Zemana AntiMalware 2 BETA

Discussion in 'other anti-malware software' started by Emre TINAZTEPE, Jan 20, 2015.

  1. haakon

    haakon Guest

    If you're referring to MBAM Premium, I'm with you (but I'm still undecided because of the OpenDNS thing). After almost seven years, I've had it "up to here" (as we say here in The Colonies) with Malwarebytes' (edit) AntiMalware buggy releases, dismissive customer support and their forum "deity" mbam-clean fixes everything paste replies.

    Edit: I'm a satisfied user of MBAE Premium (actually ZVL ExploitShield) and their Android app. My beef is with MBAM and overall support/forum.
     
    Last edited by a moderator: Nov 28, 2015
  2. haakon

    haakon Guest

    Yes, got it! THAT'S 1000'S OF TIMES AN HOUR EVEN WHEN THE SYSTEM IS IDLE. As noble as OpenDNS makes themselves out to be, not everyone is in agreement. I won't use that service and here now it's getting zillions of hits from my system using an ancient TCP protocol.

    The screenshot I submitted in post 1331 is from one of my Windows 7 systems. It's even worse on my Windows 10 test system:

    ZAMopenDNSw10.jpg

    That's monitored in Nirsoft's CurrPorts. Sysinternals TCPView, the same. In my ~25 years of enterprise and consumer support, I've never seen such behavior. As much as I admire Zemana's work, this is illogical and absurd and IMHO cannot be justified.

    Or what?? A professional explanation would be greatly appreciated.
     
    Last edited by a moderator: Nov 28, 2015
  3. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    86
    Location:
    UK
    Well spotted.

    Regarding the OpenDNS thing, what are the practical implications of this - machine slowdown? security loophole?

    I can’t say that I have noticed any performance penalty since installing ZAM.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That indeed doesn't look too good, does it keep making those connections? No security tool should do this.
     
  5. haakon

    haakon Guest

    I edited my #1401 post re Malwarebytes.
    No slowdown. For performance and protection, ZAM is superb.

    As for security (or privacy), I don't know. Hence my posts asking for clarification/justification. I am, however, surprised that no one else here seems to have noticed it. Or maybe: "OpenDNS. Cool." This discussion spans my posts 1325, 1331 and 1402.

    In the meantime, I looked into it further with Nirsoft's Network Traffic View, and the activity occurs every five seconds. (The 443 connection is to nimbus.bitdefender.net. Ports 1900 and 5355 are under control, thank you.)

    I am hoping this is just a bug and a fix is in the works. Like hitting a Zemana server occasionally to "check internet status for ZAM to work properly." On port 443. Like Bitdefender. Right now, ZAM downloads signatures every 30 minutes, soon to be 15. Doesn't that mean it's working properly?

    Important BTW: ZAM blacklists all Nirsoft apps (as of this posting). One should keep them in a separate and excluded folder. Especially if you have RTP Action set to Delete.

    ZAM-NTV.jpg
     
    Last edited by a moderator: Nov 28, 2015
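The cadence described above (one TCP connection to port 53 every five seconds, visible in CurrPorts or Network Traffic View) is something a defender can confirm from an exported connection log instead of by eye. The following is an added example, not from the thread or from Zemana: it groups connection records by process and remote endpoint, measures the inter-arrival times, and flags any endpoint contacted at a steady period. The log format and every row are constructed here (the process name `ZAM.exe`, the `chrome.exe` noise rows and the 203.0.113.10 address are invented); 208.67.222.222 is OpenDNS's public resolver address, which is not stated in the thread but is used because the thread identifies the destination as OpenDNS.

```python
"""Periodicity check over connection records (added example, constructed data)."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log. Columns and rows are this example's own, not a real export.
# The 5-second rows mimic what the thread reports; the rest is background noise.
SAMPLE_LOG = """\
time,process,protocol,remote_host,remote_port
2015-11-28 10:00:00,ZAM.exe,TCP,208.67.222.222,53
2015-11-28 10:00:01,chrome.exe,TCP,203.0.113.10,443
2015-11-28 10:00:02,ZAM.exe,TCP,nimbus.bitdefender.net,443
2015-11-28 10:00:03,chrome.exe,TCP,203.0.113.10,443
2015-11-28 10:00:05,ZAM.exe,TCP,208.67.222.222,53
2015-11-28 10:00:10,ZAM.exe,TCP,208.67.222.222,53
2015-11-28 10:00:15,ZAM.exe,TCP,208.67.222.222,53
2015-11-28 10:00:17,chrome.exe,TCP,203.0.113.10,443
2015-11-28 10:00:18,chrome.exe,TCP,203.0.113.10,443
2015-11-28 10:00:20,ZAM.exe,TCP,208.67.222.222,53
2015-11-28 10:00:25,ZAM.exe,TCP,208.67.222.222,53
2015-11-28 10:00:29,chrome.exe,TCP,203.0.113.10,443
2015-11-28 10:00:41,ZAM.exe,TCP,nimbus.bitdefender.net,443
"""


def find_periodic_connections(log_text: str, min_samples: int = 5,
                              max_jitter: float = 0.2) -> List[Dict]:
    """Return one finding per (process, protocol, remote endpoint) whose
    connections recur at a steady interval.

    min_samples: ignore endpoints seen fewer times than this (too little data).
    max_jitter:  largest allowed deviation of any gap from the median gap,
                 as a fraction of the median; 0.2 means +/-20%.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["process"], row["protocol"], row["remote_host"], int(row["remote_port"]))
        groups[key].append(datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"))

    findings = []
    for (process, proto, host, port), times in groups.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:          # duplicate timestamps: cannot judge a period
            continue
        jitter = max(abs(gap - period) for gap in gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "process": process,
                "protocol": proto,
                "remote": f"{host}:{port}",
                "samples": len(times),
                "period_s": period,
                "per_hour": round(3600 / period),   # what the cadence means hourly
            })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_connections(SAMPLE_LOG):
        print(finding)
```

The irregular `chrome.exe` rows have the same number of samples as the threshold but a jitter far above 20%, so only the five-second resolver contact is reported; the `per_hour` field is the number to compare against whatever baseline the environment considers normal for a security product's update or connectivity traffic.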
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Sigh. I think Bitdefender engine is the culprit with many Anti-Malwares.
     
  7. haakon

    haakon Guest

    Sigh. That association of my BTW comment with Bitdefender is senseless. I posted Zemana AntiMalware, ZAM, emphasized for you, will quarantine or delete Nirsoft. (That intervention, not unique to Zemana, has been for some time, and will continue to be, subject to lively debate.) Bitdefender has nothing to do with this discussion or ZAM. BD does not blacklist Nirsoft. BD connects occasionally to check for signature updates.

    I didn't filter out the port 443 and other connection data, to demonstrate that the ZAM port 53 TCP activity with OpenDNS occurs even when the system is essentially idle, and made mention of BD parenthetically.

    While you might guess the "Bitdefender engine" is "the culprit," the truth is that Bitdefender is a culprit only to the clueless. If BD was at cause in my discovery, I would have posted up that.

    You disparage what is an effective, widely accepted technology as if whatever you might extol has never been or ever will be "the culprit" for anything for anyone else. Your opinion is biased and off-topic; its injection into my discussion is unwelcome. :thumbd:
     
    Last edited by a moderator: Nov 29, 2015
  8. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Is Zemana Anti Malware real time protection strong enough to be used alone? I mean, without another antivirus in realtime ...
     
  9. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    86
    Location:
    UK
    Until ZAM is tested by an organisation like AV-Comparatives any views on this are likely to be subjective, and Zemana themselves will need to comment on whether it is designed to be used that way, although in the limited (and unscientific) tests I have done with ZAM it blocked virtually everything thrown at it.

    Personally I wouldn't rely on any a/v to provide my total source of security, but run in conjunction with sandboxing or anti-executable software there shouldn't be a problem.
     
  10. ida15

    ida15 Registered Member

    Joined:
    Jun 18, 2015
    Posts:
    202
    Location:
    Bosnia and Herzegovina, Sarajevo
    -Thank you, we will take it into consideration.

    -Thanks Gordon.

    -Hello, can you please PM me?

    No. We recommend using Zemana AntiMalware along with good antivirus and firewall software to ensure overall protection of your PC.

    Ida
     
    Last edited: Nov 30, 2015
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Apologies. No offence intended! It was just a passing comment referring only to your important BTW, and not at all to the OpenDNS issue.
    It is just based on my experience with HMP and EAM, both of which use BD and flag Nirsoft utilities. EAM indicates which engine is doing the flagging.
    As far as I recall, ZAM also uses BD, though they don't expose this anymore.
     
  12. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Thanks Ida, much appreciated :)
     
  13. ida15

    ida15 Registered Member

    Joined:
    Jun 18, 2015
    Posts:
    202
    Location:
    Bosnia and Herzegovina, Sarajevo
  14. ida15

    ida15 Registered Member

    Joined:
    Jun 18, 2015
    Posts:
    202
    Location:
    Bosnia and Herzegovina, Sarajevo
    :thumb::)
     
  15. Emre TINAZTEPE

    Emre TINAZTEPE Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    85
    OK, let me explain why we need this:

    Since ZAM is a cloud-based product, reaching the Internet is our main priority; otherwise we cannot detect the malware nor clean it. So we must reach the Internet even if it's not accessible by the browser, because it could have been locked by malware.

    To give you a reproducible example: lock the Internet with "K9 Web Protection"; then you will see that the *only* antimalware product that can access the Internet is ZAM. This case is the same when malware locks the Internet.

    Instead of querying with the HTTP/HTTPS protocol, which consumes more bandwidth, we have decided to query with small DNS packets, and if that also fails then we query with HTTP.

    We query a subdomain of Zemana (magic.zemana.com) through OpenDNS, which always resolves to a hard-coded A record, "168.62.41.41"; if it fails we try DynDNS, and if that also fails we start checking known content with HTTP at http://cdn9.zemana.com/CacheControl.bin, where the CacheControl.bin content is always expected to be 5A454D414E41.

    This process does not pose any risk to you, nor does it decrease the performance of your PC. Since we are using small DNS packets every 5 sec, it consumes very little network traffic, nearly invisible. If you think the opposite please let me know so we can discuss it.

    When there is no active scan or update check we do NOT query the Internet. I'll check it, and if it makes a query then we can fix it in the next release.

    This is not true, look at our tweet on "22 Oct 2015" https://twitter.com/Zemana/status/657214925203460096

    We all love and use Nirsoft utilities but the bad guys also love them, and anyone without any programming knowledge can make a USB stick with a small bat script around Nirsoft password recovery tools using their CLI interface, so that when the USB is inserted it can export all the saved passwords and copy them back to the USB.

    So advanced users like you can exclude them, and new users who have never heard of the Nirsoft utilities can be protected from such attacks. In order not to treat Nirsoft utilities as a Trojan, we detect them as "PUA:Win32/HackTool.Nirsoft", but in future releases we can add an option for hack/research tools so that when you check this option they will not get detected.

    For on-execution protection, yes, ZAM is more than enough, but the threat landscape includes many more types of threats such as exploits, macro viruses, etc. This is why we recommend using ZAM alongside an AV product.
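The connectivity check described in the post above is a three-step fallback chain: resolve a known subdomain through one public resolver and expect one fixed A record, try a second resolver if that fails, then fetch a small file over HTTP and expect fixed content. The example below is added here and is not Zemana's code: it implements that chain with the hostname, expected address, URL and expected content taken from the post, and it also computes the on-the-wire size of the DNS query to put the "small DNS packets" claim in numbers. The resolver labels (`opendns`, `dyndns`), all function names, and the fake resolver and fetcher that let the chain run offline are this example's own assumptions; so is the reading that `5A454D414E41` (the hex of `ZEMANA`) may be stored either as those raw bytes or as hex text, since the post does not say which.

```python
"""Connectivity-check chain modelled on the thread's description (added example).

Not Zemana's code. Hostname, expected A record, URL and expected content are
from the thread; resolver labels, function names and the fake resolver/fetcher
are assumptions made for this example so it runs without network access.
"""
from typing import Callable, Dict, Optional, Tuple, Union

MAGIC_HOST = "magic.zemana.com"                                # from the thread
EXPECTED_A_RECORD = "168.62.41.41"                             # from the thread
CACHE_CONTROL_URL = "http://cdn9.zemana.com/CacheControl.bin"  # from the thread
EXPECTED_CONTENT_HEX = "5A454D414E41"                          # from the thread; hex of b"ZEMANA"
RESOLVER_ORDER = ("opendns", "dyndns")                         # order stated in the thread

# Injected callbacks: (resolver_label, hostname) -> A record or None, and
# url -> body bytes or None. A real client would back these with DNS and HTTP
# libraries; they are parameters here so the chain is testable offline.
Resolver = Callable[[str, str], Optional[str]]
Fetcher = Callable[[str], Optional[bytes]]


def dns_query_size(hostname: str) -> int:
    """Bytes in a plain A query for hostname (no EDNS, no TCP length prefix):
    12-byte header + length-prefixed labels + root terminator + QTYPE + QCLASS."""
    qname = sum(1 + len(label) for label in hostname.rstrip(".").split(".")) + 1
    return 12 + qname + 4


def content_matches(body: Optional[bytes]) -> bool:
    """Accept the expected content as raw bytes or as hex text (assumption:
    the thread does not say which form the file holds)."""
    if body is None:
        return False
    if body == bytes.fromhex(EXPECTED_CONTENT_HEX):
        return True
    return body.strip().upper() == EXPECTED_CONTENT_HEX.encode()


def check_connectivity(resolve: Resolver, fetch: Fetcher) -> Tuple[bool, str]:
    """Return (online, method). Only an answer matching the hard-coded
    expectation counts: a captive portal or a hijacking resolver that answers
    with some other address or page is treated the same as no connectivity."""
    for resolver_label in RESOLVER_ORDER:
        try:
            answer = resolve(resolver_label, MAGIC_HOST)
        except Exception:       # timeout, refused, blocked: move to the next step
            answer = None
        if answer == EXPECTED_A_RECORD:
            return True, "dns:" + resolver_label
    try:
        body = fetch(CACHE_CONTROL_URL)
    except Exception:
        body = None
    if content_matches(body):
        return True, "http"
    return False, "none"


# Offline stand-ins: each outcome is an answer, None (no answer) or an Exception.
Outcome = Union[str, bytes, None, Exception]


def make_fake_resolver(table: Dict[str, Outcome]) -> Resolver:
    """table maps resolver label -> A record string, None, or an Exception."""
    def resolve(resolver_label: str, hostname: str) -> Optional[str]:
        outcome = table.get(resolver_label)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return resolve


def make_fake_fetcher(outcome: Outcome) -> Fetcher:
    """outcome is the body the URL would return, None, or an Exception."""
    def fetch(url: str) -> Optional[bytes]:
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return fetch


if __name__ == "__main__":
    normal = make_fake_resolver({"opendns": EXPECTED_A_RECORD})
    print(check_connectivity(normal, make_fake_fetcher(None)))   # (True, 'dns:opendns')
    portal = make_fake_resolver({"opendns": "10.0.0.1", "dyndns": "10.0.0.1"})
    print(check_connectivity(portal, make_fake_fetcher(b"<html>login</html>")))  # (False, 'none')
    print(dns_query_size(MAGIC_HOST))                            # 34
```

The query for `magic.zemana.com` is 34 bytes of DNS payload; the thread's observation was of TCP port 53, and DNS over TCP adds a two-byte length prefix plus the connection handshake, so the per-probe cost is dominated by connection setup rather than the query itself. The design point worth noting is the comparison against a fixed answer: a resolver that returns anything else, or a portal page in place of `CacheControl.bin`, fails the check rather than passing it.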
     
  16. ida15

    ida15 Registered Member

    Joined:
    Jun 18, 2015
    Posts:
    202
    Location:
    Bosnia and Herzegovina, Sarajevo
    No :D We recommend using Zemana AntiMalware along with good antivirus and firewall software to ensure overall protection of your PC.
     
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,983
  18. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,731
    Location:
    Germany
    Hi @Emre TINAZTEPE

    You have a message from me

    With best Regards
    Mops21
     
  19. haakon

    haakon Guest

    Thank you!

    I used blacklist in a generic sense. Elsewhere I referred to ZAM's quarantine/delete action as a debatable intervention. Your mention of advanced users reveals you know we exist :D and a simple solution, voiced previously in this thread, is an optional expert mode where "Ask" is presented. As a user of ZAL Pro with its all-around granular settings for several years, the near-fully automatic nature of ZAM is an enigma.

    Like a locksmith's tools, some of Nirsoft's products can be abused. Those are well known to the community and you would be correct to isolate your users from potential victimization. But to quarantine the likes of CurrPorts and FolderChangesView throws the pliers and screwdriver in with the lock picks. (BTW, I use FolderChangesView to monitor the signatures.db and threats/samples.zdb updates in their Local folders. And other stuff, too.)

    Regarding performance, I can't detect any problems on my systems running trials in the past few months. That spans my primary third gen i7 tower (where ZAM-trial is in current use), and second gen i5 laptop, both Windows 7, and an ancient E8400 tower, amazingly running 10.

    So...
    I didn't mean to equate the port 53 activity with ZAM's (and ZAL) scan and update connectivity. It's a cloud app, of course, and the signature update refresh every 30 minutes is an effort that to my knowledge is unique in the industry. Your plan to up that to 15 minutes exceeds even that of the default 20 minute interval of Ikarus AV.

    I am not sure what you mean exactly by lock the Internet but I understand the strategy as you explain it relative to reaching the Internet, the efficiency of DNS (and TCP). OpenDNS and DynDNS give reliability approaching 100%.

    Given that this is at the core of the proprietary technology you market, I can't expect any further explanation. I know five seconds is an eternity in a system that counts in millions per second; the human in me is troubled by its exaggeration. I am not particularly keen on the use of OpenDNS, but as a personal bias it is one I still need to adjust to, if that's possible.

    All that is not to say I mistrust Zemana in any way. I look forward to the further development of AntiMalware (and with that, my plans to dump MBAM-Premium). And AntiLogger; just don't change the settings options!
     
  20. haakon

    haakon Guest

    I forgot to mention, the "Check updates" really, really, really, really, really, really, really, really, really, really needs a NOW - LATER option.

    Or at least rename it "Update right now if there is one even if you don't want to."
     
  21. ida15

    ida15 Registered Member

    Joined:
    Jun 18, 2015
    Posts:
    202
    Location:
    Bosnia and Herzegovina, Sarajevo
    -Thanks @haakon. We will take it into consideration.
     
  22. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    I would have to echo what @haakon says here, having an 'ask' as well as quarantine or delete would be a great improvement for us and ZAM.
    I've already had ZAM auto-quarantine a false positive (Windows firewall control to be exact) - ok not such a big deal as I could restore it but had I been 'asked' it could have been added to exclusions.

    Cheers
    Gordon
     
    Last edited: Dec 1, 2015
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    This should only be available for advanced users. There's a risk that normal users would ignore a real infection.
     
  24. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Shadek, Yes having an 'ask' option for advanced users is what I was suggesting.
     