Jump to content

Zombunny

Members
  • Content Count

    6
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by Zombunny

  1. Hi all, I noticed a thread that's been moved to the FAQ section (therefore I can't reply on it) regarding someone wanting to use the CLI to restart the immunet service. The solution offered was to use good-old "net stop" / "net start". This requires you to know the exact name of the service (obviously). The problem is that over the years I've used Immunet, the service name has changed occasionally. It has been known as "ImmunetProtect", "Immunet", "Immunet[version.number]", etc. If you want a generic way of always reliably starting and stopping the service from a terminal, you need something that just needs to know that the service you're after is Immunet, but doesn't care about the exact name. The solution? The following "generic" commands: Stop any service that's got the word "Immunet" in its name: wmic service where "name like 'Immunet%'" call stopservice Start any service that's got the word "Immunet" in its name: wmic service where "name like 'Immunet%'" call startservice Please note that these work directly on the commandline. If you wish to execute these from within a batch file, you need to replace 'Immunet%' with 'Immunet%%' (add a second %), or it won't work. These two commands should allow you to always be able to restart the service, regardless of if the developers change its name slightly from version to version. I use these in a .bat file that adds the latest Sanesecurity and Securiteinfo ClamAV signatures to Immunet (amazing detection rate), but I will wait until the "ask me" bug in 6.2 is fixed before posting the source here, as these signatures cause many false positives.
  2. Great! I had been worried my original post was waaaay too long so you and the devs wouldn't have time to read it. I just tried to give you all the info I could to help you test/diagnose it on your machines.
  3. Windows 10's Defender automatically disables itself if it detects Immunet installed, so will only flag up Immunet's files if you set it to scan your hard disk regularly (which is off by default when you install another AV program). I haven't yet found a way of running the two in parallel like you could on previous versions of Windows. Personally I'd just disable Defender completely and use something else as a second-opinion scanner for occasional on-demand scans, such as MalwareBytes, F-Secure Online, Emsisoft Emergency kit, or others...
  4. @Wookiee, this is the problem I detailed in my response to the post "Immunet 6.2.0.10768 errors" on September 13th. (See Immunet 6.2.0.10768 Errors By Cipollino). In that post, I list three different ways of reproducing this bug. In short, at some point, Immunet 6.2 stops asking you, and just silently quarantines detections - despite ensuring "Ask me" is selected in the preferences. Deselecting and reselecting doesn't work - once it stops asking you, it stops for good. I must stress that quarantine still happens - so users are still protected from malware. It is, however, still (in my opinion) a dangerous situation, but for different reasons (i.e. because false-positives can and do happen).
  5. Zombunny

    Immunet 6.2.0.10768 Errors

    Incidentally, I discovered the behaviour on stopping and restarting the service, because I've written a script to detect an Immunet installation and stop the service, copy the Securiteinfo and Sane Security custom databases into the "ClamAV" folder, then restart the service. It really improves Immunet's detection rate from about 50-75% depending on the malware that day to over 90% in my (very limited) testing. I will post the script in another thread when I get the chance.
  6. Zombunny

    Immunet 6.2.0.10768 Errors

    Hello all, I have been a long time user of Immunet (on and off) pretty-much since it was first released as a very simple cloud-only process monitor. Anyway, I thought I'd register on here so I could start trying to give a bit back. I've identified another defect in the latest version of Immunet, and it seems to be pretty reproducible. Basically, after a while, files get quarantined with no confirmation message popping up above the task bar. I always set Immunet to "ask me" on detections, as i don't want it doing anything without my explicit say-so, particularly given how just one faulty signature can completely screw-up your PC (think of the Bitdefender "Trojan.Fakealert.5" fiasco in 2010). I think I have traced the problem to either the ClamAV module or the initialisation of the Immunet service itself. There are three different paths that lead to this problem. Steps to reproduce: Scenario 1: Install Immunet 6.0.8, and set it to "ask me" on detections. Enable blocking, all cloud engines and ClamAV. Optionally enable detecting packed files. Download the eicar test file. --> Everything works as expected. Upgrade to Immunet 6.2.0.10768, reboot if necessary, then download the eicar test file --> File is quarantined with no user notification(!!). Scenario 2: Install a fresh, new copy of Immunet 6.2.0.10768. Ensure it is set to blocking mode, enable "ask me" on detections, and enable all cloud engines and ClamAV. Download eicar test file. --> Everything works as expected. Now switch off ClamAV. Download eicar test file. --> File quarantined with no user notification. Re-enable ClamAV. Download eicar test file. --> File quarantined again with no user notification. Scenario 3: Install a fresh, new copy of Immunet 6.2.0.1068. Ensure it is set to blocking mode, enable "ask me" on detections, and enable all cloud engines and ClamAV. Download eicar test file --> Everything works as expected. stop and restart the Immunet service (e.g. in a terminal, type the following): wmic service where "name like 'Immunet%'" call stopservice wmic service where "name like 'Immunet%'" call startservice Verify the service is running and, if it makes you feel better, close the tray icon and re-open the immunet gui. Now download the eicar test file --> File is quarantined without user notification. This seems pretty reproducible and consistent on a Windows 10 64-bit machine that's fully patched. Please note I'm not deleting or restoring anything from quarantine, so I can tell the quarantine is still happening, because the number of the files increases. To check, I verified this behaviour with several different viruses from my malware collection. The behaviour is the same regardless of whether the detection is the Eicar test file, or one of several different real malware-samples. --- So, to summarise - stopping and restarting the Immunet service, or disabling then re-enabling ClamAV breaks user notifications, and there doesn't seem to be a way to restore them without reinstalling Immunet from scratch.
×