoft Anti-Malware is ranked as a Top Rated Product with four Advanced+ awards won over the course of the last 12 months. In addition, Emsisoft received a joint Silver Award for File Detection and a joint Bronze for Performance.

     Throughout 2016, AV-Comparatives subjected 19 security products for Windows to rigorous investigation, including Emsisoft Anti-Malware. All the programs were tested for their ability to protect against real-world Internet threats, identify thousands of recent malicious programs, provide protection without slowing down the PC, and remove malware that had already infected a PC, using the following tests:

     • Real-World Protection Test – Emsisoft rated Advanced
     • Performance Test – Emsisoft rated Advanced+
     • File Detection Test – Emsisoft rated Advanced+
     • Malware Removal Test – Emsisoft rated Advanced

     Emsisoft rates high in detection rates with low system impact

     To be considered an AV-Comparatives Top Rated Product, the tested software had to score consistently high in both file detection and performance. Given Emsisoft's relentless focus on keeping you protected without slowing you down, this award is an acknowledgement of these efforts.

     The File Detection Test evaluates the scanning ability of a product. You can learn more about our award-winning dual-scanning technique here. A high detection rate of malware – without causing false alarms – is one of the most important and reliable features of an anti-virus product. Why? It proves the accuracy of a product in detecting malware without making unnecessary errors and wasting your time.

     The Low System Impact Test makes sure that anti-malware solutions run efficiently in the background without slowing down your system. For the test, security products must remain turned on under all circumstances while users are performing their usual computing tasks. Some products had a higher impact than others on system performance while performing some tasks. AV-Comparatives specifically highlighted: "Emsisoft demonstrated a lower impact on system performance than other products."

     Beyond performance, it's important for us that our customers find the Emsisoft product experience effortless and a pleasure to use. AV-Comparatives seemed to think so in their report: "We liked Emsisoft's informative setup wizard, and the very clean and modern interface design."

     We are very happy to be rated so highly in these categories. Efficiency with no bloat has always been one of our top priorities, and the Advanced+ awards we received this year clearly reflect that. As we look to 2017, we would be thrilled to see a new category for ransomware protection as part of AV-Comparatives' tests, as it would reflect the rising threat of ransomware (and because we're confident we'd do very well 😉). However, while positive test results are great to have, Emsisoft's goal is to keep customers protected from real-world threats, such as ransomware, rather than optimising our products for testing authorities. So as in previous years, our goal remains clear: providing you with the best possible protection without slowing you down. Malware doesn't sleep, and nor do we. For further information on the features and protection provided by Emsisoft Anti-Malware, visit this page.

     AV-Comparatives: industry leaders in independent testing

     AV-Comparatives is an independent organization and highly reputable testing authority. Their tests check whether security software, such as PC-based antivirus products and mobile security solutions, lives up to its promises. To be highly rated by AV-Comparatives is to be highly recommended to the industry and customers alike. You can compare our AV-Comparatives results in all testing conditions with competing software providers, see our performance test results from past years, or read the full report from AV-Comparatives here (English). You can also see our many other accolades here. Have a great (malware-free) day! View the full article
  4. Please note that none of those hosts are static. They will most likely change occasionally. Therefore, always use a wildcard for *.emsisoft.com to unblock. SSL ports need to be enabled too. You could try to use FiddlerTool to trace all server calls from the software and find the error.
  5. Duncan, on the date you mentioned we only published a beta update. Just as a precaution: Please try to avoid using beta updates on production servers. Beta software always includes the risk of some glitch or fail. I'd rather recommend using the "Delayed" update feed instead.
  6. Furthermore, the video is not a "test" but a technical demonstration of the Behavior Blocker, and it is clearly evident that we produced it ourselves.
  7. Regarding the folder selection dialog: since a complete malware scan takes only about a minute, scanning individual folders has become a very rarely used function. Accordingly, the topic does not have a high priority, sorry. There are considerably more important things that are worth implementing.
  8. One reason we don't use the Windows notifications is that they can only implement a single click action. In addition, their size and therefore their content is limited. Some of our notifications need 2 buttons or different text lengths. We also don't want to run half of them through Windows and the other half not, and are therefore sticking with our own home-built solution.
  9. Enter always confirms the currently active control (button, checkbox, etc.). So if the window focus is (by chance or not) on the delete button, pressing the Enter key naturally deletes. With the Tab key you can jump the focus from one element to another. The problem here is that the list itself is not regarded as an active control, and therefore the function triggers outside of it. I will pass this on as a suggestion so that it gets changed. Thank you very much!
  10. Unfortunately, the license cannot be credited on the same IP address. That would open the door wide to abuse by simply installing new operating systems several times in a row. But please send your details (your key, the referred customer or their purchase e-mail as proof) to [email protected]. Then we'll check it and come up with something.
  11. Both programs use the same update module. With EEK v10 Freeware, however, simultaneous downloads are limited to 1. In version 11 this will be increased to 5.
  12. To describe the target state as briefly and generically as possible: the core task of the software is to detect real malware and prevent it from becoming active. In the case of EIS, additionally, to restrict network traffic as desired and thereby reduce the potential attack surface for attacks from outside. It is not the software's task to react to simulated attacks generated by non-real/non-dangerous malware. This includes in particular proofs of concept that only demonstrate individual aspects of malware but ultimately pose no danger to the user and are therefore not regarded as malware. In other words: antivirus test labs that recreate scenarios as close to everyday use as possible using real malware allow an objective assessment of software quality against that target state. Any leaktests, on the other hand, ultimately only show whether the software has corresponding anti-leaktest routines built in, but not whether it protects against real malware.
  13. If there was no speed problem while the log was being recorded, unfortunately it doesn't help us much. However, our developers are currently testing another possibility that may under certain circumstances be the cause of the problems. Which operating systems show the symptoms?
  14. Either disable SSL in EAM or, alternatively, enable SSL support in Fiddler (installs a local certificate).
  15. Would it perhaps be possible to upload the file to Dropbox, Google Drive or similar so that I can download it?
  16. 175 MB seems extremely large to me for Fiddler. How big is it compressed (zip/rar)?
  17. Could someone with the slow updates please send me a Fiddler log as described in reply #4? Without corresponding recordings we can unfortunately only guess, since the problems are not widespread.
  18. Christian's response ultimately means that the test is not a firewall test but a HIPS test, and EIS simply is not a HIPS. Accordingly, any discussion of the results is ultimately worthless. EIS works exactly as it should.
  19. The charts in this blog post may be of interest: http://blog.emsisoft.com/2015/03/25/antivirus-anti-malware-anti-pup-what-is-emsisoft-really/ Especially the "detections by engine", which is interesting given the fact that only the delta signatures on top of Bitdefender are active in our products.
  20. The stable version will be released as soon as the product meets our quality requirements.
  21. A summary of the improvements in version 11 can be found in our blog as usual: http://blog.emsisoft.com/2015/10/24/a-sneak-peek-on-emsisofts-version-11-series/ Keep in mind that it is currently only available via the Beta updates option.
  22. Mostly the user interface. For detection and protection stuff we're sharing the same codebase.
  23. The Android tests are unfortunately not included in AV-Comparatives' main test series, so they are to be paid separately. Since we're closely partnering with Bitdefender for Emsisoft Mobile Security, we expect their results to apply mostly to our product as well and therefore we simply saved the money to have ours included in those tests too.
  24. EAM shouldn't actually trigger that. Do the intervals perhaps coincide with Windows updates or their installation?