Hi, Thank you for all the information shared regarding this issue with SecureAPlus. We would like to investigate this issue further. Please share with us the ransomware sample file by zipping it with the password “infected” and send it via email to secureaplus@secureage.com. Your assistance is valuable in ensuring that SecureAPlus can protect its users. Regards, SecureAPlus Team
Thank you for your swift response! I have submitted the 2 samples via the service you mentioned. File name should be "Downloads.7z" with password "infected". I have also attached it to the original thread on the forums in case.
SecureAPlus APEX engine doesn't scan other file formats like JS/VBS? It says "Format Not Supported" here.
I noticed in my own testing that sometimes APEX's result will be "unknown". The user should have the option to submit any files unknown to APEX on the system to APEX in the cloud. I've noticed that APEX on my system won't detect certain things that APEX on VirusTotal will detect. Also... the databases of the engines in your cloud need to be updated once per hour. I've changed my thoughts about that. I once thought that once every 6 hours would be enough. But I'm starting to see the same engines on VirusTotal detecting things on VirusTotal that aren't being detected by the engines in the UAV cloud. One more thing! The inner workings of Avast and AVG have been identical since the first update after the makers of Avast bought AVG. If one of them detects something, they both will detect it as the same thing. And several of the makers' engines on the mobile app don't offer a mobile version of their product. So a lot of those engines will never detect Android-based malware. The only two that you have in the mobile app that detect Android-based malware are Sophos and Avast, but I don't even know if the installation of Avast that you have on the UAV includes the signatures for Android malware. Those are some of the things I've observed while fiddling with your software.
The same goes for false positives, both from APEX and whitelisting alerts, a button to report on the alert popup window would be awesome. Esse
I don't have too many false positives from APEX. Did you set yours to maximum by any chance? That would do it. And as for the whitelisting prompts, what did you expect? A lot of software isn't whitelisted by SecureAge yet. If there's software that isn't whitelisted yet and you're fairly certain that it's safe, you can email them with a link to where you got the software, a link to a VirusTotal rating that was submitted more than a few days ago, and MD5, SHA1 and SHA256 hashes of the setup file. Then they can look at it and determine if the publisher is actually trustworthy or not. In the meantime, whenever a whitelisting prompt comes up and it's not known to the UAV yet, upload it to the UAV and also check it on VirusTotal. If it's not known to VirusTotal or the UAV and has an invalid digital signature, or if the digital signature section of the prompt comes up with an error, it's probably bad. If it's unknown to VirusTotal, upload it there and then do a re-scan of it a few hours later before allowing it through S.A.P. And be sure to do a re-scan of it even if it is known to VirusTotal.
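Added example, not part of the thread or any poster's words: a short Python script that computes the MD5, SHA1 and SHA256 of a setup file in a single pass and lays out the details the post above lists for a whitelisting request. The function names, the sample file and both URLs are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# The three digests the post asks for when requesting whitelisting.
ALGORITHMS = ("md5", "sha1", "sha256")


def file_digests(path, chunk_size=1 << 20):
    """Read the file once in chunks and feed every hasher from the same
    buffer, so large installers are not read three times."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def whitelist_request(path, download_url, vt_url):
    """Build the plain-text body of a whitelisting request e-mail."""
    path = Path(path)
    digests = file_digests(path)
    lines = [
        f"File: {path.name}",
        f"Size: {path.stat().st_size} bytes",
        f"Download link: {download_url}",
        f"VirusTotal report: {vt_url}",
    ]
    lines += [f"{name.upper()}: {digests[name]}" for name in ALGORITHMS]
    return "\n".join(lines)


def demo():
    # Constructed sample: a tiny stand-in for a real setup file.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "setup.exe"
        sample.write_bytes(b"abc")
        return whitelist_request(
            sample,
            "https://example.com/setup.exe",                  # placeholder URL
            "https://www.virustotal.com/gui/file/<sha256>",   # placeholder URL
        )


if __name__ == "__main__":
    print(demo())
```

Hash the exact file you downloaded, before running it, so the digests in the e-mail match what the vendor retrieves from the download link.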
APEX set on medium, of course you can send emails, upload to VT and what not, why do you think I want a report/submit button in the alert popup...
I wouldn't want a report button like that. You can just email them with the info and ratings. They're pretty quick to answer emails.
The EXE for the "compact whitelist" command uses a lot of RAM by the time it's done. While it's running on my system it can use anywhere between 3GB to nearly 7GB.
Do you notice any significant benefits from compacting the whitelist? If so, please summarize what they are. (This is an honest question. I compacted the whitelist a while back. It took a good bit of time to finish & I couldn't tell what, if anything, it accomplished.)
The compact whitelist command removes invalid entries from the whitelist. Meaning any listing in the locally stored whitelist of a file that doesn't exist on your system anymore.
Does this program only detect on execution? I tried downloading some malware to test and nothing happened except for when I did a manual scan.
If you have the folder on the test system when you first install S.A.P., it won't work right. It only keeps a clean machine clean. In my own testing I've noticed it will scan and detect every known piece of malware in any folder you have open, right-click-scan or no. But if the cloud lookup time takes too long or if the locally installed APEX doesn't detect it right away, then yes, it's only on execution. Don't be worried about DLL injections, I've seen the application whitelisting stop those. I've also seen the application whitelisting stop Python files (even before the script-stopper was programmed to deal with Python scripts). I've been using S.A.P. since around late 2012 to early 2013 or so. I don't know if they recognize my name whenever I email them about a problem I discover, but they're always quick to fix things that are broken. If you see a problem with the software, report it to their email support team and they WILL fix it. They have a track record of that.
APEX is a great engine when it comes to detecting binaries. It catches a lot of those earlier than other programs. But overall SecureAPlus on its defaults is bypassable, especially if the average user thinks the application is safe and APEX doesn't detect it or the file format is unsupported. Also the fact that once you allow the program, SecureAPlus will add the program to its trusted whitelist list. I honestly don't like that implementation. UAV cloud needs to have more engines, especially the ones from the top products. It's a program that I am on the fence with right now. Personally I find WSVX superior to APEX and SecureA as a whole in my tests. Also a product like Kaspersky Free is much more automated and feels much better than SecureAPlus.
What I highlighted there. Yes, the defaults suck. Switch the whitelisting setting to the "name and thumbprint" option and that's pretty much all you need to change on it. Whatever APEX and/or the UAV misses will be blocked by the application whitelisting so long as you have the name and thumbprint option selected. But if you have a guest user, you need to password protect S.A.P. and leave it in silent mode. Any novice user that would give S.A.P. a try would need to watch some demos on YouTube or something. That would be a good thing to put on your YouTube channel, SecureAge. And then embed that video on how to handle a S.A.P. alert on your website. A step by step guide on how to upload the unknown file to the cloud and also a step by step guide on checking VirusTotal and doing a re-scan on VT too. Arm your home-users with knowledge so they won't need to email you about anything related to just using the software.
All that being said, it would be nice to have an option to automate actions like automatically uploading stuff to UAV cloud. Automatic quarantining of threats.
There's an option that's enabled by default to auto-upload samples to the UAV cloud, it probably gets analyzed by APEX whenever that happens. As for automatically blocking and quarantining things... Well first, you absolutely need to change this first setting if you haven't already. Go to the main UI > App Settings > Application Whitelisting > Basic settings. And then select "Name & Thumbprint in Trusted Certificate List". You will need to be using the paid version for that to be possible. And make sure it's in "lockdown mode" and never "automatic mode". After that, close the UI and right-click the tray icon. Click on silent mode and that will solve a lot of your problems with auto-quarantining known threats. Anything detected by APEX or the engines in the UAV cloud will be auto-quarantined instantly. If you have a little one that uses the PC, you will definitely need to password protect S.A.P. after switching it into silent mode. This will prevent not only tampering, but uninstallation as well. If you're looking for something to pair it with, the free version of Avast with PUP detection and scanning for "tools" enabled on everything, in addition to enabling "hardened mode", would make your system more or less uninfectable. You will need to disable the option in S.A.P. that makes it register with the security center though. Avast has a silent mode too. And you'll definitely need to password protect the settings and the UI of Avast too. In terms of positive identification, Avast is the best. In terms of prevention, S.A.P. and VoodooShield are the best. But I digress from the topic of this thread. I hope what I said here was helpful.
Does silent mode still give you alerts when threats are detected and auto quarantined? I guess it's more of a gaming mode thing where there are no alerts.
Silent mode gives no alerts at all. If a threat is detected it instantly quarantines it with no fuss. Just make sure that silent mode is also in lockdown mode. Automatic mode still needs some changes made to it, and the way it is now I can't recommend using it to anyone.
Hi all, SecureAPlus 6.5.2 is out now. SecureAPlus 6.5.2 Release Notes – SecureAPlus Support Pages https://www.secureaplus.com/download/download-thank-you/ With best regards, Mops21