Amir

Member
  • Content Count: 146
  • Community Reputation: 2 Neutral

About Amir
  • Rank: Forum Regular
  • Birthday: April 20

Profile Information
  • Gender: Not Telling
  1. Thank you. Let's see what their opinion is about this malware and the technique it uses.
  2. Here is the VirusTotal link: https://www.virustotal.com/gui/file/045328f8848ef588fb8af4e635b1d06e7facb2e5e8221bc4e258ec55714dbd2c/detection
  3. Hi. This was done by my friend on Malwaretips:

     "One weakness I've found in Behavior Blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well known) process to do your dirty work. If you use something too popular like PowerShell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.js runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.

     This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:
       • Finds a copy of 7-Zip. It prefers "C:\Program Files\7-Zip\7z.exe", as long as you have installed a native copy of 7-Zip (e.g. 64-bit on 64-bit Windows). Otherwise it uses a 7z.exe in your current folder, which I've bundled as simply a copy of my 7-Zip folder on my development machine. Both copies of 7-Zip are official shipping versions, which means they're both signed as well as considered high-reputation by cloud lookup.
       • Looks for "My Documents\test" (to restrict it from being ACTUAL ransomware) and loops through every file in there.
       • Runs "7z.exe a -tzip -pransom -sdel FOO.encrypted FOO" for each file you have. This puts it in a zip file with password "ransom" and instructs 7-Zip to delete the original file.

     And all files got ENCRYPTED! (Emsisoft Anti-Malware 2020.2)

     Conclusions: This is a really, really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability. It wouldn't be impossible to distance the untrusted process further from 7z.exe, for example with scheduled tasks or startup items, or using a process to launch a process, etc.

     So consider this a dumb "5 minute" approach (that's literally how long it took for me to write this) to replicate an in-the-wild ransomware strategy."

     Only Kaspersky could block the attack. Improve the behavior blocker.
  4. I understand what you say, but that PowerShell had ransomware-like behavior and should have been blocked by the BB.
  5. Also, you can see the test here: https://malwaretips.com/threads/amirs-09-01-2020-12.97712/#post-852709
  6. Sorry, I totally forgot 😁 INFECTED20. After you've checked them, could you please explain why this happened? I've always believed in the EAM Behavior Blocker, especially against ransomware.
  7. Of course. I think that user sent them to you and now you've added signatures, but the behavior blocker did nothing at that moment. https://www.upload.ee/files/10953237/12_new_malware_09.01.2020.rar.html
  8. Hi. I found 12 malware samples, which I posted on Malwaretips. One of the members tested EAM with them: EAM detected 6 of them by signatures, and none of the 6 remaining items were blocked by the behavior blocker!! Unfortunately, files were encrypted by a ransomware. I think EAM could've done better, and Emsisoft is far from its good days. Hope Emsisoft gets to the top soon.
  9. Hi. I just found this on Malwaretips: "EAM against local malware behavior + HMPA to stop remote exploit code on all apps, Heimdal Security to protect DNS drops, stop phishing and botnet connections, and Binisoft WFC to erase common weak MS firewall rules and recreate your personal rules with hard policies. It's the only way in which I can use Emsisoft, because it is not a complete security suite and is weak in other combats." It was one of the members' opinions, and it got me really curious about how good EAM is at network protection and at protecting the PC against botnets, exploits, etc.?? I think Emsisoft is already the best AV for local malware protection thanks to its great BB, and you should just focus on features for making EAM better in network protection in the next versions (like you did before; the Emsisoft web extension was a big move).
  10. Fixed automatically!! Now it's running smoothly.
  11. Hi. I received the 2020.1 version just now and ran a quick scan. After that, the scan was stuck at 74% and the indicator was stuck too for 10 minutes, and EAM was using 54% CPU. I had to restart my laptop. After restarting my laptop, I ran a custom right-click scan (6 files); scan speed is extremely low.
  12. Hi. As I believe that Emsisoft respects its customers' feedback, I'm gonna give you some suggestions for new features: 1. Please add an "Add to quarantine" option in the right-click options. 2. Please add a "Submit file" option in the right-click options (I know it can be submitted through this forum or the Emsisoft site, but an in-app option would be much easier for non-advanced users). And I ask for some changes in the UI: at least change the tray icon. It doesn't look appropriate for a strong anti-malware; it seems like it's for a second-opinion scanner or something, and it doesn't introduce EAM as a strong protection (I just say what I feel about it). What about a blue "E" or "Emsi" or whatever else?
  13. I see, but isn't it better if you add botnet protection as a separate component?
  14. Hi there, I'm back after 2 years 😀. I was comparing Emsisoft with Eset on Malwaretips, and one of the members said something I'm not sure is true: "...and it has botnet detection etc. which I am pretty sure Emsisoft doesn't have." Does Emsisoft really not detect botnets?