Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.
Product version ≠ build version
Is it me, or were the features of this latest v188.8.131.52 BUILD1-24062015 found in the changelog (blue) already present in v184.108.40.206 BUILD1-15052015?
Can't tell for the rest of them as I never checked them out...
I can tell with 100% accuracy that the changelog of the 24062015 is:
Where was 24062015 published... who knew.
Thanks.... Clean install with Export / Import was fun.
I wondered why this new build from 24-06-2015 is published now, after more than a year since the last "May's" beta... it's great news but a bit confusing.
I got the information from the developer himself.
= Two posts before I mentioned this newer build, I saw: "It's in the dev signature called v3.1_15052015_BUILD1."
But since I'm running a newer build I decided to mention it.
The only change should be: "better detection" of files within directories where only the administrator has access (mentioned in my post: #5421).
I can get into more detail later, but I think you'll notice the change.
Does ERP protection start with Windows services, or with login to the user account?
OK... thanks for the reply, and if this new build is capable of doing its job better, it's only a big profit for us... users.
Thanks for posts on "new" beta
ERP (v3.1_15052015_BUILD1) and DRP shared the same problem, where both applications didn't show correct information about files.
In the case of DRP it was showing a wrong MD5 of "00000000000000000000000000000000" for:
...and all other drivers in C:\Users\Administrator or C:\Windows\Temp
In the case of ERP it was showing a wrong MD5 too and it was showing signed files as unsigned:
= Signed + MD5 A217A4233D83CFA84055CCD285A508D0 (correct Hash)
C:\Users\Administrator\Downloads\autoruns.exe (it's the same file as above)
= Execution => Alert-dialog: unsigned + MD5 D41D8CD98F00B204E9800998ECF8427E (wrong Hash)
C:\Users\Administrator\Downloads\whatishang-x64\WhatIsHang.exe (signed from Nirsoft)
Alert-dialog = unsigned + MD5 D41D8CD98F00B204E9800998ECF8427E (wrong Hash)
Do you see it above? ERP is showing the same hash for two different files, and this is not correct.
All executed files (signed and unsigned) in the administrator directory (or C:\Windows\Temp) = "unknown application detected" + unsigned + the same hash
Shortly after sending my bug reports for both programs I received this:
Only 2 days later he fixed it in both ERP and DRP. (Some vendors need months/forever for a bugfix, so I think 2 days is pretty fast.)
After he released SOB (July 2015) there were no newer ERP betas released.
I think SOB had more priority for him.
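The wrong hash quoted in the post above, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes, which is what a hasher produces when it opens a file it cannot read and swallows the error. The following added example (not code from ERP, DRP or the thread) shows that failure pattern beside a hardened version that reports the failure instead of returning a misleading digest; the paths used are constructed.

```python
import hashlib
import os
import tempfile
from typing import Optional

# MD5 of empty input: the digest a hasher yields when it read nothing.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def naive_md5(path: str) -> str:
    """Buggy pattern: an unreadable file silently hashes as empty input."""
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        pass  # access denied / missing file swallowed -> digest of nothing
    return h.hexdigest()


def checked_md5(path: str) -> Optional[str]:
    """Hardened: return None on any read failure rather than a fake digest."""
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def is_suspicious_digest(digest: Optional[str]) -> bool:
    """Flag digests that signal an I/O failure, not file content: None, the
    empty-input MD5 (ERP case) or the all-zero string (DRP case)."""
    return digest is None or digest.lower() == EMPTY_MD5 or digest == "0" * 32


def demo() -> dict:
    """Hash a readable constructed file and an unreadable (missing) path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"MZ constructed sample, not a real binary")
        readable = tmp.name
    unreadable = os.path.join(tempfile.gettempdir(), "no_such_dir_xyz", "autoruns.exe")
    result = {
        "readable_same": naive_md5(readable) == checked_md5(readable),
        "naive_unreadable": naive_md5(unreadable),
        "checked_unreadable": checked_md5(unreadable),
    }
    os.unlink(readable)
    return result
```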
Okay, thanks for clarification.
If you like, anyway I'm fine with your current comment.
Amazing info, thanks a lot for these lines... Hope someday Andreas comes back to us.
Yes, 1x-2x each month I got this "Open Candy" alert after installing some specific apps (CCleaner, CrystalDiskInfo, etc.). (But they stopped bundling their installer with OpenCandy several months ago.)
Rundll32.exe is used to execute OCSetupHlp.dll (OpenCandy):
Another alternative is AppLocker for blocking DLLs, but there's a "small" performance loss. But the loss shouldn't be as big as it is with Faronics, I think.
An example of a current DLL attack: Cerber ransomware hijacks certain Windows processes and forces them to load a rogue DLL.
I am guessing that the new dll protection in hitmanpro.alert is meant to counteract that.
Yeah, but how did the Cerber ransomware get to run in the first place?
I saw a post today from a guy who downloaded ammyy remote control software from the official site, but the site was hacked, and the download contained cerber. He got his files encrypted. That's a situation where a lot of users would rely on the download from the official site, and allow the installer to run.
What about digital signatures to check before running any exe installer?
What about having a driver like FIDES/Pumpernickel to protect your valuable files?
There are a lot of legit downloads that the dev doesn't bother with a digital signature. In this case, the legit file is in fact signed, and the infected one was not. But not everyone will know that.
Agreed. Malware digitally signed, a horror I'd admit...
But having a mini-driver filtering as I said in my previous post will suffice.
Was he running ERP? Or did he just allow it to run, not knowing?
I don't think he was running ERP or anything too sophisticated; he just let it run, not knowing. He says that he tells his clients to download it all the time, and the company is lucky that he got encrypted, not one of the clients...