Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.
Never ever post live malware links on the forum.
Even all the big ones can have a bad day; who says other big companies will block this one? ....
If you download cracked software there is always a chance to get infected!
Well, more like: after that I noticed her Windows Update hasn't been run since 2019... Meaning all the Defender definitions and **** were outdated as ****. But when I tried to run it, it gave me some error 0x80000005 or smth like that, that I couldn't be bothered to fix at the time. So ye. But also funny how easily it was disabled, no self protection, no anything. And completely reliant on virus definitions, it seems. Other AVs have other stuff, but Defender? "Nah we guchi with a blacklist" lol
If you don't have a clean image, just format and reinstall...
Yeah, but she's got a lot of stuff and **** like bank certificates; I'd rather not.
You could try on Emsisoft's forum but it seems that ATM decryption is not possible: https://support.emsisoft.com/topic/34536-files-are-encrypted-with-coos-and-decryption-is-impossible/
I tried the tool, but it used an online key and I had no programs installed that could track it; also the PC had the built-in Windows firewall that basically allows everything, so ye.
Floyd, seems like you need an anti-virus that will protect the user from themselves.
Sounds pretty bad, but I've just read that the Win Def signatures weren't up to date? But wasn't cloud protection enabled, and was this on Win 10? Because Win Def is indeed crap on Win 8.1; I disabled it and it refuses to turn back on again LOL. But that's why it's always a good idea to use a couple of extra tools; perhaps a tool like HMPA or AppCheck would have blocked it.
Idk, it should have been activated... The last thing I did before the infection was click Yes on the admin popup of the exe; then seconds later I see no setup opening, I open Task Manager, I see something like 3E7.exe running, and I knew... But too late. U think HMPA or AppCheck would have stopped it AFTER I allowed the exe to run explicitly?
We will never know, but an up-to-date OS and MS Defender antivirus might have stopped this malware... and now you blame MS Defender.
Also a good tool is Kaspersky Virus Removal Tool, to clean an infected system, but I think it's too late.... a clean install with the latest Windows 10.
I trust MS Defender, updated, as much as Avira and Kaspersky when I had them, but I would never ever rely on any AV as a first layer of defense; they cannot provide 100% security. Some people, including my 12-year-old daughter and my wife, really believe that keeping a computer updated is a hassle and geeky stuff; she refuses to let me restore her computer to fix Windows Update...
I suppose that's how wives & 12-year-olds are.
Heuristic rules and behaviour detection rules need updates too. In addition to that, if it were allowed to run initially and was detected and terminated later, it could abuse one of the many unpatched privilege escalation vulnerabilities in Windows to get kernel rights and bypass any protection.
Well, other AVs certainly wouldn't randomly stop updating themselves out of the blue. U don't want to set up automatic Windows updates for someone who is a beginner with computer usage (even tho she uses Photoshop quite well, way better than me lol), and then have it randomly stop working out of nowhere cuz of some error, idk why, leaving em completely exposed cuz Defender can't update, do u? And yeah, first I used Malwarebytes, which detected 56 objects + some rootkit; then KVRT detected 5 things, 3 of which were manifest.json from Chrome and Mozilla extensions, hmm... Not sure if it's completely clean now, but not sure what else to do other than use more scanners, I guess?
And yeah, I blame Defender cuz updates were working fine, then they stopped for no reason? Neither I nor she touched anything, that's for sure. And an AV shouldn't rely on just virus definitions, which apparently Defender did, cuz the behavioural stuff or idk what else caught nothing. I mean, what could be suspicious in all your documents being encrypted and renamed ending in the .coos extension, right? If this was any other AV it would have caught it, I'm sure. Or almost any; there are other bad AVs out there.
Ain't that how some AVs work? Even if they miss the initial detection with definitions, they can catch it when it starts doin smth bad? Not sure what u mean with the abuse thing. And idk what u mean with heuristic and behaviour rules needing updates; we've had ransomware for a long time. Do u need a periodic update to detect that encrypting all my documents out of nowhere is bad? C'mon Defender, u should know this.
Didn't Tamper Protection get added at a later time?
Anyway, so someone goes to a dodgy / suspect site, downloads cracked software onto a woefully unpatched machine, accepts a UAC prompt, all without even considering having an image backup to begin with?!
You said Windows hadn't been updated since 2019; that is a lot of unpatched security vulnerabilities that can be exploited, and that is what I meant by abuse.
And once ransomware gets detected by behaviour etc., of course the ransomware authors will change the ransomware's behaviour and make it encrypt in another way so they are no longer detected; that's why you need the updates.
My impression about Floyd 57's story is that it's all bogus, to blame Windows Defender. If true, Floyd 57 did everything wrong. Instead of maintaining a relative's computer, he infected it.
@Floyd 57: Stop whining, and blame yourself.
I looked up "ransomware with .coos extension"--according to Emsisoft, this is a new-ish variant of STOP ransomware. If nothing Defender-wise like signatures was updated since 2019, well DUH. There's a decrypter Emsi offers, though. Look for it on the website if interested.
Edit: it seems it wasn't possible to decrypt after all. My mistake.
Meh, that PC needed a reinstall anyway; it was a complete mess.
I just sped up the process a little.
First, create a regular backup routine. Macrium Reflect is free.
Next, ensure Windows Update is kept up to date -- ALWAYS!
Ensure whatever AV or other security program you choose is also up to date.
Don't be click happy, downloading cracked software.
I'll stop there but hopefully you learned a lesson from your experience.
No antivirus protects against all threats. If you open files from risky sources, you will get infected sooner or later. The most important steps to avoid infection are to keep Windows and vulnerable software updated and to never ever open any file you aren't sure is safe. If you take those simple steps, it is usually very hard to get infected, regardless of what antivirus you use.
Not all AVs have advanced local behavior blocking; that's why tools like HMPA and AppCheck may come in handy sometimes. From what I understood, Win Def relies mostly on cloud protection for behavior blocking. Without the cloud it might miss malware, especially if signatures aren't up to date. However, it does have tamper protection, so I don't think it was disabled, but the question is, who disabled Win Update? And that's definitely a weakness of Win Def: it relies on Win Updates to get signatures.
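The points raised across the thread (stale signatures, Windows Update not running, cloud protection, tamper protection) can be checked in one go from an elevated PowerShell on Windows 10/11. This is an added example, not code from anyone in the thread; the 7-day signature-age threshold is an assumption, and it uses only the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Update-MpSignature) and the wuauserv service name.

```powershell
# Added example: quick Defender / Windows Update health check.
# Run as administrator. The 7-day threshold is an assumption for illustration.
$maxSignatureAgeDays = 7
$findings = @()

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Signature freshness: in the thread, definitions had not moved since 2019.
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings += "AV signatures are $($status.AntivirusSignatureAge) days old " +
                 "(last updated $($status.AntivirusSignatureLastUpdated))"
}

# The antimalware service and real-time protection must actually be on.
if (-not $status.AMServiceEnabled)          { $findings += "Defender antimalware service is not running" }
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }

# Tamper protection blocks local scripts/users from switching Defender off.
if (-not $status.IsTamperProtected) { $findings += "Tamper protection is off" }

# Cloud-delivered protection (MAPS): 0 = off, 1 = basic, 2 = advanced.
if ($prefs.MAPSReporting -eq 0) { $findings += "Cloud-delivered protection (MAPS) is disabled" }

# Defender pulls definitions through Windows Update; a disabled service starves it.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu -or $wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) is disabled or missing"
}

# Try a signature update now; a failure here surfaces the same kind of error
# (e.g. 0x80000005 as reported in the thread) instead of failing silently later.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    $findings += "Signature update failed: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output "Defender health: OK"
} else {
    Write-Output "Defender health: ATTENTION"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any line in the ATTENTION list is a reason to fix updates before trusting the machine, whatever extra tools are layered on top.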