Easy Company

Does Emsisoft support real time scan?


Hi,

When I download KMSpico and extract it to a folder Emsisoft does nothing. It even lets me run the program with admin privileges. It even monitors the KMSpico setup task. But when I do a manual scan or scheduled scan Emsisoft picks up the file. The same thing happens for eicar.org files. Is this a normal behavior?


If you go to the Protection settings (click on the Shield icon on the left side of the main GUI screen), then look at the File Guard settings there, you can make a choice ("Scan Level") for how often EAM looks at files.  The default is probably less often than you'd like, but means less impact on system performance.


I changed it to paranoid, it still has the same problem. The folder is on the desktop. Firefox can still download it without any problem. I can still run the setup file with admin privilege. But when I manually scan the folder Emsisoft detects the files and asks to quarantine.

You can see in the screenshots that Emsisoft is monitoring the program but does nothing. But when manually scanned it detects those files.

  • Scan level set to paranoid. It lets the program run but monitors


  • Now it detects when scanned.



That's not encouraging... Hopefully someone from Emsi will come along and explain.

It seems to me that there are three issues: first, whether or not with 'Paranoid' being set, files are being scanned as they are downloaded. I'd certainly have hoped so; if not we need an "even more Paranoid" setting...

Secondly (if files are being scanned on download): why is a scan-on-download not making the same detection as a custom scan later on? Downloading files is surely the main way that most of us get potential malware, so a scan then should be as thorough/rigorous as possible.

Thirdly, the Behaviour Blocker's behaviour. If all you've let the installer do is start & display its splash screen then it probably hasn't yet done anything that the blocker would think is suspicious, so no BB alert is fair enough. (I'm not suggesting you should let it do more if you think it is dodgy.) I don't think/know that the fact that the installer is running with Admin privilege is relevant. I /hope/ that malicious software running under Admin auth is blocked when it actually does do something dodgy.


Exactly. I tested Bitdefender on a second machine and its real time scanner works as intended. Also tried a ransomware simulator (RanSim from MajorGeeks); Emsisoft and Bitdefender both stopped the launcher from running. Bitdefender also stops eicar.com files from being downloaded, but Emsisoft doesn't.


Ok, so I figured it out. It was probably my fault to begin with. My Windows default scanner settings were probably borked because of ShutUp10. I probably made some mistakes while picking options there.

When I uninstalled Emsisoft, Windows set all the settings related to Windows Defender back to default. Then I reinstalled Emsisoft and everything works now.

So after testing 4 AVs, Emsisoft is my pick. No bootup delay, detects files fine, not very aggressive or resource hungry, and the main thing is IT RESPECTS USER PRIVACY.

Since Emsisoft itself suggested ShutUp10, you guys should look into the issue.


> Shutup10

I suppose I should ask: which version of this were you using? Is that the up-to-date one? And which options do you think may have been the wrong ones to use?

(I don't use this program myself, but any help you can provide to anyone else who comes along with the same issue in future, would no doubt be appreciated.)

9 hours ago, JeremyNicoll said:

> That's not encouraging... Hopefully someone from Emsi will come along and explain.
>
> It seems to me that there are three issues: first, whether or not with 'Paranoid' being set, files are being scanned as they are downloaded. I'd certainly have hoped so; if not we need an "even more Paranoid" setting...
>
> Secondly (if files are being scanned on download): why is a scan-on-download not making the same detection as a custom scan later on? Downloading files is surely the main way that most of us get potential malware, so a scan then should be as thorough/rigorous as possible.

FWIW ~ KMSpico-setup file is Zip'd = KMSpico-setup.zip .... so Emsisoft may only scan setup.zip on the surface (if at all).
On-demand setup.zip scan may/will scan n' detect different. Note: KMSpico-setup.zip extract is password protected. My on-demand scan of KMSpico-setup.zip with my current resident security (not Emsisoft) reports No threats found.

My current resident security (not Emsisoft) did not report on the KMSpico-setup.zip download....however, did detect n' quarantine KMSpico-setup.exe as Threat name: PUA.Keygen.KMS & PUA.Keygen.KMS!g3
Granted Threat names are not relevant.  


Just my $.02   Zip'd samples need extra scrutiny.  

Edit: about an hour later on a routine automatic quick scan.
File: C:\Users\bjm\Desktop\ KMSpico-setup.zip Threat Removed

20 hours ago, Easy Company said:

> When I download KMSpico ...

KMSpico is an activation bypass for Microsoft Windows and Office products. We have a strict non-piracy policy, and are not supposed to provide support to someone who is using pirated software until they have removed such software from their computer.

That being said, KMSpico does install malware. It doesn't necessarily do it 100% of the time, and it doesn't always install the same malware, however many people have recently been hit with the STOP/Djvu ransomware after installing it.

 

19 hours ago, Easy Company said:

> Firefox can still download it without any problem.

If you download it with a browser that supports IOfficeAntiVirus (which I would believe is every modern browser except Firefox) then it will be detected.

We decided to use this particular method of automatically scanning files due to the minimal impact on performance, the larger user base of browsers that support IOfficeAntiVirus, and the fact that our Behavior Blocker will generally catch anything that's executed that the File Guard misses.

Mozilla removed support for IOfficeAntiVirus 6+ years ago, and I don't think anyone expects them to add it back to Firefox anytime soon. All I found in a quick search was bug reports related to it having been removed, however from the developer comments it sounds like the issue may have been Firefox at least occasionally getting stuck scanning downloaded files, which would prevent downloads from completing.

 

19 hours ago, Easy Company said:

> I changed it to paranoid, it still has the same problem.

Out of curiosity, do you have the File Guard set to quarantine PUP detections?

 

13 hours ago, Easy Company said:

> Since Emsisoft itself suggested ShutUp10, you guys should look into the issue.

We'd need to know exactly which options you had selected, and what version of Windows 10 was installed. Personally I'm not aware of anything in ShutUp10 that could cause such an issue, and I use it myself.

10 hours ago, bjm__ said:

> FWIW ~ KMSpico-setup file is Zip'd = KMSpico-setup.zip .... so Emsisoft may only scan setup.zip on the surface (if at all).

The contents of archives will only be scanned when running an on-demand scan. Extracting archives to scan the contents is a huge resource waste, and will cause noticeable performance issues.

Most versions of Windows support scanning files being extracted from archives via IOfficeAntiVirus when using the archive manager built into Windows Explorer, however on 32-bit editions of Windows this functionality appears to be broken, so it really only works properly on 64-bit editions of Windows. Since 32-bit editions of Windows are very rare these days, most people don't run into these issues.

I'm not certain about IOfficeAntiVirus in third-party archive managers. 7-Zip doesn't appear to support it, and WinRAR may not support it either.

4 hours ago, GT500 said:

> The contents of archives will only be scanned when running an on-demand scan.

Do you mean a 'custom scan'?  Then it only happens if you also actually turn that option on.

What about a File Explorer context scan? I'm not clear on that - not least because (a) it seems too fast, and (b) the report only ever says one object was scanned. I think that if a user intentionally asks for a zip to be scanned, that way, then the contents should be looked at and the report should show the true counts.

12 hours ago, GT500 said:

> KMSpico is an activation bypass for Microsoft Windows and Office products. We have a strict non-piracy policy, and are not supposed to provide support to someone who is using pirated software until they have removed such software from their computer.
>
> That being said, KMSpico does install malware. It doesn't necessarily do it 100% of the time, and it doesn't always install the same malware, however many people have recently been hit with the STOP/Djvu ransomware after installing it.

Sorry, I am not using any pirated software. I wanted to test the AV against not-that-harmful malware. Eicar.com was not working, KMS tools came to mind. I did some 'research' and got this particular version from a 'trusted' source. If you need me to provide a screenshot of my Windows OEM license I will do that. If I was a pirated software user, I would have gone with "free" antivirus software. Bitdefender's top option costs half of what Emsisoft costs in India because of regional pricing. I am going with Emsi because of your stance on privacy.

 

12 hours ago, GT500 said:

> If you download it with a browser that supports IOfficeAntiVirus (which I would believe is every modern browser except Firefox) then it will be detected.
>
> We decided to use this particular method of automatically scanning files due to the minimal impact on performance, the larger user base of browsers that support IOfficeAntiVirus, and the fact that our Behavior Blocker will generally catch anything that's executed that the File Guard misses.
>
> Mozilla removed support for IOfficeAntiVirus 6+ years ago, and I don't think anyone expects them to add it back to Firefox anytime soon. All I found in a quick search was bug reports related to it having been removed, however from the developer comments it sounds like the issue may have been Firefox at least occasionally getting stuck scanning downloaded files, which would prevent downloads from completing.

Brave's detection worked on the first installation.

 

12 hours ago, GT500 said:

> Out of curiosity, do you have the File Guard set to quarantine PUP detections?

Yes, I mentioned it earlier. Again, the first installation was not working probably because I used Blackbird, Windows 10 Debloater and ShutUp10 and one of them could have broken something.

 

12 hours ago, GT500 said:

> We'd need to know exactly which options you had selected, and what version of Windows 10 was installed. Personally I'm not aware of anything in ShutUp10 that could cause such an issue, and I use it myself.

It could have been Blackbird V2 or Windows 10 Debloater Script or ShutUp10. File Guard was not working even with Paranoid mode and PUP detection enabled.

After I uninstalled Emsi, Windows Defender reset every setting, then I reinstalled Emsi and now everything works. Emsi would not even let me open the KMS files, sending them to Quarantine. I have custom scanned every drive with thorough settings and no rootkits were found.

 

Everything is fine now. To all those who are seeing this post: Emsisoft works.

14 hours ago, GT500 said:

> The contents of archives will only be scanned when running an on-demand scan. Extracting archives to scan the contents is a huge resource waste, and will cause noticeable performance issues.

Yes, on-demand scan....before n' after extract, is my practice.   Just saying. 

5 hours ago, Easy Company said:

> If you need me to provide a screenshot of my Windows OEM license I will do that.

A screenshot of Windows pirated version (using KMS) is no different than a screenshot of genuine OEM Windows, so your statement proves nothing.

15 hours ago, JeremyNicoll said:

> Do you mean a 'custom scan'? Then it only happens if you also actually turn that option on.

A context menu scan should use that option as well.

 

8 hours ago, Easy Company said:

> If you need me to provide a screenshot of my Windows OEM license I will do that.

I don't have any reason at the moment not to take you at your word. There's no need to try to provide proof.

 

8 hours ago, Easy Company said:

> Brave's detection worked on the first installation.

Brave is Chromium-based, and thus supports IOfficeAntiVirus. The same goes for Opera 15+ and Vivaldi.

 

8 hours ago, Easy Company said:

> It could have been Blackbird V2

I assume you mean the software from the following URL?

https://getblackbird.net/

I'm not familiar with it.

I usually use ShutUp10 (with almost every option selected), and then run a batch file that executes PowerShell to remove almost all of Windows 10's pre-installed apps. Detection, as far as I know, works fine under these conditions.

 

8 hours ago, Easy Company said:

> Just one more thing, how do I integrate Emsi with PeaZip? It supports some AVs but also has an option to add custom AVs. Which Emsi exe file should I choose?
>
> https://www.peazip.org/antivirus-scan-zipped-files.html

If it supports command-line scanners, then you'll want to use a2cmd.exe with the /s parameter. You can get the documentation by running a2cmd.exe /s /? in a Command Prompt (be sure to use the CD command to switch to the Emsisoft Anti-Malware folder before trying to run a2cmd.exe from the Command Prompt).

8 hours ago, andone said:

> A screenshot of Windows pirated version (using KMS) is no different than a screenshot of genuine OEM Windows, so your statement proves nothing.

An OEM license has a logo embedded on the page. I also can show you the packaging of my PC which includes a Win 10 license in the spec list. My PC has a serial number on it which is also mentioned on the box.

Then again I am not required to show you anything. I was talking to Emsi staff; if he/she wanted proof I would be more than happy to show it to him/her.

5 hours ago, GT500 said:

> I assume you mean the software from the following URL?

Yes, this was it.

I can't reproduce the error (whatever it was I am more than happy that it solved itself 😅). But as the screenshots show, the errors were real. Also I used this

https://github.com/Sycnex/Windows10Debloater

 

5 hours ago, GT500 said:

> If it supports command-line scanners, then you'll want to use a2cmd.exe with the /s parameter. You can get the documentation by running a2cmd.exe /s /? in a Command Prompt (be sure to use the CD command to switch to the Emsisoft Anti-Malware folder before trying to run a2cmd.exe from the Command Prompt).

Like this? Nothing pops up after I do that from peazip context menu. (Open with Emsisoft).

7 hours ago, GT500 said:

> A context menu scan should use that option as well.

If they do then that's a problem. The settings I mean are in the 'Custom scan - Scan now' dialog and get set just before initiating a custom scan. I use different settings depending on what I want done in such a scan... But if the settings also affect context-menu scans, for which one has no opportunity to set them at the point of initiation, then it means I would need after every Custom scan to go back to the dialog concerned and reset options to what I want for the next Context scan. I know I won't always remember to do that. Or, are there separate options somewhere else?

23 hours ago, Easy Company said:

> An OEM license has a logo embedded on the page.

There are activation bypass tools that are loaded by the bootloader and emulate the BIOS tables that contain OEM license data for Windows, which allows faking Windows into believing that it is reading legitimate OEM license information from the BIOS (including the logo if desired). It's also possible to patch OEM license data into a BIOS image, and then flash the BIOS with it.

Basically, there's no way to be 100% certain that someone has a legitimate installation of Windows without being able to do a forensics analysis with your own hands and eyes. Since I don't want to encourage anyone here to try to do that, I think it's best we not worry about proving whether or not the installation of Windows is legitimate for now.

 

23 hours ago, Easy Company said:

> Like this? Nothing pops up after I do that from the PeaZip context menu. (Open with Emsisoft).

You'll need to include the option to tell it what file to scan. Like this:

a2cmd.exe /s /f=<path-to-file-or-folder>

If PeaZip has a variable of some sort that you can add that tells it where to put the path to the files to scan, then replace everything after the equals sign with that variable.


Oh, while I'm thinking about it, a2cmd.exe needs to be executed with administrator rights. If not, then if it does scan the file, the window will close right away once it's done and you won't see the results.

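Putting GT500's a2cmd.exe instructions in this thread together (the /s, /f=<path> and /q parameters, and the need for administrator rights), here is an added PowerShell wrapper; it is not Emsisoft's own code and does not come from any post above. It assumes the default install folder under Program Files, and since a2cmd's exit codes and output format are not documented on this page it returns the raw console lines instead of interpreting them.

```powershell
# Added example, not Emsisoft's code. Parameters taken from the thread:
#   /s         scan
#   /f=<path>  file or folder to scan
#   /q         quarantine what is found (otherwise only reported)
# Assumptions (not from the page): the default install path used below, and
# that exit code / output layout vary by version, so the raw lines are returned.

function Test-IsElevated {
    # a2cmd.exe needs administrator rights (per the thread), so check first
    # rather than having the scan window open and vanish without a result.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-A2cmdScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # file or folder to scan
        [switch] $Quarantine,                    # adds /q
        # Assumed default location; override with -A2cmd if yours differs.
        [string] $A2cmd = "$env:ProgramFiles\Emsisoft Anti-Malware\a2cmd.exe"
    )

    if (-not (Test-Path -LiteralPath $A2cmd)) {
        throw "a2cmd.exe not found at '$A2cmd'; point -A2cmd at your Emsisoft Anti-Malware folder."
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Nothing to scan: '$Path' does not exist."
    }
    if (-not (Test-IsElevated)) {
        throw "Run this from an elevated (Administrator) PowerShell; a2cmd.exe needs admin rights."
    }

    # Build the argument list exactly as described in the thread.
    $argList = @('/s', "/f=$Path")
    if ($Quarantine) { $argList += '/q' }

    # Capture stdout/stderr so the result survives even if a2cmd's own
    # console window would close as soon as the scan finishes.
    $output = & $A2cmd @argList 2>&1

    return [pscustomobject]@{
        Path       = $Path
        Quarantine = [bool]$Quarantine
        ExitCode   = $LASTEXITCODE
        Output     = $output
    }
}

# Example use (constructed paths): scan a downloaded archive, then the
# extracted folder, which is the "before and after extract" practice
# mentioned earlier in this thread.
# Invoke-A2cmdScan -Path "$env:USERPROFILE\Downloads\sample.zip"
# (Invoke-A2cmdScan -Path "$env:USERPROFILE\Downloads\sample" -Quarantine).Output
```

The same `/s /f=` argument string is what a custom-scanner field such as PeaZip's would take, with that tool's own path placeholder in place of the literal path, if it provides one.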
15 minutes ago, GT500 said:

> There are activation bypass tools that are loaded by the bootloader and emulate the BIOS tables that contain OEM license data for Windows, which allows faking Windows into believing that it is reading legitimate OEM license information from the BIOS (including the logo if desired). It's also possible to patch OEM license data into a BIOS image, and then flash the BIOS with it.
>
> Basically, there's no way to be 100% certain that someone has a legitimate installation of Windows without being able to do a forensics analysis with your own hands and eyes. Since I don't want to encourage anyone here to try to do that, I think it's best we not worry about proving whether or not the installation of Windows is legitimate for now.

I don't really know about any of that. My laptop came with Win 10, why would I reactivate an original copy? You can trust me. For MS Office, I don't have it. I got LibreOffice and I am more than happy with it. I downloaded a whole archive of activators on my Arch installation, scanned it with VirusTotal, saw Emsi was detecting them, so I copied them to my C drive. I did that because the File Guard was not working with eicar.org files. (NOW EVERYTHING WORKS). I can make a video of my laptop where Emsi is installed showing the laptop serial number and the box of the laptop which also has the same serial number and Windows 10 in the spec list. I just don't like to be accused of something.

 

21 minutes ago, GT500 said:

> Oh, while I'm thinking about it, a2cmd.exe needs to be executed with administrator rights. If not, then if it does scan the file, the window will close right away once it's done and you won't see the results.

Ok, so if it detects PuP it will auto quarantine right?

 

One more thing, Emsi is false flagging Brave installation file in the temp folder.

On 7/31/2019 at 2:33 AM, Easy Company said:

> Ok, so if it detects PuP it will auto quarantine right?

Only if you include the /q parameter to tell it to quarantine files. Without the /q parameter, it will only report what it finds in the console window that opens.

On 7/31/2019 at 2:33 AM, Easy Company said:

> One more thing, Emsi is false flagging Brave installation file in the temp folder.

That happens when a software publisher doesn't digitally sign something. We can whitelist a specific file, but when that file gets updated then it's no longer whitelisted.
