Jump to content

Rob.Turner

Administrators
  • Content Count

    271
  • Joined

  • Last visited

  • Days Won

    19

Everything posted by Rob.Turner

  1. sorry, there's no way to print Immunet scan history short of manually opening HIstory dialog and printing that as screenshot. It's not what you asked for but is as close as Immunet can do - The Summary dialog will give you a count of files detected as clean & malicious for the last 30 days at a time.But again, a screenshot is the closest you'll get to that being printable
  2. only from what I just read on https://blog.virustotal.com/2019/10/virustotal-bitdefender-theta.html tldr; Theta is bitDefenders automated malware analysis engine. all AVav companies, including Immunet, have a few. Some are better than others, but newer ones are always prone to FP's.
  3. Great FP Analysis BellGamin, I came to all the same points you did. I'm m submitting this to our internal virus analysis team for further review , only because it's a perfect trojan, and it's a smaller /lesser known/used app (that being said I do remember using a taskbar tweaker back in the windows XP days. Now I use classic start menu, though I do note taskbar tweaker has more features than classic start menu, and all it's features work - another point in favor of it being a FP That being said, there has been a growing trend of hacking source code access to older indy projects, injecting malware into them. And I want to make sure that isn't the case here as I vaguely remember using taskbar tweaker back in the windows XP days. Now I use Classic start menu, And it doe swht I ned but I also note taskbar tweaker has more features;
  4. start -> control panel -> add remove programs (or just programs in win8 and win10) -> Immunet -> uninstall.
  5. Thanks bellgamin, The devs here appreciate your kind words. In answer to #1 y clam is included so there is a local AV engine in case the Immunet Cloud can't be reached, or if internet speeds r lagging the local Clam Engine can sometimes result be faster than the cloud engine. #2 Immunet offers the option of disabling clam to put the power in the hands of th user so they can set up Immunet in the way that bests suits them. #3 Great Idea - It's been added to our list of potential enhancements. Will let you know on this thread if iwe decide to implement it. Thanks, RobT
  6. Unfortunately Immunet won't be able to remove bios and rootkit malware, but it should t least be able to be able to at detect and confirm if you have a bios or rootkit virus. At one point Immunet had a paid version that included an av engine that was capable of rootkit removal. With an infected bios your shot is to to re-flash the bios and hope that fixes it. I suspect You might be bumping into a "Feature" of dell machines - DElls sometimes have a portion of their hard drive partitioned as a recovery drive, that contains a full windows installer. In the case the machine needs to be factory reset the user disk partitions can be wiped, and the recovery partition used to re-install a fresh copy of windows. To support this factory reset feature , dell installs a custom bios with their machines that contains the factory reset program, also prevents anything from modifying the contents of the recovery partition so nothing can accidentally (user/av software), or intentionally (virus's/malware), corrupt the emergency recovery partition.
  7. Successfully reproduced with Chrome on Win7x64 & Win10x64 today - Thanks again Deathinition, you rock! Hopefully we'll have the FP fixed by Monday. On another note, that's for introducing me to listenonrepeat . Am learning to play a guitar and it' s going to be really handy.
  8. Yup, this is the right place for your questions. Sorry, Immunet doesn't offer spam or phishing protection, Interestingly , older versions of Immunet could scan local Outlook.pst email databases for malicious email attachments, but we shelved this feature for a couple reasons: 1) the average user moved to cloud email services (gmail, Hotmail, outlook.com / etc), most of which provide absolutely minimal span and phishing protection, making local emal scanning redundant 2) Microsoft changed their outlook.pst format and libraries a couple times resulting in Immunet failing to quarantine just the attachment from within the outlook.pst database file; and instead quarantined the entire email database.
  9. Thanks for all the info Deathinition - I I only tried reproducing with IE on Win 7&10 x32; so ll take a try with Chrome, vivaldi, UBlock Origin and Nano Adblocker and Vivaldi. I Think briefly tried Vivaldi 5 or 8 years ago right after it's initial release. To soo actually, it unusable at the time. Am interested to see how far it's come.
  10. Hi Dethinition, I can't reproduce your detection on Win10x64 using internet explorer & Immunet 7.0.0.11362 , Can you tell us what operation system, browser, and version of Immunet you're seeing the detction on?
  11. Cryptic malware detection names often only mean that the detection name (and likely virus definition too ) were generated on the fly by some type of an artificial intelligence detection engine. In this case I think Immunet's Sperro engine saw enough It didn't like about your file to trigger a detection and quarantine attempt. Since Immunet couldn't quarantine the file that it usually means the file was in use by something Immunet couldn't stop: Possibly a virus, possibly a false positive on a safe file that's in use by the windows operating system itself. Since it's a temporary file (i.e. in the windows temp directory) whatever program that was using the file may have finished with it and deleted it when done. or as zombuny points out if it was indeed malicious another av program on your machine could have successfully quarantined it just before Immunet attempted to. Things you can do : 1) reboot the computer and immediately scan that file to see if it's still detected or can now be successfully quarantined. 2) upload that file to https://www.virustotal.com and see what other av companies detect the file as (which it sounds like Richie has already done). With any luck no other AV products will will detect it, in which case; sorry, Immunet's detection may have been false positive. On the other hand another av product may be able to identify a more helpful virus name that you can google for removal instructions.
  12. Hi all, I am indeed working on debugging this. A quick trouble shooting test for anyone on the thread have update issues is to try to browse to each of the url's below. They should all show something in a browser window or prompt you to download and save an executable. Don't bother saving or installing them, Immunet will get do that automatically for you if needed. This step just proves Immunet will be able to connect to all the resources it might need. 1) https://mgmt.consumer.amp.cisco.com/health/ 2) update.immunet.com/updates/protect/update-6.5.0-64.xml 3) https://sourcefire-apps.s3.amazonaws.com/fireAMP/windows/6.5.0.11255/Release-Logging/installer-univ-tcp-injected-ExprevDisabled.exe 4) https://orbital-88fcda36-e81e-9b43-6085-5f5d6054dc22.s3.us-west-2.amazonaws.com/consumer-ampwin-setup-0.9.3.exe
  13. Immunet doesn't have any know issues running in virtualized environments and has been thoroughly tested in vmware workstation, vmware server and virtual box. and once even in Microsoft's cloud. Complaints we've gotten about running in visualized environments usually stem from unrealistic expectations of performance on non-dedicated hardware (i.e. cloud hardware thats randomly shared with strangers (e.g. the free trial and budget tier's of google, amazon and Microsoft clouds). There is just too high a chance someone like me is sharing hardware time and already pushing the machine to it' s limits (see paragraph below:) To set some hardware expectations, I test Immunet on a local desktop running dual xenon e506 2.13Ghz CPU's +12 gb ram (ouch), and 2 independent scsi 1TB drives ( one dedicated to my os & apps, the other dedicated to vmware images) and it easily simultaneously powers my win10 working desktop (chrome, waterfox, and IE browsers, email, visual studio, and an Android Virtual device) plus 3 copies of immunet running on vmware workstation images for win7x32, win7x64, & xpx32. It can also power an additional win 10x64, but at this point the images start to chug ( I think disk bandwidth is the bottleneck). I can easily run this same level of compute (dektop + 4 images) + an additional win10_x64 image on a single more modern Intel i-core 7 + 64gb of ram and 2 sata disks (one flash drive for the OS & apps an a 1tb 7200 rpm disk for the images). Getting back to your original problem, yochenhsieh you nailed it figuring out clamAV, I've seen similar stats with my benchmarking too. The clam av engine loads it's full virus definitions signature set into memory: which takes from 100 to 600mb. add to that the clam scanning engine and virus definitions updater and clam alone can in a worst case scenario use in the the 700mb of memory range. Currently we have extra experimental blue keep preventative signatures out for a worm we're expecting that are inflating the usual virus definitions set size. You can try updating the clam av definitions set via the update button in the gui and running a full scan overnight. That might get you a smaller more concise set of definitions that'll take less memory and get you over the initial performance hump of building the local cache up.
  14. Just to be sure you were actually clicking the save settings button at the bottom of the config page after changing settings right? Immunet does save settings but changes don't take effect & aren't retained until you intentionally save them. Many web and mobile interfaces are designed around the paradigm of instant and pregnant effect "immediately on change", But most desktop & security software is still designed around the paradigm of one last confirmation of changes before taking effect. The idea, at least with security software is to give the user one last chance to fully think through the implications of their changes, and also to save users who mis-click/type a wrong setting by accident. E.g. in any security software you wouldn't' want to accidentally add a partially typed exclusion for c:\ even for a moment.
  15. Thank you Richie a VPN in Immunet is a great suggestion, and thanks Cyrille for the +1 and being willing to pay for it. I've escalated the suggestion and can only wait and see what comes of it.
  16. Looks like a fix went out sometime yesterday
  17. Thanks Richie, I've passed this on to the clam team for a fix.
  18. Thank you very much for reporting this Jon. I've successfully reproduced it, and at this point my only advice is to steer clear of win 10 1809. as far as I can MS pulled it after release due to driver incompatibilities and potentially deleting user data when upgrading from previous versions. I was able to obtain a 1809 iso through MSDN and it ended up bootlooping during install of both home& pro win 10 versions (installing to vmware workstation). I had to use a workaround just to complete the OS install: https://luyentap.blogspot.com/2017/10/windows-installation-cannot-proceed.html. After that I was able to install Immunet and repro your bug.
  19. the The FP'ing sig was fixed late yesterday and it's safe to to turn the Clam engine back on, and but please ensure you start a manual clam definitions update too; by clicking he update now button in immunet gui. And that will ensure the sig is updated asap.
  20. confirmed, is defiantly a Clam false positive. Thanks to everyone who reported this. we're reprod it internally and are working on a fix. In the mean time, if you turn off the clam AV engine in Immunet's settings that'll prevent the constant FP notifications and still keep your computer protected with the immunet cloud engine. We'll notify the thread to turn clam back on as soon as the fp is fixed.
  21. Richie is correct - the internet connection icon is a standard windows thing. the Bing image search told your browser to show an image from neilrosenthl.com and your browser went to grab it from 104.27.175.64. According to https://dnslytics.com/ip/104.27.175.64 that ip is hosting 290 domains/websites. likely one of them at one point was hosting something malicious. Though currently neilrosental.com appears to be safe. Looks like a false positive to me. Sorry, our bad on that one. I do have one concern here though. It's common to first notice the internet connection icon after having a random router/modem reboot. I The internet stops working, so you go to your network connections to check your ip/network status and while your poking around the internet connection icon appears out of nowhere when the router/modem comes back online. There are lots of good reasons for a router to reboot itself, but it should be noted that not all vpn connections can survive a router reboot. Some can, some will notify you the vpn closed unexpectedly, and some will just fail silently and your internet activity will automatically re-route over non encrypted public internet. Thanks, RobT
  22. The bios bug Wookiee mentions is usually found with brand name manufactured computers, ie Dell / EMachines/etc. and otherwise we have seen installation issues where users have special characters characters in their Windows user names. e.g ' " , <> ]!@$%^&*()_ Any chance either of those apply?
  23. I think what's your probably seeing is the Immunet *UI* only supports 1 user at a time. The real time virus protection component does protect all simultaneously connected users, but only the first user to launch the UI ( system tray icon / application with the scan now & settings) will appear to be connected. All other users will have Immunet UI's that appear disconnected. Further if the user who has the connected UI logs off or manually closes the Immunet tray icon, the UI connection will be go to the next user who has had the Immunet UI running the longest; and their disconnected UI will switch to connected. Note when a rdp user disconnects their programs are all left in a running state. Including leaving the the immunet UI running, potentially holding the Immunet UI connection. Given the above limitations, what we usually see when the UI appears disconnected in in multi-user environment is that the one Immunet UI connection has passed to an unknown user who disconnected when they were done without actually logging off. If you think this has happened to you The least disruptive way to reclaim the Immunet UI connection is to: 1) login as an admin user 2)start -> run -> "Services" -> stop the Immunet Service 3) open task manger & enable show processes from all users. Then task kill all the sfc.exe processes ( sfc.exe is Immunet's UI process). Note if you get a message from task manager saying sfc.exe could not be terminated it's probably because the Immunet service hasn't been fully stopped yet. 4) Once all the Immunet UI's are closed restart the Immunet Service and then UI and it should appear connected within 30 seconds after both are started. Another approach is to use the task manager to force log off other users who have the Immunet UI / sfc.exe open and then restart the UI on your own session. This approach doesn't require stopping the immunet service. Note though if you log off someone who is actively using he system you can expect them to immediately re-logon and potentially take the Immunet UI connection token again. The last and easiest approach is to restart the machine and be the first to login - note if the machine is set to auto logon at startup then the auto-login user will be the first to login and get the working Immunet UI session.
  24. it sounds like you might have turned on Verbose Tray Notifications. Open the immunet interface and check Settings -> Notification Settings -> Verbose Tray Notifications. When turned on Immunet will popup the message you're seeing whenever it detects a new file on the system, regardless of if the file is clean or malicious.
  25. The last time I tested them together they were compatible (i.e. no bluescreens), but I found the performance of the virtual machine I was testing on unacceptable even after adding exclusions to each AV for the other. At any rte You can safely install both and always then remove one if it doesn't work out. Please let us know your experiences running the two together.
×
×
  • Create New...