Sigh....another exe_virus has bypassed SD v1.1.0.262


nanana1
June 16th, 2008, 08:12 AM
Sad that so soon another virus named soft10.exe has emerged to bypass ShadowDefender v1.1.0.262.:-[

Tony has been informed and is working on it now.

Expect v1.1.0.263 very soon !:lurking:

huangker
June 16th, 2008, 08:15 AM
More importantly though, is it in the wild or is it a POC? Additionally, what are the chances you will come in contact with it?

CogitoErgoSum
June 16th, 2008, 02:26 PM
For those who are interested,

Ilya has informed me that DefenseWall successfully blocks and contains the soft10.exe virus. As for me, with Returnil 2008 Personal Ed.'s "session lock" enabled under Vista 32 SP1 with hardware DEP enabled, upon execution this virus crashes.


Peace & Gratitude,

CogitoErgoSum

ErikAlbert
June 16th, 2008, 02:41 PM
AE also will detect and remove it immediately as an unauthorized executable.
To me, ISR software doesn't have to protect itself against this type of malware, because it is recovery software.
Security software or security settings have to protect ISR software against this type of malware.
Let each software do its job; after all, SD is not an Anti-Malware scanner.
ShadowProtect doesn't protect itself against this malware either.

MikeNAS
June 16th, 2008, 02:48 PM
{QUOTE-> AE also will detect and remove it immediately as an unauthorized executable.
To me, ISR software doesn't have to protect itself against this type of malware, because it is recovery software.
Security software or security settings have to protect ISR software against this type of malware.
Let each software do its job; after all, SD is not an Anti-Malware scanner.
ShadowProtect doesn't protect itself against this malware either. <-QUOTE}

Totally agree! I have other programs which kill soft10.exe.

demoneye
June 16th, 2008, 03:48 PM
{QUOTE-> AE also will detect and remove it immediately as an unauthorized executable.
To me, ISR software doesn't have to protect itself against this type of malware, because it is recovery software.
Security software or security settings have to protect ISR software against this type of malware.
Let each software do its job; after all, SD is not an Anti-Malware scanner.
ShadowProtect doesn't protect itself against this malware either. <-QUOTE}

That's what I was claiming in the cs.exe thread; they just need to be able to work correctly in a working environment, not in a filthy place of malware.

cheers :)

pidbo
June 16th, 2008, 05:08 PM
{QUOTE-> Sad that so soon another virus named soft10.exe has emerged to bypass ShadowDefender v1.1.0.262.:-[

Tony has been informed and is working on it now.

Expect v1.1.0.263 very soon !:lurking: <-QUOTE}

It is out now

zopzop
June 16th, 2008, 07:18 PM
Can anyone tell me what this virus attempts to do?

CogitoErgoSum
June 16th, 2008, 07:43 PM
Hello zopzop,

Although the checksum of the soft10.exe virus in question is different, the two links below are still relevant and will give you a good overview as to what this virus attempts to do.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-041007-2548-99&tabid=2
http://www.threatexpert.com/report.aspx?uid=a3fa4374-74c1-4db1-867b-057c7f513d74

Hope this helps.


Peace & Gratitude,

CogitoErgoSum

tusque
June 16th, 2008, 08:33 PM
{QUOTE-> http://www.symantec.com/security_response/writeup.jsp?docid=2008-041007-2548-99&tabid=2 <-QUOTE}

That's the name Norton gave to the one that got by Returnil on me. I don't know if it affected userinit, but this variant modified explorer.exe and dropped a conime.exe into c:\windows. It bluescreened me and when I came back up, conime was still there and explorer.exe was still altered.

chris2busy
June 17th, 2008, 10:17 AM
To my understanding, ISR software is bypassed/killed by means of disabling its ability to protect/restore the MBR successfully. One can have imaging software, back up one's MBR and set the imaging software to restore it daily when not in ISR mode... MBR ISR insurance if you will :D You do not even need to reboot your machine.

Huupi
June 17th, 2008, 11:11 AM
{QUOTE-> To my understanding, ISR software is bypassed/killed by means of disabling its ability to protect/restore the MBR successfully. One can have imaging software, back up one's MBR and set the imaging software to restore it daily when not in ISR mode... MBR ISR insurance if you will :D You do not even need to reboot your machine. <-QUOTE}

To restore the MBR with imaging software, you have to restore the whole partition in order to restore the MBR. It's only possible outside Windows; you have to boot/reboot, obviously. If it is the real cause like you said, then boot to the recovery console, do fixmbr and you're done, but then the mal. stuff on your disk will cause the same problem again!
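The MBR back-up-and-compare idea in the two posts above (back up sector 0 while clean, then detect when it has been rewritten), as an added example that is not from any poster or product in this thread: a Python checker that parses a 512-byte MBR and reports whether the bootstrap code, partition table or boot signature differs from a saved baseline. The sample MBR is constructed inline; reading the real sector 0 (e.g. `\\.\PhysicalDrive0` on Windows) needs administrator rights and is left to the caller.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # 4 x 16-byte partition entries start here
BOOT_SIG_OFFSET = 510     # 0x55 0xAA marks a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into a bootstrap-code hash, the non-empty partition entries and the signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "valid_signature": mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of findings; an empty list means the MBR matches the saved baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if base["bootcode_sha256"] != cur["bootcode_sha256"]:
        findings.append("bootstrap code modified (bytes 0-445)")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table modified")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from a real disk): tiny boot stub, one bootable NTFS partition."""
    bootcode = b"\xeb\x3c\x90" + b"\x00" * (PART_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return bootcode + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    clean = build_sample_mbr()
    tampered = bytearray(clean)
    tampered[0:3] = b"\x90\x90\x90"   # simulate the boot stub being overwritten
    print(compare_mbr(clean, bytes(tampered)))   # → ['bootstrap code modified (bytes 0-445)']
```

A scheduled run of `compare_mbr` against a baseline saved after a known-good imaging restore turns a silent MBR rewrite into an alert, which is the moment to restore the backup rather than discovering it after the ISR layer has stopped working.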

chris2busy
June 17th, 2008, 12:04 PM
Well, at least with Acronis True Image Home a restart is not necessary... feel free to try.

ErikAlbert
June 17th, 2008, 01:37 PM
{QUOTE-> To my understanding, ISR software is bypassed/killed by means of disabling its ability to protect/restore the MBR successfully. One can have imaging software, back up one's MBR and set the imaging software to restore it daily when not in ISR mode... MBR ISR insurance if you will :D You do not even need to reboot your machine. <-QUOTE}
Until now I have never met a malware that killed my ISR software, but my ISR software was killed 3 times by installing new legitimate software in 2 years.
All these ISR-threats don't have a chance when you have an anti-executable solution on board.
Even when it happens, and it did happen already 3 times without malware, ShadowProtect will save my system.
ISR-threats are pure routine work to me, because each time I update my system partition, I use the same procedure as when I was hit by an ISR-threat, but that won't happen because Anti-Executable will kill them immediately.

Of course when users
- are not prepared
- don't have an Image Backup software
- only have an old image to restore
- only have an infected image to restore
then ISR-threats and many other threats can be a serious problem and they will waste a lot of time to fix it.
If you have Windows + Applications + Data on ONE partition and your image is old, then you will even lose data and losing data is the worst scenario. Most images are from yesterday or older, which means you will lose your data of today or even worse.

Mrkvonic
June 17th, 2008, 02:20 PM
Hello,
What about ... not running suspected executables and thus avoid the dilemma?
I know this sounds strange, but why try to murder the operating system?
Mrk

ErikAlbert
June 17th, 2008, 02:33 PM
{QUOTE-> Hello,
What about ... not running suspected executables and thus avoid the dilemma?
I know this sounds strange, but why try to murder the operating system?
Mrk <-QUOTE}
Indeed, but most users don't care about that. They want a new screensaver, they want to try new software from anywhere, etc. No wonder they get infected.

Mrkvonic
June 17th, 2008, 02:39 PM
Hello,

Most users don't know about instant recovery software either.
I'm talking about YOU and all other SD users - why do you use the program?

So you can have flexibility in your setup?

OR

So you can try to break it?
So you can see what dangerous program that you should possibly never run in sanity can damage / destroy / infiltrate the OS?

Mrk

aigle
June 17th, 2008, 03:23 PM
{QUOTE-> Sad that so soon another virus named soft10.exe has emerged to bypass ShadowDefender v1.1.0.262.:-[

Tony has been informed and is working on it now.

Expect v1.1.0.263 very soon !:lurking: <-QUOTE}

It's just another dog. Let me repeat, it will be a cat and mouse game. It might be just futile to run after such threats.

Best policy will be to implement an add-on in an ISR that can stop driver/service install and direct disk access, MBR access etc., and this add-on can be enabled by the user if he feels the need to do so. Not so many updates will be needed then.

It's just my thinking and I am not a programmer, just an ordinary user.

Huupi
June 17th, 2008, 03:42 PM
Or something that kills threats instantly if they access memory, BOClean?

ErikAlbert
June 17th, 2008, 03:54 PM
{QUOTE-> Hello,

Most users don't know about instant recovery software either.
I'm talking about YOU and all other SD users - why do you use the program?

So you can have flexibility in your setup?

OR

So you can try to break it?
So you can see what dangerous program that you should possibly never run in sanity can damage / destroy / infiltrate the OS?

Mrk <-QUOTE}
That's why most users get infected all the time, when they use a normal system without ISR or IB. I don't need ISR (= luxury), I need minimum IB (= necessity), but I like luxury because I'm lazy.
Of course I have flexibility with ISR on board, I can do the same things, like in the past, but without the garbage like in a normal system.
The expression "frozen system" doesn't mean you are stuck with an annoying system that makes everything difficult. If that is the case, you don't know how to use it.

wat0114
June 17th, 2008, 04:47 PM
{QUOTE-> Hello,
What about ... not running suspected executables and thus avoid the dilemma?
I know this sounds strange, but why try murder the operating system?
Mrk <-QUOTE}

My thoughts exactly!

I can't believe these epic threads where people are getting bent out of shape because xyz.exe bypasses the latest sandbox application and then everyone is all happy because the developer of the sb will produce a fix for it post haste. As Mrkvonic says, just don't run suspect executables. It's that simple!

aigle
June 17th, 2008, 06:19 PM
{QUOTE-> Or something that kills threats instantly if they access memory, BOClean? <-QUOTE}
Certainly not IMO. BOClean is just another signature based product that might fail so easily.

ErikAlbert
June 17th, 2008, 06:25 PM
{QUOTE-> My thoughts exactly!

I can't believe these epic threads where people are getting bent out of shape because xyz.exe bypasses the latest sandbox application and then everyone is all happy because the developer of the sb will produce a fix for it post haste. As Mrkvonic says, just don't run suspect executables. It's that simple! <-QUOTE}
As I already said, also legitimate executables can corrupt your system due to compatibility problems with your entire system.
You also have to get rid of software completely if you don't like it. I don't trust Add/Remove or even uninstallers to uninstall software completely.

wat0114
June 17th, 2008, 08:49 PM
{QUOTE-> As I already said, also legitimate executables can corrupt your system due to compatibility problems with your entire system.
You also have to get rid of software completely if you don't like it. I don't trust Add/Remove or even uninstallers to uninstall software completely. <-QUOTE}

Hi ErikAlbert,

fwiw, I quite like your approach to system security because it's different, thinking "outside the box" as it were :) You don't have to worry about piling on a battery of different security apps in hopes of thwarting every conceivable malware threat on the planet. Not only that, your reasons given above are also no doubt valid. My mindset has changed considerably of late, as I tend to now take a more laid back approach to home computer security. Mrkvonic's approach used to bug me, as I thought he was too casual about things, but in truth he has many valid points in his approach. Just using common sense and a minimal security package, some degree of LUA and perhaps SRP (though I don't particularly like the latter) is all that is really required to avoid malware infection. I have got custom modified (more restrictive than default) "Power user" accounts set up on all three of my XP machines, with a limited Windows Services profile, and there has been no malware in > 5 years. This way no one is completely shackled. I use common sense in what I'm doing as well as what my family does. They do not surf stupid sites and I have told them to never click on links or launch attachments in email, as well as other "best practice" computer use habits. No stupid messenger services either. They do very well considering they have minimal understanding of how computers and the Internet work. There is only a software fw (with a custom made, tight ruleset) and AV on these machines, all behind a router. ATI images are in place for all machines just in case. Recovery, if needed, is quick and easy.

In truth, all three machines could have been running full Admin over this long duration and there still would not have been malware infections, simply because malware has never been encountered on these machines in this time, other than once when NOD32 was triggered by a suspect wallpaper download. It was not downloaded.

As for my latest "xyz.exe-bypasses-sandbox-application-rant", it is because "what is the point?" It will never end with these latest exploits, and vendors will always be scrambling to patch yet another stupid hole to satisfy their customers. Hackers must be having a riot reading over these threads. As has been mentioned, just use common sense and don't launch suspect files. Malware will be nothing to worry about.

EASTER
June 17th, 2008, 11:51 PM
{QUOTE-> AE also will detect and remove it immediately as an unauthorized executable.
To me, ISR-softwares don't have to protect themselves against this type of malware, because they are recovery softwares.
Security softwares or security settings have to protect ISR-softwares against this type of malware.
Let each software do its job, after all SD is not a Anti-Malware scanner.
ShadowProtect doesn't protect itself against this malware either. <-QUOTE}

Hear, hear.

Until a simple small standalone app ever becomes developed for simple install-it-and-forget-it against these MBR disrupters, Faronics' AE is an absolute positive against these executables in any form.

Seems a lot of attention is being given lately to malware makers to try to infiltrate partition/MBR which in my opinion is as destructive as file infectors ALMOST.

And it requires stopping everything you're doing if hit by one of these and inserting a CD with say TESTDISK or another MBR app that can safely return the written crap back to its original state.

EASTER

ErikAlbert
June 18th, 2008, 12:19 AM
{QUOTE->
Seems a lot of attention is being given lately to malware makers to try to infiltrate partition/MBR which in my opinion is as destructive as file infectors ALMOST. <-QUOTE}
It's a logical reaction of the bad guys to write such malware. More and more users (+ companies) are using ISR.
ISR makes all their malware disappear during reboot, no matter how hard they worked on it. That must drive them crazy and I find that very amusing. ;D
One thing they can't beat: Zero tool + Image Backup, which is usually done offline.

Like you I hope one day they create something that does protect certain areas of the disk, like MBR, etc. permanently in order to prevent low level changes. :)

Perman
June 18th, 2008, 08:06 AM
Hi, folks:

Just learned that these so called builds 260, 261, and 262 are merely SD's internal testing alpha versions, needing some tweaking/adjustments.

Failing to achieve some sort of protections is not unexpected.

The last available (bona fide official) version build IS 259.

Users (like myself) other than keen alpha/beta testers do not need to be concerned.

When the new build is ripe, it will roll out smoothly before you even know it. :-*

aigle
June 26th, 2008, 10:18 AM
Here is the GesWall log, stopping the malware from damage. :thumb:

chris2busy
June 26th, 2008, 11:19 AM
I think EQS has an option to monitor for low level disk changes... How well does this work? Any tests vs such threat families?

aigle
June 26th, 2008, 11:32 AM
I am curious too. All HIPS like SSM, NG, CFP and PS have such filters. I expect them to work well, as they worked against the KillDisk virus etc.