Latest EIS update 3/21/2016

[plat1098 0]

Hello:  some more questions for ya.

 

First, there was a lot of activity going on, more than usual, so look to check what's going on and there's a non-signature update.  I read the blog on what this is about and

 

1.  It required a restart.

2.  It fixed a vulnerability.

 

Well, I was never prompted to boot the machine, and am very curious as to what vulnerability there was.  Any information, please?

Download Image

[GT500 593]

A computer restart shouldn't have been needed, however Emsisoft Internet Security did need to restart itself in order to complete the update process. This is usually done fairly transparently, however there are times when you may see signs of it happening, and you can be asked if it is OK to restart the application if you ran a manual update and it downloaded new program files to install.

As for the vulnerability that was fixed, to my knowledge we have not published any information about it.

[Fabian Wosar 390]

Well, I was never prompted to boot the machine, and am very curious as to what vulnerability there was.  Any information, please?

It requires an application restart, not a system reboot. So you don't need a reboot. Since the vulnerability we fixed affects a whole bunch of products and we are just one of the first who released a fix for it, we won't release any more information about it. It just wouldn't be fair towards our competitors and the original reporter who asked for a synchronized fix. If the original reporter publishes a report about it, I will post it here.

[plat1098 0]

Oh! A restart of EIS, okay.  Yes, because after the update process, I get this ding-a-ling from Action Center informing me I have no firewall. 

 

Well, now you're intriguing me about this vulnerability so, yes if you please, an explanation when/if the circumstances favor it would be appreciated. 

 

Thanks for info!   

[GT500 593]

You're welcome.

[plat1098 0]

The latest (3/31/16) update reveals another process in task manager--Emsisoft Security Center.  What is this, please?  Since I'm here already, can you please (in really simple terms) explain the following EIS parlance or is there a dictionary somewhere that has this terminology?  I'm clicking as a knee-jerk reaction on the Allow Once tab without really understanding what EIS is telling me.  These are the notifications:

 

1.  Attempting to "install invisibly."

2.  CryptoMalware--?!

 

By the way, I installed a verified PUP (a necessary evil and known to me), which was detected in all its locations by AdwCleaner, which isn't whitelisted by me.  EIS also detected the main folder--didn't expect that.  Then, out of curiosity, ran subscription Malwarebytes with its PUP detection thing enabled and it didn't find anything at all after bashing my hard drive for five minutes.  My compliments to Emsisoft. 

 

Download Image

[GT500 593]

The latest (3/31/16) update reveals another process in task manager--Emsisoft Security Center.  What is this, please?

In version 11.6.0.6267 we now have a2start.exe pre-loaded on startup so that when you try to open it from the icon on your desktop, or from the System Tray icon, it opens instantly (or at least nearly instantly).

Since I'm here already, can you please (in really simple terms) explain the following EIS parlance or is there a dictionary somewhere that has this terminology?  I'm clicking as a knee-jerk reaction on the Allow Once tab without really understanding what EIS is telling me.  These are the notifications:

 

1.  Attempting to "install invisibly."

2.  CryptoMalware--?!

The term "invisibly installing" means saving files, more than likely executables, without showing something on the screen to tell you that it is doing it. Most automatic updaters and command line tools work this way, and if you trust the program in question then it is safe to allow it.

CryptoMalware is a term for a type of ransomware that encrypts files. Another common term is "crypto-ransomware". It is possible for a legitimate program to trigger a ransomware alert, especially if they deal with a large number of files, so once again if you trust the program in question then it is safe to allow.

You can also get the MD5 and SHA-1 hashes from the View details option on the right side of the alerts, and search for those hashes on VirusTotal to help in identifying the program and getting an idea of whether or not it is safe.

By the way, I installed a verified PUP (a necessary evil and known to me), which was detected in all its locations by AdwCleaner, which isn't whitelisted by me.  EIS also detected the main folder--didn't expect that.  Then, out of curiosity, ran subscription Malwarebytes with its PUP detection thing enabled and it didn't find anything at all after bashing my hard drive for five minutes.  My compliments to Emsisoft. 

It's possible that Malwarebytes categorizes it differently than we do. They have more categories for detections than we do, and some of them are off by default if I remember right. It may also simply be that it doesn't meet enough of their criteria for being categorized as a PUP, and thus they didn't add detection for it. You'd have to ask them about it to be certain though.

[plat1098 0]

OK, these are the answers, thank you very much!

 

Like tons of other people, I have a bad Windows 10 no matter what I do, and consider this a vulnerability-- a big one.  Naturally, I'm very interested in the security software on this machine and if there are changes from a previously highly satisfactory version, well, I have to ask. 

 

I read between the lines of what your developer posted previously and this vulnerability addressed in the previous update seems to be highly significant, not some piddly little matter.  So, I will renew my request to have a more detailed explanation posted accessibly when/if it's available.

 

By the way, this was a PUP.  You research the name of it online, everywhere it's PUP, PUP, PUP, adware. This is something that installs invisibly, for sure, and scatters its stuff in multiple locations.   Not too keen about Malwarebytes anymore, it is what it is and it should have been detected by that scanner.

 

Again, thank you, this information is really appreciated and helpful.

[GT500 593]

... So, I will renew my request to have a more detailed explanation posted accessibly when/if it's available.

That's understandable, however please note that the information will probably not be made public until every software company that needs to update their products has been able to do that, and unfortunately we have no idea how long that will be.

[Fabian Wosar 390]

I read between the lines of what your developer posted previously and this vulnerability addressed in the previous update seems to be highly significant, not some piddly little matter.

It's not. In fact, chances are you or anyone else will never be affected negatively by it. It's just not our place to disclose it.

[plat1098 0]

Fabian Wosar:  It's not. In fact, chances are you or anyone else will never be affected negatively by it.

 

I want to know what it was. 

 

Also:  There is no version # on my EIS interface.  Is this of nominal importance or does something need to be reinstalled?

 

Download Image

[GT500 593]

Also:  There is no version # on my EIS interface.  Is this of nominal importance or does something need to be reinstalled?

 

EIS interface.PNG

When you open Emsisoft Internet Security you can click on About in the gray box in the lower-right corner to see the version number.

If you want the version number to be displayed on the Overview screen when you open Emsisoft Internet Security, you can do the following:

• Open Emsisoft Internet Security.
• In the gray box that says License, hold your mouse over where it says Renew for free!.
• A little X will appear to the right of where it says Renew for free!.
• Click on the little X, and the version number will be shown instead.

[JeremyNicoll 58]

Please make that version number c&p-able, so it's easy to get it into a problem report!

[Fabian Wosar 390]

Problem reports sent from EAM/EIS do contain the number anyway, which is the preferred way to contact support.

[JeremyNicoll 58]

Preferred...   I didn't know that.    Does that route one's questions to a different set of people?

[Fabian Wosar 390]

No. Just end up in a different system that is monitored more closely than the forum so it gets you a quicker reply on average. Your request also automatically includes important information like the version you use as well as the Windows version you use.

[JeremyNicoll 58]

OK, thanks for clarifying that.   I've updated my notes appropriately.

[Fabian Wosar 390]

I want to know what it was. 

Check here:

 

http://blog.ensilo.com/intrusive-applications-6-security-to-watch-out-for-in-hooking

[plat1098 0]

It's not. In fact, chances are you or anyone else will never be affected negatively by it. It's just not our place to disclose it.

 

There was a published report recently on those vulnerabilities and it contradicts to a large extent what you say above.  It's now moot since it appears generally patched, but at the time, it was hardly something to pooh-pooh to the side.  Hardly!

[Fabian Wosar 390]

You are aware that the issue found is not a vulnerability in itself, right? The only way it could ever play a role is if an application would be already vulnerable to something else as it only makes exploitation easier, not allow exploitation to take place in the first place.

[plat1098 0]

Oops, missed your link to the article, found it independently.

 

 

You are aware that the issue found is not a vulnerability in itself, right? 

 

 

No, I wasn't aware of this. The term "patch" was used, wasn't it?  Why was the term "vulnerability" used in the original update log, then?  Something that can facilitate an exploit in conjunction with an existing vulnerability looks like a vulnerability to me.     

 

The article named some big brands, including a Microsoft product, so yes, this in itself was significant, and I see efforts at public relations and damage control here and there. The article, however, is pretty obscure. That tells me something also.. 

 

Thank you for posting that link, that article was an eye-opener!

[Fabian Wosar 390]

No, I wasn't aware of this. The term "patch" was used, wasn't it?

Patch just means that a problem or bug was fixed. It's definitely a bug.

Why was the term "vulnerability" used in the original update log, then? Something that can facilitate an exploit in conjunction with an existing vulnerability looks like a vulnerability to me.

Then we agree to disagree.

 

The article named some big brands, including a Microsoft product, so yes, this in itself was significant, and I see efforts at public relations and damage control here and there. The article, however, is pretty obscure. That tells me something also.

Well, all it should tell you is that someone tries to create hype for their Black Hat talk. The actual problems they found haven't been published at all. Just a lot of "look at me, we are going to release something at our talk at Black Hat".

[plat1098 0]

I wouldn't dare agree or disagree with anyone who possesses the inside knowledge I lack. 

 

Still, Emsisoft used the term "vulnerability" in its own update log.  That is a loaded word, especially when it applies to your trusted security software.  Even though "bug" and vulnerability are mutually exclusive terms, I'd think a technical bug would make things  inherently vulnerable, no?  Bug + vulnerability = even bigger vulnerability.

 

 

 
The actual problems they found haven't been published at all.

 

So it's back to:  When/if there's a more unbiased article with less of an apparent agenda, I'll look for it here.