Emsisoft Anti-Malware 8.1 released

Discussion in 'other anti-malware software' started by emsisoft, Aug 19, 2013.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    What kind of malware was that?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I have never heard the claim that a behavior blocker can block all malware. If that were the case, malware signatures would no longer be needed. Also, not all malware "behaves" badly. The most virulent forms are designed to be totally stealthy.
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Don't announce that you will test something. Literally nobody cares. Just do it, do it properly, and provide useful (!) feedback once you are done. Make sure you also have a copy of all the samples you executed and provide them to the vendor you tested if he asks for them. You still insist the Babylon installer in one of your videos was a rootkit for example, but even after Kevin and I asked you for the actual sample multiple times, you still didn't submit it. Don't be surprised that nobody takes you seriously if you are not willing to put any proof behind your claims or try to argue with VirusTotal results.
     
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    It is unclear. He never actually submitted the file he claimed was a rootkit. From the video it looks like a normal Babylon toolbar installer. But one of the scanners he used on his system or VirusTotal called the file a rootkit, so he is convinced it was a rootkit.
     
  5. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    It was an Ikarus detection using HitmanPro, so obviously a false positive.
    You will recall Ikarus, I am sure, Fabian.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thank you for the clarification, Fabian Wosar. :thumb:
     
  7. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    No, it wasn't Ikarus that found it.
     
  8. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    I sent it through BitDefender.
     
  9. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    Hey Fabian Wosar, how do you feel if an AV says a known or unknown file was a rootkit?
     
    Last edited: Sep 1, 2013
  10. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    Fabian Wosar, I thought the file at the time was poisoned by malware.
     
    Last edited: Sep 1, 2013
  11. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    I did give it to you guys in a folder named rootkit.
     
  12. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Actually the detection was from GData and from the name it seems it was detected by the BitDefender engine.

    We don't get samples sent to BitDefender. We only get the signatures that result from it.

    If I am a user, I would trust it, simply because I kind of have no idea how to verify it. But you are not a user. You want to be a reviewer. And as a reviewer you should have the skill set necessary to determine whether a file is malicious or not, without blindly trusting a detection some detection tool spits out.
     
  13. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    @Fabian

    I profusely apologise for my error and obvious oversight; I hadn't watched that review (?) in quite some time. :oops:
     
  14. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    If I was a user and I saw that, I would have put it in a sandbox, or in this case a VM, to see if the file would do any type of damage to the PC.
     
  15. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    BTW, as a side note, Ikarus' FP numbers are dropping.
     
  16. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    Fabian Wosar, you still don't understand what I'm trying to say to you. I also do it from user and reviewer points of view. Why not ask malwaregeek for more info?
     
  17. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    I didn't say that a behavior blocker is foolproof. What I mean is that it got bypassed because their BB was outdated at the time. Besides, poisoned software is on the rise, like what the ZeroAccess rootkit is doing with Google and Adobe Flash Player by injecting its own code into their installers.
     
    Last edited: Sep 4, 2013
  18. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    What do you mean by "injecting code into installers"?
    I see some samples coming with legit Adobe installers, but there is no code injection; it's only bundled: a legit Adobe installer in an archive with a TDSS installer.
    If you mean the new ZeroAccess sample using the Google folder for autostart, that's also no code injection into Google binaries, as far as I know.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Now this is very interesting.

    So I gather you have proof that an Adobe installer downloaded from Adobe has a TDSS rootkit in an archive in the download? Or are you saying a download from a third party site?

    I am interested in this since I have lately seen msiexec.exe /V running after a boot. I never saw that task running after a boot previously in Win 7 x64 SP1.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I just noticed a2service connecting to IP 146.82.192.208 which appears to be Level 3 Communications in Denver, CO. Perhaps a backbone server? Shortly thereafter a svchost.exe connect to the same IP address.

    Comments appreciated.
     
  21. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
  22. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    Page is dead.
     
  23. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Works for me...;)
     
  24. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Sorry, edited
     
  25. nsm0220

    nsm0220 Registered Member

    Joined:
    Aug 30, 2013
    Posts:
    138
    Location:
    USA
    Works now.
     