Fabian Wosar

Emsisoft Employee

Everything posted by Fabian Wosar

  1. I suggest having a quick read here: http://www.kernelmode.info/forum/viewtopic.php?f=2&t=4687 There is really nothing else to add. Just some cheats trying to pass off publicly available knowledge as groundbreaking and original research.
  2. It's actually not really a crash issue. But yes, I will keep you updated.
  3. If it works on your system, there is no need to change anything.
  4. Would you mind sharing the actual sample or alternatively the hash of the sample with us? It's hard to pull out a malware file from a screenshot.
  5. Hello Kate, I moved your thread into a more appropriate forum. We will require the malware file that encrypted your files in order to help. Can you check and post your Malwarebytes log by any chance? I can then tell you which of the files in your quarantine are the most likely candidates.
  6. Of course we can, and we do. There are plenty of applications out there that do what you want. We simply aren't one of them then. We have no plans to report back every single application you start to our servers to check its reputation. The BB intercepts the malware when it is about to do something harmful. Meaning: The BB will not let the malware do something harmful to your system. It steps in the moment it attempts to. At that time, nothing bad has happened to your system yet. The BB can't protect you before a file enters memory and starts executing because by the very definition of the word "behaviour" the file has to exhibit behaviour that can be monitored first, which implies that it actually gets the opportunity to run.
  7. Using CPU is not malicious. You watching a YouTube video causes a tonne of CPU usage by Chrome. Should we auto-quarantine Chrome now? You are also missing the whole cause and effect chain here. You assume we know the file has a bad reputation right from the get go, but we don't. The only reason we know it has that bad reputation is because you triggered a reputation check manually by looking at the list, as we do not do indiscriminate and automatic reputation lookups of all the programs you start. The only way to trigger an automatic reputation lookup is the application doing something to the system that we consider suspicious, and if that reputation check comes back as "bad", we do quarantine the file automatically.
  8. We do cache results. So if you ever had the file checked before, the returned verdict will be remembered, internet connection or not.
  9. Because it makes sense to display the reputation in an overview screen. It didn't. If it had, it would have blocked it. We reworked the overview screen to display processes that finished checking already immediately. That is why processes now pop up over time instead of the screen being empty for a minute and then populate all at once. Your process was simply checked as one of the first.
  10. Many different reasons. Most likely: It didn't do anything malicious because your system didn't meet the requirements or it was unable to talk to its C2 server. Not necessarily. We will discuss it internally.
  11. All applications running within the user context are being monitored by default. So as long as a user started it or a process that the user started started it, it is being monitored. When a process isn't being monitored, the process doesn't exist for the BB. No data is being gathered or processed for said process. Therefore, nothing will be detected by the BB.
  12. In general: The smaller the files you use, the better. Otherwise the verification of the keys will take longer the bigger the files are. Best results can be achieved with about 100 - 500 KB files.
  13. @gostevie, I just published a new version. Would you mind checking that new version? EDIT: Just tested it with your files. The correct key should be "4:2:Z_h_r_H_t_D_S_t_F_n_". Used the PF_2_File_001.jpg files you provided for the comparison. Results in 4 keys. The third one decrypts all the files you provided.
  14. It doesn't look like Globe to me. The PDF file in particular looks fully encrypted while Globe only encrypts the first 64 KB. Are there any ransom notes or anything else left that could give a clue? If not, it is likely Spora or alternatively PCLock. Could also be something entirely new as well.
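The post above tells Globe apart from fully encrypting families by whether only the first 64 KB of a file looks encrypted. The following triage helper is an added example, not Emsisoft's code: it compares the Shannon entropy of the first 64 KB with the rest of the file, using constructed sample buffers and an assumed 7.5 bits/byte threshold.

```python
import math
import random
from collections import Counter

GLOBE_HEAD = 64 * 1024  # the post states Globe encrypts only the first 64 KB


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encryption_profile(data: bytes, head_len: int = GLOBE_HEAD,
                       threshold: float = 7.5) -> str:
    """Classify a file body as 'partial' (only the head looks encrypted,
    Globe-like), 'full' (head and tail look encrypted) or 'plain' (neither).
    The threshold is an assumption; plain text sits far below it."""
    head = shannon_entropy(data[:head_len])
    if len(data) <= head_len:
        # Files no larger than the head cannot show a partial pattern.
        return "full" if head >= threshold else "plain"
    tail = shannon_entropy(data[head_len:])
    if head >= threshold:
        return "full" if tail >= threshold else "partial"
    return "plain"


# Constructed samples (seeded so the example is reproducible, not real victim files).
_rng = random.Random(1234)
PLAIN_TAIL = b"lorem ipsum dolor sit amet, consectetur " * 4096   # ~160 KB of text
SAMPLE_PARTIAL = _rng.randbytes(GLOBE_HEAD) + PLAIN_TAIL          # head-only encryption
SAMPLE_FULL = _rng.randbytes(GLOBE_HEAD + len(PLAIN_TAIL))         # whole-file encryption

if __name__ == "__main__":
    for name, buf in (("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL), ("plain", PLAIN_TAIL)):
        print(name, encryption_profile(buf))
```

Already compressed content (PDF Flate streams, JPEG, ZIP) is also high-entropy, so a "full" verdict on such files is only indicative; compare against a known-good copy of the same file where one exists.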
  15. It is FenixLocker. They switched to TEA and generate the key in a secure way now. Given that the RSA key they used to encrypt the generated keys is large enough to make brute force impractical, there is unfortunately nothing we can do in your case.
  16. To trigger the scan. I think we can argue about adding a way to quarantine selected processes from that screen. However, it is unlikely that we would do automatic quarantine in that particular case, because it would legitimately add nothing to the user's protection. Because they would have to have the screen open permanently for that, to trigger constant reputation checks of all processes.
  17. It's a purely informational screen. There isn't supposed to be functionality in there. The purpose is for the user to look up the status on the running processes. We aren't Emsisoft Anti-CPU Hog. CPU usage is not a malicious behaviour. If we quarantined your video encoder or your browser while watching an 8k video on YouTube you wouldn't be happy either.
  18. We could. But what good would such a function be? It would only be enabled if you have the screen open. That is why it makes no sense. What would make sense is to just check every process in the background permanently, but that is too big of an invasion of privacy for us to do.
  19. Which triggers the reputation check. Reputation is checked in exactly two situations: You go to the BB overview, which queries the running processes, or an application shows malicious behaviour, which triggers a cloud lookup as well. Only in the latter case is there an auto-quarantine.
  20. They don't trigger a reputation check. You trigger it manually. If those files had triggered it, they would have been quarantined. Which both doesn't qualify it as malicious behaviour, warranting an automatic cloud check and quarantining them. Yes, simply because they didn't do anything malicious yet. They are no longer functional because their C2 servers are taken down. We don't know they are malware yet. To do that, we would have to look up every process indiscriminately via the cloud, which is something we don't want to do.
  21. It's their shitty user application that does it. And no, NVIDIA doesn't sign all their components. That's why you get that autostart alert during every update. Because the component that does that isn't signed for example.