pallino

Government trojans


Hi Emsi Team,

How good are Emsi products at protecting a clean computer from government trojans such as Regin, Babar, FinFisher/FinSpy, Gh0st, BlackShades, the Remote Control System of Hacking Team, Casper, and malware of the Equation Group?

Do EMSI IS and EAM detect all the above ones? (On VirusTotal I just saw Emsi apparently does not detect 2 FinSpy ones, MD5 2d5c810035dc0f83036fb12e8775817a and 434b83eba7619cb706492ff019ade0d5 :o :( ).

Did the BB detect them before signatures were available?

How well can EMSI IS and EAM detect them on an infected system?

What additional SW (if any) do you recommend to install to check for these infections and to prevent these infections (or to get some alerts)?

Thank you! :)

 

 

 

 

 

 


how good are Emsi products at protecting a clean computer from government trojans such as Regin, Babar, FinFisher/FinSpy, Gh0st, BlackShades, the Remote Control System of Hacking Team, Casper, and malware of the Equation Group?

There is no way of knowing for sure, simply because the majority of those samples are kept secret. We do detect all the samples that leaked to the public. That does not necessarily mean we detect all the samples that exist though.

Do EMSI IS and EAM detect all the above ones? (On VirusTotal I just saw Emsi apparently does not detect 2 FinSpy ones, MD5 2d5c810035dc0f83036fb12e8775817a and 434b83eba7619cb706492ff019ade0d5 :o :( ).

Those are not samples but password-protected archives. If you download those archives and unpack them, you will see that the samples they contain are detected just fine.

Did the BB detect them before signatures were available?

In the cases where samples leaked to the public, yes. Most of them were even picked up by the very first version of our behavior blocker that was introduced 10 years ago.

How well can EMSI IS and EAM detect them on an infected system?

All samples that leaked to the public are detected when active and properly removed.

how good are Emsi products at protecting a clean computer from government trojans such as Regin, Babar, FinFisher/FinSpy, Gh0st, BlackShades, the Remote Control System of Hacking Team, Casper, and malware of the Equation Group?

Did the BB detect them before signatures were available?

How well can EMSI IS and EAM detect them on an infected system?

Hello pallino,

I learned about Emsisoft when reviewing the leaked internal tests against various security software by Gamma Intl, creators of the FinSpy surveillance suite.

Emsisoft and Comodo were the only products that alerted on all the tested system installs.

If I recall correctly the EAM's Behavior Blocker alerted.

What additional SW (if any) do you recommend to install to check for these infections and to prevent these infections (or to get some alerts)?

There is a signature-based scanner called Detekt. Although, I would bet by this time the vendors have modified the softs such that Detekt will not detect. No pun intended.

However, I do understand what you are really getting at. Your way of thinking is that if a security software can detect/alert to the presence of what should be the very best of malware then it must be good. I tend to agree but I don't think it should be used as an absolute indicator of an AV's capabilities. It's debatable.

The bottom line is that in my experience in all the areas that really matter... stability, compatibility, ease-of-use and high-level protection during typical use, both EAM and EIS do a really fine job on my system.


Fabian and hjlbx,

thank you!

EMSI Team, great job if the BB could block them all before signatures were released!!!! :)

I knew about Detekt but also that it might produce FPs and that it only detects a few, older state trojans. :(

I asked about additional SW to check for these infections and to prevent these infections since unfortunately no program detects 100% of malware, all the time.

I'm looking for an excellent NIPS or HIPS to add to the AV that might alert if something suspicious is getting in or out of the system (or other SW that might increase the security of my system, even with some more alerts and FPs).

Any suggestions?

thank you


Any suggestions?

Hello pallino,

Just a suggestion...

If you feel the need to add additional protection, then take a look at AppGuard.

I've tested it and it works very well with both EAM\EIS. So much so that I did not need to add either EAM or EIS to the "Power Applications" exclusion list.

AppGuard will block any unauthorized scripts and other executables from running in Medium or Lock-Down modes.

Its protection model is Default-Deny, which is to block everything; only white-listed apps on your system are permitted to run.

AppGuard is a much better option than HIPS in my experience.

The primary issue with Default-Deny is user inconvenience. And I would not be surprised if ways to defeat it are eventually discovered; nothing in IT is bullet-proof.

* * * * *

From my perspective a HIPS alert tells me changes are being made to the system, but most of the time it is just IT gobbledygook to me.

If you combine EAM/EIS with HIPS then you are going to get double alerts (both BB and HIPS) and you will quickly tire of it. Even with HIPS only, depending upon how you configure the settings, you will very likely get frustrated with the amount of notifications. Dissatisfaction with HIPS is why I switched to Emsi.

Emsi's Behavior Blocker is much more capable than you think... and its alerts are understandable compared to HIPS notifications. All Emsi alerts are really optimal for the typical user. I know from experience using a bunch of other security software.

If the Emsi BB alerts "out of the blue," then even a real novice can understand something isn't right. HIPS alerts all the time so users quickly ignore it, which completely defeats its protection.

I routinely test malware packs. I don't scan, but instead I actually run the malware.

To be perfectly honest, I have only seen the BB\AMN combination fail completely one time. It was against a clever script-downloaded screen-locker. However, Emsi's Surf Protection blocked the connection to the malicious host and prevented the install. +100 for Emsi.

I understand the inclination to build an impenetrable, multi-layered, digital fortress. For me it only degraded system performance and negatively affected my user experience.

Emsi, along with reasonable computing habits, has kept my system malware-free. So now I'm mindful, but not pre-occupied with security.

It will be all right...


Actually, I think you can run all digitally signed apps with limited rights by default.

So, they will not do any harm but will leave traces that some scanner might detect.

Right?


Actually, I think you can run all digitally signed apps with limited rights by default.

So, they will not do any harm but will leave traces that some scanner might detect.

Right?

 

Hello Siketa,

Yes, that is correct. That would be using AppGuard's Medium Mode. Even if a file is digitally signed, AppGuard will block actions affecting protected apps\system resources.

For example, pokki.exe is digitally signed and therefore permitted to run, but certain code injections are blocked. I do not recall what they were exactly.

I would think that most malware that is digitally signed and allowed to run will leave traces.

In my experience setting a policy to trust digitally signed installers\files is a really bad idea.

Most users will not bother with AppGuard Lock-Down mode as it even blocks Windows Updates (mis-perceived inconvenience).

Simple fix... just disable AppGuard, update Windows, then re-activate AppGuard.


Hello Hjlbx,

thank you for the clear and informative answer. :)

I also thought of AppGuard, as well as VoodooShield or SecureAPlus... still trying to find out the differences and what to use.

Do you know them?

What defence SW do you use when you test malware (on the host)? EMSI AM and AppGuard + VM/Sandboxie, or maybe also anti-exploit+++?

I can live with alerts and lower performance; I prefer a Fort Knox configuration since I prefer to prevent rather than to cure. :)

Emsi Team,

looking for info about the state trojans I found some MD5s that apparently VT never saw..... I hope they are not FPs and that this helps you to find them! :)

Does Emsi detect them? :unsure:

 


 

I also thought of AppGuard, as well as VoodooShield or SecureAPlus... still trying to find out the differences and what to use.

Do you know them?

What defence SW do you use when you test malware (on the host)? EMSI AM and AppGuard + VM/Sandboxie, or maybe also anti-exploit+++?

I can live with alerts and lower performance; I prefer a Fort Knox configuration since I prefer to prevent rather than to cure.

All the anti-executables are fine as long as you use the highest restricted-policy mode (Lock-Down) and, more importantly, do not trust digitally signed installers\files. The trade-off is that Windows Updates may be blocked.

Really, an anti-executable is going to be really inconvenient if you intend on doing a lot of installations. An AE works best for someone who sets up their system and adds things to it infrequently.

Anti-executables make no sense when testing malware as they block the very files you are trying to test. An AE's real benefit is system lock-down for security. They can still be installed on the system, but will need to be disabled during testing.

For testing, both beta and malware, I use only Shadow Defender. EAM\EIS work perfectly with SD. And SD is simple, yet extremely effective.

I have no interest in VMs as I have no need of them with SD.

On my W8.1 64-bit system EIS + Shadow Defender is by far the best combo.

That combo is reliable, dependable, secure and....well....plain fun to use.


If you are a high risk target and fear you will be targeted by a state sponsored agency, we are not the right product for you. I doubt any product will be the right product for you. Instead switch to a verified strictly read only system like a verified Linux live CD for example.


I also run some of the above mentioned software. My security starts with EIS, followed by SBIE, AppGuard, NVT's ERP and HitmanPro.Alert. I use VMware Workstation v11 for malware testing among other things.

I post this for one reason and it is a most notable reason: to test any of the other software against malware, I always first have to disable EIS. Well done Emsisoft.

Pete


Hjlbx, Peter2150,

thank you for sharing it.

Fabian,

appreciate the sincere answer.

Did you check the MD5s above? Even if EMSI is not specialized in state trojans I think it should detect/protect from as many as possible. :)


I hope the above are already detected since apparently VT never saw them... and so neither did EMSI (at least no signatures are available).

If I have time I'll try to find the files and check them on VT.

I really hope you have them since other researchers already have them and their SHA256 or MD5...


I checked our databases, we don't have the majority of the samples you mentioned. Without the files, there is no way to know whether we detect them or not.

 

Thank you for checking, really appreciated.

I'm just surprised since I thought that AV vendors would be extremely interested in getting sophisticated malware, or malware that nobody or few detect.

If I had the required deep knowledge, I would "pay" to get these and be thrilled to analyze them and to find a way to detect and block them! :)

I can try to find one of them but I know that my knowledge of the "www dark side" is far from yours, as are my detection/defence capabilities.

I won't find them on google.com... who knows what will happen on my PC when I find them on some "dark side" site.

Can you try to find one of them? :)

thank you
