Outpost Firewall pro auto learn mode

1) Please display the properties of AZYTUL.EXE?
2) I have no such file on my setup and google search only shows your post here about it?
3) How do you know it is malicious where did it come from?

 

The wifimaster.net/raz (part named) file can be downloaded from malcode database under today's date ..28th.Running it spawned the process that outpost allowed shown in screenshot with auto learn enabled..That named process is one of many names that it seems to use.Jottis showed 11 detections earlier.mbam also detected it as malware.

 

I've been scouring the Internet with a couple of search engines and i can't find any evidence for this variety wifimaster.net/raZ of Malware, maybe its something new..

 

You can currently download it on page 4 of malcode database

 

With a current license all updates, including any version changes, are free. If the license expires then you will get no updates, including signatures, presets, etc. but you can use the software forever. This is not a major deal with the firewall but with the suite it makes the AV engine seriously outdated.

Nag screens after a year - I don't know but probably. My licenses don't expire. Sorry.

 

That is odd indeed. It shouldn't of happened. You might consider contacting Agnitum support about this. Maybe there's a reason that it considered that file trusted and/or normal. I'm not familiar with that file.

What's that Shadow Mode button above OP. Is that involved somehow?

 

I hve the suite on my desktop PC and ran that malware on it.The file name that was spawned there was pecoxa.exe and the autolearn allowed it.I disconnected from the net and ran mbam from safe mode which cleaned it.I repeated runnning the malware from my laptop which also has the suite on which when run spawned the other named file.The shadow mode is because on my laptop i used shadow defender to revert back to clean system.on the desktop i didnt but resulys were same apart from tje file name which changes.If anyone is familiar with malcode database the file can be downloaded under malware for the 28th .It will probably be a few pages back by now but would be nice.if another outpost user tested it in autolearn too.

 

I can't think of a reasonable explanation but I have no time to fool with dowloading malcode and testing. You should contact Agnitum support and have a dialog with them: http://www.agnitum.com/support/contact.php

I informed them and hopefully they will reach out to you.

 

Manny do you know what i miss ?

the alarm sound of attack detection!!

 

I submitted the file to agnitum.I ran it again today,only with antileak at max and noticed that the spawned file (different name ukmeh.exe) is marked as trusted (green) in the outpost popup.Anyway heres the mbam log for any thats interested.
...................................................................
Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.28.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
***** :: HOME [administrator]

Protection: Disabled

02/03/2013 12:50:18
MBAM-log-2013-03-02 (12-56-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202198
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Detected: 1
C:\Users\*****\AppData\Roaming\Ijucdu\ukmeh.exe (Malware.Packer.SGX1) -> 3168 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{AD6CF4F3-190B-AD42-8B3B-1F5FAA083C42} (Malware.Packer.SGX1) -> Data: C:\Users\*****\AppData\Roaming\Ijucdu\ukmeh.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\*****\AppData\Roaming\Ijucdu\ukmeh.exe (Malware.Packer.SGX1) -> No action taken.
C:\Users\*****\Downloads\raZjQgsG.exe (Malware.Packer.SGX1) -> No action taken.

(end)
............................................................................

 

I haven't heard any sound out OSS in a good while either. Actually, even though alerts says it should have sound I don't see a sound file for it. Beats me. I don't remember seeing an AD popup in a good while either so I wasn't aware sound was missing.

Why don't you submit it as a bug report to support.

 

i did submit the log bug
maybe it's a bug
in outpost pro 8 , i disable the log, but outpost continues to log
i submit in the outpost forum

 

Better log here from outpost showing malware allowed through with auto learn.Seems to be some memory injection going on.The malware file razjqgsg(1).exe when executed is allowed ,which then creates the taez.exe (name randomly changes) which outpost also allows.The file then seems to use memory injection on windows dwm.exe (desktop management) which is then allowed by auto learn.It sets some autostart entries too.The thing that bugs me is that its allowed through outpost with ease ,but the actual thing is really easy to get rid of.Just using taskmanager closes the process and it can be deleted.Sent ticket and uploaded file to agnitum.
...........................................................................
2013/03/03 21:54:42 [EXPLORER.EXE:1340] create process "c:\users\*****\desktop\razjqgsg(1).exe" [0000505c]
2013/03/03 21:54:42 allow [0000505c]
2013/03/03 21:54:42 action allowed (sync) [0000505c]
2013/03/03 21:54:47 [RAZJQGSG(1).EXE:4108] create process "c:\users\*****\appdata\roaming\obixy\taez.exe" [00005060]
2013/03/03 21:54:47 allow [00005060]
2013/03/03 21:54:47 action allowed (sync) [00005060]
2013/03/03 21:54:52 [TAEZ.EXE:5124] write memory "C:\WINDOWS\SYSTEM32\DWM.EXE" [00005064]
2013/03/03 21:54:52 process event: allow by autolearn [00005064]
2013/03/03 21:54:52 action is accepted for session[00005064]
2013/03/03 21:54:52 process_rules: allow action [00005064]
2013/03/03 21:54:52 [TAEZ.EXE:5124] allow write memory "C:\WINDOWS\SYSTEM32\DWM.EXE" [00005064]
2013/03/03 21:54:52 action allowed for session (sync) [00005064]
2013/03/03 21:54:52 sending sys_guard common rules
2013/03/03 21:54:52 sending sys_guard global rules
2013/03/03 21:54:52 sending sys_guard process rules
2013/03/03 21:54:52 sending app_guard global rules
2013/03/03 21:54:52 do not send folder_guard config - disabled
2013/03/03 21:54:52 sending antileak global rules
2013/03/03 21:54:52 sending antileak process rules
2013/03/03 21:55:00 [RAZJQGSG(1).EXE:4108] create process "c:\windows\syswow64\cmd.exe" [00005068]
2013/03/03 21:55:00 process event: allow by rule[00005068]
2013/03/03 21:55:00 action is accepted[00005068]
2013/03/03 21:55:00 process_rules: allow action [00005068]
2013/03/03 21:55:00 allow [00005068]
2013/03/03 21:55:00 action allowed (sync) [00005068]
2013/03/03 21:55:01 [TAEZ.EXE:5124] change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Run\{F2E5DE36-E927-AD40-6214-39195D561A04}" [0000506c]
2013/03/03 21:55:01 process event: allow by autolearn [0000506c]
2013/03/03 21:55:01 action is accepted[0000506c]
2013/03/03 21:55:01 process_rules: allow action [0000506c]
2013/03/03 21:55:01 [TAEZ.EXE:5124] allow change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Run\{F2E5DE36-E927-AD40-6214-39195D561A04}" [0000506c]
2013/03/03 21:55:01 action allowed (sync) [0000506c]
2013/03/03 21:55:01 sending sys_guard common rules
2013/03/03 21:55:01 sending sys_guard global rules
2013/03/03 21:55:01 sending sys_guard process rules
2013/03/03 21:55:01 sending app_guard global rules
2013/03/03 21:55:01 do not send folder_guard config - disabled
2013/03/03 21:55:01 sending antileak global rules
2013/03/03 21:55:01 sending antileak process rules
2013/03/03 21:56:00 [TAEZ.EXE:5124] change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable" [00005070]
2013/03/03 21:56:01 process event: allow by autolearn [00005070]
2013/03/03 21:56:01 action is accepted[00005070]
2013/03/03 21:56:01 process_rules: allow action [00005070]
2013/03/03 21:56:01 [TAEZ.EXE:5124] allow change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable" [00005070]
2013/03/03 21:56:01 action allowed (sync) [00005070]
2013/03/03 21:56:01 [TAEZ.EXE:5124] change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer" [00005074]
2013/03/03 21:56:01 process event: allow by rule[00005074]
2013/03/03 21:56:01 action is accepted[00005074]
2013/03/03 21:56:01 process_rules: allow action [00005074]
2013/03/03 21:56:01 [TAEZ.EXE:5124] allow change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer" [00005074]
2013/03/03 21:56:01 action allowed (sync) [00005074]
2013/03/03 21:56:01 [TAEZ.EXE:5124] change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings" [00005078]
2013/03/03 21:56:01 process event: allow by rule[00005078]
2013/03/03 21:56:01 action is accepted[00005078]
2013/03/03 21:56:01 process_rules: allow action [00005078]
2013/03/03 21:56:01 [TAEZ.EXE:5124] allow change critical object "HKEY_USERS\S-1-5-21-666998238-3927855050-4186091600-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings" [00005078]
2013/03/03 21:56:01 action allowed (sync) [00005078]

 

Is this the same file: http://www.backgroundtask.eu/Systeemtaken/taakinfo/221559/Main/disclaimer.php

 

The name seems to be the same but the hash and size are different.I uploaded the file at this site and it said unknown process ,after temporary analysis.I dont really like the way it tends to visually show that its probably safe ,even though its showing unknow process.Comodo valkyrie upload shows it as malware with memory code injection,mutexes created etc among other things.As you can see when executed under thier conditions theres different process names ,folder names which is expected.
.....................................................................File Info
Name Value
Size 313344
MD5 c0807e0377a3f36d493e89da85f8556d
SHA1 3dc4d7b8a83f4270bfa804a9813ad9333afbc9b3
SHA256 e3b98eea4409b6c16f1319618f64879a15c2f6f4876897ca798b2d0853db894a
Process Active
• Keys Created
Name Last Write Time
CU\Software\Microsoft\Suyvy 2010.08.24 19:22:50.343
• Keys Changed
• Keys Deleted
• Values Created
• Values Changed
• Values Deleted
• Directories Created
Name Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\User\Application Data\Ucylem 2008.08.07 03:37:39.498 2008.08.07 03:37:39.498 2008.08.07 03:37:39.498 0x10
• Directories Changed
• Directories Deleted
• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 313344 2008.08.07 03:37:39.498 2008.08.07 03:37:39.498 2008.08.07 03:37:39.498 0x20
• Files Changed
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId Process Name Image Name
0x68c uvov.exe C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe
• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x3dc svchost.exe 0x640 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x68c uvov.exe 0x600 0x7c810867 MEM_IMAGE 0x4010b0 MEM_IMAGE
• Modules Loaded
• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x41cbdf CreateRemoteThread(hProcess: 0xd0, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x17fadea, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0)|0xd4
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x41cbdf CreateRemoteThread(hProcess: 0xd0, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x92adea, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0)|0xd4
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x41cbdf CreateRemoteThread(hProcess: 0xd0, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x295adea, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0)|0xd4
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x41cbdf CreateRemoteThread(hProcess: 0xd0, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0x9eadea, lpParameter: 0x0, dwCreationFlags: 0x0, lpThreadId: 0x0)|0xd4
• DNS Queries
• HTTP Queries
• Verdict
Auto Analysis Verdict
Suspicious+
• Description
Suspicious Actions Detected
Injects code into other processes
• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x67c C:\TEST\sample.exe 0x40a6c1 Global\{B261300D-36AB-D5D6-DD05-A41FD1F1870D}
0x67c C:\TEST\sample.exe 0xa02386 Global\{2700254F-23E9-40B7-DD05-A41FD1F1870D}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-00E0-B06D0C14937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-0CE6-B06D0012937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-14E0-B06D1814937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-24E7-B06D2813937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-28E6-B06D2412937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-3CE2-B06D3016937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-44E4-B06D4810937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-54E3-B06D5817937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-60E5-B06D6C11937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-98E3-B06D9417937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-9CE6-B06D9012937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-BCE1-B06DB015937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-C4E0-B06DC814937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-CCE2-B06DC016937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-D0E3-B06DDC17937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-E4E1-B06DE815937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-E8E1-B06DE415937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40a63b Global\{707B13D8-157E-17CC-F4E3-B06DF817937F}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40aeef Local\{0D781546-13E0-6ACF-DD05-A41FD1F1870D}
0x7b4 C:\WINDOWS\system32\cmd.exe 0x162386 Global\{2700254F-23E9-40B7-DD05-A41FD1F1870D}
• Events Created or Opened
PId Image Name Address Event Name
0x67c C:\TEST\sample.exe 0x40b0fc Local\{1FAB5749-51EF-781C-DD05-A41FD1F1870D}
0x68c C:\Documents and Settings\User\Application Data\Ucylem\uvov.exe 0x40afbe Local\{1FAB5749-51EF-781C-DD05-A41FD1F1870D}
0x7b4 C:\WINDOWS\system32\cmd.exe 0x77a89422 Global\crypt32LogoffEvent
....................................................................

 

Odd, isn't it? One place calling it safe and another malware. Lets see what Agnitum has to say about it.

 

I'm not sure how agics site works but I'm pretty sure the file wasn't run like it was at Valkyrie site.It was literally a few seconds before it gave a verdict.It seemed a little too quick to analyse it properly.....but then again what do i know?

 

Well, I was informed that this will be fixed in the next set of updates. Perhaps by tomorrow. I don't yet have all the information of what this is all about but maybe you could do this again in two or three days and see if the problem remains.

 

Thanks for the info Manny....will check in a few days or so.

 

I had an email from agnitum today saying that the malware is now detected in the security suite by the av part of it......and nothing else about why it easily bypasses the hips part of outpost and why it shows as trusted.I tested today and indeed the antmalware module detects it in the suite.Unforotunatley though if the av is off or if your just using outpost pro firewall ,then the malware is still able to bypass outpost in autolearn mode and still shows as trusted.In view of this i would say keeping outpost in auto learn permanently is not a good idea.See pics aboked.exe.

 

Thanks for testing. There's an additional check besides the AV and that is what's called the Static Analyzer of Unknown Malware (abreviated SPA). SPA does additional checks of files characteristics to determine what kind of file it might be. It's not 100% as you saw but they are adding additional criteria that should help. My point is that it doesn't mean that the firewall without the AV doesn't do any checking. It does. Of course, the additional checking by the AV signatures helps.

We are having further discussions on this topic since I'm not yet sure I fully understand what happened here. Since we are in such different time zones this conversation may take a while but I'll get back to you about it.

Thanks for hanging in there.

 

I see a 6.5.1 version available at FileHippo.

http://www.filehippo.com/download_outpost_firewall/

 

Question 1:how Outpost FW should be configured to alert if a program wants access to internet?
Question 2:the free FW (not the suite) version works on Win 7?As far as i remember when i tried it last time,it wont install if it detects Win 7.

 

When trying this out, I noticed that when an UAC pop-up appears when an Outpost pop-up is on the screen, the Outpost pop-up just disappears. In the logs I can only find that something was requested, not if it was blocked or allowed.

 

When you download the free version "6.5.1" you'll see an offer to upgrade to the 7.1 pro version for $9.95,
something like that, its a great deal!!