zombunny2
Everything posted by zombunny2

  1. Many generic Windows installers can be called from the "run" dialogue (SUPER + R) or from the command prompt with the "/silent" option. It's generally undocumented and support is not universal, but it sometimes works. So, if the Immunet installer is called "setup.exe" and resides in the root of drive D:, you'd hit SUPER+R, and type "D:\setup.exe /silent" in the box, then hit enter/OK. Other command-line options that may get you what you want: /silentinstall or /verysilent or /y. I've not tried any of the above but I've seen and used them for various other installers. I'm fairly certain Chocolatey makes use of this trick for most installers, so you may want to see if you can find Immunet's NuGet install script on Chocolatey's web site to see how it calls Immunet's installer. To deploy this on another machine, you'd have a .bat file calling the installer with the correct command-line option, and run that instead of running the installer directly. This does of course sound a bit like you might be managing some sort of commercial deployment, so if this is the case then AMP will suit your needs better and is of course licenced and supported for such scenarios. Sometimes it's worse to use the wrong tool for the job than to just not do the job at all. If something's worth doing, it's worth doing right. If you're doing this for an organisation, just get AMP.
  2. I suspect that adding Adobe's "program files" directory will do little or nothing to alleviate your problem, unless it also uses that location for its cache. Do you know (or know how to find out) where your Adobe software stores all its cache files? Seeing as all the file reading and writing is causing Immunet to repeatedly scan everything as it's read/written, you need to find out the location on this disk where all the reading/writing is taking place. I.e. you need to find the directory that Adobe uses for its cache. If you exclude this directory, you may find that performance returns to normal acceptable levels. Good candidates to watch would be any "Adobe" related folder that resides within %programdata%, or see if Adobe creates an "Adobe" folder within %temp%. In the meantime, you can speed up your systems slightly by de-activating the ClamAV engine, and/or blocking mode - however the former will decrease your offline-protection and the latter will decrease your overall protection. Good luck.
  3. I've just had a look at the Blackmart app description and I'm not surprised Immunet's quarantining it. It's an unofficial app store, so contains code to download other apps - hence might have code similarities to trojan droppers. So it could be a false positive. But there are much bigger concerns with this app: It's worth noting that Blackmart's description says it makes available cracked versions of premium software. I'd therefore suggest you don't use it as you're far more likely to get a virus or trojan in cracked software and the app stores that promote such software. Shady developers of cracked apps already have fewer morals, therefore are more likely to insert malware to further their own ends. They have no problem stealing from developers, why would they suddenly develop a conscience when faced with the choice of stealing your bank details or uploading your nude selfies to porn sites? They also come into contact with other shady developers and shady apps more often, therefore are more likely to have been compromised themselves, and therefore are more likely to unknowingly be inserting malware into their apps. I'd recommend steering clear. There's no need to ever crack an app when there's almost always a freeware or free/open-source app with the same functionality. Try to stick to app stores such as F-Droid (free and open-source), UpToDown (virus-scans their apps and supplies legitimate apps), the /e/ store (legitimate apps) and Aptoide (if you stick to the verified apps and avoid cracked apps, there are a few security checks performed on them). If it's a particular game you want to crack, or something else that you can't really find an equivalent to, make your decision: it's either worth paying for or it's not worth playing at all.
  4. You're right, an Android .apk will not harm a Windows system, as Windows can't execute an APK by itself, without an Android emulator. However, it's common (and a bit of a courtesy) for virus scanners to detect malware for other platforms - ClamAV, the engine that powers Immunet's offline detection capabilities, wouldn't exist if this wasn't the case, as it was originally developed for Unix-like platforms at a time when viruses for these platforms were simply not observed in the wild. The ability to detect threats in .apk archives is therefore handy for people who sideload apps on to their Android devices using ADB, etc. - just as scanning a Word .doc on your BSD or Linux system helps prevent you passing an infection on to a Windows user when you send it to them. If you don't know where the APK file is coming from, I suspect a web site is dropping it on your computer in an attempt to infect you. Most web exploits used to target Windows, but with the massive number of Android devices now, as well as the fact that manufacturers stop releasing security patches for them far too early, there are millions of people browsing the net on insecure Android devices, which makes them a desirable and easy target, much like Windows used to be. One of the web sites you're viewing may have been compromised (or more likely, the ad network displaying ads on it has been compromised) and it's speculatively dropping an infected apk onto your machine, in the hope you're an Android user who can get infected. Immunet rightly detects the apk and attempts to quarantine it. If the site deletes it before Immunet has had the chance to quarantine it, then quarantine will naturally fail. Also, if Immunet is your secondary protection, your primary protection might neutralise it before Immunet gets the chance, resulting in the "quarantine failed" message.
If you have downloaded the APK manually yourself, there's a good chance that the .apk file is compromised and has a trojan in it along with the legitimate program. Sometimes it's a malicious download where someone's compromised a popular app and uploaded it to one of the many download sites - and sometimes it's the developer's fault because they often bundle telemetry and adware into apps (especially gratis ones). After e-mail, the biggest vector I've ever seen for malware distribution is the advertising/tracking networks. You can embed an ad in your website or app one day, thinking it's clean - but the ad will be different each time it's viewed, and each time is an opportunity for a malicious ad to get displayed. The ad networks don't care so don't check their own ads before serving them. Again, this will result in a detection from Immunet and a quarantine failure if either the file is deleted or your primary AV cleans it, before Immunet gets the chance. It might be worth doing a full scan of your system with Immunet, and then another with your primary protection (and/or Windows Defender) to root out anything stubborn. Don't use your computer until the full scans are all complete, and try to close anything you can that's running in the background before you do the scans (temporarily close/exit any unnecessary tray icons like Skype, your printer software, your Sat Nav updater, iTunes, and so on).
  5. If you are running Immunet in parallel with another AV like Norton, you can safely disable the ClamAV module in Immunet. ClamAV is very CPU-intensive, and you may find that this is the component that's causing the CPU-spike. I personally leave ClamAV enabled, because I often add custom signatures to it - but it does really hammer that CPU. You should also make sure you've gone into Immunet's settings and excluded Symantec/Norton's directories under %programfiles%, %programfiles(x86)% and %programdata% as relevant/necessary. You may also want to add Immunet's folders to Norton's exclusions (these are %programfiles%\Cisco\Immunet, %programfiles%\Immunet, %programdata%\Cisco\Immunet, %programdata%\Immunet if you are running 64-bit). I'd be willing to bet a lot of your trouble is Norton and Immunet scanning each other whenever they do anything. As WilliamKing321 states, updates and things also cause this behaviour. I know when my W10 is running an update because Immunet in particular starts consuming massive resources scanning it all. And seeing as I'm a fairly infrequent Windows user, this is very noticeable every time I have the misfortune of needing to boot that operating-system.
  6. Oh, and by the way, I forgot to mention Ritchie, it goes without saying that all the work you do on these forums is really appreciated. It must be pretty hard as it's probably quite a frustrating and thankless task, but the fact you haven't given up is an absolute godsend to the remaining loyal users! I try my best to help too, but you seem to have super-powers and have usually already solved someone's issue before I've even read their post!
  7. I have done a little more investigating. It seems that on a fresh install, attempting to run an update manually from the gui ("update now") fails if ClamAV is enabled and it's a new, fresh install that hasn't updated before. If you leave it for a while to silently-update, the process then seems to be "fixed" (i.e. works as expected). I've tried on a couple of PCs now. Basically I install Immunet, disable ClamAV, blocking-mode, and ClamAV updates, and leave it for a few minutes. I then re-enable ClamAV and ClamAV updates, and again leave it for a few minutes. Then, triggering an update in the GUI seems to result in the statement that "everything is up to date" - and indeed, checking the ClamAV subfolder within Immunet's program folder, reveals that main.cvd, daily.cvd and bytecode.cvd are all present with a recent timestamp. Finally, I re-enable blocking mode. All seems OK. On a slower machine, you can actually tell when this first automatic update happens in the background, because when ClamAV first verifies/loads the database, it will consume a lot of CPU for a moment, causing the machine to be less responsive, and causing Immunet to appear frozen/not responding for a few seconds to a minute. Then, all is well. I'm not sure why updates were temporarily broken on my older installation though.
  8. Haha thank you Ritchie! I'd of course "like" your posts, but until you mentioned it I didn't even know how you gave other people "likes" on here! Will give it a go on your post. I don't always keep Immunet installed, but I do pop on here occasionally to check on its progress and to help other users as I really want it to succeed. It's lightweight and minimalistic, doesn't require an account in order to use, and optionally uses the ClamAV engine, which I find indispensable as it means I can add custom signatures. TL;DR I really like Immunet when it works, and I don't want to stop using it!
  9. ^^ This is yet another reason why Cisco should provide a dedicated removal tool for Immunet, like most AV vendors do with their own products. AV integrates itself so much into a Losedows system that if anything goes wrong (which it eventually will), a clean-up tool to fix broken installations/uninstallations is an absolute must. I've solved this problem before with both Revo Uninstaller (gratis but proprietary) and BCUninstaller (true "free" software - i.e. released under the GPL3-compatible Apache Licence 2.0). Revo is the older and more well-known, established program. I think BCUninstaller is a bit more rigorous and thorough though. Perhaps try Revo first and see what happens. BTW OP, I can fully sympathise with your girlfriend. I'm very comfortable tinkering and experimenting on any system that's Unix-like, but the reason I now call that OS from Redmond "Losedows" is because I just find it too fragile and easy to break, and am getting pretty tired of constantly repairing it for both myself and friends/relatives.
  10. Exclusions to do in Immunet's settings: Exclude the entire folder C:\ProgramData\Kaspersky Lab\ or, if you want to reduce the amount of excluded content, try excluding C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache\ instead. There is no need to do both, as you can see one is just a subfolder of the other. Similarly, you should also exclude Kaspersky's folder within "Program Files" or "Program Files (x86)" as necessary.
Exclusions to do within Kaspersky's settings: I have never had a problem with Kaspersky detecting Immunet's updates, but just in case (and to improve performance), go to Kaspersky's settings and exclude C:\Program Files\Immunet\ (or the equivalent in "Program Files (x86)" if you are on 32-bit), and C:\Programdata\Immunet\
  11. Hey Ritchie, Thanks for the suggestion. I did wonder whether I should have created a new topic or just done a "me too" on this one. Sorry I can't post on the announcement topic you link to. Maybe I need to have reached a certain number of posts or reputation before being allowed to post there or something. I seem to remember last time I had this issue, installing via Chocolatey seemed to work at least temporarily. I may try another re-install and will post back if it works. It would be in Cisco's interests to either fix bugs in Immunet and monitor the forums more closely, or just kill Immunet off completely, once and for all. I have actually been steering my company and others away from considering AMP because of Immunet's relentless bugs, as the two solutions share common code. That in itself is no big loss to Cisco, but if I'm doing that, many others may possibly be doing that too.
  12. I have the same failure - The ClamAV module downloads the database update and then finishes saying it failed to apply the update. This is when performing a manual update via the GUI - no indication is given that it fails when automatic updates are tried, so I have no idea how long this has been going on. This is on any machine I use or administer for friends/family, with Immunet present. Nothing seems to be blocking Immunet updating (e.g. firewalls or other security software). I suspect updates have been silently failing on many users' systems for a long time. Seems to make no difference whether Immunet is the only security solution on the system, or whether it is run in tandem with others (obviously with each included in the others' exclusion lists). As an experiment, I downloaded ClamAV for Windows, and freshclam was able to update with no problem, so it's not a connectivity issue between Immunet/my machine and the ClamAV servers. In fact, from the way the error occurs, it seems to be that the problem is with Immunet actually applying the downloaded update! Maybe Immunet is preventing all writes (including its own) to its program directory?
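Posts 7 and 12 above both come down to the same question: did the ClamAV database on disk actually change after an update, regardless of what the GUI says? The following is an added example, not Immunet's or ClamAV's own tooling. It reads the 512-byte text header that every ClamAV .cvd/.cld file starts with (nine colon-separated fields: ClamAV-VDB, build date, version, signature count, functionality level, MD5, digital signature, builder, build time as an epoch) and reports version, signature count and age. It runs in any POSIX shell, for example against a copy of Immunet's ClamAV subfolder; the sample daily.cvd it builds is constructed with made-up numbers so the block runs offline.

```shell
#!/bin/sh
# Added example (not Immunet's or ClamAV's code): inspect ClamAV database headers
# (main.cvd, daily.cvd/daily.cld, bytecode.cvd) to see what is really on disk.
# Header layout is ClamAV's own; the first 512 bytes are text, padded to the block:
#   ClamAV-VDB:<build date>:<version>:<signatures>:<f-level>:<md5>:<dsig>:<builder>:<build epoch>

# Print field N (1-9) of the header, with trailing padding stripped.
cvd_field() {
    dd if="$1" bs=512 count=1 2>/dev/null | tr '\000' ' ' | cut -d: -f"$2" | sed 's/ *$//'
}

# True when the file carries a CVD/CLD header at all (catches truncated or junk files).
cvd_is_valid() {
    [ "$(cvd_field "$1" 1)" = "ClamAV-VDB" ]
}

# Whole days between the database build time and a given epoch (pass $(date +%s)).
cvd_age_days() {
    built=$(cvd_field "$1" 9)
    echo $(( ($2 - built) / 86400 ))
}

# One line per database in a directory: name, version, signature count, age in days.
cvd_report() {
    now=$(date +%s)
    for f in "$1"/*.cvd "$1"/*.cld; do
        [ -f "$f" ] || continue
        if cvd_is_valid "$f"; then
            printf '%s version=%s sigs=%s age=%sd\n' "$(basename "$f")" \
                "$(cvd_field "$f" 3)" "$(cvd_field "$f" 4)" "$(cvd_age_days "$f" "$now")"
        else
            printf '%s: not a ClamAV database header\n' "$(basename "$f")"
        fi
    done
}

# Constructed sample so the block runs offline: a fake daily.cvd header with made-up
# version/signature numbers and placeholder digests, space-padded to 512 bytes.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CVD="$SAMPLE_DIR/daily.cvd"
printf 'ClamAV-VDB:01 Jan 2024 10-00 -0000:27000:2000000:90:%s:%s:example:1704103200' \
    d41d8cd98f00b204e9800998ecf8427e SIGNATURE_PLACEHOLDER > "$SAMPLE_CVD"
pad=$((512 - $(wc -c < "$SAMPLE_CVD")))
dd if=/dev/zero bs=1 count="$pad" 2>/dev/null | tr '\000' ' ' >> "$SAMPLE_CVD"
# A junk file alongside it, to show the validity check rejecting non-databases.
JUNK_FILE="$SAMPLE_DIR/notadb.cvd"
printf 'this is not a database' > "$JUNK_FILE"

cvd_report "$SAMPLE_DIR"
```

Two things to keep in mind when reading the report: freshclam writes incremental updates as a .cld (so a daily.cld newer than daily.cvd is normal, not a failure), and if the version and build date have not moved after the GUI reports an update, the "downloaded but failed to apply" symptom described above is confirmed from disk rather than inferred from the message.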
  13. I presume you weren't trying to install another program at the time? If it just happens randomly, out of the blue, could it perhaps be that your other antivirus is updating at that moment? Perhaps check if it's performing an update when you see this message. When I tried Immunet alongside Bitdefender free a long time ago, I noticed that Immunet always popped up with a detection of the "Eicar" test file whenever Bitdefender updated. Additionally, it always said it couldn't quarantine the detected file - presumably because Bitdefender had already used and deleted it. I couldn't add it as an exclusion, because it was always a different random-string filename within the temp folder, every time. I didn't want to exclude the whole temp folder, either - so it was an annoyance. These detections look like they're coming from the ClamAV engine, which makes me inclined to think they could be false positives. Especially as it's always the same signature that's triggering the detection. Another thing that can cause it is your browser's adblocker. I sometimes get a lot of ClamAV false positives like this when my browser's adblocker updates its blocklists - but they are usually in the browser's folder, not the temp folder. You can probably get rid of these messages by disabling the ClamAV module (but leave Ethos and Spero enabled), especially if you have another antivirus program running at the same time. Ethos and Spero detect more than the Clam engine, and the Clam engine is only of use when you're offline. If you're not using another AV in combination with Immunet, then I'd perhaps be a little more concerned about these detections.
  14. Can confirm Ritchie's solution. I've had this issue before. Solved it exactly the same way: I rebooted into Safe Mode (I think I used safe mode with command prompt, but safe mode without networking will probably also work), and used Revo (proprietary freeware) on one occasion, and BCUninstaller (FLOSS) on another. It's a shame the Immunet/AMP developers don't produce a removal/cleanup tool like the other AV vendors do.
  15. By the way, with regards to the error code EX0 or whatever it is... I have issues with these forums in Firefox, Vivaldi, and Icecat (based on Firefox ESR); however these forums work perfectly in the Pale Moon browser (forked from an early version of Firefox, but with security patches and modern web technologies added in).
  16. In short, no. Immunet can't coexist with Windows Defender anymore. In earlier versions of Windows, it was possible to install multiple AV solutions (including Defender or Security Essentials, as it was then called) simultaneously - and bog down the machine really badly. In Windows 10, any security solution that registers itself in the security center causes Windows Defender to automatically disable itself. This is based on the assumption that two realtime security solutions will always clash, and that "companion solutions" such as Immunet and Malwarebytes don't exist. Therefore, installing Immunet automatically disables Defender. Which is a shame, because the combination of the two was really good on earlier versions of Windows. Malwarebytes is another companion anti-malware solution, and it specifically gets around this problem by providing an option in the settings "integrate into Windows Security Center". If you set it to "no", it doesn't integrate and therefore doesn't disable Defender, allowing you to run the two in tandem. Immunet doesn't include this feature, which means in Windows 10 it will automatically disable Defender. I suggested the "integrate into Security Center" toggle option as a feature request in Immunet ages ago. The best you can do, if you want to use Immunet and Defender, is to set the "allow periodic scanning" option in the Security Center. That way, although Windows Defender won't provide any realtime protection, you would still be able to run manual scans with Defender. That said, as Ritchie points out, you can do far better than Windows Defender. On machines I look after, I've successfully run Immunet alongside Sophos Home Free, and it's really fast and stable. I've also tried it alongside Kaspersky Free, and it was also OK.
On my personal Windows installation (everything else I have is Linux) I run it in tandem with both F-Secure AV and Malwarebytes Premium, with each excluding the "program files" and "programdata" folders of the other two solutions, and they all play nicely together. Immunet gives by far the greatest performance-impact, but that's probably because I leave ClamAV enabled. That hardware is an 11 year-old box (Celeron, I think), with 4GB RAM and a mechanical hard disk, and it has absolutely no trouble with it.
  17. ^^This! Especially when a significant number of Linux distributions still provide 32-bit x86 binaries (Debian, Devuan, Trisquel, Gentoo) that work faster and better with current software, than XP ever did. I still have 2 XP-era machines. If I had any "XP-only" software that only ran on XP, they'd be airgapped, for sure. - But most of the time, you can use a modern Linux distribution with Wine, which so far seems to run any XP-era (or earlier) Windows binaries I throw at it, flawlessly. Thanks to Wine, I recently managed to revisit some games I created when I was at school, using Europress Klik n' Play, and Corel Click n' Create! Happy days...
  18. Thinking about your threat-model... The legacy system is believed to be currently-clean, and not on the internet. This means any threat would have to come from somebody using an infected USB, CD-ROM, or floppy-disk (or network-shares, if it's on a LAN). This is great as you can potentially avoid wasting your resources on realtime protection on this machine at all. I don't use AV on my emulators and vintage VMs, as (for the same reasons as your XP machines) there's hardly any way they could get infected. For nostalgia's sake I have a copy of Dr Solomon's on a W95 VM, and Datafellows or F-Prot or something on my Windows for Workgroups one. I can't remember the last time I ever scanned anything with them though. I guess it would help if I ever discover a floppy disk in the attic or something. As the person responsible for these machines, you likely have some degree of authority that you can perhaps wield here: Have you considered mandating that any storage-medium to be connected to this machine must first have a full scan performed on it by whichever computer it came from? Make it part of company IT policy for legacy machines, put a little reminder sign by the legacy machines... Going even more extreme, you can even buy manual locks that plug in to USB ports and floppy drives, to prevent unauthorised usage of such devices. Should anyone wish to use such a device, they'd have to ask you for the key. I'm not surprised you couldn't get Immunet 5 working. I seem to remember XP-era Immunet was circa version 3 and below. Version 5 was probably compiled against Vista or 7, so probably can't run on XP. Additionally, Version 5 itself is now very outdated. The Immunet infrastructure has changed since then, so cloud lookups would probably fail if you were online. Additionally, the ClamAV engine has received numerous updates since then, so the current ClamAV database will probably fail to load in the old engine. 
You may have a moderate degree of luck if you hunt the various vintage-software archives for old versions of behaviour-based protection tools (I'm thinking NoVirusThanks OSArmor and VoodooSoft VoodooShield here). I'm not sure when those tools came into being, but they may have been around early enough. I used to know a number of people who ran Comodo's firewall as their only protection, due to its behaviour-blocking techniques. So one of the more-sophisticated XP-era firewalls might be what you're looking for. Therefore, although it won't provide you with up-to-date static file-detection, a vintage copy of Comodo Firewall or Comodo Internet Security might give your XP machine sufficient protection to stop most of the payloads and hacks that it'd still be capable of running anyway. Given that fewer and fewer crackers and viruses will be specifically targeting XP due to the dwindling numbers of remaining installations, one of these solutions may just give you enough protection. Your gran's W7 or W10 PC running nothing but Windows Defender, navigating from her webmail to a fake online-banking page, is much lower-hanging fruit for an average cracker than an airgapped legacy machine in a corporate environment. If someone's targeting the latter, your firm is a specific target not an opportunistic one, and you'd be best off hiring a consultant. If a network share serves these XP legacy machines, you may wish to configure virus-scanning on that share on the server. I guess Windows servers do that automatically with their realtime protection. On Linux, you can configure ClamAV to do on-access scanning of selected paths quite easily via clamd.conf. As an on-demand scanner on these machines, you could try ClamWin, but it's been abandonware for a number of years, so probably can't load the latest ClamAV databases. 
You could also try ClamAV for Windows (from the ClamAV web site), but again, this is compiled against newer versions of Windows so XP probably doesn't have the correct DLLs and APIs present for it to run. Another problem you may run into is that a current virus database will probably occupy more RAM when loaded, than a typical XP-era machine has to offer. Therefore I think the problems surrounding having these machines attempt to protect themselves, are far, far greater than the benefit you would gain over having modern machines just scan whatever disks you subsequently feed to these legacy machines.
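The post above mentions configuring ClamAV on-access scanning of selected paths via clamd.conf (and a later post on this page lists /home, /media, /mnt and /tmp as the directories watched). The following is an added example, not the poster's configuration and not part of ClamAV: it generates a clamd.conf fragment for on-access scanning and sanity-checks it. The directive names are ClamAV's own (version 0.102 and later, where the separate clamonacc client does the watching); the directory list and the size limit are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not the poster's own config: emit a clamd.conf fragment that enables
# on-access scanning for a chosen set of directories, plus two checks worth running
# before the fragment goes into /etc/clamav/clamd.conf.

onaccess_conf() {
    # $1: space-separated directories to watch (constructed list in the demo below)
    cat <<'EOF'
# --- on-access scanning (ClamAV >= 0.102, clamonacc) ---
# don't react to clamd's own file reads (avoids a scan feedback loop)
OnAccessExcludeUname clamav
# hold the open() until the scan has finished; "no" would only notify
OnAccessPrevention yes
# also scan on close-after-write and on moves into a watched tree
OnAccessExtraScanning yes
# large files are skipped rather than stalling every open
OnAccessMaxFileSize 20M
EOF
    for dir in $1; do
        printf 'OnAccessIncludePath %s\n' "$dir"
    done
}

# Return 1 (and say which) if a path to be watched does not exist; a typo here is
# worth catching before the daemon is asked to watch it.
onaccess_paths_exist() {
    for dir in $1; do
        [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    done
}

# How many OnAccessIncludePath lines a generated fragment contains.
onaccess_include_count() {
    printf '%s\n' "$1" | grep -c '^OnAccessIncludePath '
}

# Demo with the constructed list (the poster's own paths, as listed later on this page).
# On a real host: append the output to clamd.conf, restart clamd, then start
# `clamonacc --fdpass` as root.
WATCH_DIRS="/home /media /mnt /tmp"
onaccess_conf "$WATCH_DIRS"
```

Design note: OnAccessPrevention is what turns "detect" into "block", and it is also the setting that makes a slow machine feel sluggish, since every open of a watched file waits for the scan; that is the trade-off behind watching only a few directories on fast machines and falling back to on-demand scans on slow ones.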
  19. TL;DR Layered approaches are good, your behaviour is key, spyware/tracking/adware are also malware, if telemetry/personal data aren't collected, they can't be leaked/exploited, if unsolicited connections aren't made, you know your exposure and can trust your devices, you need to be able to trust the developers.
The long version: I suppose how far you're willing to go depends on your threat model. My defences are overkill for my minimal (ordinary guy) threat model. The more defences you have, the more inconvenience you will experience, and the more your computers will get bogged down. Also, more defences increase the likelihood of false positive detections, accidentally corrupting/deleting/losing access to your data, etc. That said, layered defence is definitely the way to go. I'd also remark that security overlaps somewhat with privacy. Once you neutralise a threat to one, it often reduces a threat to the other. Additionally, security isn't just what packages you install. It's a whole philosophy and workflow. It's a method you have to constantly adhere to, not just something you can install and forget, or just do once. I am primarily a GNU/Linux user, but I do occasionally boot Windows 10. My main, most obvious defence methods are the following:
Platform-independent:
Pi-hole DNS-based blocking with a handful of well-known spyware/tracker, adware and malware-blocking lists. (Personally, I believe all of those are just "malware", but apparently some people distinguish between them). If scummy hosts can't connect in the first place, they can't infect you.
Firewall/router disallows any outgoing connection not originating from the Pi-hole, with a destination of port 53, to mitigate against creepy devices that try to use their own hardcoded DNS (e.g. other people's portable devices, possibly my TV even though I only use it as a "dumb" TV). (If it's not making an unsolicited connection and not contacting undesirable hosts, it's harder to exploit. Believe it or not, even smart light bulbs can be hacked to operate in botnets).
All my passwords (except perhaps 1 or 2) are very long, randomly-generated strings of alphanumerics and symbols. I store them in a free and open-source password manager (Keepass is a good option). If they're hard to brute-force, hard to guess, unique, and stored safely, it's harder for malware and crackers to get at them.
I don't use "the cloud" for anything - although I do have a little bit of Nextcloud storage I occasionally use like a USB stick. It's encrypted with Cryptomator.
I log out of everything the instant it no longer has my attention - i.e. I check my emails, then I sign out. I check my secondary emails, then I sign out. This should work for Facebook, Google Drive, virtually anything you use. If you're not signed in, malware can't exploit your login as easily. You also can't be tracked as easily, and if you're not being tracked, that information can't be leaked and then exploited for phishing etc.
Every time I sign out of something, I clear all browsing history, cookies, cache, the lot. I don't save anything in the browser - no addresses, payment methods, passwords, nothing. The browser is a prime target for crackers looking to attack desktop users. If it isn't stored in my browser, it's harder for any malware that slips through to get it.
Make sure as much of your software as possible is free/libre, or at least open-source - or that the developer is well-known, trustworthy, honest, and has a clear, plausible business model. If source code is available, someone can vet it for malware; if the software is proprietary but has a good, transparent developer with a believable revenue stream, the developer has little incentive to insert malware into their code.
I don't install an app on any portable device if the web site provides the required functionality, even if less convenient.
Browser:
I use Mozilla Firefox, GNU Icecat, or Pale Moon with a variety of about:config tweaks, detailed at spyware.neocities.org, restoreprivacy.com and privacytools.io. I also use Vivaldi on occasion, but never, ever Chrome under any circumstances.
Useful extensions include Ublock Origin, Cookie AutoDelete, Decentraleyes, Privacy Badger, HTTPS Everywhere, CSS Exfil Protection, Privacy Oriented Origin Policy, and either Trace (Vivaldi) or ClearURLs (Mozilla-based) to cover the remaining tracking methods not already covered by about:config tweaks or other extensions. If you don't mind taking ages to fix broken web sites the first time you visit them, then NoScript would boost your security immensely, but it's not for the faint-hearted or beginners.
I shut down any PC or tab whenever I'm not using it.
I'm very wary of browser extensions, especially if they're not released under a free/open-source licence, and the developer doesn't have a good reputation/online presence. I periodically make sure none of my extensions have been sold to new developers (like what happened to Nano).
Ad and tracking networks have distributed malware several times in the past. If a site asks you to disable your content blocker, tell the webmaster to go to hell and then navigate to a better site. Don't use an adblocker that participates in any sort of "approved ads" programme (or at least disable the whitelisting of such ads). If data about you isn't collected, and a piece of code isn't allowed to run in your browser, that's one less way for your name and credit-card details to be leaked, and one less way for malware to infect you.
Linux-specific:
Don't run any proprietary packages, for instance Skype or Zoom - use the web versions (where available) instead. Only use the distro's official repository - not even semi-official user-contributed repos. AppArmor enabled. Always sandbox anything internet-connected (e.g. browser, mail client, instant messenger) with Firejail.
I use additional databases for ClamAV - the SecuriteInfo ones, and a subset of the ones provided by Sane Security. I used to also use the rfxn databases, but they caused a lot of false positives when used in conjunction with the other databases. I have ClamAV on-access scanning on my /home, /media, /mnt and /tmp directories for fast machines. For slow machines I just run a full ClamAV scan of my home folder every time I finish using the internet.
Windows-specific:
I install all my software from Chocolatey because it's a bit like a Linux package manager, so everything stays up to date. Additionally, the packages are all subjected to at least a small degree of checking/verification.
O&O ShutUp10 to disable as many of the Windows spyware functions as possible. If unsolicited connections don't happen, they can't be exploited. Additionally, if someone isn't able to collect your data, they can't lose it when they eventually make an error or get hacked.
For AV/antimalware, I use F-Secure AV + Malwarebytes Premium (i.e. their paid version) + Immunet with ClamAV enabled. To get them to play nicely, I have gone into the "exclusions" settings for each, and excluded the program-files and program-data folders for the other two. Believe it or not, using all 3 real-time solutions doesn't bog down anything but the slowest of old machines. Windows itself is so bloated and heavy that anything you install on top of it is negligible in comparison. (If you don't believe it, try to install W10 on an Atom-powered netbook and watch how long it takes to do things like display the start menu).
For behaviour-blocker, Voodoosoft Voodooshield or NoVirusThanks OSArmor are absolutely fantastic. Truth be told, they can almost function as the sole protection in their own right, and they consume negligible resources. I prefer OSArmor as it is less "noisy" with alerts, and has fewer false positives. I also think its interface is neater and cleaner. That said, Voodooshield is more well-known, older/more established, and still offers a free version.
I have been using computers for over 30 years, and been an internet user for around 25 of them. I've never detected an infection or experienced symptoms indicative of an infection, on any computer in my household or workplace. This isn't a boast, issuance of a challenge to potential crackers, or an invitation for fate to give me a kick in the pants, it's just an indication that a moderate degree of effort and inconvenience that doesn't significantly interrupt daily life or use of most sites/services, seems to have worked over time. Obviously my approach and software choices have evolved over time, but the above should at least give you a hint of the type of philosophy/approach I've always taken. Sorry for the massive essay, but hopefully something in it will be useful to you.
  20. I made the assumption that everyone still logs out of sites when they're not using them, so forgot to mention... Because of the way the malware works, if you've been affected you should log out of all of your sites and services, as well as changing your password. I also forgot that "Edge" is a browser too. I've never had any desire to subject myself to it, but I believe it can now run Chrome extensions too, so if you're an Edge user who's installed Nano, you could also be infected.
  21. ClamAV eats a lot of CPU, especially if you have "scan on install" combined with "blocking mode" turned on. This will slow your machine, so the best thing to do is only enable ClamAV if you are using Immunet as your sole AV. As ClamAV is signature-based, it should display no network usage at all, unless updating (or attempting to update). Your high network usage can only therefore be coming from checking Task Manager while ClamAV is attempting to perform an update. You are likely seeing ClamAV attempting a lot of updates because it keeps failing, so therefore stays "out of date", and therefore keeps trying again. There is a bug in the latest version(s?) of Immunet, where ClamAV updates keep failing. I have noticed that any installations I've performed "the proper way" (by downloading from the Immunet web site) display this problem, whereas when I installed using Chocolatey it didn't. I'm not sure if it's coincidence or if it's something to do with the Chocolatey install process, for instance the command-line arguments that Chocolatey passes to installers. If you want to try this, uninstall Immunet first, selecting "no" to the "keep settings" dialog, to make sure none of the old configuration remains. YMMV.
  22. This is not strictly related to Immunet, but may be worth highlighting to visitors of this forum. In October, the lead developer of the popular adblocker extension "Nano Adblocker" and companion extension "Nano Defender" sold the identity and code-repository access (effectively "sold the extension") to some previously unknown Middle-Eastern developers. In his defence, he had been unable to keep up with the maintenance requirements of the addon, and wanted its development to continue rather than leave his users "high and dry". He also performed some (albeit) minimal background checking on the new developers before the sale, although he may have been a little naive and therefore too trusting. Unfortunately, the first thing the new developers did was introduce some very crudely obfuscated spyware into the popular extensions. In a rudimentary attempt to conceal the existence of the spyware, the developers even attempted to have the extension detect if the browser's developer console was open, and modify its behaviour accordingly. If you use Chrome (which is arguably a piece of spyware in and of itself), it is important that you remove these extensions immediately. I suspect the same extension will also be used in Opera/Vivaldi/Brave, so if you are a user of those browsers this could also apply to you. Fortunately, the Firefox version of the extension has not yet been updated with the malware changes, as the extension is developed for Chrome, and ported to Firefox by another maintainer. The new spyware was exposed before the Firefox maintainer had pulled in the upstream code changes. That said, it would be a smart move to delete this extension if you are using it on Firefox, as I don't see any updates being made to it from now on. You will probably find Gorhill's uBlock Origin a suitable replacement for Nano Adblocker, and in fact it is the extension from which Nano takes most of its (non-malicious) code.

If you are already a uBlock Origin user, please double-check that you didn't install Nano Defender at some time, to protect uBlock. Fortunately, at the time of writing, this malware is easy to remove: simply uninstall the Nano Adblocker and Nano Defender extensions. Then change all of your passwords. If you are extremely worried, and want to make extra sure that your browser profile is clean, delete your browser profile and create a new one. To the best of my knowledge Immunet does not yet detect these extensions when installed. I think it'd be a good idea for us all to treat this as a warning that an extension is only as trustworthy as its developer, and that the same developer may not always "own" an extension. It'd therefore be a good opportunity to have a look at all your browser extensions, and uninstall the ones you don't use. You could also take a look to get a feel for the public profile of each developer. Uninstall any that make you uneasy. Broadly speaking, if it's not under a free (libre)/open-source licence, you can't verify that the code is benign, and you need to be confident that you know how the developer(s) are paying for their time and resources. More info: GHacks article; Ars Technica article.
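The post above asks readers to check whether Nano Adblocker or Nano Defender is still installed. Below is an added example of how that inventory check could be scripted; it is not code from the forum post or from Immunet. It parses the two profile files that browsers keep their add-on lists in (assumed layouts: Firefox's `extensions.json` with an `addons` array, and a Chromium-family `Preferences` file with `extensions.settings.<id>.manifest`), lists every extension with its enabled state, and flags names on a watch list. The profile data embedded below is constructed for the example, and the extension ids in it are placeholders, not the real Nano ids.

```python
"""Inventory browser extensions from profile metadata and flag watch-listed names.

Added example, not the forum post's or Immunet's code. Reads a Firefox
profile's extensions.json and a Chromium-family profile's Preferences JSON,
returns every installed extension (id, name, enabled), and flags names that
match a watch list. Sample data and extension ids below are constructed
placeholders, not real ids.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Names the forum post tells readers to look for; matched case-insensitively.
WATCH_LIST = ("nano adblocker", "nano defender")

# Constructed sample of <firefox profile>/extensions.json (abridged layout).
SAMPLE_FIREFOX_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 33,
    "addons": [
        {"id": "ublock-example@placeholder", "type": "extension", "active": True,
         "defaultLocale": {"name": "uBlock Origin"}},
        {"id": "nano-defender-example@placeholder", "type": "extension", "active": True,
         "defaultLocale": {"name": "Nano Defender"}},
        {"id": "dark-theme-example@placeholder", "type": "theme", "active": True,
         "defaultLocale": {"name": "Dark"}},  # themes are not extensions; skipped
    ],
})

# Constructed sample of <chromium profile>/Preferences (abridged layout).
# Chromium extension ids are 32 letters a-p; these are placeholders.
SAMPLE_CHROMIUM_PREFERENCES_JSON = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"state": 1, "manifest": {"name": "Nano Adblocker"}},
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"state": 0, "manifest": {"name": "Privacy Badger"}},
            "cccccccccccccccccccccccccccccccc": {"state": 1},  # component entry without a manifest
        }
    }
})


@dataclass(frozen=True)
class Extension:
    browser: str
    ext_id: str
    name: str
    enabled: bool


def firefox_extensions(extensions_json: str) -> list[Extension]:
    """Parse Firefox's extensions.json; keeps only type == "extension" entries."""
    data = json.loads(extensions_json)
    found = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries and language packs
        name = (addon.get("defaultLocale") or {}).get("name", "")
        found.append(Extension("firefox", addon.get("id", ""), name, bool(addon.get("active"))))
    return found


def chromium_extensions(preferences_json: str) -> list[Extension]:
    """Parse a Chromium-family Preferences file; "state": 1 is treated as enabled (assumption)."""
    data = json.loads(preferences_json)
    settings = data.get("extensions", {}).get("settings", {})
    found = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        if "name" not in manifest:
            continue  # component or placeholder entries carry no manifest
        found.append(Extension("chromium", ext_id, manifest["name"], entry.get("state") == 1))
    return found


def flag_watch_listed(exts: list[Extension], watch_list=WATCH_LIST) -> list[Extension]:
    """Return the extensions whose name contains any watch-listed string."""
    return [e for e in exts if any(w in e.name.lower() for w in watch_list)]


def report(exts: list[Extension], watch_list=WATCH_LIST) -> list[str]:
    """One line per extension, prefixed with '!!' when it is on the watch list."""
    flagged = set(flag_watch_listed(exts, watch_list))
    lines = []
    for e in exts:
        mark = "!!" if e in flagged else "  "
        state = "enabled" if e.enabled else "disabled"
        lines.append(f"{mark} {e.browser:8} {state:8} {e.name} ({e.ext_id})")
    return lines


if __name__ == "__main__":
    # In practice, replace the samples with the contents of your own profile files.
    installed = (firefox_extensions(SAMPLE_FIREFOX_EXTENSIONS_JSON)
                 + chromium_extensions(SAMPLE_CHROMIUM_PREFERENCES_JSON))
    print("\n".join(report(installed)))
```

Matching on the display name rather than the extension id is deliberate: the post's point is that an extension can change hands without changing its id, so a name-based inventory that you then review by hand (who publishes it now, and under what licence) is the check being recommended. Disabled entries are still listed, because a disabled extension can be re-enabled by a later update.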
  23. This thread gave me a smile (much like the kind of smile you get when you wake up, open your coffin lid, and see that the moon is full)! I have been doing a bit of investigating on every Windows machine I can get my hands on.

Update Bug

It seems that when I install Immunet the "normal" way, I get varied results. Whenever I have installed Immunet via the "Chocolatey" package manager, it's worked perfectly and as expected. This could be a coincidence, but it might be worth looking at the Chocolatey install scripts to see how the Immunet installer is called. All my Chocolatey-installed Immunet installations update the ClamAV engine as expected, with no kludges or workarounds necessary.

"Restore from Quarantine Failed" Bug

I think I detailed on another thread elsewhere on this forum that occasionally the "restore" feature failed, causing a quarantined file to be lost for good. I have noticed that this failure only occurs if the machine is under load, especially if you try to restore the file while Immunet is still performing its scan. A workaround is therefore to ensure that any Immunet scan has completed, and the machine is sitting idle, before attempting a restore from quarantine. This to me implies some sort of "timeout" issue between separate threads of Immunet - for instance the GUI thinking that the service isn't responding because the load on the machine is causing it to take too long. The solution would of course be to increase the relevant timeout value to a few minutes at the minimum.
  24. Ritchie, I'm surprised you haven't used BCUninstaller before. I do recommend you investigate it, because it's free and open-source (less incentive to spy on users, and less ability to hide such anti-features - also means programmers can contribute to or fork it). Most importantly, from the perspective of the "average Joe" who probably doesn't know or care about freedom issues or spyware, it's a bit more thorough than Revo, and detects things like optional Windows components and Chocolatey packages. For those who are interested there's actually a massive discussion thread over at Wilders where somebody tested every single uninstaller they could get their hands on, although I don't have the patience to read it all, and it also indicates that there's no cut-and-dried "best" or "better" one for all possible use cases. By the way, I have no connection with BCUninstaller or its developer(s) and I still regard Revo pretty highly too. Using either in one of the "safe mode" options of Windows should purge Orbital out of the system. You can get into safe mode by starting your PC and then pressing the reset button as soon as it's started booting. If you do this 3 times, Windows detects the failed attempt at booting, and gives you the option to enter safe mode. Another option is to shut down the PC holding the shift key, and then navigate through all the counterintuitive menus and submenus until you accidentally stumble across the hidden option to enter safe mode. It's a far cry from just holding down F5 when your computer starts (or F8 to get the boot menu). I think Microsoft's design team have spent too much time sniffing glue or something.
  25. Note: I wouldn't normally advocate registry-cleaners, especially CCleaner, but this is the one instance where I think they can have some merit. I also forgot to add that another reason I tend to favour BCUninstaller is that it is often pretty clever at telling you if any processes need to be killed in order to remove an installed program, and gives you the option to kill those processes.