malik4477

Always block this application(impossible to run) -- because the file contains a virus ETC


Hello,

 

Some questions on EIS if I may.

A. Always block this application(impossible to run) -- because the file contains a virus!

Setting "Always block this application(impossible to run)" to an executable in EIS produces an alert that the executable is a virus but EIS scan says it is not. It seems that EIS default pop-up alert for all that is set as "Always block this application(impossible to run)" is prejudged as "the file contains a virus" even if it is not. It can be confirmed when you manually scan the executable file. Prejudging a file as containing a virus while EIS's own scanner says "No suspicious files were detected during the scan."

See observations below:

1. Set Kingsoft's updateself.exe / wpsupdate.exe as "Always block this application(impossible to run)"
Set Kingsoft's updateself.exe / wpsupdate.exe as "Always block this application(impossible to run)". Try to launch Kingsoft's updateself.exe / wpsupdate.exe by double-clicking it, and an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan Kingsoft's updateself.exe / wpsupdate.exe with EIS. EIS says "No suspicious files were detected during the scan."

See image below. View report below:

updateself_virus.png
AsdEFom.png

 

Emsisoft Internet Security - Version 11.0.0.5958
Last update: 11/29/2015 12:23:32 AM
Initiated by: XXXXX-PC\XXXXX

Scan settings:

Scan type:
Objects: C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\updateself.exe, C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    11/30/2015 12:17:30 AM

Scanned    2
Found    0

Scan end:    11/30/2015 12:17:30 AM
Scan time:    0:00:00


Why is it that EIS is stating that the file "contains a virus" but when you scan it EIS says otherwise....?

2. Set opera_autoupdate.exe as "Always block this application(impossible to run)". Try to launch opera_autoupdate.exe by double-clicking it, and an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan opera_autoupdate.exe with EIS. EIS says "No suspicious files were detected during the scan." See image below. View report below:

opera_autoupdate_virus_popup.png
D9ajV1v.png


 

Emsisoft Internet Security - Version 11.0.0.5958
Last update: 11/29/2015 12:23:32 AM
Initiated by: XXXXX-PC\XXXXX

Scan settings:

Scan type:
Objects: C:\Program Files (x86)\Opera\33.0.1990.58\opera_autoupdate.exe

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    11/30/2015 12:40:40 AM

Scanned    1
Found    0

Scan end:    11/30/2015 12:40:41 AM
Scan time:    0:00:01



3. Set Glary Utilities 5 CheckUpdate.exe as "Always block this application(impossible to run)". Try to launch opera_autoupdate.exe by double-clicking it, and an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan opera_autoupdate.exe with EIS. EIS says "No suspicious files were detected during the scan." See image below. View report below:

glary_CheckUpdate_popup.png
XHoSh5x.png

 

Emsisoft Internet Security - Version 11.0.0.5958
Last update: 11/29/2015 12:23:32 AM
Initiated by: XXXXX-PC\XXXXX

Scan settings:

Scan type:
Objects: C:\Program Files (x86)\Glary Utilities 5\CheckUpdate.exe

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    11/30/2015 12:51:02 AM

Scanned    1
Found    0

Scan end:    11/30/2015 12:51:02 AM
Scan time:    0:00:00



4. Set Emsisoft's very own HijackFree -- a2hijackfree.exe as "Always block this application(impossible to run)". Try to launch a2hijackfree.exe by double-clicking it, and an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan a2hijackfree.exe with EIS. EIS says "No suspicious files were detected during the scan." See image below. View report below:

Emsisoft_a2hijackfree_virus popup.png
fmS8U4B.png

 

Emsisoft Internet Security - Version 11.0.0.5958
Last update: 11/29/2015 12:23:32 AM
Initiated by: XXXXX-PC\XXXXX

Scan settings:

Scan type:
Objects: C:\Program Files (x86)\Emsisoft HiJackFree\a2hijackfree.exe

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    11/30/2015 12:58:52 AM

Scanned    1
Found    0

Scan end:    11/30/2015 12:58:52 AM
Scan time:    0:00:00


B. Kingsoft wpsupdate.exe set at "Always block this application(impossible to run)" can run momentarily via wpp.exe gui

As wpsupdate.exe has been blocked and set as "Always block this application(impossible to run)". I checked if it can be executed via the Kingsoft Office applications gui -- wps.exe -- Kingsoft Writer / et.exe -- Kingsoft Spreadsheets / wpp.exe -- Kingsoft Presentations.

Clicked the question mark (?) at the top-right-corner of the gui. Drop down menu shows. Clicked "Check for Updates".
There was no evidence of wpsupdate.exe executing or running with wps.exe / et.exe BUT with wpp.exe -- Kingsoft Presentations there is momentarily. There is a pop-up that says, "Can't access the Internet, please try it later. May be the internet connection is failed. Or the updater is blocked by the firewall. Or the proxy settings are incorrect."

Why is it that there is still an execution of wpsupdate.exe. I believe if you set "Always block this application(impossible to run)" to an executable/application it should be impossible to run it right..?

See images attached.

XQ2lKdX.png


nBjUfve.png


m1swHrR.png


C. Kingsoft's Presentation "wpp.exe" quarantined because it has been classified as "Behavior.DirectDiskAccess". What to do with this..?

See image below.

eC3Yv5U.png
 

 


A. Always block this application(impossible to run) -- because the file contains a virus!

Setting "Always block this application(impossible to run)" to an executable in EIS produces an alert that the executable is a virus but EIS scan says it is not. It seems that EIS default pop-up alert for all that is set as "Always block this application(impossible to run)" is prejudged as "the file contains a virus" even if it is not. It can be confirmed when you manually scan the executable file. Prejudging a file as containing a virus while EIS's own scanner says "No suspicious files were detected during the scan."

This is an old dialog that hasn't been changed in far too long, and could certainly use an update to more clearly convey why the application was blocked from running (as well as what blocked it). Our QA Manager is aware of this.

B. Kingsoft wpsupdate.exe set at "Always block this application(impossible to run)" can run momentarily via wpp.exe gui

As wpsupdate.exe has been blocked and set as "Always block this application(impossible to run)". I checked if it can be executed via the Kingsoft Office applications gui -- wps.exe -- Kingsoft Writer / et.exe -- Kingsoft Spreadsheets / wpp.exe -- Kingsoft Presentations.

Clicked the question mark (?) at the top-right-corner of the gui. Drop down menu shows. Clicked "Check for Updates".

There was no evidence of wpsupdate.exe executing or running with wps.exe / et.exe BUT with wpp.exe -- Kingsoft Presentations there is momentarily. There is a pop-up that says, "Can't access the Internet, please try it later. May be the internet connection is failed. Or the updater is blocked by the firewall. Or the proxy settings are incorrect."

Why is it that there is still an execution of wpsupdate.exe. I believe if you set "Always block this application(impossible to run)" to an executable/application it should be impossible to run it right..?

It wasn't executed from explorer.exe, and probably wasn't blocked until it performed an action that our Behavior Blocker monitors for, however I will have to verify that with one of our developers.

C. Kingsoft's Presentation "wpp.exe" quarantined because it has been classified as "Behavior.DirectDiskAccess". What to do with this..?

You can submit it as a false positive via the quarantine. Was it quarantined automatically, or did you select to quarantine it from a Behavior Blocker alert?

Thanks for the reply. 
 

This is an old dialog that hasn't been changed in far too long, and could certainly use an update to more clearly convey why the application was blocked from running (as well as what blocked it). Our QA Manager is aware of this.
-- Well I hope this will be corrected as it sends a wrong signal to the user. It can be done on the part of the devs. 
 

It wasn't executed from explorer.exe, and probably wasn't blocked until it performed an action that our Behavior Blocker monitors for, however I will have to verify that with one of our developers.
-- I just checked earlier and it's still like that. I was checking Process Explorer but it wasn't running. I guess it does get blocked, I mean the wpsupdate.exe, but the one that is bothering me is the trigger launch from the gui of wpp.exe.
 

You can submit it as a false positive via the quarantine. Was it quarantined automatically, or did you select to quarantine it from a Behavior Blocker alert? 
-- Will submit. It was quarantined automatically. 
 


Got three "Error occurred" as I was to submit the file to Emsisoft. When I tried to re-scan the file it said "No quarantine items were detected as false positives". What's going on here....? (Just updated to Build 5984 earlier).

Accear4.png

uvr5L10.png

mAIIDLw.png
 


Did you send the error reports? If so, then our developers will receive them.

For now you can restore the file from the Quarantine, upload it to VirusTotal, and then post the link to the analysis for us to take a look at.
