Emsisoft Employee

Everything posted by GT500

  1. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
  2. There is more information at the following link:
  3. There is more information at the following link:
  4. There is more information at the following link:
  5. As Kevin said, this is an offline ID. I recommend running the decrypter once every week or two so that you can see when we've added the private key for your variant. There is more information at the following link:
  6. From About the STOP/Djvu Decrypter:
  7. None that I've heard of. I recommend following BleepingComputer's news feed, as they will usually report on ransomware decrypter releases:
  8. STOPDecrypter won't be able to decrypt your files. It has been discontinued by its creator in favor of a newer decrypter. Fortunately you have an older variant of STOP/Djvu, however your ID is an online ID and you'll have to upload file pairs via our online submission form to help our decrypter "learn" how to decrypt your files. There is more information at the following link:
  9. Let's try getting a log from FRST, and see if it shows the cause of the issue. You can find instructions for downloading and running FRST at the following link: Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  10. I'm fairly certain the File Guard doesn't cache scan results, however I'll ask QA to verify this.
  11. I've forwarded that to QA. Yes. That's also something a corporate entity may do during their backup procedures, or more advanced home users may do as well. People use 7-Zip to make encrypted archives all the time. Of course. One could write a batch file that acts as ransomware using only built-in Windows commands, or a batch file that acts as a trojan and downloads other payloads using only built-in Windows commands. While these technically do work, they aren't practical, and would be too easy to defeat. It should be saved as an Application Rule. Application Rules for files that no longer exist are automatically deleted.
  12. @Yilee I have been informed that the official end of support date for Windows 7 has been set for March 31st, 2021: They have an interesting concept, however I don't know how effective it is in application. I'm also not certain how it will affect software compatibility in the long term. In the short term it may be fine though, and if they are good about resolving issues caused by their patches then in theory that shouldn't be a real issue.
  13. These are newer variants of STOP/Djvu. If you have an offline ID, then once we can find the decryption keys for these variants and add them to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link:
  14. I'm glad to hear that. Be sure to get a good Anti-Virus and make regular backups so that it doesn't happen again.
  15. We have not yet set an end of support date for Windows 7. We're not yet certain how long our customers will continue it, or how long it will be possible to keep Windows 7 computers safe, especially with Microsoft offering extended update support for up to 3 years for businesses who pay for it. We recommend installing January updates as well. There may be another service stack update in addition to the security updates released in January. These will be the last updates you will get, unless this is a business computer and it has a subscription to Microsoft's Extended Security Updates for Windows 7. Does this happen with the latest stable build (2020.2) of Emsisoft Anti-Malware?
  16. Assuming you used the export settings button under Back and Restore in the settings, this is because Custom Scan settings are not persistent. They revert to defaults every time EAM restarts. If you want to save/load Custom Scan scan settings, this must be done from the Custom Scan configuration (you may need to scroll down to see the buttons). As already explained, scripts are scanned via AMSI or IOfficeAntiVirus on execution if they are executed by a Microsoft script interpreter (most of Microsoft's software supports one of these API's). Anything else is monitored by the Behavior Blocker. As for people who don't understand the difference between an application and a script, they usually aren't running scripts. They're also not generally aware of what a script is, and trying to explain that in support documentation about EAM's protection settings would be counterproductive (people don't like to read long documentation, and it would more than likely cause too much confusion to try to explain it in the middle of explaining what the protection settings do). You can exclude scripts you don't want automatically blocked/deleted. Absolutely. As a software company there are times when we have to make compromises that we know at least some users will be unhappy with, and that extends to the information that we can give to users/customers about how our software works. We try to be as open as possible, but there's always a fine line that we try not to cross that could reveal too much information. BB rules can be changed at any time, so if our malware analysts feel that there is a reason to do so then they will. That being said, from the description, the "exploit" wasn't an exploit. All it did was look for a legitimately installed copy of 7-Zip, and execute with a command to archive files and encrypt them, then delete the originals. Are we to just delete every script that tries to invoke 7-Zip this way? When there's no real malware that does this? 
Actually they're only allowing that one type of behavior. EAM will still sometimes display notifications for other types of malicious behavior from the same executable or script. The firewall entries are relatively small (if bytes) and there's no problem with having them there, so removing them has never been a high priority. It's possible we may do so in the future, but it may not happen right away.
  17. Did your friend post a link to the malicious executable/script that did this? Or at least a link to VirusTotal scan results of the file?
  18. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
  19. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
  20. There is more information at the following link:
  21. There's nothing that can be done for online ID's. We'd have to have the private keys, and only the criminals who made/distributed the ransomware have those. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
  22. What variant of STOP/Djvu are you dealing with? .domn?
  23. You can whitelist files/folders via exclusions to keep them from being scanned. You can also abuse wildcards to whitelist file extensions, however I wouldn't recommend doing this. The File Guard and the on-demand scanner are separate components of the software, with their own settings. The setting to detect PUPs blurred the lines for a while, but even it appears separately for the File Guard and the on-demand scanner now. Custom Scan settings aren't intended to be copied, but rather saved and reloaded later when needed again. I've been told that the KB article is correct. Programs are scanned on execution, which is handled differently than normal reads and writes of files to the filesystem. Scripts are executed by programs, and those programs (even cmd, PowerShell, and cscript) are monitored while processing scripts. In order to block script execution, you block the script interpreter, and quarantine the malicious script (in most cases it's not difficult to figure out what script was executing). That's because we try to keep answers vague enough that it's difficult to put together a clear picture of how it works. No need to make it easier for the bad guys by posting on our forums how our Behavior Blocker works. When Emsisoft Internet Security was still around, it saved firewall rules in that file. The formatting of the file may not have been changed since it was discontinued, as this would allow reading of old backup copies of a2rules.ini that contain these firewall entries.
  24. There's no need for you to do anything. The keystream is saved in our database, and the decrypter will simply connect to our database and retrieve the keystream from it. Just run the decrypter again, and most of your MKV files should be decrypted.