Elise

The short answer to that is: no. It can be broken by malware (as in: won't run) or blocked (a replacement is attempted but after a reboot the original bad file is back), but that is about it. That being said, malware doesn't need to manipulate it, if it can just circumvent it. If a system is infected and a replaced system file has sufficient permissions to fool Windows into thinking it is legitimate (this typically is rootkit-level), you can run SFC all you want and Windows will report everything is fine, while in fact you can have one or more infected system files. So running SFC is not a malware scan nor should it be used as such.

I will test this a bit next week, in the mean time you may want to check what the alert was for, because I highly doubt it was for 7zip and rather for the malware file(s).

It depends completely on how this script is executed; in a "normal" malware scenario it will be dropped or downloaded, which will lead it to be blocked.

Unfortunately I can't access that topic. I have checked the files and I suspect the issue is with the powershell script (mal.ps1). A script like that one is usually the result of being dropped by other malware or ending up on the system using exploit code, which will be blocked. To simulate that correctly in a test you would need to find out what malware dropped this script and run that instead.

Can you share the password as well?

Thank you for your feedback. Could you please send us the samples that weren't blocked so we can check out why they were able to encrypt files?

Generally speaking if you see (A) or (B) behind a detection name it is a signature detection. If it is not there and the detection is not from the Surf Protection (URLs), then it usually is a heuristics detection.

Yes, always use only one antivirus with real-time protection on to avoid conflicts. Windows 10 is smart enough to allow only one AV to be turned on though, so if you'd like to try the Emsisoft Anti-Malware trial, you could install it and it would automatically disable Windows Defender. Likewise if your trial were to expire, it would automatically turn on Windows Defender again.

Hello Peter, Good to hear everything went well. That box just is an offer to install the actual Emsisoft Anti-Malware program so the computer will be protected in real time. The emergency kit scanner only will scan a computer for malicious files, it doesn't offer any actual protection.

Merry Christmas to you both! Peter, it's completely normal to feel a bit confused when you are new to a forum, no need to apologize for that. If you have any other questions, please don't hesitate to ask!

You're welcome Peter.

Hello Peter, It does not matter where you save the EEK files. If you have them on your desktop for example, you can simply copy/paste them to a flash drive. To download it, open Emsisoft Anti-Malware on any device and make sure your flash drive is plugged in. Click in the left pane on Scan and then scroll down to Emergency Kit Maker. Select the platform version (most modern computers are x64 so if you're not sure just try that) and select the location to save the files by clicking on the ... button next to "Save to:". If you want to save the files to your flash drive it's recommended to create a folder (for example named EEK) on the flash drive and use that. Finally click the Create Emergency Kit button to start the download. Now all you have to do is to start the scanner from the location you saved the files to. You don't need to reboot or anything and nothing will be installed. All necessary files are present in the location you selected when you created the emergency kit. If you want to remove the files later it's as easy as just deleting them (or the folder you put them in). You can also download the emsisoft emergency kit from here (please note you will have to extract the files yourself if you do this): https://www.emsisoft.com/en/home/emergencykit/ If you have any further question about this, please let me know.

I can't comment on recommendations given by different security products since I don't know what their reasoning behind it is. You'll have to ask them about it.

If only the service is enabled and windows otherwise is configured as default there is no way that this service running can allow anyone to connect to your computer's registry remotely. As far as I know you can only do that using this service if the computers are on the same network and visible to each other. If your computer is accessible to the entire internet that way you have much bigger problems than a possibility that an attacker might access your registry (they could get to all your files).

Why would you want to disable it in the first place? It's a legitimate windows service. Unless you are a system admin just keep your windows services settings at the default level to ensure your OS functions properly.

Hello, Participating in independent lab tests is very important to us to ensure that we’re delivering only the best protection that’s on par (or even exceeds) with industry standards. We currently participate in Virus Bulletin (VB100) and AV-Lab tests. Emsisoft Anti-Malware was recently certified by the latest VB100 test (see here) and received excellent reviews from AV-Lab’s recent online banking protection test (see here). We’re currently evaluating our participation in the AV-Comparatives tests and are also actively looking for testing opportunities with other reputable independent testing organizations. Additionally, when it comes to choosing security software I'd recommend always to use a trial as well (which most products offer for a short period, typically 30 days) to see if the product suits you.

Hello, Thank you for contacting us. However Emsisoft has nothing to do with ESET's products. You will have to contact ESET in order to see what's going on.

Hello, This is legitimate. You can read more about it here: https://blog.emsisoft.com/en/32517/new-in-2018-12-safe-web-browsing-with-emsisoft-browser-security/

PUP behavior typically does not include password stealing (that would move it straight into the malware category). These are considered PUPs because the way they are distributed, however if you would like to install it because you think it's useful there's nothing wrong with it. It is possible that Tampermonkey is bundled in a third-party download wrapper that also may distribute adware/malware, however if you download it from the official website it should be fine.

I've never used it, so I can't really comment on the functionality, only that it is safe and not malicious.

Hello, This application is safe. If you can go to Logs and double click the entry where the file was flagged, you can copy the alert message and paste it here and I can whitelist the executable for you.

Hello, None of these keys are inherently dangerous, but it depends on what installed them. This can happen if you installed a program of Asian origin for example. I'd check the content of each key to be sure (you can export them by right clicking the key name and then selecting Export and post or attach the content here).

It depends of course on personal preferences, but for your computer's security Emsisoft Anti-Malware in combination with the Windows inbuild firewall really is enough.

Yes, when I checked it, it was taken down already (at least good that the hoster acted so quickly :)).

Thank you, I'll check it and detection will be added if necessary.