pallino
  1. "Process Doppelgänging" Attack

    More info should be available at https://blog.ensilo.com/webinar-process-doppelganging-blocked-by-ensilo Arthur, I think you are right, but I also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it. I hope Emsi will be ready for this and that nobody will make malware writers' work easier by releasing a POC! Can Emsi scan a file while it's in a transaction? Thank you
  2. Hello Emsisoft Team, what do you think of the "Process Doppelgänging" attack? Does Emsisoft's behavior blocker protect from this or, if not, will it soon? https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf Thank you
  3. file digitally signed

    Why was the file detected as malware on the AMN (isthisfilesafe.com) but not by your File Guard/signatures? Why didn't the BB detect the encryption of the documents, pictures etc. or check the AMN? Does the BB still monitor something when a file has a valid certificate? I understand there are few cases of malware with a valid certificate, but I found 2 in the last days and read about more online (https://www.bleepingcomputer.com/news/security/crypt-globeimposter-ransomware-distributed-via-blank-slate-malspam/). How can users get protection from cases like this until the certificate is blacklisted? Before, users could disable trusting signed files (if memory serves me); now it's not possible anymore. Thank you
  4. file digitally signed

    GT500, the problem is that apparently Emsi completely trusts signed files and that malware with a (still) valid certificate can infect/encrypt the device. I just found another ransomware with a valid certificate (a GlobeImposter, submitted yesterday, SHA b269b77b38e3fee6e445b04ef8ac9294a6062dc42dcbaf015d134abef308b5ef). I saw that Emsi doesn't check its AMN (where it is already detected as malware). The BB states the file is good and that it is being monitored (under the BB protection tab after enabling the display of trusted files). If I check the rules, all is allowed (BB as well as firewall in/outbound). If the BB is monitoring it, why were my files encrypted (all in Desktop, Documents, Pictures) when normally Emsisoft blocks the ransomware immediately (when files are not signed)? If memory serves, some time ago you had an option to enable/disable "trust signed files"... can you add it again (at least in an "expert mode")? Thank you!
  5. file digitally signed

    GT500, thank you. What happens when a digitally signed file is executed? What should Emsi and Emsisoft's BB do? Is the validity of the certificate checked, and then, if valid, a rule is added and all is allowed in the BB & firewall? Before the certificate is blacklisted, can the malware do what it wants, or do some components of Emsi still check it? Thank you
  6. Hello Emsisoft Team, how does Emsi handle a digitally signed file when it is executed? Does Emsisoft immediately classify it as a "trusted program", create application rules and allow it to run without any protection from the Behavior Blocker, or does the BB still monitor it, or only some behavior? In other words, if a malicious file is digitally signed, can it do whatever it wants when executed, or can Emsi still block malicious behavior? Thank you
  7. I already said many times I do care, a lot, but I still think a few file hashes sent to VT are not a privacy issue. You also do it when the BB detects something, or? You upload less than VS does, probably. Is this a huge difference? I don't think so, and as with everything, it can be discussed and criticized. Same with the increased security VS would add to Emsi. <sarcasm> I also use VS, daily, for some time... I also speak without knowing VS... You know it better? Of course, why shouldn't you. Finally, don't worry, this was my last suggestion. Users that care to suggest improvements or highlight problems such as missed detections should deserve kindlier answers; a "thank you" sometimes would also not hurt... But no, the "impression" I, as others I know, get is that you know everything, Emsi is pretty "perfect"/already does it (again, our impression), what we say is worthless since all was already thought, done, detected... I don't remember seeing a "thank you", a "good idea"... maybe a "we'll discuss internally"... Of course I don't read all posts, might have missed plenty of these. Is all so worthless? No, examples? I have 3 just for me (anti-exploit protection, firewall blocks outbound connection -> BB alert of suspicious activity, BB alerts that a file in memory had bad reputation even if it is not doing anything suspicious yet). Nice weekend
  8. Thank you for sharing, interesting thread! It was 2013, VS changed since then. I don't have problems with VS: if and when it alerts, the alerts are clear... In smart mode it's very, very discreet. It could be added to Emsi with an expert mode for the VS "always on" settings if wanted. FP and privacy issues are not present in my opinion.
  9. OK, thank you. Last thing... I'm not sure VoodooShield uploads all files but rather think it uploads the SHA. Privacy issue? I don't see one when uploading new files to VT. Many FP? I'm using it on "always on" and don't get FP; some alerts, but very, very few FP... In smart mode it is way better. Did you try it? Anyway, thank you for your answers.
  10. But now Emsi does not check all files on VT with 60+ AVs, does not have AI (but a great BB), no sandbox, is not anti-exe/whitelist capable... With VT+AI+whitelist VoodooShield is able to block malware earlier and probably more (in terms of number; it might still not be 100% ready for some types of files, e.g. .JS, or need the paid version). I really think Emsi+VoodooShield is (considerably) better than Emsi alone. If we had a big malware pack and ran it against Emsi alone or against Emsi+VS, I bet the latter combo would detect/prevent considerably more.
  11. Did Online Armor check VT with 60+ other AVs? Was it a whitelist/anti-exe? Or a firewall with HIPS? Did it have AI? Sandbox possibility... with Cuckoo Sandbox/VM? Does Emsi detect as much as VoodooShield when running files? Did OA check them on VT before allowing them to run, or does Emsi do it now? I really don't think so. It's just a suggestion, so of course you do what you think is best. Luckily, as of now we can use VoodooShield for free, so no problem for users that want it with Emsi... If another AV decides to add it to its program, things will be way different.
  12. Hello Emsisoft Team, why don't you add VoodooShield to Emsisoft (acquisition, partnership, ...)? This would add a lot to Emsisoft: higher static as well as dynamic detection, an AI engine, sandbox capability, VT scan... Or, looking at it from another point of view... what if another AV does it before you? It will get a great advantage vs. other vendors. What do you think of this?
  13. I didn't, it was a fresh image, but it's not important now since time has passed. Thank you anyway.
  14. Fabian, in the case above the BB checked for the reputation, since when I disconnected from the internet and checked the protection tab the BB showed the bad reputation. The BB didn't block it, as the malware was still in memory. The Emsi firewall alerted and outbound connections were blocked. Why did the BB check but not block the file? It seems something went wrong, or? Thank you
  15. I'm happy you liked the idea. 😊 In general, why check for reputation if nothing is then done with it? In the case above, why did the BB check for reputation in the "background" and, after getting the bad reputation, not do anything with it, neither alert nor block the malware? I hope you also discuss internally allowing the BB to block malware whenever a bad reputation is found. 😉