pallino

Everything posted by pallino

  1. Today I had 2 new cases. As in all the cases before, Emsi IS 12 has default settings, is updated, and has been active for a long time. BB monitors files with a bad reputation but neither blocks them nor alerts the user. https://www.hybrid-analysis.com/sample/95170338ff95db78f6dd38f2a2d1d4cdf3123621f60686f47fddeb21896c3994?environmentId=100 In this case BB worked slowly, but it did what we expected it to do. It monitored the file, checked the reputation, found that the file had a bad reputation and after some time it quarantined it. The 2 malware samples below were monitored but not blocked, nor was the user alerted, even though these files have a bad reputation and are marked "not trusted" + "infected" on isthisfilesafe.com. Nothing happened in the next 2 hours: both still in memory, high CPU, nothing from Emsi. https://www.hybrid-analysis.com/sample/6692c2d08f94faa2e073981897465ff380fd4a6422d41f3b14fe5542da86d87e?environmentId=100 https://www.hybrid-analysis.com/sample/93890608a8e2f39564a1f72262ef002cdf32d574d1946b412934c4f9e2986d73?environmentId=100 Same as with the one below from the day before yesterday. https://www.virustotal.com/en/file/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7/analysis/ Update: after 2.5 hours of monitoring the file, BB quarantined the proforma_invoice.bat file (now it can be seen under the BB log tab). The other file is still being monitored. Can you please check why? Thank you
  2. I didn't change any settings. Emsi didn't do anything; just BB was monitoring the file... Nothing in the log. The malware was in memory, active with CPU >40% in Process Explorer.
  3. I just had another case. https://www.virustotal.com/en/file/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7/analysis/ The malware starts and stays in memory with high CPU usage (>40%). No alerts from Emsi IS, but under Protection, BB tab, I see it is being monitored and also that the file has a "bad reputation". This time I selected the file and checked online. On isthisfilesafe.com it showed: status: not trusted; Infection details & removal: this file is infected! Why didn't the behavior blocker alert me and/or quarantine it, since it has a "bad reputation" + it is "not trusted" + "this file is infected"? If a thief (the malware) with bad intentions is getting into my home (my PC), I don't wait to react until he/she does something bad, I kick him/her out ASAP... shouldn't Emsi BB do the same? Thank you for checking this issue.
  4. Hello Arthur, thank you. In my case I was testing Emsi IS with default settings, with all components updated and active. It was malware. I started it and didn't get any alerts from Emsi. I checked under the Protection tab and saw that BB was checking the reputation. After some time it showed "bad reputation", but it didn't block nor alert me even though the malware was in memory and active (>40% CPU). Since there was a bad reputation, BB should have alerted and recommended quarantining it, right? ...or only if the bad reputation was "bad enough"? What does "bad reputation" mean? The file was already seen and analyzed by Emsisoft but no signature is available yet? Similar to this is the firewall that blocks connections to a known malware site... it correctly blocks the connection and asks what to do; why does Emsi not also recommend quarantining the program that tried to connect (unless it's a known browser)? Thank you
  5. Hello Emsisoft Team, some days ago under the Protection tab I saw that the Emsi behavior blocker was monitoring 2 files; these files had a "bad reputation". Why doesn't Emsi BB alert and recommend quarantining these files that were active in memory, since they have a bad reputation (and in fact they were malware), as it does when suspicious activity is detected? Thank you
  6. Thank you Arthur. Can you please check with Fabian how Emsisoft now handles fileless infections? Did something change in Emsi 11, and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection? Can Emsi now scan all the content of the memory, independent of whether it's used by loaded files or not? Thank you
  7. Arthur, thank you for reminding us of this important quality of Emsi. I still think that an advanced option to alert the user that the file was never seen before, with an option to upload the executable file, would be liked by many advanced users and would surely increase Emsi's database as well as the detection rate.
  8. I agree and understand that as it is it provides the best possible level of protection with the lowest possible level of hassle (false alarms, delays, customer queries etc.). I would still love to know that all files (or executable/dangerous files... .wsf, .js, .jve included) I run were or will be first analyzed by Emsi... I'd immediately buy a 5 year license if I had this option! I think not many options should be "hidden", only this one: "Do you want Emsi to upload and scan unknown (executable) files before allowing them to run?" I think advanced, security-oriented (some of them maybe security-paranoid) users will love it too... same for users with "important" data to be protected. If one day you change your mind (as you did for the anti-exploit), please let me know!
  9. GT500, thank you. - Isn't it possible to add an expert/advanced option where all files get checked the following way: if the file is known (SHA, hash...), the recommended action is chosen (BB of course always keeps checking for suspect actions); if the file is unknown, the file first gets checked by the Emsisoft analysis system. I would love this and would feel way safer this way... Do I need to wait some time before being able to run the file? I wouldn't have any problem waiting a little for way more security. Thank you
  10. Hello Emsi Team, can you please explain how exactly Emsi behaves when a file not detected as malware by signature/heuristics is executed? 1- Emsi checks the network database every time an unknown file is run: if the file is found, the "info" is used; if not, BB monitors the file's behavior and, if suspect, it alerts the user. Since the file is not found in the Anti-Malware Network database, the "recommended action" is the one provided by 90% of users who have allowed or blocked it (does this still apply?). 2- The network database is not always checked, but only when BB flags the file as suspicious. After that the network "info" is used if available; if not, BB will ask the user what to do. If memory serves, Emsi uses the second approach... why can't approach 1 be used/proposed as an option to advanced users? Thank you
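The two approaches the post above contrasts, as an added example that is not part of the original post and not Emsisoft's code: a small policy model with a hash-keyed reputation lookup. The denylist is constructed for the example from the four SHA-256 values quoted earlier in the thread; treating them as "bad" and the benign stand-in as "good" are assumptions made here, not verdicts taken from the Anti-Malware Network. The point the model makes visible is where a known-bad file gets stopped: at launch under approach 1, or only after it misbehaves under approach 2.

```python
import hashlib
from enum import Enum

# Constructed denylist for this example: the SHA-256 hashes quoted in the thread
# (the hybrid-analysis / VirusTotal links). Calling them "bad" is an assumption
# made for the example; the real cloud verdicts are not on this page.
KNOWN_BAD = {
    "95170338ff95db78f6dd38f2a2d1d4cdf3123621f60686f47fddeb21896c3994",
    "6692c2d08f94faa2e073981897465ff380fd4a6422d41f3b14fe5542da86d87e",
    "93890608a8e2f39564a1f72262ef002cdf32d574d1946b412934c4f9e2986d73",
    "af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7",
}


def sha256_hex(data: bytes) -> str:
    """Hash file contents the way a reputation service keys its database."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: one benign stand-in file, hashed at import time.
BENIGN_SAMPLE = b"MZ constructed benign sample for the example\n"
KNOWN_GOOD = {sha256_hex(BENIGN_SAMPLE)}


class Verdict(Enum):
    ALLOW = "allow"        # known good: run, no further monitoring
    BLOCK = "block"        # known bad: quarantine immediately
    MONITOR = "monitor"    # no verdict yet: run, but watch behaviour
    ASK_USER = "ask_user"  # suspicious and still no cloud verdict


def reputation(sha256: str) -> str:
    """Offline stand-in for the cloud lookup; returns 'bad', 'good' or 'unknown'."""
    if sha256 in KNOWN_BAD:
        return "bad"
    if sha256 in KNOWN_GOOD:
        return "good"
    return "unknown"


_VERDICT_FOR = {"bad": Verdict.BLOCK, "good": Verdict.ALLOW, "unknown": Verdict.MONITOR}
MODES = ("lookup_on_execute", "lookup_on_suspicion")


def on_execute(sha256: str, mode: str) -> Verdict:
    """Decision when a file not caught by signatures starts.

    "lookup_on_execute"   = approach 1: query the database for every unknown file.
    "lookup_on_suspicion" = approach 2: only monitor; the lookup happens later.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if mode == "lookup_on_execute":
        return _VERDICT_FOR[reputation(sha256)]
    return Verdict.MONITOR


def on_suspicious_behaviour(sha256: str, mode: str) -> Verdict:
    """Decision when the behaviour blocker flags a monitored process.

    Both approaches consult the database at this point; with no verdict the
    user is asked. Under approach 1 a known-bad file never gets this far.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    rep = reputation(sha256)
    if rep == "bad":
        return Verdict.BLOCK
    if rep == "good":
        return Verdict.ALLOW
    return Verdict.ASK_USER


def timeline(data: bytes, mode: str) -> list:
    """Verdicts over a file's life: at launch, then when it acts suspiciously."""
    digest = sha256_hex(data)
    first = on_execute(digest, mode)
    if first in (Verdict.ALLOW, Verdict.BLOCK):
        return [first]  # decided at launch, the process never runs monitored
    return [first, on_suspicious_behaviour(digest, mode)]
```

Under "lookup_on_suspicion" a file whose hash is already on the denylist still gets MONITOR at launch and is only blocked once the blocker sees something it dislikes; under "lookup_on_execute" the same hash is blocked before the process runs. Unknown files end in ASK_USER under both modes, which is the hassle trade-off the thread discusses.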
  11. Hello Fabian, how does Emsisoft now handle fileless infections? Did something change in Emsi 11, and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection? Can Emsi now scan all the content of the memory, independent of whether it's used by loaded files or not? Thank you
  12. I still think this system has something "weird", but I will trust you and "live" with it. Thank you for your help! Bye
  13. Does your laptop have 2 video cards (e.g. one on the motherboard and one in a slot)? I just saw that disabling one speeds up the boot process (somehow Windows had them both enabled). Do advanced malwares, say APTs, also always leave some traces on the HD that show up in the Farbar, Emsi, AVZ logs?
  14. Kevin, I hope you are right. I had many weird happenings with this laptop. I just reinstalled everything. Boot time is as before, but I hope an update will solve it since it's not caused by malware. Thank you for your time and help! Bye
  15. Kevin, have you ever not "seen" a new malware or its signs with Farbar, or is there always something in the 2 reports? Thank you and have a nice weekend
  16. If the BIOS and MBR are fine, and the HD is fine, why doesn't a Win 10 refresh, even before updating, solve the problems? About the winlogon.exe error, I don't have 2 OSes on my laptop. I just have 2 partitions, 1 for Win 10 and 1 for my data, no OS. What should I do?
  17. My problem is this is the only device with these issues... and I just refreshed Windows... all the others, with the same programs (now actually they have way more programs at startup), are way faster at boot, no issues at all till now...
  18. I don't know what to do anymore. I have 5+ systems... all work fine, load normally and way faster than this laptop. This laptop was and should be the fastest. I tried all I know, nothing helped. Even a Win refresh didn't bring any change, but... the .exe signature warning, problems scanning with AVZ, installing Emsi etc. ... All but one of the other systems are older, with "cheaper/lower" components. All have Emsi, Win 10, and are updated daily. Only this one has problems. An unknown malware is the only thing I can imagine. BTW, thank you for staying online with me today!
  19. Sure it is read, but before or after a boot DVD? If I boot from DVD, can I scan the MBR from a safe environment before the MBR is loaded (e.g. by the BIOS)?
  20. Kevin, if you check my messages above you'll see something is very weird. After refreshing Win 10, I cannot install Emsi or run AVZ. I got a weird Windows signature error message and the boot time is still extremely slow... Please tell me what I can do to find out what it is and to fix it. Thank you
  21. 1- After a Win refresh, shouldn't the laptop boot faster? 2- What about the error message below when booting with the Win 10 DVD (created with the Media Creation Tool and used to install Win 10 on the same device before) to try to refresh Windows? Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe 3- If I boot from an AV boot CD/DVD, is the HD MBR loaded before or after the DVD / the AV on the DVD? 4- I deleted the incomplete Emsi IS installation using the Emsi clean tool. Rebooted but still cannot install Emsi, same error message. Last question: before I repair/fix the MBR, do you want me to copy it for further analysis? Is Emsi MBRMaster Win 10 compatible, and does it copy the whole MBR/VBR (also if with malware)? Is it a good program for this, or what do you recommend?
  22. What about the error message below when booting with the Win 10 DVD (created with the Media Creation Tool and used to install Win 10 on the same device before) to try to refresh Windows? Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe What can it be and how do I solve it? After a Win refresh, shouldn't the laptop boot faster? If I boot from an AV boot CD/DVD, is the HD MBR loaded before or after the DVD / the AV on the DVD? Does it help to boot from a boot DVD to scan the MBR and detect malware in the MBR/VBR? Last question: before I repair/fix the MBR, do you want me to copy it for further analysis? Is Emsi MBRMaster Win 10 compatible, and does it copy the whole MBR/VBR (also if with malware)? Is it a good program for this, or what do you recommend? Thank you P.S. I ran Farbar; AVZ could update, but soon after starting to run standard script 2, "a problem caused the program to stop working correctly". I decided to (re)install Emsi IS (after refreshing Win 10 and running Farbar and AVZ). Soon after start, BSOD, Windows is collecting info (a few seconds) and restarted. As far as I could see the error was in epp.sys. What's going on here??? FRST.txt Addition.txt
  23. On the weekend I decided to refresh Windows 10. I used the DVD created with the Windows Media Creation Tool some months ago when I updated from Win 8.1 to Win 10. I used this DVD to install Win 10 a few months ago. When I booted from the DVD I got an error message twice. Error 0x0000428 The digital signature cannot be verified C:\windows\system32\boot\winload.exe I pressed F8 to fix it but nothing happened... only a quick refresh of the same window. I then used another DVD created the same way on another laptop and refreshed Windows. Unfortunately, same long boot time with a long black window. P.S. Doesn't repartitioning the HD "force" the creation of a new MBR? Or only a new FAT but not the VBR etc.?
  24. If I boot from an AV boot CD/DVD, the HD MBR is loaded before the DVD, correct? So booting from CD doesn't really help too much to detect an MBR/VBR infection, or? Imagine I have an unknown/undetected MBR/VBR infection, what would be the safest way to reinstall? If I delete the partition booting from a DVD, create a new one, maybe 2, and reinstall Windows, should I be safe / have deleted the malware? Or - how would you proceed? - What programs would you use? I'm asking because this laptop has had something for some time and, if memory serves me, installing Win 10 didn't help. This laptop was very fast and still is after boot.
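The "copy the MBR for analysis" and "check it for infection" questions in posts 21 to 24, as an added example that is neither the poster's nor Emsisoft's code (it does not replace MBRMaster or any other tool named in the thread): a parser for the 512-byte master boot record that checks the 0x55AA boot signature, walks the four partition entries, reports structural anomalies, and hashes the boot-code region so a captured sector can be compared with a known-good copy before anything rewrites it. The sample sector is constructed inline for the example; `snapshot_first_sector` is the only function that touches a real device and the device path it takes is an assumption about the caller's system ("/dev/sda" on Linux, the raw physical drive on Windows, both need administrator rights). One caveat worth stating plainly: a sector read from inside a booted, possibly infected Windows can be filtered by a bootkit that hooks disk access, so a copy taken from clean boot media, where the BIOS has loaded only the media's own boot code, is the one to trust.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable sector
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample for this example: placeholder boot code, one active
    NTFS (0x07) partition starting at LBA 2048, three empty entries, signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (TABLE_OFFSET - 3)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, partition table, boot-code hash and anomalies."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    partitions, findings = [], []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused entry
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if lba == 0:
            findings.append(f"entry {i}: starts at sector 0 (overlaps the MBR)")
    if sum(p["active"] for p in partitions) > 1:
        findings.append("more than one active partition")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    return {
        "signature_ok": signature_ok,
        # Hash only the code region: the partition table legitimately changes
        # when you repartition, the boot code should not.
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "findings": findings,
    }


def boot_code_changed(sector: bytes, known_good_boot_code_sha256: str) -> bool:
    """True when the boot code differs from a previously recorded good hash."""
    return parse_mbr(sector)["boot_code_sha256"] != known_good_boot_code_sha256


def snapshot_first_sector(device_path: str, out_path: str) -> str:
    """Copy sector 0 of device_path raw to out_path and return the SHA-256 of
    the whole sector. device_path is an assumption about the caller's system
    (e.g. "/dev/sda"); reading it requires administrator/root rights."""
    with open(device_path, "rb") as dev:
        sector = dev.read(SECTOR)
    with open(out_path, "wb") as out:
        out.write(sector)
    return hashlib.sha256(sector).hexdigest()
```

Keep the raw 512-byte copy and its hash before repairing the MBR: the parser only spots structural oddities, and a bootkit that leaves the partition table intact shows up only as a boot-code hash that no longer matches the one recorded from a known-clean install.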