ZAM Free

Discussion in 'other anti-malware software' started by gorblimey, Jul 26, 2017.

  1. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    Just turfed Avast for s#&%ing 2 hours of hard work with a surprise upgrade banner--trying to drag myself back to Earth from Sirius Major I must have clicked the "Upgrade" icon...

    Anyway, instal ZAM Free and light the blue touch-paper, I get:
    ZemanaFirstScan.png

    I have no idea where "EnableShellExecuteHooks" came from, and I think I need to know. ZAM has deleted the entry, but what would have put that there? I do have to say I have not seen anything that looks like malware on this box.
     
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
Assuming you mean Zemana AntiMalware, I have not used it to decide if I trust it, or not. I would scan it with something else (regardless of what I was using) - CCleaner and Malwarebytes for example and see what they say. I hate these "potentially unwanted ______" findings. I want my scanners to conclusively tell me if something is "malicious" or not.
     
  3. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    It's always a good idea to scan with another scanner, better if using different signatures, for example hitmanpro.
    About "EnableShellExecuteHooks", it could be related to browser hijacking:
    http://blog.zemana.com/2016/06/youndoocom-using-shellexecutehooks-to.html
     
  4. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    @Bill_Bright & @imuade, thanks for the input. ZAM--as was Avast--is not my primary anti-malware, VS does that now. And yes, "Potentially Unwanted Anything" covers a lot of false positives: ZAM promptly flagged HashGenerator and DownloadHashVerifier as PUPs :oops:

I did do a quick search on "EnableShellExecuteHooks", and it wasn't reassuring. And I did have a browser hijack attempt some time ago, before I found VS: it was a rogue ad on Major Geeks, but it was bowled for a golden duck (ask @Krusty) by CryptoPrevent. I swept up quite a lot of debris from that one, so the registry hack could well have come from that.
     
  5. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Drawing a blank on VS - what's that?

FTR, I use Windows 10's built-in Windows Defender and Windows Firewall as my primary security and Malwarebytes as my secondary on all our systems here. I use Pale Moon as my primary browser with IE as my secondary. Never had any security issues - but I do "practice safe computing" by, first and foremost, making sure my systems stay current; I don't partake in risky behavior like illegal filesharing via Torrents or P2P sites, and I am not "click-happy" on unsolicited downloads, links, popups, or attachments. Of course, those are the same precautions users must take regardless of their security setup.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Voodooshield

    Many of us use it. If you e-mail Dan he will give you a free two year license.
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Yeah, I just realized that when I saw another thread mention Voodooshield.

    Thanks.
     
  8. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    Free? They're practically giving the Premium version away!
     
  9. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
The licence didn't work for me, but I still use the free version of VS.
     
  10. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
With respect to the Hollies, "Sometimes all I need is the air that I breathe": ZAM seems to be a lot like VS, you can pay for the Premium, but the free version will do a more than competent job. Not that I have problems with paying a licence fee, but only if I need it for functionality. And somebody in the earlier pages of the VS thread did say that all you need is ZAM free and VS (free?) for more than adequate protection.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    ZAM free doesn't have realtime protection
     
  12. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    No. But VS does. So VS as primary layer, with ZAM Free for forensics and preemptive cleaning.

    BTW, the box boots much faster with ZAM Free than it did with Avast! I wonder why? :p
     
  13. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, that's exactly my setup :thumb:
     
  14. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    After a spot of forensics on the Registry, and a quick email, it is confirmed from Kay Bruns personally that SuRun "... uses a ShellExecute Hook to intercept Process creation in a by Microsoft officially supported and documented way." I also found that SuRun has reinstated the key...

    FWIW, SuRun (http://kay-bruns.de/wp/software/surun/) is a sudo for Windows, extremely useful for localised Elevated Rights rather than Windows "Run As" putting you into the Admin account context.

    I reckon this is where VS--or some anti-executable--as primary defense is absolutely necessary, as I'm not sure any real-time AV protection would catch a browser hijack using a ShellExecute.

    But I am impressed with ZAM.
     
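An added audit script for the value discussed in the post above; it is not from this thread, from Zemana or from SuRun. It reads the EnableShellExecuteHooks policy value (Explorer ignores shell execute hooks unless it is set to 1) and lists every CLSID registered under ShellExecuteHooks with the DLL that implements it and that DLL's Authenticode status, so a hook you installed yourself (SuRun here) can be told apart from one you did not. It assumes the standard Explorer registry locations and an elevated PowerShell session.

```powershell
# Added audit script (not from the thread, Zemana or SuRun): show whether
# shell execute hooks are enabled and which hook objects are registered.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# EnableShellExecuteHooks = 1 re-enables hooks that Windows 7 and later ignore by default.
$enabled = (Get-ItemProperty -Path $policyKey -Name EnableShellExecuteHooks -ErrorAction SilentlyContinue).EnableShellExecuteHooks
"EnableShellExecuteHooks = $(if ($null -eq $enabled) { '<absent>' } else { $enabled })"

if (-not (Test-Path $hooksKey)) { 'No ShellExecuteHooks key present.'; return }

# Every value name under the key is the CLSID of a hook COM object.
$clsids = (Get-ItemProperty -Path $hooksKey).PSObject.Properties |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object { $_.Name }

foreach ($clsid in $clsids) {
    # Resolve the CLSID to its in-process server DLL (64-bit, 32-bit and per-user views).
    $server = $null
    foreach ($root in @('HKLM:\SOFTWARE\Classes\CLSID',
                        'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
                        'HKCU:\SOFTWARE\Classes\CLSID')) {
        $p = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path $p) { $server = (Get-ItemProperty -Path $p).'(default)'; break }
    }
    $path = '<no InprocServer32>'; $status = 'Unresolved'; $signer = ''
    if ($server) {
        $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        if (Test-Path $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status                     # Valid / NotSigned / HashMismatch ...
            $signer = $sig.SignerCertificate.Subject  # who signed the hook DLL, if anyone
        } else { $status = 'FileMissing' }
    }
    [pscustomobject]@{ CLSID = $clsid; DLL = $path; Signature = $status; Signer = $signer }
}
```

A hook whose DLL is unsigned, missing, or lives in a user-writable folder is the one to investigate; a SuRun or security-product DLL with a valid signature explains a finding like the one in this thread.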
  15. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    Ummm. This (below) turned up today.
    VSalertBlock.png

    The first, my son allowed the block. The second, I blocked. The third appeared when ZAM Free wanted to update itself, and I blocked it immediately.

    So, I think the offender is ZAM. ZAM's notification icon has now disappeared :confused: But the %appdata% folders have disappeared and I cannot interrogate them.

    Is this the way ZAM upgrades itself? Because the alert looks pretty dodgy with no sig & etc. (sorry, I screenshotted it, but immediately overwrote with Wilders password o_O).
     
  16. guest

    guest Guest

    The hash of all three blockings is the same (at least the beginning of the hash), so in all three cases ZAM tried to update itself.
    Yes, the offender should be ZAM :)
    And according to the changelog, a new version has been released yesterday:
     
  17. gorblimey

    gorblimey Registered Member

    Joined:
    Jan 19, 2017
    Posts:
    158
    Location:
    West Oz
    Yes, the hashes are identical in every case. But this would also apply if it was malware...

    And I just got an email back from Zemana Support:
    Unfortunately I'm not sure Dan can treat this as "False Positive" since there is no parent process, and the folder and file names are different every time--exactly as malware does it.

    I hope that Zemana reps take a dekko at these pages occasionally, because I explained the problem in minute detail when I emailed Zemana Support, including both the varying random-looking names and the lack of a parent process. Life becomes really difficult when the anti-malware looks like actual malware :sick::gack:

    I might have to suss out MBAM... I already use that as a forensic scanner.
     