About m0unds

  • Rank
    Active Member

Profile Information

  • Gender
    Not Telling
  • Location
    Albuquerque, NM

  1. Will your filtering be further impacted when the Chromium project (and Chrome, by extension) starts blocking third-party code injection altogether?
  2. Need Help

    Seems to me like it might be a bug with isthisfilesafe.com.
  3. DNS Servers

    Yeah, DNS cache poisoning is increasingly rare because common DNS servers like BIND, Unbound, etc. do it by default.
  4. DNS Servers

    Yup, you're correct. OpenDNS has limited malicious/bad site blocking (they focus on long-lived stuff like botnets) and phishing protection. Quad9 uses a bunch of vendors' threat intelligence feeds to block malicious and phishing sites. Comodo is vague, but claims it uses RBLs. They aren't RFC-compliant with regard to DNS TTLs. No idea whether they redirect on NXDOMAIN (I don't trust Comodo as a company, so I haven't used this service). Norton uses their own threat intelligence feeds to block phishing, malicious sites, etc., but last I checked, they redirect instead of returning NXDOMAIN, and partner with ask.com for that monetization stuff (yuck).
  5. DNS Servers

    Quad9 is another good option with malicious site blocking, but they're still working out some routing quirks in certain regions (Oceania, Eastern Europe, South America).
  6. Seems like it's this blocklist: https://iplists.firehol.org/?ipset=bbcan177_ms1 - this particular list hasn't been touched since January 8, 2018 (not like stuff on the internet changes all that often, right?). IMO, a lot of these user-submitted lists are junk and are really poorly maintained. This particular list includes IP ranges belonging to CDNs used by a ton of reputable services, including GitHub (and Emsisoft, and any other customer of Highwinds). Maybe that's why the maintainer hasn't updated: he can't push his changes to the git repo.
  7. I agree, this would be a nice feature. You can always query https://www.isthisfilesafe.com with the file hash (SHA-1 or MD5) or executable name, but that's a bit unintuitive.
  8. Why are logs migrated into forensics?

    Looks like you might be on an older product build. This is what the current one looks like:
  9. Why are logs migrated into forensics?

    In the "view" dropdown, under "components", untick "select all", then tick "scanner".
  10. NVIDIA Driver update

    Yep, that's how I run the product; however, in the case of this particular file, see the screenshot below.
  11. NVIDIA Driver update

    I tried capturing the file, but the installer extracts, executes and deletes it faster than I can grab a copy. Additionally, EAM fails to quarantine it but blocks the autorun modification attempt. It would be helpful if EAM would write the SHA-1/MD5/SHA-256 hash to the forensic log. The BB dialog is blank except for the action the file is taking. Here you go: https://www.virustotal.com/en/file/95705ae60a89adbf2b06534d52cb1817080d4480e1a5cc89f15d2a4dd7a096df/analysis/ The file shows as NVI2.dll, but it had the same hash as the one being executed by the installer process after the install was complete (guessing it's registering the NV stuff to start with the computer).
  12. Hey, I noticed that www.isthisfilesafe.com is available via SSL, but isthisfilesafe.com isn't; I wasn't sure whether that's an oversight. In Chrome, scripts loading from the naked domain (isthisfilesafe.com) are flagged as unsafe if the user is browsing www.isthisfilesafe.com over SSL. Just wanted to make sure you guys were aware of that inconsistency. Thanks!
  13. NVIDIA Driver update

    I just updated my NV drivers using GeForce Experience. That particular file is signed by NV but tries to modify an autorun entry. It also had no reputation on the anti-malware network, so I'm guessing the combination of the two things caused the BB popup.
  14. Yeah, I run HMP.Alert with EIS and have no issues. The only thing I do is exclude hmpalert.exe from monitoring within EIS.
  15. No problem, thanks for confirming you got them.
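Posts 3 to 5 above turn on one observable property of a filtering resolver: whether it answers a name that does not exist with a proper NXDOMAIN or with an address for a landing page. The following is an added example written for this page, not code from the thread or from any of the providers named in it. It builds a raw DNS query, parses the reply (rcode, A records and their TTLs) and classifies the resolver's behaviour; the two sample replies are constructed in the script, and the `probe` function does a live UDP query against an address you supply (Quad9's 9.9.9.9 is used as the commented-out example; the random label under .com is assumed to be unregistered).

```python
"""Probe how a resolver answers a name that should not exist (NXDOMAIN vs. redirect)."""
import os
import random
import socket
import struct

RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1), one question, class IN, no EDNS."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data: bytes, offset: int):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # pointer into an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes) -> dict:
    """Pull rcode and A records (with TTLs) out of a raw reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                          # skip the echoed question
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def classify(resp: dict) -> str:
    """What the resolver did with a name that does not exist."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"   # compliant: the name is reported as nonexistent
    if resp["rcode"] == 0 and any(a["type"] == 1 for a in resp["answers"]):
        return "redirect"   # an address for a bogus name: search/ad landing page
    return "other"          # SERVFAIL, REFUSED, empty NOERROR, ...


def probe(resolver_ip: str, timeout: float = 3.0) -> dict:
    """Live check (not exercised offline): random label under .com, assumed unregistered."""
    name = os.urandom(8).hex() + ".com"
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != txid:
        raise ValueError("transaction ID mismatch; ignoring stray reply")
    return resp


def make_reply(txid: int, rcode: int, name: str, addrs: list, ttl: int = 300) -> bytes:
    """Constructed reply for offline use; not captured from any real resolver."""
    out = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)   # QR, RD, RA set
    out += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in addrs:
        out += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return out


# Constructed samples: a compliant NXDOMAIN and a "helpful" redirect to a TEST-NET-3 address.
NXDOMAIN_REPLY = make_reply(0x1234, RCODE_NXDOMAIN, "zz7q1x.example.com", [])
REDIRECT_REPLY = make_reply(0x1234, 0, "zz7q1x.example.com", ["203.0.113.10"])

if __name__ == "__main__":
    for label, reply in (("nxdomain sample", NXDOMAIN_REPLY), ("redirect sample", REDIRECT_REPLY)):
        print(label, "->", classify(parse_response(reply)))
    # print(classify(probe("9.9.9.9")))   # live check against Quad9; needs network access
```

The TTL is surfaced per answer so that the other complaint in post 4 (TTLs that are not RFC-compliant) can be checked too: query the same real name twice a few seconds apart and the second TTL should be lower than the first, not reset.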
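Post 6 above makes the point that a user-submitted blocklist can quietly cover infrastructure (CDN ranges, code hosting) that everything else depends on. The script below is an added example written for this page, not the firehol project's tooling or the list's own contents: it parses a netset-style file, explains which entries cover a given address, reports entries that overlap ranges you declare as needed, and sizes the list. The sample list and the "known good" ranges are constructed placeholders in documentation and shared address space (RFC 5737, RFC 6598), not the real bbcan177_ms1 entries or any CDN's real prefixes.

```python
"""Audit an IP blocklist for overbroad entries that would block things you need."""
import ipaddress

# Constructed sample in firehol .netset style (comment lines, then one IP or CIDR per line).
# The ranges are documentation/shared space (RFC 5737, RFC 6598), not the real list's contents.
SAMPLE_NETSET = """\
#
# bbcan177_ms1-style list (constructed sample, not the real file)
#
192.0.2.0/24
198.51.100.17
203.0.113.0/25    # trailing comments are tolerated by this parser
100.64.0.0/10
"""

# Constructed allowlist: placeholders standing in for CDN / code-hosting ranges you rely on.
KNOWN_GOOD = {
    "cdn-example": ["203.0.113.0/24"],
    "git-example": ["198.51.100.0/24"],
}


def parse_netset(text: str) -> list:
    """Parse a netset; reject malformed lines instead of silently skipping them."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from exc
    return nets


def matching_entries(nets: list, ip: str) -> list:
    """Every list entry that covers the address (to explain a surprise block)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr.version == n.version and addr in n]


def collateral(nets: list, known_good: dict) -> dict:
    """List entries overlapping services you need; each one is a likely false positive."""
    hits = {}
    for label, ranges in known_good.items():
        for r in ranges:
            good = ipaddress.ip_network(r)
            for n in nets:
                if n.version == good.version and n.overlaps(good):
                    hits.setdefault(label, []).append(str(n))
    return hits


def coverage(nets: list) -> int:
    """IPv4 addresses the list blocks after merging overlapping entries."""
    v4 = [n for n in nets if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))


if __name__ == "__main__":
    nets = parse_netset(SAMPLE_NETSET)
    print("entries:", len(nets), "addresses covered:", coverage(nets))
    print("203.0.113.5 blocked by:", [str(n) for n in matching_entries(nets, "203.0.113.5")])
    print("collateral:", collateral(nets, KNOWN_GOOD))
```

Run it against the real download with your own provider ranges in `KNOWN_GOOD` before feeding a list to a firewall; a single /10 entry, as in the sample, blocks four million addresses and is the kind of line that sits unreviewed in a list nobody has updated for a year.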