Jump to content


Photo

Immunet 6 - Initial Dissection, Etc.


  • Please log in to reply
5 replies to this topic

#1 dallas7

dallas7

    Advanced Member

  • Immunet Insiders
  • PipPipPip
  • 161 posts

Posted 12 September 2017 - 10:37 PM

Hello again.

 

I've got 6.0.0.10574 installed on my Win10proX64-1607 test system.

I've been running Cisco's MBR write filer (MBRFilter.sys) since January and I was concerned about that during Immunet install.  No problem(s) I can detect.  

No issues to report so far running alongside...
Malwarebytes Anti-Exploit "Beta" 1.10.1.37
AppCheck Pro 2.0.2.17
Defender in Periodic Scanning mode.

Immunet Protect Tray Clinet (iptray.exe) and Immunet Protect (sfc.exe) are the running processes. 

 

Saw curl running, too.

sfc.exe occasionally hits an amazonaws server, so I'm thinking that handles the cloud services.  A bunch of ClamAV, Cisco AMP and, of course, Immunet stuff runs under sfc.

The clam cvd and cld files are present and up to date.  I see FRESHCLAM.EXE and FRESHCLAMWRAP.EXE running occasionally but haven't yet determined the triggers.  
• Updates check??  

I find immunetselfprotect.sys, immunetprotect.sys, and ImmunetNetworkMonitor.sys in System.  And dut.dll and dcm.dll in explorer.exe.

Not having complete recollection of previous Immunet versions, I believe the Morphisec stuff is new:
ExPrevDriver.sys in System (ntoskrnl.exe).
ExPrevApi.dll in sfc.exe.

Is this the new Advanced Threat Prevention engine noted in the new release announcement?

So far, Protector32.dll is running in teamviewer.exe but no where else.  And Protector64.dll is no where.

09/14 EDIT:  In 6.0.2 - Protector32.dll is in System.  Per post #5 below, 64 bit not yet supported.

• What determines ProtectorXX.dll injection?

The Tetra engine is has been associated with Bitdefender in Immunet:   Bitdefender's scan.dll is running under sfc.exe. 

The ubiquitous Plugins folder is devoid of the expected 900+ sigs/defs; without bdcore.dll, etc. there is no need for 'em.  
text deleted

09/14 EDIT:  In post #6 I've queried about the function of scan.dll under sfc in that the Tetra engine is not provided.

 

FWIW there are 6.0 threads over at Wilders and Malware Tips.  Having been, with few exceptions, overrun by trolls and clueless posers, I deleted my accounts late last year.

 

Did I miss anything? :)

Cheers.  And THANKS!


  • Valnat likes this

Time is the fire in which we burn. -Delmore Schwartz


#2 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,890 posts
  • LocationOil City, Pa. U.S.A.

Posted 13 September 2017 - 02:07 AM

Hi Dallas! Glad to see ya posting again! Very concise report!

 

There is a serious bug with this build however. It seems that the settings can't be changed from their default configuration. The Apply button seems to be non-functional. You can make changes to the settings, click apply and then click on settings again and it has reverted back to the default config. Although from observation the manually added exclusions & scheduled scan are remembered and seem unaffected. Are you observing this behavior too Dallas?

 

I would have been happy to private alpha and/or public beta test this build first before it got rolled-out as other folks would have volunteered their time too I'm sure. I even bet you would have been one to volunteer for this test phase had it taken place. I don't know why volunteer testing doesn't occur anymore just to find & fix bugs like this before it's released to the general public. I could have dusted off my VM test rig if required.

 

Best wishes, Ritchie...


* Immunet Global Forum Moderator *


#3 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,890 posts
  • LocationOil City, Pa. U.S.A.

Posted 13 September 2017 - 03:34 AM

Ok, there is a bug fix version available to correct this. You do need to do an uninstall first if you've already updated from 5.0. I would recommend to everyone that you do a clean uninstall by selecting, during the uninstall process, that your previous settings are not saved. You will have to add your own exclusions & the scheduled scan again after updating. https://download.imm...mmunetSetup.exe


* Immunet Global Forum Moderator *


#4 dallas7

dallas7

    Advanced Member

  • Immunet Insiders
  • PipPipPip
  • 161 posts

Posted 13 September 2017 - 08:18 AM

Hi Ritchie.  Good to hear your'e still kickin'.

 

The bug fix version 6.0.0.10574 is the one I installed; looks like I got it just in time.  No setting problems whatsoever.  Good fix! 

 

And it was a fresh install, no 5.0.  In fact, I was running Bitdefender Free 1.0.9.21 which I fully purged first.

 

Having observed Immunet 6 I'm thinking it would run well with BD-Free with Tetra disabled.  I might be giving that a shot soon.

 

I know it's been a few hours since my post, but I would appreciate replies to the questions, particularly verifying Morphisec is the Advanced Threat Protection.  And clarifying the Protector injection determination.  I'm perplexed as to why I'm seeing it in only one process.

 

Morphisec is some kick-arse tech and snagging it at no charge is a screaming deal.  Immunet needs to shout that from the roof tops.

 

Cheers.


Time is the fire in which we burn. -Delmore Schwartz


#5 EugeneC

EugeneC

    Admin

  • Administrators
  • 14 posts

Posted 13 September 2017 - 11:09 PM

Hi there,
 
Thanks for your interest in Immunet! Some responses to your questions below:
 
We have indeed partnered with Morphisec in order to increase the protection that we provide! Their technology is part of a larger solution that we have developed as the Advanced Threat Prevention engine. We did not call one technology out specifically because only parts of their overall solution are enabled in Immunet.
 
As for what determines ProtectorXX.dll injection – you are not seeing them loaded everywhere because we currently only target specific processes, based on commonly exploited vectors. Furthermore, Immunet 6.0 also only protects 32bit processes at this time. We hope to add 64bit protection in a future release!
 
Regarding the Tetra engine: Unfortunately, we have stopped providing Tetra as an option in Immunet, but it is still an option in the enterprise version of our product.
 
Hopefully this answers your questions to your satisfaction!
 
Thanks,
 
The Immunet Protect team.  

  • Valnat likes this

#6 dallas7

dallas7

    Advanced Member

  • Immunet Insiders
  • PipPipPip
  • 161 posts

Posted 14 September 2017 - 06:22 AM

Hi Eugene.  I've always been interested in Immunet, back to 2010 according to my profile.  That interest mirrored the ups and downs of the product releases and support.

Enterprise desktop and server support has been my career and in the seven years prior to retirement I did Regulation P and HIPAA auditing for various business concerns.  The only thing I don't do online these days is pay the city water and gas company credit card bills.  So security has become even very more important than my old job.  :lol:

Anyhow...

Of course it's self evident Immunet's ATP is a particular implementation of Morphisec's broad spectrum of solutions.  My post #4 wasn't to imply that Immunet is Morphisec, the generalization could have been expressed more precisely.

Thanks for the clarification on the injection.  This opens another round of inquiry.  Hope you don't mind.

• Are injected processes the sole recipients of ATP protection?  Is there a global, system-wide asset as well?

09/14 EDIT:  As of 6.0.2, Protect32.dll is in System.

• How does ATP know which processes to target?

Hope you get that 64 bit side rolling soon.

Regarding Tetra:

As evidenced by Bitdefender files in the Tetra folder and noting scan.dll from that folder loaded in sfc.exe and my recollections (and admitting they could be, um, faulty) of previous versions of Immunet, that you've stopped providing Tetra as an option is puzzling.

• Can you clarify that?

09/14 edit:  I'm thinking Tetra was full Bitdefender support with local sigs/defs for off line protection.  And scan.dll here is in support of the Spiro engine??
 

• Finally, shouldn't CiscoAMPHeurDriver.sys be loaded in support of the Ethos engine?

Thanks for your time and patience.  Cheers.


Time is the fire in which we burn. -Delmore Schwartz





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users