Fabian Wosar

Emsisoft Employee
  • Content count

    4800
  • Joined

  • Last visited

  • Days Won

    143

Fabian Wosar last won the day on January 31

Fabian Wosar had the most liked content!

Community Reputation

400 Excellent

4 Followers

About Fabian Wosar

  • Rank
    Forum Veteran
  • Birthday

Contact Methods

  • Website URL
    http://www.emsisoft.com
  • Skype
    fwosar

Profile Information

  • Gender
    Male

System Information

  • Operating System
    Windows 10
  • Firewall or HIPS Software
    Emsisoft Internet Security

Recent Profile Visitors

45207 profile views
  1. We do cache results. So if you ever had the file checked before, the returned verdict will be remembered, internet connection or not.
  2. Because it makes sense to display the reputation in an overview screen. It didn't. If it had, it would have blocked it. We reworked the overview screen to display processes that finished checking already immediately. That is why processes now pop up over time instead of the screen being empty for a minute and then populate all at once. Your process was simply checked as one of the first.
  3. We are not affected by cloudbleed. While we do use Cloudflare, only our static pages are routed through it. All shop transactions etc. are not going through Cloudflare. So even if data from our websites was exposed due to leaks, those would have been just page data that is available publically anyway. That being said, none of our data has been found in any of the search caches of the major search engines and our websites don't contain the invalid HTML code that triggers the bug to begin with.
  4. Many different reasons. Most likely: It didn't do anything malicious because your system didn't meet the requirements or it was unable to talk to its C2 server. Not necessarily. We will discuss it internally.
  5. All applications running within the user context are being monitored by default. So as long as a user started it or a process that the user started started it, it is being monitored. When a process isn't being monitored, the process doesn't exist for the BB. No data is being gathered or processed for said process. Therefore, nothing will be detected by the BB.
  6. In general: The smaller the files you use, the better. Otherwise the verification of the keys will take longer the bigger the files are. Best results can be achieved with about 100 - 500kb files.
  7. @gostevie, I just published a new version. Would you mind checking that new version? EDIT: Just tested it with your files. The correct key should be "4:2:Z_h_r_H_t_D_S_t_F_n_". Used the PF_2_File_001.jpg files you provided for the comparison. Results in 4 keys. The third one decrypts all the files you provided.
  8. It doesn't look like Globe to me. The PDF file in particular looks fully encrypted while Globe only encrypts the first 64 KB. Are there any ransom notes or anything else left that could give a clue? If not, it is likely Spora or alternatively PCLock. Could also be something entirely new as well.
  9. It is FenixLocker. They switched to TEA and generate the key in a secure way now. Given that the RSA key they used to encrypt the generated keys are large enough to make brute force impractical, there is unfortunately nothing we can do in your case.
  10. The file you provided is for Spora, not MRCR. Are you sure it's the correct file?
  11. To trigger the scan. I think we can argue about adding a way to quarantine selected processes from that screen. However, it is unlikely that we would do automatic quarantine in that particular case, because it would legitimately add nothing to the user's protection. Because they would have to have the screen open permanently for that, to trigger constant reputation checks of all processes.
  12. It a purely informational screen. There isn't supposed to be functionality in there. The purpose is for the user to look up the status on the running processes. We aren't Emsisoft Anti-CPU Hog. CPU usage is not a malicious behaviour. If we quarantined your video encoder or your browser while watching an 8k video on YouTube you wouldn't be happy either.
  13. We could. But what good would such a function be? It would only be enabled if you have the screen open. That is why it makes no sense. What would make sense is to just check every process in the background permanently, but that is too big of an invasion of privacy for us to do.
  14. Which triggers the reputation check. Reputation is checked in exactly two situations: You go to the BB overview, which queries the running processes or an application shows malicious behaviour, which triggers a cloud lookup as well. Only in the latter case there is an auto-quarantine.
  15. They don't trigger a reputation check. You trigger it manually. If those files had triggered it, they would have been quarantined. Which both doesn't qualify it as malicious behaviour, warranting an automatic cloud check and quarantining them. Yes, simply because they didn't do anything malicious yet. They are no longer functional because their C2 server are taken down. We don't know they are malware yet. To do that, we would have to look up every process indiscriminately via the cloud, which is something we don't want to do.