Emsisoft Anti-Malware & Emsisoft Internet Security 10 available

Discussion in 'other anti-malware software' started by emsisoft, May 10, 2015.

  1. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    As mentioned I am NOT suggesting to have Paranoid Mode brought back. I'm just pointing out an issue that lowers the security of the behavior blocker, at least for advanced users, and hoping you will fix it, one way or another.

    I'll look forward to the fix you have mentioned and I will definitely test it and let you know whether it can stop the PowerShell attack or not. As for now, I will stay with the old version of Emsisoft Antimalware so I can still be protected from PowerShell attacks.

    Once again we see how newer is not always better.
     
  2. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You have repeatedly asked for an option to be introduced to disable the whitelisting. Disabling the whitelisting is the one and only thing Paranoid Mode did. Therefore you repeatedly requested that Paranoid Mode come back.

    To be completely fair, you are pointing out a theoretical issue that nobody had a chance to verify, as you don't want to share your exploit with anyone. Everyone is just guessing at this point. There is a real chance that the exploit you are complaining about will never be fixed because of that, because without an actual proof of concept to analyze, we will continue to just guess and stab in the dark. Vague hints of how it supposedly works and what it supposedly does are not much to go on.

    Sticking to an old version means you can't get any updates, including signature updates. That alone is a bigger security risk than any PowerShell based attack could ever be.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I agree. As I understand what happened, an email attachment contained an Excel document. When the Excel opened, it executed a macro in the document containing a PowerShell command that launched the malware payload. Since macros are disabled by default in Excel, I really don't see how this scenario could have happened. Macros in MS Office products have been disabled by default for a number of years.

    -EDIT- Here is something very similar to what the OP is referring to: http://www.hackinsight.org/news,243.html

    Note the following excerpts:

    A legitimate and undetectable by AntiVirus method to deliver an executable (if the executable itself is undetectable of course), is by embedding an object to a PowerPoint presentation. However, it only works on MS Office 2007 and earlier versions, but not on MS Office 2010 or 2013.

    When the document is opened by the target, he will be notified that “Macros have been disabled” by a security warning bar. It is crucial to trigger target’s curiosity in order to bend his will and make him enable macros.
     
    Last edited: Aug 11, 2015
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Of course you can. Just disable the "Enable beta updates" option and you don't get beta updates and go back to the latest stable version. That being said, we fixed the blue screen you were experiencing in the latest beta version we just released.
     
  5. javagreen

    javagreen Registered Member

    Joined:
    May 2, 2005
    Posts:
    96
    I believe I have received this update, but it seems to be downloading this update over and over again after each reboot, and keeps prompting for a reboot.

    Windows 10 home x64.
     
  6. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You can go to C:\Windows\System32\Drivers and rename the fwndislwf64.sys file you find there to fwndislwf64.old. Then reboot. This should fix the reboot loop.

    PS: In the extremely unlikely off chance that your internet connection stops working afterwards, go back to the directory and rename the fwndislwf64.old file back to fwndislwf64.sys and reboot again.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's another "goodie" based on recent 0-day macro exploit: http://www.securitysift.com/ . Again only applicable if macros are enabled in the respective MS Office executable.

    And an excerpt from the article to show how truly dangerous powershell can be:

    Even after bypassing any Exchange-based AV and successfully delivering the attachment to the target, you still have to deal with AV detection for the downloaded executable. In many large organizations this means not only bypassing client-side AV once it’s downloaded, which is relatively easy (see here for more), but also firewall and web proxy AV, which could prevent the download altogether. Sure it can be done, but if you’re using a macro-based exploit in a penetration test, why try and tackle AV bypass if you don’t have to?
    Instead I figured why not remove the executable entirely and harness the power of Powershell? For our demo we went with a simple Meterpreter reverse TCP shell, generated with the handy Unicorn tool (by Dave Kennedy at TrustedSec).

    Rather than wrestle with VBS and its quirky string length limits, we can embed the Powershell script right into the Document properties of the Word file (in this case, the Author field) and just reference the value via a local function variable in our macro.

    http://www.securitysift.com/wp-content/uploads/2015/02/macro1.png

    We don’t want the Powershell window to display for the end user at all, hence the -nologo, -win hidden, etc.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think you've made your point.
     
  9. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,338
    Location:
    Adelaide
    Fabian Wosar You have the patience of a saint, that's all I'll say :thumb:
     
  10. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Ask Peter, I am really not that patient. But as long as I have a feeling people are interested, I don't mind explaining and repeating things.

    The attack itman's article showcases will be mitigated with one of the next updates by the way.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    This worked perfectly here... Thanks!
     
  12. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Glad it worked for you. We will supply a new beta update that finally fixes this annoying issue for good in the next day or two :).
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    WIN10 is keeping you busy :D
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Honestly? XP and Vista are so much bigger of a pain than Windows 10 could ever be. Mostly because these ancient OSes often come paired with ancient hardware as well. I recently "dared" to enable SSE support in some of our components and we instantly had XP users with 15 year old CPUs show up complaining that EAM stopped working.

    Luckily I won't have to deal with XP or Vista in a couple of months anymore as we won't support either of them past April 2016.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    True, didn't consider this... I can imagine that maintaining compatibility across all these different OSs is quite a challenge!
    [and your last sentence will create some turmoil from XP and VISTA users]
     
  16. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    We did announce it about 2 months ago and so far pretty much nobody cares:

    http://blog.emsisoft.com/2015/06/24/support-for-windows-xp-and-vista-will-end-april-2016/

    In the meantime the amount of people using our products that still use XP or Vista is going down rapidly. Especially since the Windows 10 release.

    The harsh and cold hard truth, though, is that you can't protect XP at this point. That is especially true for the latest kernel mode code execution vulnerabilities that were found in the past couple of months, which all exist under XP as well, obviously completely unpatched. So I think it is time for us to stop pretending that XP can somehow still be used safely on the internet and just move on.
     
  17. javagreen

    javagreen Registered Member

    Joined:
    May 2, 2005
    Posts:
    96
    Fixed the issue for me too, thanks!
     
  18. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,338
    Location:
    Adelaide
    My colleague sitting at the desk right next to me is using XP with outdated versions of Flash and Java. Our IT guy doesn't seem to care. What could possibly go wrong?
     
  19. javagreen

    javagreen Registered Member

    Joined:
    May 2, 2005
    Posts:
    96
    Okay I have the same reboot loop again. Do I need to rename the same file this time too?
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    A fix was issued for the boot loop, see here: http://changeblog.emsisoft.com/
    Version 10.0.0.5629, but of course you will be requested to re-boot (once again). :)
     
  21. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    That problem is fixed in 5629. You may still get this loop once when updating from 5601 to 5629. But the first update and reboot performed with 5629 should get rid of it :).
     
  22. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    What I am hoping for is that the behavior blocker becomes as effective now as it was in the old version (so it can once again stop the described attack via macro/PowerShell). How it's achieved or what it is called, is less important. I'm concerned about security, not word games.

    Understood, and I really wish I could share the document. I am a bit surprised though as I know that the PowerShell attack is used by banking malware, so I had no idea this would be hard to reproduce. I mean, it's not a new thing. I could be wrong of course, but it is still my impression that most people with knowledge of penetration testing and the use of Metasploit know exactly what is happening based on my description. I might ask my friend again if I can please share the malicious document for the benefit of all of us, but I think I know the answer already.

    I have the AV disabled anyhow as I don't believe much in the blacklisting approach and know how easy it is to FUD malware. I use the behavior blocker as a supplement to my HIPS.



    @itman
    As you have already guessed, I needed to allow the macro to run. But there are malware campaigns using this method, and some users do in fact allow the macro to run.
     
  23. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I refer to my recent posts in this thread, and problem concerning a BSOD after updating EAM beta version.

    Earlier today, I updated another of my snapshots that was running v10.0.0.5532 last updated on July 24. I am now at v10.0.0.5561, and it is OK.

    However, I do not want to risk beta updates since there appears to be some unreliability with the software on XP, going forward.

    P.S. Fabian, can you email me instructions on how to go into the BSOD snapshot and attempt to fix it? I only have Safe Mode without networking available to me.

    Attachments: ScreenShot_EAM_update_not for 20 days_01.gif, ScreenShot_EAM_update_not for 20 days_04.gif, ScreenShot_EAM_update_not for 20 days_08.gif
     
  24. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Well, the malware attacks that do use PowerShell either use it by invoking a script (-File) or they pipe in the script to execute via the command line (-Command or -EncodedCommand). However, you said in your case PowerShell is just started without any kind of command line parameters. And that would be unusual.

    The behavior blocker does utilize the signatures as well. By disabling updates, you cripple the behavior blocker by a lot.
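The two technical points made in this thread, the securitysift excerpt quoted in post 7 (a PowerShell script hidden from the user with -nologo and -win hidden, launched from an Office macro) and Fabian's summary in post 24 (real attacks hand PowerShell its script via -File, -Command or -EncodedCommand), translate directly into a detection rule over process-creation logs. The script below is an added example for this thread and is not Emsisoft code; it takes constructed (parent image, child image, command line) records such as Sysmon event 1 or 4688 with command-line auditing would provide, recognises the abbreviated switch forms PowerShell accepts (the accepted-prefix table, the OFFICE_HOSTS list and the scoring weights are this example's own assumptions), decodes -EncodedCommand's UTF-16LE base64 so an analyst can read it, and flags launches from an Office host.

```python
"""Triage of process-creation records for suspicious PowerShell launches.

Added example (not Emsisoft code). Input records are constructed tuples of
(parent image, child image, command line) as a process-creation log such as
Sysmon Event ID 1 or Windows 4688 with command-line auditing would provide.
"""
import base64
import binascii

# Office applications commonly used as macro launch points (assumption: illustrative list).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Canonical powershell.exe switches with the shortest prefix PowerShell accepts for each
# (assumption based on the documented switch abbreviations), plus non-prefix aliases.
SWITCH_PREFIXES = [
    ("EncodedCommand", "e"),   # -e, -enc, -encodedcommand
    ("ExecutionPolicy", "ex"),
    ("Command", "c"),
    ("File", "f"),
    ("WindowStyle", "w"),      # -w, -win, -windowstyle
    ("NoLogo", "nol"),
    ("NoProfile", "nop"),
    ("NonInteractive", "noni"),
    ("NoExit", "noe"),
]
SWITCH_ALIASES = {"ec": "EncodedCommand", "ep": "ExecutionPolicy"}
SWITCHES_WITH_VALUE = {"EncodedCommand", "ExecutionPolicy", "File", "WindowStyle"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def canonical_switch(token):
    """Map '-enc', '/w', '-ep' and friends to the canonical switch name, or None."""
    if not token or token[0] not in "-/":
        return None
    name = token[1:].lower()
    if name in SWITCH_ALIASES:
        return SWITCH_ALIASES[name]
    for canonical, shortest in SWITCH_PREFIXES:
        if len(name) >= len(shortest) and canonical.lower().startswith(name):
            return canonical
    return None


def decode_encoded_command(blob):
    """-EncodedCommand carries the script as base64 of UTF-16LE; return text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_powershell(cmdline):
    """Return how the script was supplied plus the switches relevant to triage."""
    tokens = tokenize(cmdline)[1:]  # drop the image path itself
    info = {"mode": "none", "hidden": False, "nologo": False, "noprofile": False,
            "policy": None, "script": None}
    i = 0
    while i < len(tokens):
        sw = canonical_switch(tokens[i])
        value = tokens[i + 1] if sw in SWITCHES_WITH_VALUE and i + 1 < len(tokens) else None
        if sw == "Command":
            # Everything after -Command is the script; a lone '-' means "read it from stdin".
            rest = tokens[i + 1:]
            info["mode"], info["script"] = ("stdin", None) if rest == ["-"] else ("command", " ".join(rest))
            break
        if sw == "EncodedCommand":
            info["mode"], info["script"] = "encoded", decode_encoded_command(value or "")
        elif sw == "File":
            info["mode"], info["script"] = "file", value
        elif sw == "WindowStyle":
            info["hidden"] = (value or "").lower().startswith("hid")
        elif sw == "ExecutionPolicy":
            info["policy"] = value
        elif sw == "NoLogo":
            info["nologo"] = True
        elif sw == "NoProfile":
            info["noprofile"] = True
        i += 2 if value is not None else 1
    return info


def assess(parent_image, child_image, cmdline):
    """Score one process-creation record; returns None if the child is not PowerShell."""
    child = child_image.rsplit("\\", 1)[-1].lower()
    if child not in {"powershell.exe", "pwsh.exe"}:
        return None
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    info = parse_powershell(cmdline)
    reasons = []
    if parent in OFFICE_HOSTS:
        reasons.append("launched by Office host %s (macro-style execution)" % parent)
    if info["mode"] == "encoded":
        reasons.append("script passed via -EncodedCommand")
    if info["hidden"]:
        reasons.append("window hidden from the user")
    if (info["policy"] or "").lower() in {"bypass", "unrestricted"}:
        reasons.append("execution policy %s" % info["policy"])
    # Assumed weighting: every indicator counts one, an Office parent counts two extra.
    score = len(reasons) + (2 if parent in OFFICE_HOSTS else 0)
    return {"parent": parent, "mode": info["mode"], "script": info["script"],
            "score": score, "reasons": reasons}


def _encode_command(script):
    """Builds what -EncodedCommand expects; used only to construct the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
# Constructed sample records (not captured data).
SAMPLE_EVENTS = [
    # Office parent, hidden window, encoded script: the pattern discussed in the thread.
    ("C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nologo -w hidden -ep bypass -enc " + _encode_command(SAMPLE_SCRIPT)),
    # Admin running a script file from an interactive session: benign baseline.
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell.exe -File "C:\\Scripts\\inventory.ps1"'),
    # Unrelated child process.
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]


def triage(events=SAMPLE_EVENTS, threshold=3):
    """Return the assessments at or above threshold, highest score first."""
    hits = [a for a in (assess(*e) for e in events) if a and a["score"] >= threshold]
    return sorted(hits, key=lambda a: -a["score"])


if __name__ == "__main__":
    for hit in triage():
        print(hit["score"], hit["parent"], hit["mode"], "|", hit["script"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run stand-alone it prints only the first constructed record (score 6, decoded script shown), while the -File launch from explorer.exe and the unrelated notepad.exe record fall below the threshold. The prefix matching matters in practice: a rule that only looks for the literal string "-EncodedCommand" misses "-enc" and "-e", and the stdin case covers the "pipe in the script" variant Fabian mentions.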
     
  25. ReverseGear

    ReverseGear Guest
