
Amir

Member
  • Posts: 147
  • Joined
  • Last visited

Posts posted by Amir

  1. Hi

This was done by my friend on Malwaretips

''One weakness I've found in behavior blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well known) process to do your dirty work.

If you use something too popular like PowerShell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.JS runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.

    This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:

1. Finds a copy of 7-zip. It prefers "C:\Program Files\7-Zip\7z.exe", as long as you have installed a native copy of 7-zip (e.g. 64-bit on 64-bit Windows). Otherwise it uses a 7z.exe in your current folder, which I've bundled as simply a copy of my 7-zip folder on my development machine. Both copies of 7-zip are official shipping versions, which means they're both signed as well as considered high-reputation by cloud lookup.
    2. Looks for "My Documents\test" (to restrict it from being ACTUAL ransomware), loops through every file in there.
    3. Runs "7z.exe a -tzip -pransom -sdel FOO.encrypted FOO" for each file you have. This puts it in a zip file with password "ransom" and instructs 7zip to delete the original file.

    And all files got ENCRYPTED! (Emsisoft Anti-Malware 2020.2)

    Conclusions:


    This is a really really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability.

It wouldn't be impossible to distance the untrusted process further from 7z.exe. For example, scheduled tasks or startup items, or using a process to launch a process, etc. etc. etc. So consider this a dumb "5 minute" approach (that's literally how long it took me to write this) to replicate an in-the-wild ransomware strategy.''

Only Kaspersky could block the attack.
Improve the behavior blocker.
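The detection side of the POC above, as an added example that is not part of the original post, the quoted friend's code, or Emsisoft's product. It scores 7-Zip process launches on the two things the post calls out: a password switch together with -sdel on the command line, and 7z.exe being launched directly by an untrusted parent. It also flags the file-by-file loop as a burst of launches from one parent PID. The record fields (modelled on Sysmon Event ID 1 / EDR process-creation telemetry), the parent-process allowlist, the burst threshold and the sample events are all assumptions constructed for this example.

```python
"""Flag 7-Zip archive-and-delete launches that look like the TrojanZipperPOC pattern.

Each record carries ParentImage, ParentProcessId, Image and CommandLine, the
fields a Sysmon Event ID 1 or EDR process-creation event would give you
(assumed layout). SAMPLE_EVENTS below are constructed for this example.
"""
import re
from collections import defaultdict

SEVEN_ZIP_IMAGES = {"7z.exe", "7za.exe", "7zg.exe"}
# Parents from which a person normally launches 7-Zip by hand (assumption;
# tune to your estate, e.g. add build tools that legitimately script 7-Zip).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
BURST_THRESHOLD = 5  # -sdel launches from one parent PID before we call it a loop


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted chunks together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_7z(argv):
    """Return (is_add, has_password, deletes_source) for a 7z argv."""
    if len(argv) < 2:
        return False, False, False
    switches = [a.lower() for a in argv[2:] if a.startswith("-")]
    is_add = argv[1].lower() == "a"                           # 'a' = add to archive
    has_password = any(s.startswith("-p") for s in switches)  # -p{password}
    deletes_source = "-sdel" in switches                      # delete files after archiving
    return is_add, has_password, deletes_source


def score_event(ev):
    """Return (severity, reasons) for one process-creation record."""
    if basename(ev["Image"]) not in SEVEN_ZIP_IMAGES:
        return "none", []
    is_add, has_password, deletes = analyze_7z(tokenize(ev["CommandLine"]))
    severity, reasons = "none", []
    if is_add and has_password and deletes:
        severity = "high"
        reasons.append("password-protected archive with -sdel: the original is deleted")
    elif is_add and deletes:
        severity = "medium"
        reasons.append("-sdel: 7-Zip deletes the source after archiving")
    parent = basename(ev["ParentImage"])
    if parent not in EXPECTED_PARENTS:
        # Context only: scripts do run 7-Zip, so an odd parent never raises
        # severity by itself; it is reported next to the command-line reasons.
        reasons.append(f"launched directly by unexpected parent {parent}")
    return severity, reasons


def detect(events):
    """Return [(index, severity, reasons)] for events worth an alert.

    Medium/high events are reported one by one; a run of -sdel launches from
    the same parent PID adds a 'burst' reason, which is what the POC's
    one-7z.exe-per-file loop looks like in telemetry.
    """
    alerts = []
    sdel_runs = defaultdict(int)
    for i, ev in enumerate(events):
        severity, reasons = score_event(ev)
        if severity in ("medium", "high"):
            ppid = ev["ParentProcessId"]
            sdel_runs[ppid] += 1
            if sdel_runs[ppid] == BURST_THRESHOLD:
                reasons.append(f"burst: {BURST_THRESHOLD} -sdel launches from parent pid {ppid}")
            alerts.append((i, severity, reasons))
    return alerts


# Constructed sample telemetry: two benign launches, then the POC loop.
_SEVEN = r"C:\Program Files\7-Zip\7z.exe"
_DOCS = r"C:\Users\u\Documents\test"
_VICTIMS = ["report.docx", "budget.xlsx", "notes.txt", "photo.jpg", "thesis.pdf", "keys.kdbx"]

SAMPLE_EVENTS = [
    # Benign: user right-clicked a folder in Explorer and chose "Add to archive".
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1200,
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" a -tzip "C:\Users\u\Desktop\photos.zip" "C:\Users\u\Pictures"'},
    # Benign: admin backup from a shell, no password, no -sdel.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 3100,
     "Image": _SEVEN,
     "CommandLine": f'"{_SEVEN}" a -t7z -mx=9 D:\\backup\\data.7z C:\\data'},
] + [
    # The POC pattern: one 7z.exe per file, password set, source deleted.
    {"ParentImage": r"C:\Users\u\Downloads\TrojanZipperPOC.exe", "ParentProcessId": 4242,
     "Image": _SEVEN,
     "CommandLine": f'"{_SEVEN}" a -tzip -pransom -sdel "{_DOCS}\\{name}.encrypted" "{_DOCS}\\{name}"'}
    for name in _VICTIMS
]

if __name__ == "__main__":
    for index, severity, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}: {severity}: " + "; ".join(reasons))
```

The two benign launches produce no alert; each of the six POC launches is rated high on the command line alone, and the fifth one also carries the burst reason. The post's point about distancing the launch through a scheduled task or an intermediate process is exactly why the parent check is only context here: a rule that keys on the parent alone is the one that is trivial to evade, while -p plus -sdel on the command line, and the per-parent burst, survive that indirection.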
  2. 11 hours ago, Elise said:

    Unfortunately I can't access that topic. I have checked the files and I suspect the issue is with the powershell script (mal.ps1). A script like that one is usually the result of being dropped by other malware or ending up on the system using exploit code, which will be blocked. To simulate that correctly in a test you would need to find out what malware dropped this script and run that instead.

    I understand what you say

But that PowerShell script had ransomware-like behavior and should have been blocked by the BB.

  3. 1 hour ago, Amir said:

    Hi

I found 12 malware samples, which I posted on Malwaretips.

One of the members tested EAM with them; EAM detected 6 of them by signatures, and none of the 6 remaining items were blocked by the behavior blocker!! Unfortunately, files were encrypted by a ransomware sample.

I think EAM could've done better, and Emsisoft is far from its good days.

Hope Emsisoft gets to the top soon.

    Also you can see the test here:

    https://malwaretips.com/threads/amirs-09-01-2020-12.97712/#post-852709

  4. Hi

I found 12 malware samples, which I posted on Malwaretips.

One of the members tested EAM with them; EAM detected 6 of them by signatures, and none of the 6 remaining items were blocked by the behavior blocker!! Unfortunately, files were encrypted by a ransomware sample.

I think EAM could've done better, and Emsisoft is far from its good days.

Hope Emsisoft gets to the top soon.

  5. Hi 

    I just found this on Malwaretips :

"EAM against local malware behavior + HMPA to stop remote exploit code in all apps, Heimdal Security to protect against DNS drops, stop phishing and botnet connections, and Binisoft WFC to erase the common weak MS firewall rules and recreate your personal rules with hard policies. It's the only way in which I can use Emsisoft, because it is not a complete security suite and is weak in other combats."

It was one of the members' opinions, and it got me really curious about how good EAM is at network protection and at protecting the PC against botnets, exploits, etc.

I think EMSI is already the best AV for local malware protection thanks to its great BB, and you should just focus on features for making EAM better at network protection in the next versions (like you did before; the Emsisoft web extension was a big move).

  6. 5 hours ago, GT500 said:

    If you have any other security software installed, then that might contribute to slower scan speeds. Anything reading/writing data to the hard drive can also slow down scan speeds, as can anything using a lot of CPU time.

    If the issue is something reproducible, then I can let you know how to get us debug logs.

    It's running smooth now

  7. Hi

As I believe that Emsisoft respects its consumers' feedback, I'm gonna give you some suggestions.

    new features:

1_Please add an ''add to quarantine'' option to the right-click options.

2_Please add a ''Submit file'' option to the right-click options (I know it can be submitted through this forum or the Emsisoft site, but an in-app option would be much easier for non-advanced users).

And I'd ask for some changes in the UI:

At least change the tray icon; it doesn't look appropriate for a strong anti-malware.

It seems like it's for a second-opinion scanner or the like; it doesn't introduce EAM as a strong protection (I'm just saying what I feel about it).

What about a blue ''E'' or ''Emsi'' or whatever else?

  8. 44 minutes ago, GT500 said:

    Not in such a way that EAM would notify you that your computer is connecting to a botnet. That being said malware would be doing this and EAM should detect the malware (at the very least with the Behavior Blocker), and if we know the address of the command and control server EAM can block that with Surf Protection.

I see, but

isn't it better if you add botnet protection as a separate component?

  9. 14 hours ago, GT500 said:

    Well, that might explain the log entries then.

    Technically we can't provide support for using our software along with a pirated edition of Windows. Even if it weren't for the legal issues, we have no way of knowing how the Operating System has been modified, and thus we can't guarantee that our software will work as expected on it.

    That being said, I suspect that the issue is a combination of the hardware (Celeron processors are budget processors and aren't intended to be fast, plus the system only has 2GB of RAM which is really only enough for Windows itself to run smoothly in) and the fact that there are more than three security softwares on the computer all using resources on startup. This is more than likely slowing down the initialization of our update process (it will start after 5 minutes if system load doesn't drop to 20% or lower within that period of time), and the service may also not be able to load the database in to memory any faster than that as well if there's too much hard drive activity.

    I understand

    Thank you for your assistance 

  10. 12 hours ago, GT500 said:

    Let's try getting a diagnostic log. Please download the Emsisoft Diagnostic Tool from the following link, and open/run it:
    http://cdn.emsisoft.com/EmsiDiagTool.exe

    When it runs, Windows will ask you if you want to allow it to make changes to your computer. Please be sure to click 'Yes', as this grants the tool the administrative rights it needs to be able to collect some of the diagnostic information. The tool will not make any permanent changes to your computer.

    After the Emsisoft Diagnostic Tool runs, simply click "Next" at the bottom, and it will begin collecting diagnostic information and saving it to a log file on your Desktop.

    Note that the tool can take a few minutes to finish, and it will appear to freeze for about a minute or two while running traceroutes to our update servers.

    When the Emsisoft Diagnostic Tool is finished, simply click 'Close' at the bottom, and there will be a file named "EmsisoftDiagLog". When you reply to my message, simply attach the "EmsisoftDiagLog" file to your reply.

Done ;). Here you are:

    EmsisoftDiagLog.txt

  11. On 1/5/2017 at 2:34 PM, GT500 said:

Let's try getting a diagnostic log. You can download the batch file for generating the log from this link, and there are instructions for running it at this link. Please be sure that you don't use the download link in the instructions, as it is out of date.

    When it's done, it will open a log in Notepad (as explained in the instructions). Please save this log somewhere easy to find, such as on your Desktop or in your Documents folder, and then send it to me in a Private Message so that I can take a look at it.

    Important: Don't post the log publicly. It contains a copy of your a2settings.ini file, which contains encrypted license information. If someone were to figure out how to break that encryption, then someone else could use your license key.

    I've sent it to you
