ValarM5

FIXED
Samples that permanently crash real-time protection


Hello. I have been doing some malware testing lately and I have come across four samples that completely crash real-time protection. After a reboot the notification icon is red, and after a few minutes I get a pop-up as shown in the attachment. One of the samples from 03/16 is still zero-day, as the signatures and heuristics don't pick it up, and the Behavior Blocker misses it as well. I have tested in both Oracle VirtualBox and VMware with Windows 7, 8.1, and 10, and it occurs with all of them. I forwarded 3 of the samples to customer service over a week ago, but I see this hasn't been addressed yet, and I was advised to start a thread in this particular sub-forum to get the quickest and most direct feedback from a developer. Thanks.

[Attachment: crash.png]

Would you mind sharing the actual sample or alternatively the hash of the sample with us? It's hard to pull out a malware file from a screenshot ;)


1C232A8252B20A9F440D1ED13DEC84B358D9423EF973591A72EAE8DB54FC5684

F0BD2E1352FCCCDB0886465742D604906A03DB7B704840DB24084FA4552C1BE0

2F0ECE60256BAF67878D4CD5E5A16A57C3BC383A4B27D223C9F2845CA8E19704

2123FEB27E9116DF8F8247ACF8C0384850CA88C250F856626F4D67A1C23FB9CC

I just wanted to show the error message with the attachment. I didn't want to post live samples. The 4th one is the 0-day sample. I have them zipped up; if you want, I can send them your way via PM or email.


Sounds good, thanks. When I try to reproduce with the first 3, to simulate a real-world zero-day encounter like the 4th one currently is, I make sure to disable FileGuard and AMNet before copying the samples to the VM, and the BB still misses it. That's why I thought maybe it was just my one Windows setup, so, like I said, I used 2 separate VM applications with 3 versions of Windows, on 2 separate machines. I have never had this happen to me before outside of these 4 so far. I also have some debug logs if you want them.


On a side note, I am currently running EAM and HitmanPro.Alert. Do you recommend adding monitoring and/or scanning exclusions in each program for the other, or is that not necessary? I know they are both compatible, but I'm just trying to avoid any possible conflicts. Or is it better to leave it as is, since HMP.Alert does help mitigate against exploits and it could help protect the EAM processes? Thanks.


If it works on your system, there is no need to change anything.


Ok. If it's not too much to ask, would you mind keeping me updated on the crash issue? Thank you.


It's actually not really a crash issue. But yes, I will keep you updated.


Then whatever it is doing, then. I can do a screen capture if you'd like, to show you when it happens. Monitoring it in Process Explorer after execution, it usually takes around 30 seconds to complete, but several processes are spawned and dropped, and then eventually all three Emsi processes disappear. Then the notification icon disappears when I try clicking on it. After that I can't get into the GUI, nor does it block any more samples, so the real-time protection isn't active anymore. After a reboot I get the error message as in the picture. The only way to resolve it is to revert back to a previous snapshot or reinstall. My concern is for me or anybody else coming across this in the real world and not just in a testing environment. But thanks, I'd appreciate any updates.


Locking this thread as discussion moved to PM.

This topic is now closed to further replies.