alfred

3 Spero Trees Are Now Active

All,

 

After working on our SPERO engine since our June release of 2.0 we have now shipped 3 SPERO sub-engines in 'convict' mode. This means you will start seeing SPERO detections popping up as of today. The three new sub-engines are virus 'family' specific and are:

 

1. W32.SPERO.Allaple

2. W32.SPERO.SillyFDC

3. W32.SPERO.Startpage

 

You may in some cases see detections with those names and an appended '-0907' as well.

 

These sub-engines, as you might have guessed, are built to hit threats in the Allaple, SillyFDC and Startpage families. The last two 'families' are more references to threat types (those which copy themselves over network shares and those which change your start page on your browser). They represent the first of over a dozen sub-engines we will be releasing throughout the winter. We will also be switching on a 'Generic' tree in the next 10 days as well; this generic tree has our most significant boost in detections of all the trees ready to be brought to production right now.

 

The 3 engines above plus the Generic engine in training dramatically increase our in-field detection rates. So much so that it's probably the biggest single gain I have seen for our product since its 1.0.10 release. To put it in plain terms they increase our in-field detection rates by 70% or more in our test harnesses. We expect to see this jump in the field by the end of November if not before.

 

Of course the risk of generic detection engines is that they will increase our FP rates. Please be sure to post in the FP Forum if you encounter any detections which you feel are FP's from these engines.

 

Best,

Alfred


Great news! A big ol' thumbs up to the Immunet team.

 

It should be noted the gains will be enjoyed by users of both the free and Plus versions and doesn't need an upgrade. It's automatic because it's in the cloud. Ya gotta love it!

 

Please let us know when the Generic goes live.

 

Cheers!


This is great news! I have a question that I believe is of importance to most users. Just to clarify, when you all "ship" upgrades such as 3 Spero Trees, is this automatically enabled for all Immunet users?

 

The reason I ask is I have clients running various versions of 2.0.x. Will there be cases when users must upgrade to the latest release before they will see new feature add ons, or are they automatically pushed to all users? I guess to clarify, when versions jump from say 2.0.12 to 2.0.14 to 2.0.15, is this mainly bug fixes? How about users who still may be using version 1.0.x? Would they benefit from the new 3 Spero Trees or do they first need to upgrade to 2.0.x?

 

Thanks!


Hi,

 

That is a good question. The SPERO functionality is only available in 2.0. I sometimes forget we have a substantial amount of 1.0 users in the field. SPERO also helps collect malware, so 1.0 users will see benefit from this but regrettably not in the direct sense of the word.

 

Best,

al


FYI. As of right now, these current engines are deployed:

 

Allaple.07.11

Mazebat.07.11

Cosmu.07.06.11

Skin.07.06.11

Dialer.07.06.11

Fakeav.07.11

Fenomen.07.06.11

Ridnu.07.06.11

Startpage.07.06.11

Trymeia.07.06.11

SperoFX

Prolixus.0825

Trojan.Generic.1123

W32.Invictus

 

Also you will see convictions ending in .rc - these are from a new cloud engine called Recon. Convictions ending in .tt are from the Turntable engine.

 

Best,

al
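The engine list and the ".rc" / ".tt" suffix rule above are the only description of the detection naming convention in this thread, so here is an added example (not Immunet's code) of how a defender might parse conviction names out of an endpoint log and tally them by engine for triage. The name grammar (platform.ENGINE.Family, optional dotted version such as 07.06.11, optional "-0907" style build tag) is inferred from the names quoted in this thread and is an assumption; the log line format and every log line below are constructed for the example.

```python
import re
from collections import Counter

# Assumed grammar, inferred from names quoted in the thread (not a documented format):
#   W32.SPERO.Allaple            platform.ENGINE.Family
#   W32.SPERO.Allaple-0907       ... with an appended build tag
#   W32.SPERO.Cosmu.07.06.11     ... with a dotted version
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<engine>[A-Za-z]+)\."
    r"(?P<family>[A-Za-z][A-Za-z0-9]*)"
    r"(?:\.(?P<version>\d+(?:\.\d+)*))?"
    r"(?:-(?P<build>\d+))?$"
)

# From the post: convictions ending in .rc come from Recon, .tt from Turntable.
SUFFIX_ENGINES = {".rc": "Recon", ".tt": "Turntable"}


def parse_detection(name):
    """Return {'engine', 'family', 'version', 'build'} for a detection name, or None."""
    for suffix, engine in SUFFIX_ENGINES.items():
        if name.endswith(suffix):
            # Shape of the part before the suffix is unknown; keep it whole as the family label.
            return {"engine": engine, "family": name[: -len(suffix)],
                    "version": None, "build": None}
    m = NAME_RE.match(name)
    if not m:
        return None
    return {"engine": m.group("engine"), "family": m.group("family"),
            "version": m.group("version"), "build": m.group("build")}


# Constructed sample log: "date time ACTION detection-name path" (format is this example's own).
SAMPLE_LOG = """\
2011-07-15 10:03:22 QUARANTINED W32.SPERO.Cosmu.07.06.11 C:\\System Volume Information\\_restore\\A0001.exe
2011-07-15 10:05:41 QUARANTINED W32.SPERO.Allaple-0907 C:\\Windows\\Temp\\svc.exe
2011-07-15 10:09:03 QUARANTINED W32.SPERO.Startpage C:\\Users\\a\\Downloads\\setup.exe
2011-07-15 10:11:17 QUARANTINED W32.Example.rc C:\\Users\\a\\AppData\\Local\\Temp\\x.tmp
2011-07-15 10:12:55 QUARANTINED W32.Example.tt C:\\Users\\a\\Downloads\\crack.exe
2011-07-15 10:14:00 QUARANTINED not-a-detection-name C:\\foo
"""


def parse_log(log_text):
    """Split each line into its fields; the path is the remainder so it may contain spaces."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        date, time, action, name, path = parts
        events.append({"when": f"{date} {time}", "action": action, "name": name,
                       "path": path, "parsed": parse_detection(name)})
    return events


def tally_by_engine(events):
    """Count convictions per engine; names that fail to parse are counted as 'unparsed'."""
    counts = Counter()
    for ev in events:
        counts[ev["parsed"]["engine"] if ev["parsed"] else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["when"], ev["name"], "->", ev["parsed"])
    print(dict(tally_by_engine(evs)))
```

Names that do not match the assumed grammar are kept and reported as "unparsed" rather than dropped, so a new engine or naming change shows up in the tally instead of silently disappearing.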

Guest OrlandoP


I wanted to talk with Adam in October about Fakeav Engine, but you preceded me. :lol:

 

Orlando



Hi -- I'm new around here, as you'll probably be able to tell from the pure cluelessness of my question. But what does all this mean? Because I'm currently running a system-wide scan due to having some of my websites hacked last week, and a friend suggesting that perhaps my actual computer has been hacked somehow, hence my website login info being hacked -- specifically, my cPanel password. In the course of this system-wide scan, I have a little popup that says it has detected W32.SPERO.Cosmu.07.06.11, and quarantine was successful. But I don't have a clue what this means; I can't find any real info about this infection, whatever it is, and I need to know what further steps I may need to take to get rid of it -- quarantine sounds awfully temporary. I have no earthly idea about these "trees," or "engines," or "convictions," or any of the other jargon above, I just did a search here for this particular name (SPERO.Cosmu) and came to this forum. Can someone please enlighten me?

 

Thx much,

Andria


Hi Andria, SPERO is a malware detection engine that uses cloud technology to update using end user based collective intelligence. It would appear you also have a cloud based anti-virus solution that uses the SPERO engine. Hence the SPERO detection. The Cosmu family of malware is rated at a very high threat level. This family of Trojans is known to be able to steal personal data and execute arbitrary code on the infected computer. If your AV quarantined this threat you are protected and the virus has been disabled. It wouldn't hurt anything just to keep it in quarantine, however, it may be possible to delete it now that it has been disabled if you can find the correct file path and any registry entries associated with it.


Alright; thank you very much for the reply and explanation. I have the free version of Immunet and it seems to have found things that nothing else found -- just like the ClamAV that came before it! When I click on the entry in the quarantine area, it gives me the path of the file; I'll use either Glary, AutoRuns, or HiJack This to try and find if it's hiding in the registry anywhere. I haven't seen any suspicious activity on this computer, but when my cPanel got hacked, a friend explained to me how difficult brute-forcing a long alphanumeric password could be, so it seemed possible that my computer was hacked to get that password. Now, I'd have to say that it seems unlikely, so I have to trust that changing all my cPanel and site admin passwords will keep them safe.

 

Thx much,

Andria


Ok, I wasn't sure if you were using Immunet or not. An easy way to delete this Trojan is open the GUI and click on Quarantine. Click on the quarantined threat. You will see options to restore or delete the file. Just click on "Delete." This should remove all traces of the virus. Whatever you do though don't accidentally click on "Restore" or that will reactivate the virus! Any file that is restored from Quarantine automatically gets added to the Exclusion List. I also think it is a very good idea to change the passwords as a security precaution. I could see where that could be a time consuming process if you have many endpoints to deal with. Better being safe than sorry though, right? Best wishes, Ritchie...


Thanks again... I did delete it last night, after searching my registry and finding only my own search for the pertinent filename. So then I rebooted and ran another full scan of the C drive where it had been hiding in the System Volume Information directory, and it turned up nothing -- which would not have been the case if the thing had embedded itself in my registry to "resurrect" itself after a reboot -- had a real nasty one that did that, a couple years ago, but this one seems to have been dealt with effectively. The passwords weren't really a big deal, just the cPanel pw and a couple of sites; I had unfortunately used the same pw for one of those sites that I was using for cPanel, and I think that was the security hole through which the hacker was able to gain access to my cPanel -- but no longer!

 

This also prompted me to set up more than just the default weekly "Flash scan"; I also set up weekly scans of my Documents and Settings folder, the main folder in which I work on my websites, and the entire Windows directory and subtree -- those areas seemed more vulnerable than the other 600,000+ files which took 16 and a half hours to scan. That nasty one from a couple years ago set up housekeeping in my Windows/system32 directory, and I almost could not get my computer back to a functional state, after that one exploded.

 

But all seems safe now... (fingers crossed!!!)

 

Thanks very much!

Andria
