Immunet 6.2.0.10768 Errors

1 minute ago, evjlsrain said:

Yes, but I'm just partially protected. I trust my test because when I performed tests between v6.0.8 and v6.2,

6.2 detected nothing while 6.0.8 detected most of the malware samples (a few days old).

I tried to execute the malware samples that 6.0.8 detected but 6.2 missed. 6.2 failed to protect, and the VM was encrypted by a ransomware sample (which was detected by v6.0.8),

which means 6.2 doesn't fully protect users.

That could simply be a signature issue; what malware file(s) are you running against? Have you submitted FPs?
Is ClamAV enabled or disabled? Are you mirroring the settings of 6.2 and 6.0.8?

Just now, Wookiee said:

That could simply be a signature issue; what malware file(s) are you running against? Have you submitted FPs?
Is ClamAV enabled or disabled? Are you mirroring the settings of 6.2 and 6.0.8?

They are some malware samples I collected, and one of them was a Python ransomware. The VM was destroyed by the ransomware, so it wasn't an FP. Since v6.0.8 detected it, I didn't submit the malware.

I mirrored the settings of both. They were both tested with default settings, but only the ClamAV engine was disabled, to verify whether cloud signatures were working or not.

 

56 minutes ago, evjlsrain said:

Yes, there is. I'm a malware tester and I can see the 0 cloud problem leaves users unprotected from malware less than a week old (ClamAV offline engine is disabled). It could still detect old malware, but only to a limited extent.

 

I highly recommend temporarily switching to the older version because at least it works.

Really??? Let's see what Wookiee says.

OK, I got my answer!

Edited by Aris
already answered

1 hour ago, evjlsrain said:

They are some malware samples I collected, and one of them was a Python ransomware. The VM was destroyed by the ransomware, so it wasn't an FP. Since v6.0.8 detected it, I didn't submit the malware.

I mirrored the settings of both. They were both tested with default settings, but only the ClamAV engine was disabled, to verify whether cloud signatures were working or not.

 

If you can obtain the files, I can do a comparison, but these would all be signature based.
Signatures are what 'find' the malware / ransomware etc.
The signatures aren't going to change version by version from 6.0.8 to 6.2 unless the malware itself is changed (or there was an issue with the signature in the first place, for which we push updated signatures out).

I am not disbelieving you, but without knowing the exact file and the exact signature, this is a lot of 'he said', 'she said'.
There were a few issues with some signatures about a week ago, in regard to detecting certain files as malicious when they weren't, which were corrected.
I would need the malware file(s) to conduct any test to see the following:
1) IF something has changed between versions (signature versions or software versions)
2) what signature(s) are being detected

Though, nothing should have changed (other than the signatures possibly, and I don't know that without the sample malware file(s)).

 

  • Like 1

7 hours ago, Wookiee said:

If you can obtain the files, I can do a comparison, but these would all be signature based.
Signatures are what 'find' the malware / ransomware etc.
The signatures aren't going to change version by version from 6.0.8 to 6.2 unless the malware itself is changed (or there was an issue with the signature in the first place, for which we push updated signatures out).

I am not disbelieving you, but without knowing the exact file and the exact signature, this is a lot of 'he said', 'she said'.
There were a few issues with some signatures about a week ago, in regard to detecting certain files as malicious when they weren't, which were corrected.
I would need the malware file(s) to conduct any test to see the following:
1) IF something has changed between versions (signature versions or software versions)
2) what signature(s) are being detected

Though, nothing should have changed (other than the signatures possibly, and I don't know that without the sample malware file(s)).

 

Hi, I appreciate your input.

I just want to point out the cloud issue in the new version: Immunet cannot obtain any signature from the cloud, which leaves users (partially) unprotected from malware that is a week old or more. I believe there is no difference between the 2 products. The problem is v6.0.8 can connect to the cloud database while v6.2 cannot.

Here is the evidence of what I'm trying to say.

This is the link to the sample I use; if you can't get the file, I can send it to you. This is not a new malware sample.

https://www.virustotal.com/vi/file/2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198/analysis/

This is the screenshot of Immunet v6.2.0 tested inside a Windows 7 VM with the 0 user cloud issue, ClamAV disabled. I also tested on my main machine, same result.

[screenshot: Immunet v6.2.0]

This is the screenshot of Immunet v6.0.8, WITHOUT the zero cloud issue, ClamAV disabled.

[screenshot: Immunet v6.0.8]

Edited by evjlsrain

25 minutes ago, evjlsrain said:

Hi, I appreciate your input.

I just want to point out the cloud issue in the new version: Immunet cannot obtain any signature from the cloud, which leaves users (partially) unprotected from malware that is a week old or more. I believe there is no difference between the 2 products. The problem is v6.0.8 can connect to the cloud database while v6.2 cannot.

Here is the evidence of what I'm trying to say.

This is the link to the sample I use; if you can't get the file, I can send it to you. This is not a new malware sample.

https://www.virustotal.com/vi/file/2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198/analysis/

This is the screenshot of Immunet v6.2.0 tested inside a Windows 7 VM with the 0 user cloud issue, ClamAV disabled. I also tested on my main machine, same result.

[screenshot: Immunet v6.2.0]

This is the screenshot of Immunet v6.0.8, WITHOUT the zero cloud issue, ClamAV disabled.

[screenshot: Immunet v6.0.8]


The cloud stats message shouldn't have anything to do with you having the latest signatures. It should not leave you unprotected.
You will need to make sure you are running the same signature set on both versions.

  • Like 1

3 minutes ago, Wookiee said:

 You will need to make sure you are running the same signature set on both versions.

How can I do that? For the cloud engines, not ClamAV.

 

ETHOS and SPERO are checked in both products

Edited by evjlsrain

8 minutes ago, evjlsrain said:

How can I do that? For the cloud engines, not ClamAV.

 

ETHOS and SPERO are checked in both products

Can you send me the quarantined file, so I can run some tests via a private message? I can see if I can get it working. Though, the cloud option being '0' shouldn't matter, because signatures are what protect / find the files which are quarantined.

The virus definitions are updated a few times a day (similar to ClamAV's). I would say if you updated the signatures on both systems, they would both technically contain the latest.


Hello all, I have been a long-time user of Immunet (on and off) pretty much since it was first released as a very simple cloud-only process monitor. Anyway, I thought I'd register on here so I could start trying to give a bit back.

I've identified another defect in the latest version of Immunet, and it seems to be pretty reproducible.

Basically, after a while, files get quarantined with no confirmation message popping up above the task bar. I always set Immunet to "ask me" on detections, as I don't want it doing anything without my explicit say-so, particularly given how just one faulty signature can completely screw up your PC (think of the Bitdefender "Trojan.Fakealert.5" fiasco in 2010). I think I have traced the problem to either the ClamAV module or the initialisation of the Immunet service itself. There are three different paths that lead to this problem.

Steps to reproduce:

Scenario 1:

Install Immunet 6.0.8, and set it to "ask me" on detections. Enable blocking, all cloud engines and ClamAV. Optionally enable detecting packed files. Download the eicar test file. --> Everything works as expected.

Upgrade to Immunet 6.2.0.10768, reboot if necessary, then download the eicar test file --> File is quarantined with no user notification(!!).

Scenario 2:

Install a fresh, new copy of Immunet 6.2.0.10768. Ensure it is set to blocking mode, enable "ask me" on detections, and enable all cloud engines and ClamAV. Download eicar test file. --> Everything works as expected.

Now switch off ClamAV. Download eicar test file. --> File quarantined with no user notification.

Re-enable ClamAV. Download eicar test file. --> File quarantined again with no user notification.

Scenario 3:

Install a fresh, new copy of Immunet 6.2.0.1068. Ensure it is set to blocking mode, enable "ask me" on detections, and enable all cloud engines and ClamAV. Download eicar test file --> Everything works as expected.

Stop and restart the Immunet service (e.g. in a terminal, type the following):

wmic service where "name like 'Immunet%'" call stopservice
wmic service where "name like 'Immunet%'" call startservice

Verify the service is running and, if it makes you feel better, close the tray icon and re-open the immunet gui.

Now download the eicar test file --> File is quarantined without user notification.

This seems pretty reproducible and consistent on a Windows 10 64-bit machine that's fully patched. Please note I'm not deleting or restoring anything from quarantine, so I can tell the quarantine is still happening, because the number of the files increases. To check, I verified this behaviour with several different viruses from my malware collection. The behaviour is the same regardless of whether the detection is the Eicar test file, or one of several different real malware-samples.

---

So, to summarise - stopping and restarting the Immunet service, or disabling then re-enabling ClamAV breaks user notifications, and there doesn't seem to be a way to restore them without reinstalling Immunet from scratch.

Edited by Zombunny


Incidentally, I discovered the behaviour on stopping and restarting the service, because I've written a script to detect an Immunet installation and stop the service, copy the Securiteinfo and Sane Security custom databases into the "ClamAV" folder, then restart the service. It really improves Immunet's detection rate from about 50-75% depending on the malware that day to over 90% in my (very limited) testing. I will post the script in another thread when I get the chance.
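The two procedures in the posts above (the Scenario 3 service restart, and the stop / copy custom ClamAV databases / restart script Zombunny mentions) can be wrapped into one PowerShell script that also drops an EICAR test file and reports whether it gets removed. This is an added example, not code from the thread or from Immunet. It assumes the service name matches 'Immunet*' (as the wmic filter in the post implies); the ClamAV folder path is a placeholder that must be replaced with the real one, and the confirmation pop-up is something the operator still has to watch for, since a script cannot observe it. Run it elevated, on a test VM.

```powershell
<#
  Added example (not from the thread or from Immunet): reproduce Zombunny's Scenario 3
  on a test VM. Stops the Immunet service, optionally copies third-party ClamAV database
  files into the ClamAV folder while it is down, restarts it, drops an EICAR test file
  and reports whether the file disappears (i.e. is quarantined). The operator watches
  whether the "ask me" prompt appears; that cannot be observed from a script.
  Assumptions: service name matches 'Immunet*'; $ClamDbDest is a PLACEHOLDER path.
#>
param(
    [string]$ServicePattern = 'Immunet*',
    [string]$CustomDbSource = '',                                # optional folder of .cvd/.cld/.ndb/.hdb/.ldb files
    [string]$ClamDbDest     = 'C:\PLACEHOLDER\Immunet\clamav',   # PLACEHOLDER: locate the real ClamAV folder first
    [string]$DropDir        = (Join-Path $env:TEMP 'immunet-notify-test'),
    [int]$TimeoutSec        = 60
)

function Restart-ImmunetService {
    # Stop every matching service, run the optional step while stopped, then start them again.
    param([string]$Pattern, [scriptblock]$WhileStopped)
    $services = @(Get-Service -Name $Pattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) { throw "No service matching '$Pattern' found" }
    foreach ($svc in $services) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force
            $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 30))
        }
    }
    if ($WhileStopped) { & $WhileStopped }
    foreach ($svc in $services) {
        Start-Service -Name $svc.Name
        $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
    }
    return $services | ForEach-Object { Get-Service -Name $_.Name }
}

function Copy-CustomClamDbs {
    # Copy third-party signature databases into the ClamAV folder; returns the number copied.
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -LiteralPath $Destination)) { throw "ClamAV folder not found: $Destination" }
    $dbs = @(Get-ChildItem -Path (Join-Path $Source '*') -Include *.cvd,*.cld,*.ndb,*.hdb,*.ldb -File)
    foreach ($db in $dbs) {
        Copy-Item -LiteralPath $db.FullName -Destination $Destination -Force
    }
    return $dbs.Count
}

function New-EicarFile {
    # Write the 68-byte EICAR test string as plain ASCII with no trailing newline.
    # It is assembled from two halves so this script file itself does not carry the
    # signature on disk; single quotes keep $EICAR and $H literal.
    param([string]$Directory)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'
    $path  = Join-Path $Directory ("eicar-{0:yyyyMMdd-HHmmss}.com" -f (Get-Date))
    [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    return $path
}

function Test-EicarRemoved {
    # Poll until the dropped file is gone (quarantined) or the timeout elapses.
    param([string]$Path, [int]$Timeout)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $Timeout) {
        if (-not (Test-Path -LiteralPath $Path)) {
            return [pscustomobject]@{ Removed = $true; Seconds = [int]$sw.Elapsed.TotalSeconds }
        }
        Start-Sleep -Seconds 1
    }
    return [pscustomobject]@{ Removed = $false; Seconds = $Timeout }
}

# --- main ---
$copyStep = $null
if ($CustomDbSource) {
    $copyStep = {
        $n = Copy-CustomClamDbs -Source $CustomDbSource -Destination $ClamDbDest
        Write-Host "Copied $n database file(s) into $ClamDbDest"
    }
}
Restart-ImmunetService -Pattern $ServicePattern -WhileStopped $copyStep |
    ForEach-Object { Write-Host ("{0}: {1}" -f $_.Name, $_.Status) }

$file = New-EicarFile -Directory $DropDir
Write-Host "Dropped $file; watch for the 'ask me' prompt now."
$result = Test-EicarRemoved -Path $file -Timeout $TimeoutSec
if ($result.Removed) {
    Write-Host ("File removed after {0}s. If no prompt appeared, the silent-quarantine behaviour reproduced." -f $result.Seconds)
} else {
    Write-Host "File still present after $TimeoutSec s: no on-access detection observed."
}
```

Running it without `-CustomDbSource` performs only the Scenario 3 restart-then-drop test; passing a folder of third-party databases adds the copy step while the service is stopped, which is the order Zombunny describes. Comparing the "removed" result against whether a prompt was shown is what distinguishes the notification defect from a plain non-detection.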

On 9/12/2018 at 9:45 AM, evjlsrain said:

Yes, but I'm just partially protected. I trust my test because when I performed tests between v6.0.8 and v6.2,

6.2 detected nothing while 6.0.8 detected most of the malware samples (a few days old).

I tried to execute the malware samples that 6.0.8 detected but 6.2 missed. 6.2 failed to protect, and the VM was encrypted by a ransomware sample (which was detected by v6.0.8),

which means 6.2 doesn't fully protect users.

 

There was one signature issue, which was corrected. Report FPs via the immunet website.

But 6.2 still fully protects as does 6.0.8

On 10/12/2018 at 11:07 AM, Cipollino said:

@Wookiee

So is it ok to upgrade to 6.2 ?

Is the cloud issue fixed ?

Thanks in advance for your reply.

It was never unsafe. You can upgrade. The cloud issue that reported '0 people protected' is fixed.

  • Thanks 1


Yeah, I'm seeing the same thing too, Cipollino. The cloud stat bug seems to have reared its ugly head once again! Thanks for reporting this.

It seems you also encountered some other issue with the UI that I'm not seeing at present. Are you getting this error with the Last Scanned, Last Updated data or both?


@ritchie58

Here's what I guess you've asked me:

https://imgur.com/a/Kuf2g0e

Two process errors and the fact that Windows 10 x64 Pro (version 1803 build 17134.376) can't recognize Immunet's status.

On a side note, setting Gaming Mode within the settings won't stick, aka every startup I see it not flagged in the tray icon.

Thanks in advance for your time and patience. If you require more info, just ask. Have a good day, sir.

PS: I've got this error after Immunet updated itself automatically.

Edited by Cipollino

8 hours ago, Cipollino said:

@ritchie58

Here's what I guess you've asked me:

https://imgur.com/a/Kuf2g0e

Two process errors and the fact that Windows 10 x64 Pro (version 1803 build 17134.376) can't recognize Immunet's status.

On a side note, setting Gaming Mode within the settings won't stick, aka every startup I see it not flagged in the tray icon.

Thanks in advance for your time and patience. If you require more info, just ask. Have a good day, sir.

PS: I've got this error after Immunet updated itself automatically.

The devs are aware and are looking into the notifications; as far as the Gaming Mode setting, I'll check into it.


Hi guys, I mistakenly thought you were having some other issue with the UI stats Cipollino.

With this new build you do get pop-up messages when Immunet prevents (possibly suspicious/malicious) access to Windows processes by third-party apps. I have an app too (that's completely legitimate) where I get numerous pop-up messages. I also use Gaming Mode so I won't keep having to deal with these notifications.

Actually Gaming Mode is automatically reset to disabled when you boot-up. This is a built in security feature in case a user forgot that Gaming Mode is still enabled but that makes it necessary to enable Gaming Mode after every boot-up.

I've already put forth the idea, for a future build, that users can make their own custom exception rule(s) for the process protection feature and/or to disable it entirely at the user's discretion in case it becomes too problematic.

