pallino

Member
  • Content Count: 309
  • Days Won: 2

Everything posted by pallino

  1. I completely agree. I also don't see "savings" in internet usage, since BB/Emsi in all 5 cases above already connected to the cloud and verified the files... CPU, Emsi and Internet were already used. I don't understand why, after this check, when a file is marked as bad/infected in the cloud, BB cannot immediately quarantine the files. Keeping something malicious that wants to do bad things in memory does not make any sense.
  2. OK, but I still think that since all are known to be malware (Emsi cloud) they shouldn't be kept in memory but quarantined. Any chance of a new setting to allow BB to alert and then recommend quarantining this kind of malware? Thank you
  3. Thank you for asking the developers. I think it's still very weird. - If the files have "bad reputation" + are not trusted + infected, they should be quarantined. Anyway, even if they are still trying to connect and really cannot, why keep them in memory since they are malware???? Pls consider that one of them got quarantined at the end, but only after 2.5 hours. Last, 5 cases in 3 days? All could not connect and all were really not harmful? Below are the first 2 files I didn't provide the links for before. https://www.hybrid-analysis.com/sample/997014f7acea58298a7cbd2e018122806926331bfb4510978328bc119a111a96?environmentId=100 https://www.hybrid-analysis.com/sample/89f3967e149178dc830219d44e362597e38d7a9a8994465eeac660b62a7ef0bb?environmentId=100 And the hybrid-analysis report of the one I found on the 31st. https://www.hybrid-analysis.com/sample/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7?environmentId=100
  4. Today I had 2 new cases. As for all cases before, Emsi IS 12 is on default settings, updated, and has been active for a long time. BB monitors files with a bad reputation but doesn't block them or alert the user. https://www.hybrid-analysis.com/sample/95170338ff95db78f6dd38f2a2d1d4cdf3123621f60686f47fddeb21896c3994?environmentId=100 In this case BB worked slowly, but it did what we expected it to do. It monitored the file, checked reputation, found that the file had a bad reputation and after some time it quarantined it. The 2 malware samples below were monitored but not blocked, nor was the user alerted, even though these files have a bad reputation and are "not trusted" + "infected" on isthisfilesafe.com. Nothing happened in the next 2 hours: both still in memory, high CPU, nothing from Emsi. https://www.hybrid-analysis.com/sample/6692c2d08f94faa2e073981897465ff380fd4a6422d41f3b14fe5542da86d87e?environmentId=100 https://www.hybrid-analysis.com/sample/93890608a8e2f39564a1f72262ef002cdf32d574d1946b412934c4f9e2986d73?environmentId=100 Same as with the one below from the day before yesterday. https://www.virustotal.com/en/file/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7/analysis/ Update: After 2.5 hours of monitoring the file, BB quarantined the proforma_invoice.bat file (now it can be seen under the BB log tab). The other file is still monitored. Can you pls check why? Thank you
  5. I didn't change any settings. Emsi didn't do anything, just BB was monitoring the file... Nothing in the log. Malware was in memory, active with CPU >40% in Process Explorer.
  6. I just had another case. https://www.virustotal.com/en/file/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7/analysis/ Malware starts and stays in memory with high CPU usage (>40%). No alerts from Emsi IS, but under the Protection > BB tab I see it is being monitored and also that the file has "bad reputation". This time I selected the file and checked online. On isthisfilesafe.com it showed: status: not trusted. Infection details & removal: this file is infected! Why didn't the behavior blocker alert me and/or quarantine it since it has "bad reputation" + it is "not trusted" + "this file is infected"? If a thief (the malware) with bad intentions is getting into my home (my PC), I don't wait to react until he/she does something bad; I kick him/her out ASAP... shouldn't Emsi BB do the same? Thank you for checking this issue.
  7. Hello Arthur, thank you. In my case I was testing Emsi IS with default settings, with all components updated and active. It was a malware. I started it and didn't get any alerts from Emsi. I checked under the Protection tab and saw that BB was checking the reputation. After some time it showed "bad reputation", but it didn't block or alert me even though the malware was in memory and active (>40% CPU). Since there was a bad reputation, BB should have alerted and recommended quarantining it, right? ...or only if the bad reputation was "bad enough"? What does "bad reputation" mean? The file was already seen and analyzed by Emsisoft but no signature is available yet? Similar to this is the firewall that blocks connections to a known malware site... it correctly blocks the connection and asks what to do; why does Emsi not also recommend quarantining the program that tried to connect (unless it's a known browser)? Thank you
  8. Hello Emsisoft Team, some days ago under the Protection tab I saw that the Emsi behavior blocker was monitoring 2 files; these files had a "bad reputation". Why doesn't Emsi BB alert and recommend quarantining these files that were active in memory, since they have a bad reputation (and in fact they were malware), as it does when suspicious activity is detected? Thank you
  9. Thank you Arthur. Can you pls check with Fabian how Emsisoft now handles fileless infections? Did something change in Emsi 11 and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection? Can Emsi now scan all the content of the memory, independent of whether it's used by loaded files or not? Thank you
  10. Arthur, thank you for reminding us of this important quality of Emsi. I still think that an advanced option to alert the user that the file was never seen before, with an option to upload the executable file, would be liked by many advanced users and would surely increase Emsi's database as well as the detection rate.
  11. I agree and understand that as it is it provides the best possible level of protection with the lowest possible level of hassle (false alarms, delays, customer queries etc). I would still love to know that all files (or executable/dangerous files... .wsf, .js, .jve included) I run were or will be first analyzed by Emsi... I'd immediately buy a 5 year license if I had this option! I think not many options should be "hidden", only this one: "Do you want Emsi to upload and scan unknown (executable) files before allowing them to run?" I think advanced, security oriented (some of them maybe security paranoid) users will love it too... same for users with "important" data to be protected. If one day you change your mind (as you did for the anti-exploit), pls let me know!
  12. GT500, thank you. - Isn't it possible to add an expert/advanced option where all files get checked the following way: the file is known (sha, hash...), the recommended action is chosen (BB of course always keeps checking for suspect actions). The file is unknown, files get first checked by the Emsisoft analysis system. I would love this and would feel way safer this way..... Do I need to wait some time before being able to run the file? I wouldn't have any problem waiting a little for way more security. Thank you
  13. Hello Emsi Team, can you pls explain how exactly Emsi behaves when a file not detected as malware by signature/heuristic is executed? 1- Emsi checks the network database every time an unknown file is run: if the file is found the "info" is used; if not, BB monitors the file's behavior and if suspect it alerts the user. Since not found on the Anti-Malware Network database, the "recommended action" is the one provided by 90% of users who have allowed or blocked it (does this still apply?). 2- The network database is checked not always but only when BB flags the file as suspicious. After that the network "info" is used if available; if not, BB will ask the user what to do. If memory serves, Emsi uses the second approach... why can't approach 1 be used/proposed as an option to advanced users? Thank you
  14. Hello Fabian, how does Emsisoft now handle fileless infections? Did something change in Emsi 11 and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection? Can Emsi now scan all the content of the memory, independent of whether it's used by loaded files or not? Thank you
  15. I still think this system has something "weird", but I will trust you and "live" with it. Thank you for your help! Bye
  16. Does your laptop have 2 video cards (e.g. one on the MB and one in a slot)? I just saw that disabling one speeds up the boot process (somehow Windows had them both enabled). Do advanced malwares, say APTs, also always leave some traces on the HD that are in the Fbar, Emsi, AVZ logs?
  17. Kevin, I hope you are right. I had many weird happenings with this laptop. I just reinstalled all. Boot time as before, but I'll hope an update will solve it since it's not caused by malware. Thank you for your time and help! Bye
  18. Kevin, have you ever not "seen" a new malware or its signs with FBAR, or is there always something in the 2 reports? Thank you and nice weekend
  19. If BIOS and MBR are fine, HD is fine, why doesn't a Win 10 refresh even before updating solve the problems? About the winlogon.exe error, I don't have 2 OS on my laptop. I just have 2 partitions, 1 for Win 10 and 1 for my data (no OS). What should I do?
  20. My problem is this is the only device with these issues... and I just refreshed Windows.... all others, with the same programs (now actually they have way more programs at startup), are way faster at boot, no issues at all till now...
  21. I don't know what to do anymore. I have 5+ systems... all work fine, load normal and way faster than this laptop. This laptop was and should be the fastest. I tried all I know, nothing helped. Even a Win refresh didn't bring any change, but .exe signature warning, problems scanning with AVZ, installing Emsi etc.... All but one of the other systems are older, with "cheaper/lower" components. All have Emsi, Win 10, are updated daily. Only this one has problems. An unknown malware is the only thing I can imagine. Btw, thank you for staying online with me today!
  22. Sure it is read, but before or after a boot DVD? If I boot from DVD, can I scan the MBR from a safe environment before the MBR is loaded (e.g. by the BIOS)?
  23. Kevin, if you check my msgs above you see something is very weird. After refreshing Win 10, I cannot install Emsi or run AVZ. Got a weird Win signature error msg and the boot time is still extremely slow.... Pls, tell me what I can do to find out what it is and to fix it. Thank you
  24. After a Win refresh shouldn't the laptop boot faster? 2- What about the error message below when booting with the Win 10 DVD (created with the media creation tool and used to install Win 10 on the same device before) to try to refresh Windows? Error 0x0000428 The digital signature cannot be verified C/windows/system32/boot/winload.exe 3- If I boot from an AV boot CD/DVD, is the HD MBR loaded before or after the DVD/AV on the DVD? 4- I deleted the uncompleted Emsi IS installation using the Emsi clean tool. Rebooted but still cannot install Emsi, same error msg. Last question: before I repair/fix the MBR, do you want me to copy it for further analysis? Is Emsi mbrmastr Win 10 compatible, and does it copy the whole MBR/VBR (also if with malware)? Is it a good program for this or what do you recommend?