pallino

Posts posted by pallino


  1. I finally found the culprit... Windscribe 1.83 build 20 on my host is somehow blocking Emsisoft's update... if I disable Windscribe, Emsisoft can update. I could update it this way but wouldn't like to use it without VPN on my host. If Emsisoft cannot connect to the server to update, it probably also cannot connect to check the AMN in case the behavior blocker detects something suspicious, right?

    Can this issue be solved? Thank you


  2. Hello Emsisoft team,

    For 7 days now Emsisoft AM (2020.2.1.9977) cannot connect to the update server anymore. The internet connection is working and all other programs (Windows Update, Firefox, on-demand scanners etc.) can connect/update.

    I also uninstalled/rebooted/reinstalled Emsisoft but still no luck; same after resetting settings to default.

    Emsisoft is running inside VirtualBox 6.12 (the VM was not updated lately, and host and guest are Windows 10, latest update).

    How can this be fixed?

    Thank you

    [attached screenshot: update.PNG]


  3. Thank you for the explanation. 👍

    How widespread is the cheating problem?

    How many might be cheating (e.g. in %), and don't these companies cheat in all tests they take part in, causing the same problem in all tests?

    Shouldn't test companies detect these (or other AV companies denounce them), make these public and ban the cheaters (at least one suspect got caught and banned in the past), and wouldn't this act as a big deterrent?

    Were the driver problems during the AV-C tests the same ones that affected the Cruelsister test last year?

    Have these all been fixed?

    Thank you


  4. Hello Arthur,

    What do you mean with "all you have to do is design it to pass the test"?

    On 3/31/2019 at 5:34 PM, GT500 said:

    To make sure your software passes the test, all you have to do is design it to pass the test. Whether or not they design their software to do more than pass tests, I have no idea.

    ...and with "We've decided that it's more important to focus on the best protection for real-world threats than to focus on passing tests"?

    On 3/31/2019 at 2:55 PM, GT500 said:

    Passing tests is not the same as protecting against real-world threats. We don't have the resources of larger companies like BitDefender, Kaspersky, and ESET, so we have to be more selective about where we focus our development efforts. We've decided that it's more important to focus on the best protection for real-world threats than to focus on passing tests so that we look good in statistics.

    Can you please explain this better? What could you do differently to pass the test, and why would this negatively affect the real-world detection capability of Emsi?

    In other words, if Emsi's real-world detection is very high, why shouldn't it also be high in the AV-Comparatives test?

    Thank you!


  5. More info should be available at

    https://blog.ensilo.com/webinar-process-doppelganging-blocked-by-ensilo

    Arthur, I think you are right, but I also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it.

    I hope Emsi will be ready for this and that nobody will make malware writers' work easier by releasing a POC!

    Can Emsi scan a file while it's in a transaction?

    Thank you


  6. Why was the file detected as malware on the AMN (isthisfilesafe.com) but not by your file guard/signatures?

    Why didn't the BB detect the encryption of the documents, pictures etc. or check the AMN?

    Does BB still monitor something when a file has a valid certificate?

    I understand there are few cases of malware with a valid certificate, but I found 2 in the last few days and read about more online (https://www.bleepingcomputer.com/news/security/crypt-globeimposter-ransomware-distributed-via-blank-slate-malspam/).

    How can users get protection from cases like this until the certificate is blacklisted?

    Before, users could disable trusting signed files (if memory serves me); now it's not possible anymore.

    Thank you


  7. GT500,

    The problem is that apparently Emsi completely trusts signed files and that malware with a (still) valid certificate can infect/encrypt the device.

    I just found another ransomware with a valid certificate (a GlobeImposter I submitted yesterday, SHA b269b77b38e3fee6e445b04ef8ac9294a6062dc42dcbaf015d134abef308b5ef).

    I saw that Emsi doesn't check its AMN (where it is already detected as malware). The BB states the file is good and that it is being monitored (under the BB protection tab, after enabling the display of trusted files).

    If I check the rules, all is allowed (BB as well as firewall in/outbound).

    If BB is monitoring it, why were my files encrypted (all in Desktop, Documents, Pictures) when normally Emsisoft blocks the ransomware immediately (when files are not signed)?

    If memory serves, some time ago you had an option to enable/disable "trust signed files"... can you add it again (at least in an "expert mode")?

    Thank you!


  8. GT500, thank you.

    What happens when a digitally signed file is executed? What should Emsi and Emsisoft's BB do?

    Is the validity of the certificate checked, and then, if valid, a rule is added and all is allowed in BB & firewall?

    Before the certificate is blacklisted, can the malware do what it wants, or do some components of Emsi still check it?

    Thank you


  9. Hello Emsisoft Team,

    How does Emsi handle a digitally signed file when it is executed?

    Does Emsisoft immediately classify it as a "trusted program", create ApplicationRules and allow it to run without any protection from the Behavior Blocker, or does BB still monitor it, or only some of its behavior?

    In other words, if a malicious file is digitally signed, can it do whatever it wants when executed, or can Emsi still block malicious behavior?

    Thank you


  10. I'm happy you liked the idea. 😊

    In general, why check for reputation if nothing is then done with it?

    In the case above, why did BB check in the "background" for reputation and, after getting the bad reputation, neither alert nor block the malware?

    I hope you also discuss internally allowing BB to block malware whenever a bad reputation is found. 😉


  11. Fabian, Arthur,

    Thank you!

    Since in this case the sample was in memory, and BB under the protection tab showed it had looked up its reputation and it was bad, why didn't it alert me and block it?

    Normally I see a window where Emsisoft tells me a suspicious activity was detected and Emsi is checking the cloud.

    This time nothing popped up... Did BB miss it?

    Last question... When the Emsi firewall alerts the user about outbound connections on unusual ports and the user chooses to block all connections, why doesn't the BB also ask the user if they want to quarantine/kill the process?

    Can you add this rule to help users kill/quarantine bad processes?

    Btw, the file Emsi BB left in memory even with a bad reputation is

    https://www.hybrid-analysis.com/sample/adcbe27a828b0e47b43153ac66252b15466afa75dd83208d63a60f6849c6ce90?environmentId=100


  12. Fabian, Arthur,

    - When does BB monitor a file? What triggers the BB monitoring?

    What happens when BB monitors a file vs. when it doesn't? If it doesn't, and the file does something bad, will BB not detect it since it is not monitoring it?

    - When in the BB log we see that a rule was added for a program that is running in memory, what does this mean? Will BB still monitor it or alert if something suspicious happens because of the program?

    Today I saw a malware that was in memory, no CPU usage... I disconnected the PC from the internet, then I checked the BB protection tab... The file had a bad reputation, so BB had already checked before I opened the tab.

    Apparently BB checks for reputation in the cloud not only when the user opens the BB protection tab, is this correct?

    Since it knew the file was bad, I really don't understand why you want to keep it in memory and on the HD.

    I really hope you will change this.

    Thank you


  13. What does it mean when BB in the protection tab classifies a program as having a "bad reputation", but online, on isthisfilesafe, the file is unknown?

    How is this possible?

    Just to be sure:

    Emsi Anti-Malware Network = isthisfilesafe = list of programs already scanned by Emsi with special algorithms to detect if malicious + user database of the most used action after being alerted by BB?

    File reputation = determined according to the Emsi Anti-Malware Network = isthisfilesafe?

    Thank you


  14. 38 minutes ago, Fabian Wosar said:

    We could. But what good would such a function be? It would only be enabled if you have the screen open. That is why it makes no sense. What would make sense is to just check every process in the background permanently, but that is too big of an invasion of privacy for us to do.

    Why do you need the screen open?

    Even if the screen needs to be open, since the user triggered a reputation scan by opening the BB protection tab:

    - the screen might still be open, or you could keep it open till the reputation check is done (and inform the user about this)

    - the user got suspicious, wanted to check the file, and expects Emsisoft to take the best action: alert + quarantine the malware.

    Since the work was already done and a malware is in memory, I think most Emsi users would like an easy, automated action from Emsisoft: an alert window that informs them the file was quarantined because it is malware.

    Keeping something malicious in memory is kind of just playing with fire...


  15. I didn't trigger any reputation check at all.

    I just saw that BB neither alerted nor quarantined, and saw under the BB protection tab that it was monitoring them and that for 2 of them it was checking for reputation at that exact moment.

    Then I checked online to see what the cloud said.

    So again, since BB had already checked for reputation on its own and it was bad, why keep a malware in memory?

    2 - It's confusing now: when should BB quarantine a malware? Only after a bad enough action, or also after checking for reputation and getting a bad reputation for the file?


  16. On 2/5/2017 at 11:22 AM, Fabian Wosar said:

    Because you force the BB to do the reputation check by going to the list. The BB does not do a reputation check before then and naturally doesn't know what is and isn't bad, because the reputation check is only triggered on observing a malicious behaviour. Obviously, we could add that it asks you to quarantine then. But that is not what you want. You want us to check the reputation of every application you start indiscriminately and quarantine automatically, which is something we won't do for privacy reasons. Because then we would know at any time exactly what applications you are running. You may be fine with that, but a tonne of other people would not.

    I didn't ask to check all files.

    This time I provided 5 links to files that triggered a BB reputation check.

    The reputation was bad, and on isthisfilesafe.com it stated all 5 were not trusted and infected.

    All were active in memory for more than 1 hour, 40+ CPU usage.

    No alerts from BB; it monitored the files but neither alerted nor blocked them.

    Because of this I asked you to check why BB didn't block them, since they were bad and malicious.

    Again, it doesn't make any sense to keep known malware in memory, even less after you checked your cloud and know they are bad/infected.


  17. Fabian,

    Why does your BB check the reputation of a file with your cloud (so the hash is generated anyway), find out it has a bad reputation (is not trusted/is infected in your cloud) and then not do anything with it?

    It does not make any sense:

    - the work was already done (hash, CPU usage, upload of hash, reputation scan etc.)

    - Why keep a malware in memory???

    In all these cases the BB checked for the reputation on its own!