RichardBurt

Boot time scan


Is it possible to configure IS9 to run a full scan at system boot?

I have one machine that has *something* on it: incoming connections to svchost on port 17.

I've run AdwCleaner and RogueKiller on the system; various things were found and removed (initially RogueKiller kept crashing on explorer.exe).

Guest Tempus

Hello RichardBurt

If you mean whether Emsisoft Internet Security (Emsisoft Anti-Malware) has something like Avast's boot-time scan, then the answer is no. (Maybe Emsisoft Commandline Scanner could be an alternative.) If you think you have "something" / malware on your system, then create some logs (START HERE; if you don't, we are just going to send you back to this thread) and attach the logs to your post in the forum "Help, my PC is infected!". You will be in good hands and guided through by Kevin Zoll.


Some security suites start protection the instant your system begins to boot into Windows. Some give you an option whether or not to start real-time protection on start-up - I believe that is the question.


We already do that and already provide such an option ("Protect the computer even if no user is logged on"). So that is not it.

Other AVs like Avast provide a feature that enables an on-boot scan, which means that a scan can be scheduled before Windows loads. For more info you can visit their site.


Other AVs like Avast provide a feature that enables an on-boot scan, which means that a scan can be scheduled before Windows loads. For more info you can visit their site.

In the end only Richard knows, but he hasn't commented again. So we are all only guessing.


In the end only Richard knows, but he hasn't commented again. So we are all only guessing.

Jeje, however, can we expect that feature in future releases??? It would be great, as sometimes malware can prevent the AV from working.. a live CD would be good also.


Jeje, however, can we expect that feature in future releases???

I wouldn't hold my breath to be honest.

It would be great, as sometimes malware can prevent the AV from working.. a live CD would be good also.

It is unlikely. A solution based on Windows PE is too expensive to offer officially. A solution based on Linux would require us to port our entire code base to Linux first. You can create your own boot disk relatively easily though. EEK supports most of the Windows Live disks out there, like for example Bart PE. If you have an Enterprise version of Windows you can also use the Windows To Go feature that comes with Windows 8 and 8.1 Enterprise.


I wouldn't hold my breath to be honest.

It is unlikely. A solution based on Windows PE is too expensive to offer officially. A solution based on Linux would require us to port our entire code base to Linux first. You can create your own boot disk relatively easily though. EEK supports most of the Windows Live disks out there, like for example Bart PE. If you have an Enterprise version of Windows you can also use the Windows To Go feature that comes with Windows 8 and 8.1 Enterprise.

Well yes, that is true.. but it happens a lot that on infected machines EEK, for example, will not run; thank god there are tools like ComboFix or RKill to solve the issue. Last time I got a sample that was spreading via USB on the campus, I almost got infected but BB saved my life, but when trying to clean my mate's PC I noticed that the malware was preventing EEK from running.. after a process kill EEK was able to run. I have read that some malware uses the debugger function, like for example

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<AV VENDOR NAME>]
"Debugger"="ntsd -d"

and that entry is able to prevent the AV from running the next time the system reboots... so, if not caught by BB, how will EAM behave in that scenario.. and sometimes, for example, a ransom... what can we do there? I have seen some ransoms that are able to start in safe mode... so this is why I was complaining.

PS:

md5 for the file: 7cf97db53ff38e9b9b7a8a552e749c18

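A read-only check a defender can run to spot the Image File Execution Options "Debugger" hijack quoted in the post above. This is an added example, not code from the thread or from Emsisoft; the `<AV VENDOR NAME>` key name is a placeholder, and the removal command is left commented out so nothing is changed until an entry has been confirmed as malicious.

```powershell
# Added example: enumerate IFEO subkeys that carry a "Debugger" value.
# Windows launches the named debugger instead of the image, so an entry pointing at a
# debugger that does not exist or exits immediately silently blocks that program (an AV
# or EEK executable, for instance). Run from an elevated PowerShell prompt.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($base in $ifeoPaths) {
    if (-not (Test-Path $base)) { continue }
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $key.PSChildName   # executable name the key applies to
                Debugger = $dbg               # what Windows will launch instead of it
                Hive     = $base
            }
        }
    }
}

if (-not $findings) {
    'No IFEO Debugger entries found.'
} else {
    # Review every hit: legitimate tools also use this value, so judge by whether you
    # set it yourself. A value like "ntsd -d" on an AV image name matches the hijack above.
    $findings | Format-Table -AutoSize
    # Once an entry is confirmed as a hijack, remove only that value (placeholder key name):
    # Remove-ItemProperty -Path "$($ifeoPaths[0])\<AV VENDOR NAME>" -Name Debugger
}
```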

Easiest way is to just rename the EEK executable file to, for example, firefox.exe or iexplore.exe.

Believe that didn't work.... but I was talking about two different scenarios. With the registry key, yes, you are right, but with the sample mentioned EEK didn't run after the rename.


In general, things like these are always a cat and mouse game. Bad guys find a way to stop us, we will find a way to stop them from stopping us, and the entire ordeal starts again. The definitive solution is to use a boot disk. We don't provide one for the aforementioned reasons. As said before, EEK is compatible with various third-party boot disks. So your easiest solution, if you have to deal with ransomware infections on a regular basis, is to just create a Bart PE or any other kind of boot disk and put EEK on it.


Gads, have folks not heard about system imaging/backup? If you do that regularly and you are suspicious enough that you want to run scans at boot-up, you can just restore an image.


Well, we try to do our part by regularly offering bundles with various backup tools and highlighting the importance of backups in our blog articles. But most users think they don't need backups until they find themselves in a situation where they would need a backup.


Gads, have folks not heard about system imaging/backup? If you do that regularly and you are suspicious enough that you want to run scans at boot-up, you can just restore an image.

You can't go and say that to a person who doesn't care about it... I am just saying because, as I said before, I use EEK to clean up the mess from others... as for me, well, indeed ransom and cryptos are very dangerous, but I think that I have my ways for them not to run.. however, I do agree with your point.


In the end only Richard knows, but he hasn't commented again. So we are all only guessing.

Sorry, I forgot about this thread!

Yes, I am talking about a scan at startup *before* Windows loads.


In that case, no. You can't run such a boot scan, and it is unlikely to be added as well, as it would require major changes to the scan engine to be able to scan that early in the boot process.


It can be somewhat useful for malware removal. But as I mentioned before, implementing it requires major changes to the way our scan engine works, so it is rather unlikely to happen.
