#1
I did a fresh install twice and the icon is an orange-yellow color. I cannot get it to turn green for virtual mode or red for non-virtual. When you hover over the icon it does say "virtual mode enabled" when in virtual mode. I checked the disk space when supposedly in virtual mode and it is taking the space, so I don't know if it's actually working and just not changing color or what. It cannot update either... it always says no internet connection of some sort.
From the start I thought maybe it was because the FW didn't make rules automatically, so I allowed every .exe in the Returnil folder with outgoing TCP 80, 443 and UDP 53 for DNS. This is a fresh install of Windows, and when I first installed it there were no other security programs installed; then on the second install I had Private Firewall (disabled on install) installed, with the same results. I'm puzzled because I have never had a problem ever with this program. Thanks
__________________
~Rilla927~

#2
__________________
once we only had ideals, today they are the only things we are missing Microsoft MVP, 2006 - 2013/14

#3
Hi Rilla927,
When you open the program and then open Home > Overview, do you see a "System requires attention" message? Mike

#4
Hi guys,
Believe it or not, I got up today and it is back to normal. I did get something about the core system not working after I rebooted after install. Yes Coldmoon, I did have the "System requires attention" message. What does that mean? Probably because it didn't do any updates, I'm assuming. Since I'm here, I have another question because I don't remember the answer: what AV engine do you guys use? It started with an F, so the only ones I could think of are F-Prot and F-Secure. Does it scan when it hits the HD? I love this program... it stays among everything else.
__________________
~Rilla927~

#5
Quote:
Are you still getting that error message?
Quote:
It can mean any of the following:
1. You have the default setting to notify the user if the Virus Guard is deactivated and you have the VG real-time monitor deactivated.
2. Vice versa to #1: if you have the Virtual Mode deactivated and the preference is changed to warn if VM is turned off.
3. You have performed a System Restore and have not checked the File Restore option. This is a little more advanced and does not mean you have to restore any files from the previous machine state, just that this option is available. To clear without restoring any files from the previous state, simply open the File Restore feature and then select not to restore any files.
Quote:
Frisk's F-Prot engine is a complement to our AI/Machine learning engine in the Virus Guard. Mike

#6
Sorry Coldmoon,
I was down a short time. No, I'm not getting that error message any more. Answers: 1) No. 2) Yes, when virtual mode is active. 3) No restore performed. The "Core Service" not working is still here and there. Sometimes when put in virtual mode the bar goes across 40 (yes, I counted) times and other times it's a random number. I just discovered the AV quarantined an exploit. How can I get this file to support to see if it is a FP? Now it has another file, nvstreaming.exe, and says "Denied". I tried to upload it to VirusTotal but it said I didn't have permission to open the file.
__________________
~Rilla927~
Last edited by Rilla927 : August 14th, 2011 at 09:40 PM.

#7
Check your quarantine and see if the file is there. If yes, you can use the exclude option and have the file returned to its original location. Once there, you can make a copy of the file and then place it in a ZIP or RAR archive to send to us - also check your upload queue to see if information for the file is pending upload to the AI analysis server.
For the content that was blocked, check the path and then make a copy of that file to send to us as described above. "Denied" simply means that it was blocked from executing so it will need to be checked by the team for a potential white list update.

#8
Okay, when I look under "log" there are two files listed. One is "quarantined" and one is "denied".
When I click "view quarantine" under scan there are no files listed. Do I use support (@) returnil .com? Nothing in the upload queue. This is the first time I have ever looked in here where the upload queue is. It also says "Do not use my permission to send files to Returnil"... is this supposed to be checked?
__________________
~Rilla927~
Last edited by Rilla927 : August 15th, 2011 at 12:50 PM.

#9
Quote:
So one file detected and quarantined by the Virus Guard and one blocked via the A-E.
Quote:
What is the one that was supposed to be quarantined detected as in the log? And yes, open a ticket so we can get a copy of the detection log (use the export option in the log menu (More actions drop down)).
Quote:
If there was anything there, it has already been sent to the AI server. That option, when checked, will simply upload the information in the queue to the AI server automatically. If unchecked, you will need to manually authorize the upload.

#10
To the first question, yes.
The file quarantined is appdata\local\microsoft\windows\temporary internet files\content.IE5\80Y3W300\counters[1].htm. Okay, I will send the log. Is it support (dash) tech (@) returnil (dot) com or support @ returnil.com? Do I still need to copy the files themselves and send them also? When in virtual mode and the AV catches something, shouldn't it be gone on a reboot?
__________________
~Rilla927~
Last edited by Rilla927 : August 15th, 2011 at 02:48 PM.

#11
Quote:
Yes, that is the correct address.
Quote:
Yes, if possible, so the research team can get a look at the actual file. In the case of the A-E block this would go towards an update of the white list if applicable. But as this is web content rather than a file on your system, it may not be possible or advisable to white list in the first place. You may need to adjust your A-E setting to the lowest level when accessing a trusted site where that content is required. If it isn't required or you do not trust that site, it might be best to simply let it be blocked just in case. From the name of the file it appears to simply be related to site tracking and would have no problems being blocked... Mike

#12
The support (dash) tech@returnil.com address was undeliverable. It bounced right back.
Where can I d/l build 13? I'm going to restore my system.
__________________
~Rilla927~
Last edited by Rilla927 : August 15th, 2011 at 09:06 PM.

#13
Hi,
Can you PM me the bounce message? That is the correct address and it should be working just fine. I tested it from my private ISP e-mail account and did not get a bounce at this end... Mike

#14
It says it couldn't deliver it because there was an illegal attachment. I will send a copy by PM.
I sent a copy of the log and a zip file with nvstreaming.exe in it. The other file that was quarantined couldn't be found in the temp file folder because there were a kazillion files in there. How can I d/l build 13? It worked much better for me.
__________________
~Rilla927~

#15
Got the PM - see the ways to get around the filters for that scenario. As for REL13, I am still waiting for the engineering team to get me a copy for you.
Once the new version is released, the binary goes the way of the dodo on the server. The team retains the code of course, but needs to compile a new exe in this scenario. Mike

#16
Okay, I have found build 13 on one of my flash drives and installed it. Thanks for trying to help with this.
The file has been sent to support. Upon restoring a clean image with no security programs except Returnil (build 14), I tried safe removal of my external USB drive and the system hung. I did a hard reset. USB flash drives remove okay. I'm just curious how the exploit that was quarantined got on the system if it was in virtual mode. Shouldn't any files detected while in virtual mode be dumped when booting out of virtual mode? The nvstreaming.exe that was denied is a FP... I confirmed that when I restored my clean image because it has never seen the internet and Returnil is the only program installed. VirusTotal detects it 2/43. This is part of Nvidia driver 275.33.
__________________
~Rilla927~
Last edited by Rilla927 : August 16th, 2011 at 12:33 AM.

#17
Quote:
Virtualization by itself has an Achilles heel: the inability to make decisions about what is good, bad, or suspicious. All it can do is remove (drop) any changes made during the virtual session at restart of the computer. This means that without other mechanisms in place, malware can infect the Virtual System and may even run as it was designed to do by the maldev who created it. This does not infect the Real System, but can be just as problematic for the user unless it is blocked (A-E) or detected and quarantined (Virus Guard). This is why RSS has these component parts. As the A-E is default deny for unknown content, the A-E serves as this type of automatic decision maker in the RVS versions without AV.
Quote:
RSS/RVS control the real disk, which allows the software to actually access the Real System when required:
1. To save content per user preferences
2. To detect and remove known malware through the Virus Guard
3. To update the VG signatures and cloud policies
4. To quarantine detected items
Quote:
That is usually a good indication that it is a true false positive. We won't know for certain until the deeper analysis is done in the lab, but I suspect that a signature/white list update is a real possibility here. Keep checking to see if the file is blocked to know when this has been updated. Mike
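As an added illustration of the mechanism described in post #17 (and of the question in posts #10 and #16 about whether a detected file should be gone after a reboot), here is a toy model of a copy-on-write session overlay over a real disk. It is not Returnil code; the class, method and path names are invented and the sample files and the one-line detection rule are constructed for the demo. Writes made during the virtual session land in the overlay (which is why disk space is consumed while virtual mode is on) and are dropped at reboot; quarantine and a signature update are the privileged write-through paths that reach the real disk and therefore survive.

```python
"""Toy model of session-level disk virtualization with a write-through
channel.  Added illustration for this thread; it is NOT Returnil code and
the class, method and path names are invented.  The sample "files" and the
one-line detection rule are constructed for the demo."""


class VirtualDisk:
    """Real disk plus a copy-on-write session overlay.

    Everything a process writes during the session lands in `overlay`;
    the real disk only changes through the privileged write-through
    methods below.  `reboot()` drops the overlay, which is the whole
    protection mechanism: nothing here decides good from bad."""

    def __init__(self, real_files):
        self.real = dict(real_files)   # survives reboots
        self.overlay = {}              # path -> bytes, or None for a deletion
        self.quarantine = {}           # kept on the real disk, so it survives too

    # ---- the view a process inside the virtual session gets ----
    def read(self, path):
        if path in self.overlay:
            data = self.overlay[path]
            if data is None:
                raise FileNotFoundError(path)
            return data
        if path in self.real:
            return self.real[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        # Never touches self.real: a dropped binary exists, and can run,
        # only until the overlay is discarded.
        self.overlay[path] = data

    def delete(self, path):
        self.overlay[path] = None      # tombstone hides the real file

    def listing(self):
        hidden = {p for p, d in self.overlay.items() if d is None}
        added = {p for p, d in self.overlay.items() if d is not None}
        return sorted((set(self.real) | added) - hidden)

    def overlay_bytes(self):
        # The space the user sees being consumed while in virtual mode.
        return sum(len(d) for d in self.overlay.values() if d is not None)

    # ---- privileged actions that reach the real system ----
    def quarantine_file(self, path):
        self.quarantine[path] = self.read(path)   # copy out to real disk
        self.delete(path)                         # and remove it from the session

    def write_through(self, path, data):
        self.real[path] = data         # e.g. a signature/policy update

    def reboot(self):
        self.overlay.clear()           # every session change is dropped


def is_malicious(data):
    # Constructed stand-in for a signature match; real engines are not this simple.
    return b"MALWARE-MARKER" in data


def scan_and_quarantine(disk):
    """Virus Guard stand-in: detect inside the session, quarantine through to real disk."""
    hits = [p for p in disk.listing() if is_malicious(disk.read(p))]
    for path in hits:
        disk.quarantine_file(path)
    return hits


def run_demo():
    disk = VirtualDisk({"C:/Windows/System32/kernel32.dll": b"real system file"})

    # Changes made during the virtual session (constructed sample data).
    disk.write("C:/Users/me/Temp/dropper.exe", b"MALWARE-MARKER payload")
    disk.write("C:/Users/me/Temp/counters[1].htm", b"<html>tracking pixel</html>")

    during_session = disk.listing()    # the dropper is visible and runnable here
    space_used = disk.overlay_bytes()

    hits = scan_and_quarantine(disk)
    # An engine update is one of the things that must bypass the overlay.
    disk.write_through("C:/Program Files/RSS/signatures.dat", b"signatures v2")

    disk.reboot()
    return {
        "during_session": during_session,
        "space_used": space_used,
        "hits": hits,
        "after_reboot": disk.listing(),
        "quarantine": sorted(disk.quarantine),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows the two sides of the point: the dropped binary is listed, readable and (in a real system) executable for the whole session, so the overlay alone stops nothing until restart; after `reboot()` the dropper and the tracking page are gone, while the quarantine copy and the signature update remain because they were written through to the real disk rather than into the overlay.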

#18
Okay, thanks for help and detailed explanation Coldmoon
__________________
~Rilla927~

#19
Hi Coldmoon,
I haven't heard anything about the FP of nvstreaming.exe since I sent it on August 15, 2011. Is there a way to check on this?
__________________
~Rilla927~

#20
Quote:
Is it detected when scanning?

#21
No, because I don't have the AV enabled in Returnil. Just wondering why I haven't heard anything.
__________________
~Rilla927~

#22
You should have received a note acknowledging the sample submission. Other than that, the support team has no means or reason to track the status of that submission outside of getting a confirmation from the research team that they have the file and that it is being analyzed to close out the ticket.
Verification of an update to resolve the detection would be from the user who reports the detection - that is, the file is no longer detected following a signature/policy update to the software. Mike