I used around 5 different versions, including the latest one, and all of them crashed. It only crashed when I was interacting with an OS or if I was installing a new OS; the crash was not instant.
I had a similar problem with VMware Workstation once, but I refreshed my computer. When I was using the VM, the computer became slow because the VM was using the disk and the whitelist service was also heavily using the disk at 80 MB/sec (I had already whitelisted the entire disk).
So you mean if you have any files on the PC, they will be automatically whitelisted by SecureAPlus? I had them on the PC, but if what you said were true then SecureAPlus would not have warned me on all of them when I ran them. BUT IT DID WARN ME ON SOME OF THEM. So that would make your assumption FALSE. In fact SecureAPlus warned me on around 80 to 90% of them when I ran their exe to install, and only a couple, incl. the police ransomware, did not give any warning upon trying to run them.
Hi Jryder54, based on the dmp file that you have provided, it seems that the crash was not due to SecureAPlus. But to be sure, is it possible to zip and send the MEMORY.DMP located at C:\Windows\ to secureaplus@secureage.com? Thanks. Cheers, sinlam
Hi treehouse786, thanks for the info. We will definitely look into this but may need to spend more time for further testing and diagnosing. We really want to make sure there are no compatibility issues. So the result will not be out so soon... Sorry for any inconvenience caused. Cheers, sinlam
Yes, this is how SecureAPlus does its whitelisting. After initial installation, SAP scans all executables on the drive(s) and adds them to the whitelist. For instance, when I first tried SAP, it added certificates for Panda and Avast! to the whitelist even though I didn't have them installed; the installer files were sitting on a different partition, and it tagged the installers as Trusted Installer. Just guessing here, but the prompts from SAP you got were probably asking you if the executables you launched should be treated as an installer because they spawned new executables. As for the ransomware exes, SAP already tagged them as Trusted Installer during initial whitelisting, so you did not get any prompts (other malware in the folder was tagged as Trusted Application, hence the prompts when they created new exes). So in essence, SecureAPlus assumes that you have a clean environment to begin with. Any malware resident on the OS drive or other partitions would be whitelisted along with legitimate software. Perhaps it could be tweaked in later releases to only whitelist executables in the Program Files, Program Files (x86) and Windows folders. Hope we hear from sinlam about this.
Just noticed this thread a little earlier today, from another post here. P.S. From a quick look at the website, I found two download links, one for the AV version and one for the non-AV version. Out of the two, I will probably go for the non-AV version. P.P.S. I have a lot of reading to do, 20 pages for this thread.
Hello, I installed SecureAPlus with AV on one of my computers, and noticed that clamd.exe is using 228 MB. Is this normal?
Hi jnthn, thank you for explaining SecureAPlus so well. It shows that you have a good understanding of how it works. Regarding your suggestion in the last paragraph, it may not be a good idea to whitelist only executables found in the Program Files, Program Files (x86) and Windows folders. Different users have different behaviours and some may choose to store the program files in another path / folder. To ensure more robust protection, it is still better to whitelist all the files on the PC. Cheers, sinlam
Hi Tarnak, welcome to the SecureAPlus forum. Hope you enjoy reading through the 20 pages. I can understand why you have chosen the non-AV version, and our next revamped version of SecureAPlus hopefully will change your mind. Cheers, sinlam
Hi kupo, yes. Unfortunately, this is something really beyond our control since it is a third-party AV engine... Cheers, sinlam
Thank you, for the welcome. Quick question, I am a hold-out still running XP Pro. Does your application run as a service?
Hi KelvinW4, thanks for pointing this out. We will look into this and see how we can improve the performance. Cheers, sinlam
Hi Tarnak, SecureAPlus supports Windows XP SP2 and above. But if you are using SP2, you need to make sure all the Windows programs are up to date. Besides running as a service, it also runs as a driver. Hope this answers your query. Cheers, sinlam
Hi taleblou, thank you for sharing the 11 malware samples with us. Out of these 11 samples, only one sample, 'adobe_flash.exe', is found to be infected with ransomware based on the scanning result of VirusTotal. Good news is SecureAPlus is able to block it even in the midst of the initial whitelisting process. SecureAPlus is also able to block all the remaining malware samples except for one file, lhttsiti.exe, which is signed by Microsoft and the root CA is VeriSign. We suspect that this file may not be infected. To be sure, we have tested this specific file with multiple antivirus and application whitelisting products. So far, none of them detected it as malware. This is the harsh of the file:

1. Virus Total: All AntiVirus detected it as clean.
2. Bit9
3. Comodo Instant Malware Analysis
4. MalwareBytes Anti Malware: No malicious items detected. Please refer to the log below.

------------------------------------------------
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
test :: PC-TEST [administrator]

Protection: Disabled

10/31/2013 9:37:39 AM
mbam-log-2013-10-31 (09-37-39).txt

Scan type: Custom scan (C:\temp\lhttsiti.exe|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed:

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)
-------------------------------

Cheers, sinlam
Hmm, I do not know why on my test it did not block it fast enough to stop the ransomware from launching and taking over the VM. Anyway, that file that was clean, is it the one that is in Russian or some foreign language? It might be a PUA and not an infected object. So it might have got there because it is a possibly unwanted application (PUA). But it is good to see it blocks now. Also VirusTotal is not always trustworthy, as in the past I have seen badly infected samples that were not detected by any AVs on VirusTotal but screwed the PC. Maybe because it was too new. I would wait a week and retest the sample with VirusTotal, and if it is still safe then it must have been falsely flagged as malware. Later I will retest SecureAPlus with a fresh set of malware and will try to take screenshots of the test if possible. Since I am using Linux as a host and am getting to know it, it might take me a while to get the hang of it.
Also, as you can see from your VT screenshot, 18 people flagged it as bad although VT says it's clean. So this must be a PUA or PUP and a shady program.
Hi taleblou, so for the best bet, we have not only scanned it with VirusTotal but also with other security products, as seen in my earlier post. Happy to know that you will be testing again with a fresh set of malware. Please share them with me if you can. Cheers, sinlam
One thing I learned over the years is that you should not trust all signed or valid-looking apps, as they can be faked. An example was the Comodo signature validation a few years ago, where its validation method had been compromised. So SecureAPlus having the option of allowing or white-listing an app with a valid digital signature in the white-list option is not safe. SecureAPlus should pop up and ask whether a signed app should be white-listed or not, and block unsigned or bad apps by default. Also, it should not assume a PC is clean when it first tries to run its initial white-listing process. It should have a great AV, or send the files to the cloud or online scanners, to determine if the processes are safe and then whitelist them at the beginning. Many security programs do that. They run an initial malware scan and then install, and SecureAPlus should do this via a good AV.
Btw, for your third paragraph, SecureAPlus is already doing that. SecureAPlus also does not rely on just the digital signature of the file.
Would it be too much to ask taleblou to redo his tests on SecureAPlus, but this time let SAP do its initial whitelisting on a clean VM setup and, after the whitelisting, add the malware files onto the VM and execute the files? And if time permits, can he test with both interactive and lockdown mode? This should clear up issues regarding SAP and its efficacy.
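The trust-on-first-use gap that jnthn describes (everything already on disk gets whitelisted) and the two remedies debated above (scoping the baseline to system folders versus scanning files before trusting them) can be modelled in a few lines. This is an added illustration, not SecureAPlus code: the disk contents, the scanner verdict and the allow/prompt/block policy are all constructed assumptions.

```python
import hashlib
from typing import Callable, Dict, Set

# Constructed sample disk (path -> fake executable bytes), not real binaries.
DISK: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": b"MZ notepad",
    r"C:\Program Files\Tool\tool.exe": b"MZ tool",
    r"D:\apps\portable\editor.exe": b"MZ editor",     # legit app outside Program Files
    r"D:\samples\adobe_flash.exe": b"MZ ransomware",  # already present before install
}
SYSTEM_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(disk: Dict[str, bytes], scope: tuple = (),
                   is_clean: Callable[[str, bytes], bool] = lambda p, d: True) -> Set[str]:
    """Initial whitelisting pass. Default: trust every executable on disk.
    `scope` limits the pass to folder prefixes; `is_clean` is an assumed
    scanner hook (AV or cloud lookup) consulted before each file is trusted."""
    wl: Set[str] = set()
    for path, data in disk.items():
        if scope and not path.startswith(scope):
            continue
        if is_clean(path, data):
            wl.add(sha256(data))
    return wl

def decide(whitelist: Set[str], data: bytes, spawned_by_trusted: bool = False) -> str:
    """Enforcement: a known hash runs; an unknown binary written by a trusted
    process prompts the user (interactive mode); anything else is blocked."""
    if sha256(data) in whitelist:
        return "allow"
    return "prompt" if spawned_by_trusted else "block"

def fake_scanner(path: str, data: bytes) -> bool:
    return b"ransomware" not in data   # constructed verdict for the demo

def run_scenarios() -> Dict[str, str]:
    malware = DISK[r"D:\samples\adobe_flash.exe"]
    portable = DISK[r"D:\apps\portable\editor.exe"]
    dropped = b"MZ dropped-later"      # only appears after baselining
    tofu, scoped = build_baseline(DISK), build_baseline(DISK, scope=SYSTEM_DIRS)
    scanned = build_baseline(DISK, is_clean=fake_scanner)
    return {
        "tofu_malware": decide(tofu, malware),         # pre-existing malware trusted
        "scoped_malware": decide(scoped, malware),     # scoping keeps it out ...
        "scoped_portable": decide(scoped, portable),   # ... but also breaks D:\ apps
        "scanned_malware": decide(scanned, malware),   # scan hook excludes only the bad file
        "scanned_portable": decide(scanned, portable),
        "tofu_new_unknown": decide(tofu, dropped, spawned_by_trusted=True),
    }
```

The last scenario is the prompt jnthn attributes to trusted applications spawning new executables; the scoped and scanned rows show why sinlam objects to folder scoping and why taleblou asks for a scan before the baseline.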