pallino

Everything posted by pallino

  1. Fabian, thank you. Is there a way to know if it is accessing the firmware? Maybe a specific alert before an access, and so maybe before a flashing, would help.
  2. The difference is that with a direct disk access warning only, many users won't understand exactly what's going on and will allow it; with a BIOS/firmware-specific alert many will know exactly what's going on and block it, as most of the software they are running has nothing to do with BIOS or firmware.
  3. Having access to the PC is another story. I'm talking about a user that gets his PC without malware and wants to keep it this way. If the government wants to spy, I don't have anything to hide. I wouldn't like it, but I can live with it if it helps to get the bad guys. What I DON'T want at all is bad guys on my PC/network... I think it won't take long before they "copy & change a little" the advanced state malware and use it against "normal" targets. If Emsi's BB warns with a "direct disk access" warning, it's good! ...but in my opinion not enough, since many programs want it. As suggested before, a special module would be better, something that alerts "a program wants to access the BIOS, the USB, HD, etc. firmware; do you want to send it first to EMSI for analysis? Do you really want to install it?"
  4. That's another problem that SW (probably) cannot solve (or it's very, very difficult). I just suggested a specific module, like the banking one, just for "BIOS and firmware block": if a program tries to access them or to change them, the user should be alerted/the action blocked unless approved after an online scan.
  5. I hope the above are already detected, since apparently VT never saw them... and so EMSI (at least no signatures are available). If I have time I'll try to find the files and check them on VT. I really hope you have them, since other researchers already have them and their SHA256 or MD5...
  6. As of now I'm not really concerned (but wouldn't like it) about being infected by state trojans, since I'm far from being a "target" for them... and even if I were, I don't have things to hide from them... What scares me is that, as we know malware writers, they will try to get these malwares, study them, disassemble them, change them a little to avoid (at least signature) detection and use them for their purposes... it's just a question of time... little time in my opinion. Even I could super easily find a copy of FinFisher/FinSpy, even without looking for it but just for info about it! That's why I hope that AV, EMSI, will be proactive and develop BIOS/firmware-specific protection modules that alert as soon as a SW tries to write the BIOS/firmware.
  7. ...and unfortunately I was right... state trojans that infect BIOS and firmware are not PoC but are real and were created and used years, sometimes a decade, ago... apparently they were/are used only on few targets, but who knows, and who wants to risk it or likes to get infected? I also think that soon malware writers will decode these state trojans and create some similar, advanced malware to infect "standard computers". I hope again that AV will be proactive and develop BIOS/firmware-specific protection modules that alert as soon as a SW tries to write the BIOS/firmware (at least until HW manufacturers implement safer firmware and a jumper/DIP switch to prevent unauthorized flashing). I built a new desktop and updated the BIOS. The update program immediately froze the computer and was not blocked by EMSI. I thought Emsi would alert me that a program wanted to update the BIOS and ask me if I wanted to allow or block it... btw I just read http://forums.theregister.co.uk/forum/1/2015/03/19/cansecwest_talk_bioses_hack/ ... scary... thank you
  8. Hjlbx, Peter2150, thank you for sharing it. Fabian, appreciate the sincere answer. Did you check the MD5 above? Even if EMSI is not specialized in state trojans, I think it should detect/protect from as many as possible.
  9. Luckily it didn't come back. The below is still there; anything to be worried about?
     Error: (03/18/2015 09:02:11 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
     thank you!
  10. Hello Hjlbx, thank you for the clear and informative answer. I also thought about AppGuard, as well as VoodooShield or SecureAPlus... still trying to find out the differences and what to use. Do you know them? What defense SW do you use when you test malware (on the host)? EMSI AM and AppGuard + VM/Sandboxie, or maybe also anti-exploit+++? I can live with alerts and lower performance; I prefer a Fort Knox configuration, since I prefer to prevent than to cure. Emsi Team, looking for info about the state trojans I found some MD5s that apparently VT never saw... I hope they are not FP and this helps you to find them! Does Emsi detect them?
      a3915d7e41eb51ba07a2ae5e533e0673 (on VT but 0 detections)
      75BF51709B913FDB4086DF78D84C099418F0F449 (never uploaded)
      7F266A5E959BEF9798A08E791E22DF4E1DEA9ED5 (never uploaded)
      C2CE95256206E0EBC98E237FB73B68AC69843DD5
      91961aad912dc790943a1cb23b6e8297
      f6a793a177447e3cab4108a707db65cd
      4faeaed1065815e40bc7c4d9b943f439
      3a7ef9a8c216bcdbbfecef934196d9c1
      b7f54924450ae0675ce67c5edad1f243
  11. Fabian and hjlbx, thank you! EMSI Team, great job if BB could block them all before signatures were released!!!! I knew about Detekt, but also that it might produce FPs and that it only detects a few and older state trojans. I asked about additional SW to check for these infections and to prevent these infections, since unfortunately no program detects 100% of malware, and always. I'm looking for an excellent NIPS or a HIPS to add to the AV that might alert if something suspicious is getting in or out of the system (or other SW that might increase the security of my system, even if with some more alerts and FPs). Any suggestions? thank you
  12. So, what do I do? All other log lines are fine? Thank you
  13. Hi Emsi Team, how good are Emsi products at protecting a clean computer from government trojans such as Regin, Babar, FinFisher/FinSpy, Gh0st, BlackShades, Remote Control System of Hacking Team, Casper, and malware of the Equation Group? Do EMSI IS and EAM detect all the above ones? (On VirusTotal I just saw Emsi apparently does not detect 2 FinSpy ones, MD5 2d5c810035dc0f83036fb12e8775817a and 434b83eba7619cb706492ff019ade0d5.) Did the BB detect them before signatures were available? How well can EMSI IS and EAM detect them on an infected system? What additional SW (if any) do you recommend installing to check for these infections and to prevent these infections (or to get some alerts)? Thank you!
  14. Hi Kevin, I just waited some days and rescanned the computer. Just saw some items that look weird... can you please check the attached logs? Thank you. What are e.g. HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\09989326.sys? FF user.js: detected! => C:\Users\angel\AppData\Roaming\Mozilla\Firefox\Profiles\xbs92dq2.default\user.js [2015-02-09]. Thank you. P.S. Do you recommend or have you something against using Detekt to check for government trojans? Do you recommend other tools? Attachments: Addition.txt, FRST.txt, virusinfo_syscheck.zip
  15. Is there a way to be sure all is right/to check the official number of malware signatures? Today I have 7 359 610, got less after every single update since 4-3-15... just to be sure nothing altered EMSI or my laptop. thank you
  16. But they were apparently FPs (no detection on VT nor on other URL test sites)... and were not opened by me... was repubblica.it hacked, or were some ads on the page malware? Today I checked again, just opened http://www.repubblica.it/esteri/2015/03/09/foto/alla_deriva_su_un_blocco_di_ghiaccio_salvataggio_estremo_sul_lago_michigan-109124957/1/#1 and enabled all scripts on the page (to be able to see the images) and got new alerts... no detection on VT... weird... Are these FPs, or is something wrong on my laptop (considering the issues with KIS and these)? thank you
  17. Thank you. So now/in the future, is the decision taken based on EMSI's database of programs, on the level of danger of the detected behavior, or on what? So Emsisoft Anti-Malware Network = ? Will EMSI AM and IS not check the Emsisoft Anti-Malware Network anymore, or will it change its meaning? Thank you as usual for your answers!
  18. Hi EMSI Team, I read that with the last update to 9.0.0.4985 you improved the update process and optimized the database. In the last 3 days I saw that the number of malware signatures is decreasing (e.g. from 7 409 462 to 7 383 053 today)... just to be sure, is this due to the optimization, or is this not normal (on my system)? thank you!
  19. Dear EMSI Team, what does it mean exactly that you use the Bitdefender engine? Do you have the same scan engine as Bitdefender? Do you use their signatures and also the heuristics of BD, or also other features/options? Do you also get their signatures as soon as they are released? thank you!
  20. Fabian, can you please explain why a full scan is a waste of time? thank you
  21. I installed EMSI IS now and got away from the SSL issues, but also got something when opening some images on www.repubblica.it. Attachments: Addition.txt, FRST.txt
  22. I wasn't sure this would be enough (in the comments on the blog post "What’s the point of having a firewall" it seemed to be more difficult)! thank you!
  23. All, thank you for your answers! I also prefer to decide on my own... in the end. As said, best would be to get a suggestion based on the Emsisoft Anti-Malware Network and to ask the user if it accepts it (will this be available in the future?). Just to be sure:
      - Emsisoft Anti-Malware Network = EMSI database about how other users decided in the same situation/for the same program.
      - As Fabian said, first the Emsisoft Anti-Malware Network is queried. What happens then? If enough users (90 percent by default) took a specific action, does it automatically apply that action? Is this correct?
      Thank you
  24. Please find them attached (same as in the attachments of posts 91 and 96). I checked and I still get the alert below even after uninstalling KIS and restarting many times:
      Error: (03/05/2015 09:17:58 PM) (Source: Application Popup) (EventID: 1060) (User: ) Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
      uteyndy4.sys is not on my system and I cannot find it on google.com... thank you
  25. Why do I get these authenticity alerts only on this laptop and not on the other 3 PCs and 2 devices connected to the same router (1 through Ethernet and all the others through WiFi, like this laptop)?
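The two FRST "Error:" entries quoted in posts 9 and 24 above share one layout (timestamp, Source, EventID, User, Description), and the WinMgmt one has its namespace, WQL query and HRESULT run together with no separators, which is why the text reads "CIMV2SELECT" and "> 990x80041003". The following Python is an added example, not code from the posts, from FRST or from Emsisoft: it parses such lines, pulls the trailing HRESULT off the WMI description (0x80041003 is WBEM_E_ACCESS_DENIED in wbemcli.h), and extracts the blocked driver path from the EventID 1060 popup. The two sample lines are copied from the posts; the HRESULT table is a small hand-picked subset, and the function names are my own.

```python
import re
from datetime import datetime

# Sample input, copied from the two FRST excerpts quoted in posts 9 and 24
# (constructed for this example; the forum flattened the multi-line event text).
SAMPLE_LINES = [
    'Error: (03/18/2015 09:02:11 PM) (Source: WinMgmt) (EventID: 10) (User: ) '
    'Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 '
    'WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003',
    'Error: (03/05/2015 09:17:58 PM) (Source: Application Popup) (EventID: 1060) (User: ) '
    'Description: \\??\\C:\\Windows\\SysWow64\\Drivers\\uteyndy4.sys has been blocked from loading '
    'due to incompatibility with this system. Please contact your software vendor for a compatible '
    'version of the driver.',
]

# One FRST event-log entry: "<Level>: (<ts>) (Source: X) (EventID: N) (User: U) Description: ..."
ENTRY_RE = re.compile(
    r'^(?P<level>\w+): \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]+)\) '
    r'\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\) Description: (?P<desc>.*)$',
    re.S,
)

# Hand-picked subset of WMI HRESULTs from wbemcli.h (assumption: only these are mapped).
WBEM_HRESULTS = {
    0x80041001: "WBEM_E_FAILED",
    0x80041002: "WBEM_E_NOT_FOUND",
    0x80041003: "WBEM_E_ACCESS_DENIED",
    0x80041010: "WBEM_E_INVALID_CLASS",
}


def parse_frst_error(line):
    """Split one FRST 'Error:' line into its fields; None if it is not one."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return {
        "level": m["level"],
        "timestamp": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "source": m["source"],
        "event_id": int(m["eid"]),
        "user": m["user"].strip() or None,
        "description": m["desc"],
    }


def split_wmi_description(desc):
    """WinMgmt EventID 10 text is namespace + WQL + HRESULT with no separators.
    Peel the 8-hex-digit HRESULT off the end first, so the fused '> 990x80041003'
    becomes '> 99' plus 0x80041003; then split the namespace at the first SELECT."""
    m = re.search(r'(0x[0-9A-Fa-f]{8})\s*$', desc)
    hresult = int(m.group(1), 16) if m else None
    body = desc[:m.start()] if m else desc
    ns = re.match(r'(//\./root/\w+?)(SELECT\b.*)$', body, re.S | re.I)
    namespace, query = (ns.group(1), ns.group(2)) if ns else (None, body)
    return {
        "namespace": namespace,
        "query": query.strip(),
        "hresult": hresult,
        "hresult_name": WBEM_HRESULTS.get(hresult, "unknown"),
    }


def blocked_driver_path(desc):
    """Driver path from an 'Application Popup' EventID 1060 description, or None."""
    m = re.match(r'(\\\?\?\\\S+?\.sys) has been blocked from loading', desc)
    return m.group(1) if m else None


def triage(lines):
    """Parse every FRST error line and attach the event-specific decoding."""
    out = []
    for line in lines:
        e = parse_frst_error(line)
        if e is None:
            continue
        if e["source"] == "WinMgmt" and e["event_id"] == 10:
            e["wmi"] = split_wmi_description(e["description"])
        elif e["source"] == "Application Popup" and e["event_id"] == 1060:
            e["driver"] = blocked_driver_path(e["description"])
        out.append(e)
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES):
        print(entry["timestamp"], entry["source"], entry["event_id"],
              entry.get("wmi") or entry.get("driver"))
```

With the HRESULT and the query separated it is easy to see that the WinMgmt entry is a permanent event consumer query being refused (access denied), not a detection; the driver entry, by contrast, yields a concrete file path that can be searched for on disk and in the other FRST sections.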