Google Pixel 4 Face Unlock Works if Eyes are Shut

Google has confirmed the Pixel 4 smartphone's Face Unlock system can allow access to a person's device even if they have their eyes closed. One security expert said it was a significant problem that could allow unauthorised access to the device...

Announcing Windows 10 Insider Preview Build 19002

Hello Windows Insiders, today we’re releasing Windows 10 Insider Preview Build 19002 (20H1) to Windows Insiders in the Fast ring. IMPORTANT: As is normal with pre-release builds, these builds may contain bugs that might be painful for some. If...

Hello all!

A few years back I used the malware removal instructions that I found in these forums to fix one of the computers I used at the time, and now I'm back and have become a registered member. This time my issue is with my Android phone. I want to say thank you for the help I found in the past as well as any help I receive now and in the future. Have a great day!

Rufus 3.8 | Infected with malware?

As a daily routine of context-scanning or analyzing with VT every executable I download, this got my attention. I was trying to create a bootable USB with Rufus.

VirusTotal threw this: GrayWare/Win32.Generic


Yeah, I know what you are thinking. 1/60 is definitely a false positive.

Well, in the third analysis section (relations) on Rufus 3.8, the content of the executable was sandboxed and tested, and it ended with the parent executable Win32 EXE d9da5ddf53b891f94b0a78ed043645ea.virus.


After opening the parent executable contained in Rufus 3.8, I found a compilation of all these beauties.



Avast fights off cyber-espionage attempt, Abiss

Another attack on CCleaner and the reason for the latest update.
Avast deploys hardened self-defense and wider intelligence industry collaboration

Global software companies are increasingly being targeted for disruptive attacks, cyber-espionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years. At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. It is therefore not so surprising that we ourselves could be a target.
On September 23, we identified suspicious behavior on our network and instigated an immediate, extensive investigation. This included collaborating with the Czech intelligence agency, Security Information Service (BIS), the local Czech police force cybersecurity division, and an external forensics team to provide additional tooling to assist our efforts and verify the evidence that we were collecting.
Read more here:
Latest changelog of CCleaner here:
v5.63.7540 (15 Oct 2019)
- This release contains an important security update and some minor bug fixes and UI updates

You can read more here: CCleaner v5.63.7540

RADIUS WiFi security

While I have used RADIUS when connecting to corporate networks, I'm not aware of its mechanics other than the request to install a certificate when joining for the first time.

Assuming (?) authentication is certificate based and not password based, it should be more secure.

In the past WEP was broken, and I have seen papers on attacks for WPA2, though I don't know how realistic or widespread these are; in any case, home network wireless seems to have been a weak link.

Other than authenticating the server with a cert, what more does RADIUS offer in terms of security?
Does anyone use RADIUS in their home network? How do they find administering it in terms of time burden? Is it a one-off to set it up and then minimal maintenance?
Which home or small business routers support RADIUS?

Microsoft announces yet another Windows 7 support extension (for SMBs)

Microsoft announced yesterday that the option to get extended support for the company's Windows 7 operating system will be available to businesses of all sizes.

Enable or Disable Chrome Address Bar Instant Search

I tried Canary, Beta, Release... but I can't disable search in the address bar!

Kaspersky Protection Chrome Extension not working

I had to reinstall Chrome, and then the Kaspersky Protection Chrome Extension disappeared. So I downloaded it from the Chrome Web Store.
But it is greyed out and does not work :(

Possible acrobat reader false positive

Hello all, just wanted to check your opinion. Zemana antimalware free detected two files from acrobat reader. I checked the two files with virustotal and they are 100% clean. Anyone else getting this? Safe to assume it's a false positive?


Acrobat Reader: 20198.021.20048 (latest version)
Zemana antimalware free: 3.1.450


McAfee Total Protection - October 2019 Report

Due to the small number of samples used in these tests, you should take the results with a grain of salt. We encourage you to compare these results with others and make informed decisions on what security products to use.

C: Clean / P: Protected / P - NC: Protected - Not Clean / I: Infected / E: Encrypted

* Dynamic BB Bonus Test (Resident Protection Disabled)
* Partially Blocked
* BSR: Before System Reboot
* ASR: After System Reboot

System Files
2nd Opinion
Final Status
1 / 2
0 / 1
0 / 1*
1 / 2

New member here, how do I download malware samples to test against various AV products?


PCSL Android AV Test


Malwarebytes & others did well. (y)

Zemana needs a little work. :)


This is an old PCSL PC malware test.

Since PCSL tests are not often seen by many, I'll post this older one.

It does not seem that they do PC malware testing anymore.

In this older test, you can see that 腾讯电脑管 finishes in first place.

Good job.

腾讯电脑管 has not had 1st place finishes in subsequent professional testing, as far as I am aware.

And you can see that Malwarebytes and Webroot finished in last place. What a surprise. :emoji_neutral_face: So this is not a new phenomenon. This reflects recent professional testing and testing done here at MT in the Hub.


McAfee Labs Stinger

What's new in this version:
McAfee Labs Stinger (32-bit)
New Detections:
- Generic
- Trojan-Injector.b
- W32/MSILRsrcRescan.a

Enhanced Detections:
- Generic
- Generic Trojan.kd

Wise Folder Hider 4.2.8

Calibre 4.2.0 is released

New features
  • macOS: Various improvements to dark mode support
  • Viewer: Don't generate covers for books that don't have a cover. Note that because of this all previously opened books will again be prepared for first time reading.
  • Viewer: Restore print to PDF functionality
  • Viewer: Allow also jumping to book positions in Goto->Location
  • Content server: When adding books and a duplicate is suspected provide more information about what books match the duplicate
  • FB2 Output: Speed up conversion of images and handle external links
  • Viewer: If the book has no ToC try to generate one from headings, if any.
    Closes tickets: 1847277
  • Viewer: Improve rendering of comics. No blank pages after large images or after every image in multi-page mode.
  • Viewer: Make it easier to use the bookmarks panel with only keyboard.
    Closes tickets: 1847423
  • Viewer: Set the classes calibre-viewer-paginated and calibre-viewer-scrolling on the <body> tag in Paged and Flow modes. This allows the User styles to target these modes, if needed.
    Closes tickets: 1847427
  • Viewer: Use the same loading spinner as is used by the rest of calibre
Bug fixes
  • Edit book: Fix a crash when editing CSS files caused by a behavior change in Qt 5.13.
    Closes tickets: 1846760
  • Fix a regression in 4.0 that broke rendering of PDF covers for PDF files that used JPEG2000 compression.
    Closes tickets: 1847567
  • Viewer: Fix a regression in 4.1 that broke creating new color schemes
    Closes tickets: 1847407
  • Viewer: Fix error while viewing books with a comment after a <meta> tag.
    Closes tickets: 1847977
  • Viewer: Fix an error when processing a CFI with an invalid text offset.
    Closes tickets: 1848320
  • Viewer: Fix scrolling backwards to previous chapter not always scrolling to the end of the chapter, if the chapter loads external resources.
    Closes tickets: 1847818
  • Viewer: Fix hang on books with namespaced attributes on <html> that do not belong to a known ebook namespace.
    Closes tickets: 1846886
  • Viewer: Fix search history not persisting between viewer restarts.
    Closes tickets: 1847976
  • Viewer: Fix scrollbar showing up on initial book open even if disabled in preferences.
    Closes tickets: 1847323
  • Viewer: Fix rendering of books with mathematics failing
  • Viewer: When changing between individual sections/chapters in the book, only render the new chapter after loading is complete
  • Viewer: Fix scrolling by screenfuls not working correctly in flow mode
  • EPUB 2 metadata: Fix obfuscated fonts being broken when updating metadata if the file uses Adobe font obfuscation and the identifier with the key has an uppercase UUID scheme name.
    Closes tickets: 1847890
  • Viewer: Fix right clicking on margins not showing controls
  • Viewer: Preselect text in search box when showing it.
    Closes tickets: 1847677
  • Viewer: Fix SVG images that use xlink:href to refer to paths not being displayed.
    Closes tickets: 1847181
  • Content server: Fix detection of iOS on iPad with iOS 13, which defaults to desktop mode
  • Metadata jacket: Fix <br> tags in the comments not being rendered correctly when inserting the comments into the jacket page.
    Closes tickets: 1848327
  • Viewer: Show nicer error message for DRMed books
    Closes tickets: 1847468
  • Viewer: Fix preferences under Scrolling behavior not being saved correctly
  • Viewer: Fix remembered position sometimes off by one page in paged mode.
    Closes tickets: 1847322
  • Viewer: restrict max size of margin page turn indicators to 25px rather than 75px
  • Viewer: Don't flash the home page before loading a book if a book has been specified
  • Viewer: Fix ctrl+m shortcut not working on windows
  • Content server: Fix regression that caused the series name in the book details view not to be blue to indicate it is clickable
Improved news sources
  • Various Polish news sources
  • Il Sole 24 Ore

Eset Beta

New in version 13 Beta
Improved home network monitoring

  • Home network monitoring now provides improved device discovery and provides information on security issues that may affect your network, as well as ways to protect devices connected to your home network.
Advanced Discovery with HIPS
  • Host Intrusion Detection System (HIPS) protects the system from malicious and potentially unwanted activities. Its extension now controls some potentially suspicious processes even more carefully to provide protection against certain types of malware.
More robust security with advanced machine learning
  • Protecting your data has reached a new ultra-modern level! The ESET detection module now performs detection more efficiently and also better protects against previously unknown cyber threats and zero-day threats.
Note: To upgrade to the beta, go to "Settings -> Advanced Settings -> Update -> Profiles -> Updates" and change the "Update Type" to Test Update.

WonderFox 2019 Halloween Giveaway [Total 17 High Ranked Software for free!]

LibreOffice Portable Fresh 6.3.2 (complete office suite) Released and The Document Foundation are proud to announce the release of LibreOffice Portable Fresh 6.3.2. LibreOffice Portable is a full-featured office suite -- including a word processor, spreadsheet, presentation tool, drawing package and database -- packaged as a portable app, so you can take all your documents and office suite wherever you go. LibreOffice Portable is packaged in Format so it can easily integrate with the Platform. And it's open source and completely free.
LibreOffice is packaged for portable use with permission and assistance from The Document Foundation
Update automatically or install from the portable app store in the Platform.

Kaspersky Security Network "KSN"

Portable versions of Defraggler, Recuva and Speccy

Just a heads up regarding Defraggler, Recuva and Speccy: the portable versions of these programs are no longer available, at least since October 9th. The links for the portable versions are downloading the setup versions instead. I already reported it in the Piriform forum.

KCleaner - Free License

Get your free KCleaner license. The tool helps to effectively clean the system of temporary and unused files, and also offers a safe method of permanently deleting files
KCleaner, from the developer of SUMo and DUMo programs, is an effective "cleaner" of hard drives that tracks every useless byte to free up more space for important data - documents, music, photos, movies, etc. The program runs completely in the automatic background, so you do not need to worry about when to start cleaning.
As evidence of its effectiveness, KCleaner often detects additional GB of junk files even after cleaning with competing tools. And if you are interested in data security, you can use the methods of permanently deleting files offered by KCleaner, which makes deleted files unrecoverable by any known means.

Key features of KCleaner
Detects and cleans up temporary and useless files (cache, unused installation files, etc.).
Automatic background operation.
A safe method to permanently delete files.
Expert mode: allows users to control the file deletion performed by KCleaner.
2. Install the program on your computer. Supported OS: Windows Vista, 7, 8 / 8.1 and 10 (32-bit and 64-bit).
3. Go to the menu "?> About the program> Enter registration data" and activate the following license:
Name: GiveawayoftheDay
Serial number: 20069074102085066101081093076080083071077069130099051046054

New Android Warning: 40M Users Installed Video App Hiding Devious Malware—Delete Now

Here we go again—another popular Android app caught defrauding users on a huge scale. This is familiar territory now, although the numbers get bigger and more onerous. The app this time is SnapTube, a video downloader that lets users select YouTube and Facebook videos to play offline. The app’s developers claim more than 40 million users, and it has been installed many more times that that. The problem, it seems, is that while users are enjoying those videos, the app’s software is busy doing other things in the background—essentially defrauding both users and advertisers to generate material financial returns.

The disclosure against SnapTube has been made by researchers at Upstream, who say that their Secure-D platform detected and blocked “more than 70 million suspicious mobile transaction requests” from SnapTube installs on 4.4 million devices. And this was all inside a six-month period. Such fraud tends to run in bursts, and the team seems to have been monitoring the app at the right time.

According to Upstream, “SnapTube has been delivering invisible ads, generating non-human clicks and purchases... The ads are hidden from users as they do not appear on-screen.” Generating returns from adware or click fraud is one thing, but the report claims that SnapTube has gone further, to the triggering of premium calls and texts, and subscribing users to paid services. Upstream has calculated that this fraudulent purchase of “premium digital services” would have cost users up to $91 million.

REvil Ransomware Affiliates Partner with Intruders Corporate

Experienced network intruders and ransomware groups have struck an alliance helping each other monetize their skills by spreading malware to company networks.
One access-as-a-service provider works with multiple ransomware collectives, including REvil/Sodinokibi, offering them access to large targets.
Symbiotic relationship
High-profile ransomware actors like REvil focus on companies and are in constant need of new victims to keep the business humming.
Experts in breaching corporate networks advertise their talent on underground markets or over secure messenger communication and are the perfect partner.
Intruders hack into the network of a company and then rent or sell access to a ransomware team. This mutually beneficial cooperation enables spreading file-encrypting malware even on more secure networks.
Research from Advanced Intelligence (AdvIntel) reveals the strong connection between the two types of cybercriminal operations.

Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users

A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and track the websites they visit.
More than 860 transactions are registered to three of the attackers' wallets, which received about $40,000 in Bitcoin cryptocurrency.
Careful impersonation
The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that have been optimized to rank high in queries for drugs, cryptocurrency, censorship bypass, and Russian politicians.
Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software.
Cybercriminals were careful in selecting the two domain names (created in 2014), since to a Russian user they appear to be the real deal:
  • tor-browser[.]org
  • torproect[.]org - for Russian-speaking visitors, the missing "j" may be seen as a transliteration from Cyrillic
Furthermore, the design of the pages mimics, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is out of date, regardless of the version they run.

What happened to Kaspersky Free antivirus ?

We’ve answered this one a bunch lately, so we decided to address it in a post. When a user tries to download Kaspersky Free antivirus, they find that they have downloaded Kaspersky Security Cloud — Free instead. Here’s why.

Back in 2017, we introduced Kaspersky Free antivirus globally, a solution that offered basic protection for PC users at absolutely no cost, so that no person would be left unprotected from cyberthreats. Under its hood thrummed the same engine as in our premium security products, which collect the majority of awards from independent test labs each year. And it really was free — no payment required, no third-party ads. And, no surprise, it became quite popular.
But every product must evolve to address users’ needs, which are constantly changing, and our free solution is no exception. With this evolution, it went way beyond being just an antivirus utility — so we stopped calling it an antivirus. We think its new name suits it much better; it’s functionally much closer to our full-fledged flagship Kaspersky Security Cloud than to a basic security solution. Now, let us take a quick look at how exactly Kaspersky Security Cloud Free has evolved far beyond Kaspersky Free antivirus.
What is the difference between Kaspersky Free antivirus and Kaspersky Security Cloud Free?
First of all, unlike Kaspersky Free antivirus, the free version of Kaspersky Security Cloud exists not only for Windows, but for other platforms as well. It helps protect both Android and iOS mobile devices.
Second, whereas our free antivirus solution was limited to an antiphishing engine and basic protection from malware, Kaspersky Security Cloud Free is a significantly more advanced multiplatform solution with a diverse spectrum of features, capable of adapting the protection it offers to your lifestyle. To learn about Kaspersky Security Cloud Free in detail, you can read this post, and here we’ll just quickly go through the most important features.
Just like the paid version, Kaspersky Security Cloud Free is different from other security solutions because of its adaptivity scenarios. For example, it helps you check if a service you use has leaked your account data, and it provides helpful advice that is relevant to you, specifically, because it relates to services that you actually use.
It also helps you keep your passwords strong and secure with Kaspersky Password Manager and protects your traffic with a VPN solution. On Android, it helps you manage app permissions and delete the apps you don’t use. The paid version has even more adaptivity scenarios, but the general idea is the same: Kaspersky Security Cloud helps you with the security you need when you need it.
But what if I am already a Kaspersky Free user?
No worries, your Kaspersky Free antivirus will work just fine. You won’t need to change your security solution and start using Kaspersky Security Cloud Free — although we’d strongly recommend it. The license will be renewed automatically. You can continue as if nothing has changed.

Our users are extremely important to us, and that’s why we won’t just shut down Kaspersky Free antivirus and force you to move to the newer solution. However, if you are already using Kaspersky Free, we suggest that you give Kaspersky Security Cloud — Free a try — it’s still just as free, but it provides more features and stronger security for different types of devices. And there’s no such thing as too much security in the modern world.
The link for this post is here:

Windows 10 KB4520062 Update May Break Microsoft Defender ATP


Microsoft says that Microsoft Defender Advanced Threat Protection (ATP) might stop running on Windows 10, version 1809 devices after installing the KB4520062 Cumulative Update.
The non-security KB4520062 optional update was released on October 15 and it is designed to fix an issue leading to black screens being displayed at startup during the first sign in after installing an update.
KB4520062 also addresses an issue affecting Bluetooth when using certain audio profiles for extended periods and one known to cause high power consumption for devices in Connected Standby mode.
Client and server platforms affected, no workaround available
Unfortunately, as Microsoft acknowledged today on the Windows 10 Health Dashboard, KB4520062 might also cause the built-in Microsoft Defender ATP anti-malware service to stop running and fail to send report data.
Some Windows 10 customers "might also receive a 0xc0000409 error in Event Viewer on MsSense.exe", according to the known issue published today by Microsoft.
Redmond says that both client and server versions where the October 2018 Update was installed are affected, the list including Windows 10 version 1809, Windows 10 Enterprise LTSC 2019, Windows Server version 1809, and Windows Server 2019.
Currently, there is no workaround available for fixing the Microsoft Defender ATP issue, and the company recommends that users of affected platforms not install the problematic CU.
Also, according to Redmond, a solution for this known issue should be available next month, to be pushed out as part of a future update.
"At this time, we suggest that devices in an affected environment do not install KB4520062. We are working on a resolution and estimate a solution will be available in mid-November," says Microsoft.
Uninstalling the KB4520062 update
Since an official workaround is not yet available for those who have already installed the KB4520062 cumulative update, and no security mitigations were pushed with it, uninstalling it should fix the Microsoft Defender ATP issues it causes without increasing the devices' attack surface.
Microsoft says in the update's details from the Update Catalog that KB4520062 can be removed "by selecting View installed updates in the Programs and Features Control Panel."
The step by step procedure needed to uninstall this update requires you to open Control Panel, go to Programs > Programs and Features, and click on View installed updates in the left sidebar.
Next, right-click on the KB4520062 entry in the list, click "Yes" when asked "Are you sure you want to uninstall this update?", and then restart your device.

Meet The Linux Desktop That Will Embarrass Windows 10 And macOS in 2020


If you haven’t been paying attention to a little Linux desktop distribution called Deepin, it’s time to put it on your radar. Nevermind that Huawei chose Deepin to ship on their MateBook laptop lineup. Nevermind that Deepin Cloud Sync is a killer, forward-thinking feature that every Linux distro needs to adopt. Nevermind that its slide-out control center resembles something sexy and sensible straight out of the future. But looking toward 2020, Deepin is poised to be absolutely stunning.

This is without question the most beautiful desktop environment I’ve ever laid eyes on. I’ve gone from admiring it as an elevated Desktop Linux distribution to downright salivating over it. Every time I revisit the OS, I’m reminded of not just how elegant it is, but that it also boasts that “wow factor” that makes using it feel exciting and not merely a daily necessity.
For me, the UX is more intuitive and more enjoyable than macOS and Windows 10. And fortunately, a quick setting can also transform Deepin to resemble the traditional Windows or macOS desktop paradigms you’re already comfortable with.
Hell, even the installer is a breath of fresh air:

But let’s take a peek at what’s coming next.
This week, the Deepin Linux Youtube channel quietly released a preview of its Deepin v20 Launcher (just one component of the forthcoming OS), and it’s bound to turn some heads. Take a look:

It’s merely a tease ahead of this November’s expected Deepin v20 beta release, but the Deepin developers have apparently devoted most of 2019 working on the upcoming version. From the category-driven app browser and animations, to the basic desktop layout we see in the teaser video, things appear quite polished already.
The link:

ZONER AntiVirus for desktop

A reliable antivirus
ZONER AntiVirus in English

Zoner AntiVirus is a modern security solution for all your devices. It provides modern antivirus protection for your computer and Android smartphone. Free, no limits, no ads.

The application is free and designed for Windows 10. The download is currently a beta version, so it may contain minor errors.
Zoner AntiVirus for Windows focuses on detecting zero-day vulnerabilities currently spreading across the Internet. It ideally complements the system protection provided by the security programs built into Windows.

The ZAV technology

Zoner AntiVirus is a modern antivirus system developed for the OS Windows, Linux and Android. The ZAV core is robustly designed, high-performance, and can handle both large-scale mail servers of big corporations and home and business desktop computers.

  • Signature-based detection
  • Dynamic code emulation
  • Dynamic and static heuristic analysis
  • Run-time heuristic analysis
  • Targeted and generic decryptors
  • Decompressors of archive formats
  • Regular updates
ZONER Antivirus Technology
A Smarter Antivirus System
Zoner Antivirus is a modern multiplatform antivirus system developed for Windows, Linux and Android OS. The core of Zoner AntiVirus is newly designed, high-performance, and can serve large corporate mail servers as well as desktop computers for home and business users.
Intelligent Threat Detection
Zoner AntiVirus kernel detection uses advanced heuristic features to detect threats. Heuristics detects suspicious files (and their startup behaviour) and also detects phishing attacks on users. The Zoner AntiVirus team focuses on developing heuristics instead of adding virus signatures, because using heuristics is more effective for detecting sophisticated masked vulnerabilities. An attacker can easily bypass signature detection, but the behaviour of the code tells the Zoner AntiVirus heuristic shield that it is malicious.
Protection Against New and Unknown Vulnerabilities
Zoner AntiVirus focuses on vulnerabilities from real internet traffic. A virus laboratory analyses samples from dozens of mail servers and analyses them for current threats with the help of smart heuristics.
Zoner AntiVirus (designed for desktops) is an ideal complement to antivirus protection integrated into the operation system (Windows OS). Because of its focus on Zero-day vulnerabilities, it detects current threats before their samples get into conventional large corporation antiviruses.
Zoner AntiVirus Protects Mail Servers webhosting relies on Zoner AntiVirus technology and uses it to protect its customers´ emails. You can find out more about mail protection against malware and phishing here.
By deploying antivirus protection on mail servers, the provider intercepts and blocks threats while receiving mail, eliminating the vast majority of them before they are delivered to users and endanger them. Viruses and malware will not reach the hosting users' computers.

Desktop (beta)

STOP Ransomware Decryptor Released for 148 Variants


A decryptor for the STOP Ransomware has been released by Emsisoft and Michael Gillespie that allows you to decrypt files encrypted by 148 variants of the infection for free.
While the decryptor can recover files for 148 variants, it needs to be noted that anyone who was infected after August 2019 cannot be helped with this service. With that said, it may be possible to decrypt using an offline key, so even with these variants there may be some success.
STOP Ransomware
Last month we introduced you to the STOP Ransomware, which is the most widely distributed ransomware that is currently active. This ransomware is distributed by adware bundles that masquerade as software cracks, pirated games (warez), and free software downloads.
When a user installs one of these downloads, their computer will become infested with malicious browser extensions, click fraud trojans, adware, and the STOP Ransomware.
While the exact number of victims is hard to determine, there have been 116,000 submissions to ransomware identification site ID Ransomware related to this infection. This makes it the most submitted family of ransomware on the site followed by the Dharma Ransomware.
Top Detections at ID Ransomware
While there are some victims from the United States, most of the victims are from Europe, Asia, South America, and Africa. As expected, there are no victims from Russia, which is most likely due to language checks in the adware bundles.
STOP Heat Map
The release of Emsisoft's STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer.
Since the STOP Ransomware was released, this infection has had the most requests for help decrypting files that we have seen since TeslaCrypt. This has led to a monstrous STOP Ransomware support topic at BleepingComputer containing 526 pages of support requests.
Volunteers at BleepingComputer have worked tirelessly trying to help these victims, but in many cases it was in vain. With the release of this decryption service, victims can finally get help in recovering their files.
All support for this decryptor will be handled in the BleepingComputer STOP Support and Help topic, so please post there with any issues.
How to decrypt STOP Djvu Ransomware encrypted files
Once again, if your files were encrypted after August 2019, then you are encrypted with a new version that the decryptor does not support and these instructions do not apply. You should instead download the decryptor to see if Emsisoft has been able to gain access to an offline key and if that will help with your files.
If you are using an older variant that you think is supported, before you can decrypt your files with Emsisoft's STOP Djvu Ransomware decryption service, confirm that you were encrypted with a supported extension. The list of supported extensions is:
.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .moka, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora

If you are infected with the .puma, .pumas, or .pumax extensions of the earlier STOP Ransomware variants, you can skip all of the following steps and instead download the STOP Puma decryptor.
In order to use the service, you first need to find some encrypted files and their originals that match the following requirements and train the decryption service using them.
  • Must be the same file before and after encryption
  • Must be a different file pair per file type you wish to decrypt
  • Must be at least 150KB
To be clear, for each file type (doc, docx, xls, xlsx, png, etc) you want to decrypt, you must also upload an encrypted and unencrypted pair in order to train the service. Once the service is trained with a file type, it can be used to decrypt all files on your computer of that same type.
The best way to find encrypted and unencrypted file pairs is to look for encrypted images or other files that were originally downloaded from the Internet. That way you can download the file again from its original location so that you have an unencrypted version.
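The three pairing requirements above (same file before and after encryption, one pair per file type, at least 150KB) are easy to get wrong by hand when a drive holds thousands of encrypted files. The script below is an added example, not Emsisoft's or BleepingComputer's code: it walks a folder of encrypted files, looks for the matching original in a second folder (for instance a re-downloaded copy), and keeps one qualifying pair per file type. The directory layout, the `.djvu` extension used for the demo and the sample files it builds are all constructed here; the encrypted stand-ins are just filler bytes, not real ciphertext.

```python
"""Select encrypted/original file pairs that satisfy the decryption service's
stated requirements.  Added example; directory layout and sample files are
constructed, not taken from any real infection."""
import os
import tempfile

MIN_PAIR_BYTES = 150 * 1024  # requirement from the article: at least 150KB


def find_file_pairs(encrypted_dir, originals_dir, ransom_ext):
    """Return ({file_type: (original_path, encrypted_path)}, rejected).

    ransom_ext is the extension the ransomware appended (e.g. '.djvu'), so
    'photo.png.djvu' in encrypted_dir is paired with 'photo.png' in
    originals_dir.  Only the first qualifying pair per file type is kept,
    since one pair per type is all the service needs for training.
    rejected lists (encrypted_name, reason) for files that cannot be used.
    """
    ransom_ext = ransom_ext.lower()
    pairs = {}
    rejected = []
    for name in sorted(os.listdir(encrypted_dir)):
        if not name.lower().endswith(ransom_ext):
            continue  # not one of the encrypted files
        original_name = name[:-len(ransom_ext)]
        original = os.path.join(originals_dir, original_name)
        encrypted = os.path.join(encrypted_dir, name)
        if not os.path.isfile(original):
            rejected.append((name, "no unencrypted copy found"))
            continue
        file_type = os.path.splitext(original_name)[1].lower().lstrip(".")
        if not file_type:
            rejected.append((name, "no file type extension"))
            continue
        smallest = min(os.path.getsize(original), os.path.getsize(encrypted))
        if smallest < MIN_PAIR_BYTES:
            rejected.append((name, "smaller than 150KB"))
            continue
        if file_type in pairs:
            continue  # already have a pair for this type
        pairs[file_type] = (original, encrypted)
    return pairs, rejected


def build_demo():
    """Construct a throwaway 'encrypted' and 'downloads' folder pair so the
    selection can be exercised offline.  Contents are filler, not ciphertext."""
    root = tempfile.mkdtemp()
    enc = os.path.join(root, "encrypted")
    orig = os.path.join(root, "downloads")
    os.makedirs(enc)
    os.makedirs(orig)
    samples = {
        "wallpaper.png": 200 * 1024,  # large enough, but a second png is skipped
        "report.docx": 300 * 1024,    # large enough, original available
        "icon.png": 180 * 1024,       # first png in sorted order, gets picked
        "notes.txt": 4 * 1024,        # too small to train the service
    }
    for name, size in samples.items():
        with open(os.path.join(orig, name), "wb") as f:
            f.write(b"\0" * size)
        with open(os.path.join(enc, name + ".djvu"), "wb") as f:
            f.write(b"\xff" * size)
    # an encrypted file whose original was never recovered
    with open(os.path.join(enc, "lost.xlsx.djvu"), "wb") as f:
        f.write(b"\xff" * 200 * 1024)
    return enc, orig


if __name__ == "__main__":
    enc_dir, orig_dir = build_demo()
    found, skipped = find_file_pairs(enc_dir, orig_dir, ".djvu")
    for ftype, (o, e) in found.items():
        print(f"{ftype}: upload {o} and {e}")
    for name, why in skipped:
        print(f"skip {name}: {why}")
```

The size check uses the smaller of the two files so a pair is only offered when both copies clear the 150KB mark; a file type that already has a qualifying pair is silently skipped rather than reported, since it is not an error.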
Once you have a pair of files, go to Emsisoft | STOP Djvu Decryption and upload the files using the page's form.
Emsisoft STOP Ransomware Decryption Service
After pressing the SUBMIT button, it will change to a rotating circle to show that it is processing your files. Please be patient at this point as it may take some time to complete.
When done, the service will tell you if the files were properly processed, and if so, will provide a link to the decryptor.
Files Processed
Click on the link to download the STOP Decryptor and then double-click on it to launch the program. As this decryptor requires a working Internet connection, please make sure you are connected before proceeding.
When launching the program, it will display a UAC prompt asking if you would like to allow the program to make changes to your computer. At this prompt, you should click on the Yes button.
A license screen and a small instruction screen will then be displayed. Please read through both of these screens and acknowledge them to continue.
The main decryptor screen will now be displayed with the C:\ drive already selected to be decrypted.
STOP Decryptor
Add the folders you wish to decrypt or go with the default selection of the entire C:\ drive and click on the Decrypt button.
The decryptor will begin to decrypt all file types that you used to train the service.
Decrypting Files
While decrypting, if the decryptor is unable to decrypt a particular file type, you need to train the service by uploading encrypted and unencrypted pairs of that file type. Once you have done so, click on the Decrypt button again to have it handle that particular file type.

Millions of Amazon Echo and Kindle Devices Affected by WiFi Bug

Millions of Amazon Echo 1st generation and Amazon Kindle 8th generation devices are susceptible to an old WiFi vulnerability called KRACK that allows an attacker to perform a man-in-the-middle attack against a WPA2 protected network.

KRACK, or Key Reinstallation Attack, is a vulnerability in the 4-way handshake of the WPA2 protocol that was disclosed in October 2017 by security researchers Mathy Vanhoef and Frank Piessens.

Using this attack, bad actors can decrypt packets sent by clients in order to steal sensitive information that is sent in plaintext. While the WPA2 wireless connection itself is compromised by this attack, it is important to note that any traffic that is additionally encrypted at a higher layer, such as HTTPS, will still be protected from snooping.

In order to fix these vulnerabilities, hardware manufacturers needed to release new firmware for the affected devices.

In a report by the ESET Smart Home Research Team, the researchers have discovered that Amazon Echo 1st generation and Amazon Kindle 8th generation devices were still affected by the KRACK vulnerability.

Google Pixel 4 Face Unlock Works if Eyes are Shut

Google has confirmed the Pixel 4 smartphone's Face Unlock system can allow access to a person's device even if they have their eyes closed.

One security expert said it was a significant problem that could allow unauthorised access to the device. By comparison, Apple's Face ID system checks the user is "alert" and looking at the phone before unlocking. Google said in a statement: "Pixel 4 Face Unlock meets the security requirements as a strong biometric." Speaking before the launch, Pixel product manager Sherry Lin said: "There are actually only two face [authorisation] solutions that meet the bar for being super-secure. So, you know, for payments, that level - it's ours and Apple's."

Unpatched Linux bug may open devices to serious attacks over Wi-Fi


A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.

"The bug is serious," Nico Waisman, who is a principal security engineer at Github, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver."

The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

Waisman said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine.

"I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."

After the vulnerability became public, the researcher discussed the flaw on Twitter.

Notice of Absence

The driver flaw can be triggered when an affected device is within radio range of a malicious device. As long as the Wi-Fi is turned on, it requires no interaction on the part of the end user. The malicious device exploits the vulnerability by using a power-saving feature known as a Notice of Absence that's built into Wi-Fi Direct, a standard that allows two devices to connect over Wi-Fi without the need of an access point. The attack would work by adding vendor-specific information elements to Wi-Fi beacons that, when received by a vulnerable device, trigger the buffer overflow in the Linux kernel.

The vulnerability only affects Linux devices that use a Realtek chip when Wi-Fi is turned on. The flaw can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer. Based on links here and here, it appears that Android devices with Realtek Wi-Fi chips may also be affected.

Representatives of both Realtek and Google didn't immediately comment on this story.

While it's still not clear how severely this vulnerability can be exploited, the prospect of code-execution attacks that can be staged wirelessly by devices within radio range is serious. This post will be updated if new

Windows 10 64 bits Home security setup, suggestions for a simple setup.

:giggle: My youngest brother got my gaming desktop. In STOPtober I gave up gaming and am using a nearly 10-year-old laptop on Linux (Manjaro) with such low system specs that it is impossible to play games.

I used to have two accounts on my gaming desktop. An Admin account which I used solely for gaming and a basic user account which I used for all other stuff. When I gave my brother my desktop I deleted the basic user account. I had not realized that he would use it for all other stuff, like surfing. He was tricked into "you are infected scam" and got a ransomware infection when following the repair instructions. Luckily he only uses it for school, surfing and gaming, so nothing is lost by reinstalling Windows again.

I have used Hard_Configurator to set up software restriction policies and set Windows Defender to highest (including protected folders and enabled all Attack Surface Reduction Rules and network protection). I installed Chrome and set javascript to block with an allow rule for HTTPS://*. So with WD Network protection and Chrome Safe Browsing he now already has two URL-filters. I have set up his DNS to QUAD9 DNS in his wireless adaptor.

Question to all:
I like to keep the security as simple as above (I added a few SRP allow rules for his games to update). So I only want to add two extensions maximum with additional URL filtering.

At the moment I am considering AVAST or AVIRA for malware blacklist with built-in adblocking. Because he was a victim of a support scam I am inclined to reserve the second spot for NetCraft, but I am open to suggestions for the two Chrome extension spots.

Question to Dutch members and/or F-secure users
I could also install the Ziggo rebranded F-secure free antivirus. Is it any good (sometimes free rebranded versions of paid programs are older versions)? Is F-secure better than WD? On default settings WD seems to beat F-secure in tests, so with the tweaked Configure_Defender settings, I really have doubts on the added value of using Ziggo's F-secure free version. But I am interested to hear real user experience.

Thanks Lenny

Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS


The flaws in the container technology, CVE-2019-16276 and CVE-2019-11253, are simple to exploit.
A pair of bugs in the Kubernetes open-source cloud container software can be “highly dangerous” under some Kubernetes configurations, according to researchers.
The flaws, CVE-2019-16276 and CVE-2019-11253, have been patched in Kubernetes builds 1.14.8, 1.15.5 and 1.16.2.
Exploitation of the first issue, CVE-2019-16276, is “very simple,” according to Ariel Zelivansky and Aviv Sasson at Palo Alto Networks – and could allow an attacker to bypass authentication controls to access a container.
According to the bug report, the high-severity flaw is an HTTP protocol violation in the Go language's standard HTTP library, net/http, which is used for parsing HTTP requests.
The issue arises because the HTTP specification allows no whitespace between a header's field-name and the colon that follows it. The Palo Alto researchers noted in a posting on Wednesday that "HTTP requests are comprised of a field-name, followed by a colon, then its value…no whitespace is allowed between the header's field-name and colon….the net/http library interpreted headers with this whitespace the same as valid headers, in violation of the HTTP RFC."
The real-world effect of the bug becomes clear when you consider that the Kubernetes API server can be used for authentication and access control – as Palo Alto researchers pointed out, it can be “configured to work with an Authenticating Proxy and identify users through request headers.”

Thanks to the bug, the proxy could ignore invalid headers and forward them to the Go server anyway, which would interpret these headers as valid. So, attackers could exploit the bug to authenticate as any user by crafting an invalid header that would go through to the server.
Palo Alto provided an example: “An attacker may send the following request to the proxy: ‘X-Remote-User : admin.’ If the proxy is designed to filter X-Remote-User headers but doesn’t recognize the header because it’s invalid and forwards it to the Kubernetes API server [anyway], the attacker would successfully pass the API request with the roles of the ‘admin’ user.”
Those using Kubernetes with an authenticating proxy should update to Go 1.12.10, which patches the issue, as soon as possible, as well as upgrading their Kubernetes builds, the researchers advised.
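The parsing disagreement that makes this bug exploitable is worth seeing in code. The block below is an added example, not Go's net/http or Kubernetes code: it models, in Python, a header parser that strips whitespace before the colon (the pre-fix behaviour described above) next to a strict parser that only accepts a field-name made of RFC 7230 token characters, and a minimal authenticating proxy that strips the identity header only when it is well-formed. The request lines, the `X-Remote-User` header name from the article, the proxy's verified user `alice` and the `proxy_forward`/`backend_user` helpers are all constructed for the demonstration.

```python
"""Lenient vs strict HTTP header field-name parsing behind an authenticating
proxy.  Added example modelling the behaviour described in the article; not
net/http's or Kubernetes' own code.  Names and requests are constructed."""
import re

# RFC 7230 'token' characters: no whitespace and no separators allowed.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

IDENTITY_HEADER = "x-remote-user"   # header the proxy is trusted to set


def parse_headers_lenient(raw):
    """Pre-fix behaviour: whitespace around the field-name is stripped, so
    'X-Remote-User : admin' is filed under the same key as a valid header.
    Values are kept as lists so that, like Go's Header.Get, the first value wins."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_headers_strict(raw):
    """Reject any header whose field-name is not a valid token
    (this mirrors the corrected behaviour; exact Go logic is not reproduced)."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            raise ValueError("malformed header field-name: %r" % name)
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


def proxy_forward(raw):
    """Constructed authenticating proxy: drop any client-supplied identity
    header it recognises, then append the identity it actually verified.
    It compares the field-name exactly, so a name with trailing whitespace
    is not recognised and passes through untouched."""
    kept = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, _ = line.partition(":")
        if name.lower() == IDENTITY_HEADER:
            continue
        kept.append(line)
    kept.append("X-Remote-User: alice")  # user the proxy authenticated
    return "\r\n".join(kept) + "\r\n"


def backend_user(raw, parser):
    """Identity the API server would act on after the proxy forwards raw."""
    headers = parser(proxy_forward(raw))
    return headers[IDENTITY_HEADER][0]   # first value wins, as in Header.Get


def strict_rejects(raw):
    """True when the strict parser refuses the forwarded request outright."""
    try:
        backend_user(raw, parse_headers_strict)
    except ValueError:
        return True
    return False


# Constructed header blocks (request line omitted for brevity).
MALFORMED_REQUEST = "\r\n".join([
    "Host: apiserver.example",
    "X-Remote-User : admin",       # whitespace before the colon
]) + "\r\n"

WELL_FORMED_REQUEST = "\r\n".join([
    "Host: apiserver.example",
    "X-Remote-User: admin",        # valid header; proxy strips it
]) + "\r\n"

if __name__ == "__main__":
    print("lenient, malformed  ->", backend_user(MALFORMED_REQUEST, parse_headers_lenient))
    print("strict,  malformed  ->", "rejected" if strict_rejects(MALFORMED_REQUEST) else "accepted")
    print("lenient, well-formed->", backend_user(WELL_FORMED_REQUEST, parse_headers_lenient))
```

The defensive takeaway is that two components in the same request path must agree on what a header is: once the proxy's recogniser is stricter than the backend's parser, anything the proxy fails to recognise is trusted by the backend anyway. Rejecting malformed field-names at the backend, as the strict parser does, removes the gap regardless of how the proxy is configured.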
The second vulnerability, CVE-2019-11253, renders the Kubernetes API server vulnerable to a denial-of-service attack, according to the bug report. The attack can be aimed at the YAML/JSON parsing function with a method called “YAML/JSON bombing,” according to Zelivansky and Sasson, who rank the bug as high-severity.
YAML and JSON are data-serialization languages commonly used for configuration files and in applications where data is being stored or transmitted. The idea behind YAML/JSON bombing is to crash the YAML parser in the Kubernetes API server by exponentially loading it with references, which authorized users can do by sending high volumes of malicious YAML or JSON payloads.
“Although it may be brought up depending on its restart policy and restart limit, the attacker may abuse the attack and deliver it continuously,” the researchers explained. “We recommend reviewing each role given to users, pods or anonymous users to determine if it is required, especially if it allows sending POST requests with a YAML file.”
Zelivansky and Sasson noted that this particular bug actually resides in the YAML parser library itself, which is a third-party piece of code incorporated into Kubernetes.
“Fortunately, another patch was written to resolve this problem at the go-yaml library level, preventing this attack in other projects that rely on its code,” they noted.
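The fix belongs in the parser library, as the researchers say, but a front-end guard that estimates how far a document's anchors and aliases would expand before handing it to the parser is a cheap extra layer. The block below is an added example, not go-yaml's or Kubernetes' code: a line-oriented heuristic that assigns each anchored line a weight of one plus the weights of the aliases it references, sums the weights, and refuses documents whose estimate exceeds a configurable bound. Both YAML snippets, the `estimate_alias_expansion` and `check_payload` names and the default limits are constructed for the demonstration.

```python
"""Pre-parse guard against alias-expansion ("reference bomb") YAML payloads.
Added example; not go-yaml's or Kubernetes' own code.  Sample documents and
limits are constructed."""
import re

_ANCHOR = re.compile(r"&([A-Za-z0-9_-]+)")   # &name defines an anchor
_ALIAS = re.compile(r"\*([A-Za-z0-9_-]+)")   # *name references it


def estimate_alias_expansion(text):
    """Estimate the node count after alias resolution without resolving it.

    Each line weighs 1 plus the weights of the aliases it contains; a line
    that defines an anchor records that weight for later references.  Unknown
    aliases (or a stray '*' in an unquoted scalar) count as 1, so the estimate
    errs on the high side for odd documents but never under-counts nesting.
    """
    weights = {}
    total = 0
    for line in text.splitlines():
        line_weight = 1 + sum(weights.get(a, 1) for a in _ALIAS.findall(line))
        anchor = _ANCHOR.search(line)
        if anchor:
            weights[anchor.group(1)] = line_weight
        total += line_weight
    return total


def check_payload(text, max_bytes=1_000_000, max_expanded_nodes=1000):
    """Return (accepted, reason).  Bounds raw size first, then the expansion
    estimate, so the guard itself stays linear in the payload size."""
    if len(text.encode("utf-8")) > max_bytes:
        return False, "payload larger than %d bytes" % max_bytes
    nodes = estimate_alias_expansion(text)
    if nodes > max_expanded_nodes:
        return False, "alias expansion estimate %d exceeds %d" % (nodes, max_expanded_nodes)
    return True, "ok"


# Constructed: ordinary use of an anchor to share defaults between entries.
BENIGN_YAML = """defaults: &defaults
  image: nginx:1.17
  replicas: 2
web:
  <<: *defaults
  replicas: 3
"""

# Constructed: five levels of aliases, each referencing the previous five
# times; small on the wire, large once expanded.
NESTED_ALIAS_YAML = """a: &a ["x", "x", "x", "x", "x"]
b: &b [*a, *a, *a, *a, *a]
c: &c [*b, *b, *b, *b, *b]
d: &d [*c, *c, *c, *c, *c]
e: &e [*d, *d, *d, *d, *d]
f: [*e, *e, *e, *e, *e]
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_YAML), ("nested", NESTED_ALIAS_YAML)):
        print(label, estimate_alias_expansion(doc), check_payload(doc))
```

The estimate for the nested document is 4881 nodes from six short lines, which is the shape a parser-level limit has to catch; for real deployments the bound should be tuned to the largest legitimate manifests the API server receives, and the guard complements rather than replaces the go-yaml patch, because it only sees the textual structure and not what the parser will actually allocate.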
Affected users should upgrade to prevent attack, particularly given that cloud container technologies, which have become fixtures in much of today’s cloud infrastructure, are increasingly on cybercriminals’ radar. Earlier this week for instance, the “Graboid” worm was found infecting more than 2,000 unsecured Docker Engine (Community Edition) hosts, looking to mine the Monero cryptocurrency.
This isn’t the first flaw found in Kubernetes – last year a critical privilege-escalation vulnerability (CVE-2018-1002105) was uncovered that could allow an attacker unfettered, remote access for stealing data or crashing production applications.
Connor Gilbert, senior product manager at StackRox, told Threatpost that the discovery of more vulnerabilities underscores the need to pay particular attention to securing this threat surface.
“When you run containers, you absolutely must secure your control plane API surface,” he said. “Docker, Kubernetes, and similar tools are extraordinarily powerful, so it is critical to secure their API servers. Recent vulnerabilities in Kubernetes highlight just how important it is to have a multi-layered security approach, including authentication, authorization, network firewalls and ongoing monitoring.”
It’s also wise to remember that containers make it tough for legacy security systems to peer inside to scan for malicious activity, according to James Condon, director of research at Lacework.
“When it comes to containers, traditional endpoint solutions may or may not flag malicious files and activity,” he told Threatpost. “This could be due to the container’s isolated file system or that the malicious files may appear clean when code functionality is split across multiple files. Therefore, it is important to scan images pre-deploy, only use images you trust, utilize a runtime solution that has proper container visibility, and implement network security monitoring.”

Chrome for Android Enables Site Isolation Security Feature for All Sites with Login


After enabling the 'Site Isolation' security feature in Chrome for desktops last year, Google has now finally introduced 'the extra line of defence' for Android smartphone users surfing the Internet with the Chrome web browser.

In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sandboxed processes in the browser.

Since each site in the browser gets its own isolated process, in case of a browser flaw or a Spectre-like side-channel vulnerability, the feature makes it harder for attackers or malicious websites to access or steal cross-site data from your accounts on other websites.

Site Isolation helps protect many types of sensitive data, including authentication cookies, stored passwords, network data, stored permissions, as well as cross-origin messaging that helps sites securely pass messages across domains.


The feature gained attention in January 2018, when it was in the experimental zone and two critical CPU vulnerabilities were discovered, called Spectre and Meltdown, that allowed malicious websites to launch speculative side-channel attacks directly from the browser.

"Even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker," Google said. "This significantly reduces the threat posed by Spectre."
Soon after that, in July 2018, Google decided to enable the Site Isolation feature in Chrome for desktops and promised to extend the same protection to Chrome users on Android to help them defend against even fully compromised processes.

Performance Tradeoff: Chrome for Android Only Isolates Sites with Login

Today, the tech giant has finally announced the availability of this feature with the release of Chrome 77 for Android, which has now been enabled for 99% of users who are running Android devices with a sufficient amount of RAM i.e., at least 2GB, with a 1% holdback to monitor and improve performance.

Most importantly, it should be noted that unlike Chrome for desktops, the site isolation feature in Chrome for Android doesn't sandbox all websites.

Instead, in an attempt to keep up with the device performance, the Site Isolation on Chrome 77 for Android has been re-designed to protect only high-value websites where users log in with passwords.

"We wanted to ensure that Site Isolation does not adversely affect user experience in a resource-constrained environment like Android," Google said today in its latest blog post.
"This is why, unlike desktop platforms where we isolate all sites, Chrome on Android uses a slimmer form of Site Isolation, protecting fewer sites to keep overhead low. This protects sites with sensitive data that users likely care about, such as banks or shopping sites, while allowing process sharing among less critical sites."
For example, when you visit a banking or e-commerce site within the Chrome browser on your Android phone and log in to your account, Chrome will observe a password interaction and automatically turn on the Site Isolation feature.
Eventually, the browser will render that site in its own dedicated renderer process, helping protect your sensitive information on that site from all other sites.

Moreover, Chrome will keep a list of your isolated sites stored locally on your device, which helps the browser to automatically turn on the feature whenever you revisit one of those sites.

However, if you want to force this protection on for all websites regardless of the performance cost on your device, you can manually opt in to full Site Isolation via the chrome://flags/#enable-site-per-process settings page.

Fake WordPress Plugin Comes with Cryptocurrency Mining Function

Malicious plugins for WordPress websites are being used not just to maintain access on the compromised server but also to mine for cryptocurrency.

Researchers at website security company Sucuri noticed the number of malicious plugins increase over the past months. The components are clones of legitimate software, altered for nefarious purposes.

One of the plugins discovered by Sucuri to have a double purpose is a clone of "wpframework." It was found in September and attackers used it to "gain and maintain unauthorized access to the site environment," the researchers say.

Ubuntu 20.04 LTS Codename and Release Date

This is a continually updated article about the upcoming Ubuntu 20.04 LTS release. All important developments associated with this release are added to this page.
Ubuntu 19.10 is about to be released today and we already have some updates on the upcoming Ubuntu 20.04 LTS release due in April 2020.
Ubuntu 20.04 is called Focal Fossa
As OMG! Ubuntu first noted, Ubuntu 20.04 has been codenamed “Focal Fossa”.
The codenames of Ubuntu releases are composed of two words starting with the same letter. The first word is usually an adjective while the second word is usually an animal species.
Focal is a common English word meaning “center or most important part”. Fossa is a cat-like animal found in Madagascar.

Best practices for adding layered security to Azure security with Check Point’s CloudGuard IaaS

The cloud is changing the way we build and deploy applications. Most enterprises will benefit from the cloud’s many advantages through hybrid, multi, or standalone cloud architectures. A recent report showed that 42 percent of companies have a multi-cloud deployment strategy.

The advantages of the cloud include flexibility, converting large upfront infrastructure investments to smaller monthly bills (for example, the CAPEX to OPEX shift), agility, scalability, the capability to run applications and workloads at high speed, as well as high levels of reliability and availability.

However, cloud security is often an afterthought in this process. Some worry that it may slow the momentum of organizations that are migrating workloads into the cloud. Traditional IT security teams may be hesitant to implement new cloud security processes, because to them the cloud may be daunting or confusing, or just new and unknown.

Although the concepts may seem similar, cloud security is different than traditional enterprise security. Additionally, there may also be industry-specific compliance and security standards to be met.

Public cloud vendors have defined the Shared Responsibility Model where the vendor is responsible for the security “of” their cloud, while their customers are responsible for the security “in” the cloud.


The Shared Responsibility Model (Source: Microsoft Azure).

Cloud deployments include multi-layered components, and the security requirements are often different per layer and per component. Often, the ownership of security is blurred when it comes to the application, infrastructure, and sometimes even the cloud platform—especially in multi-cloud deployments.

Cloud vendors, including Microsoft, offer fundamental network-layer, data-layer, and other security tools for use by their customers. Security analysts, managed security service providers, and advanced cloud customers recommend layering on advanced threat prevention and network-layer security solutions to protect against modern-day attacks. These specialized tools evolve at the pace of industry threats to secure the organization’s cloud perimeters and connection points.

Check Point is a leader in cloud security and the trusted security advisor to customers migrating workloads into the cloud.

Check Point’s CloudGuard IaaS helps protect assets in the cloud with dynamic scalability, intelligent provisioning, and consistent control across public, private, and hybrid cloud deployments. CloudGuard IaaS supports Azure and Azure Stack. Customers using CloudGuard IaaS can securely migrate sensitive workloads, applications, and data into Azure and thereby improve their security.

But how well does CloudGuard IaaS conform to Microsoft’s best practices?

Principal Program Manager of Azure Networking, Dr. Reshmi Yandapalli (DAOM), published a blog post titled Best practices to consider before deploying a network virtual appliance earlier this year, which outlined considerations when building or choosing Azure security and networking services. Dr. Yandapalli defined four best practices for networking and security ISVs—like Check Point—to improve the cloud experience for Azure customers.

I discussed Dr. Yandapalli’s four best practices with Amir Kaushansky, Check Point’s Head of Cloud Network Security Product Management. Amir’s responsibilities include the CloudGuard IaaS roadmap and coordination with the R&D/development team.

1. Azure accelerated networking support

Dr. Yandapalli’s first best practice in her blog is that the ISV’s Azure security solution is available on one or more Azure virtual machine (VM) type with Azure’s accelerated networking capability to improve networking performance. Dr. Yandapalli recommends that you “consider a virtual appliance that is available on one of the supported VM types with Azure’s accelerated networking capability.”

The diagram below shows communication between VMs, with and without Azure’s accelerated networking:


Accelerated networking to improve performance of Azure security (Source: Microsoft Azure).

Kaushansky says, “Check Point was the first certified compliant vendor with Azure accelerated networking. Accelerated networking can improve performance and reduce jitter, latency, and CPU utilization.”

According to Kaushansky—and depending on workload and VM size—Check Point and customers have observed at least a 2-3 times increase in throughput due to Azure accelerated networking.

2. Multi-Network Interface Controller (NIC) support

Dr. Yandapalli’s blog’s next best practice is to use VMs with multiple NICs to improve network traffic management via traffic isolation. For example, you can use one NIC for data plane traffic and one NIC for management plane traffic. Dr. Yandapalli states, “With multiple NICs you can better manage your network traffic by isolating various types of traffic across the different NICs.”

The diagram below shows the Azure Dv2-series with maximum NICs per VM size:


Azure Dv2-series VMs with number of NICs per size.

CloudGuard IaaS supports multi-NIC VMs, without any maximum of the number of NICs. Check Point recommends the use of VMs with at least two NICs—VMs with one NIC are supported but not recommended.

Depending on the customer’s deployment architecture, the customer may use one NIC for internal East-West traffic and the second for outbound/inbound North-South traffic.

3. High Availability (HA) port with Azure load balancer

Dr. Yandapalli’s third best practice is that Azure security and networking services should be reliable and highly available.

Dr. Yandapalli suggests the use of a High Availability (HA) port load balancing rule. “You would want your NVA to be reliable and highly available, to achieve these goals simply by adding network virtual appliance instances to the backend pool of your internal load balancer and configuring a HA ports load-balancer rule,” says Dr. Yandapalli.

The diagram below shows an example usage of a HA port:

Flowchart example of a HA port with Azure load balancer.

Kaushansky says, “CloudGuard IaaS supports this functionality with a standard load balancer via Azure Resource Manager deployment templates, which customers can use to deploy CloudGuard IaaS easily in HA mode.”

4. Support for Virtual Machine Scale Sets (VMSS)

Dr. Yandapalli’s last best practice is to use Azure VMSS to provide HA. These also provide the management and automation layers for Azure security, networking, and other applications. This cloud-native functionality provides the right amount of IaaS resources at any given time, depending on application needs. Dr. Yandapalli points out that “scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs.”

In a similar way to the previous best practice, customers can use an Azure Resource Manager deployment template to deploy CloudGuard in VMSS mode. Check Point recommends the use of VMSS for traffic inspection of North-South (inbound/outbound) and East-West (lateral movement) traffic.

Learn more and get a free trial

As you can see from the above, CloudGuard IaaS is compliant with all four of Microsoft’s common best practices for how to build and deploy Azure network security solutions.

Visit Check Point to understand how CloudGuard IaaS can help protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security. If you’re evaluating Azure security solutions, you can get a free 30-day evaluation license of CloudGuard IaaS on Azure Marketplace!

(Based on a blog published on June 4, 2019 in the Check Point Cloud Security blog.)


Without encryption, we will lose all privacy. This is our new battleground

In every country of the world, the security of computers keeps the lights on, the shelves stocked, the dams closed, and transportation running. For more than half a decade, the vulnerability of our computers and computer networks has been ranked the number one risk in the US Intelligence Community’s Worldwide Threat Assessment – that’s higher than terrorism, higher than war. Your bank balance, the local hospital’s equipment, and the 2020 US presidential election, among many, many other things, all depend on computer safety.
And yet, in the midst of the greatest computer security crisis in history, the US government, along with the governments of the UK and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world’s information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe.
In the simplest terms, encryption is a method of protecting information, the primary way to keep digital communications safe. Every email you write, every keyword you type into a search box – every embarrassing thing you do online – is transmitted across an increasingly hostile internet. Earlier this month the US, alongside the UK and Australia, called on Facebook to create a “backdoor”, or fatal flaw, into its encrypted messaging apps, which would allow anyone with the key to that backdoor unlimited access to private communications. So far, Facebook has resisted this.


Backup4All 8.3 Lite Key Giveaway

  • Software version: v8.3
  • License is valid for a lifetime (for the current version)
  • No Free priority support.
  • Use it on one computer.
  • No free Minor updates (10.1, 10.2, …) & Major upgrades (11.0, 12.0, …)
  • Personal Use Only

Announcing Windows 10 Insider Preview Build 19002

Hello Windows Insiders, today we’re releasing Windows 10 Insider Preview Build 19002 (20H1) to Windows Insiders in the Fast ring.

IMPORTANT: As is normal with pre-release builds, these builds may contain bugs that might be painful for some. If you take this flight, you won’t be able to switch Slow or Release Preview rings without doing a clean-install on your PC.

If you want a complete look at what build is in which Insider ring, head over to Flight Hub. You can also check out the rest of our documentation here including a complete list of new features and updates that have gone out as part of Insider flights for the current development cycle.

Not seeing any of the features in this build? Check your Windows Insider Settings to make sure you’re on the Fast ring. Submit feedback here to let us know if things weren’t working the way you expected.

What’s new in Build 19002

Update on improving your Bluetooth Experience

With Build 18985 we announced we were working on improving our streamlined workflow for pairing your Bluetooth devices. We’re happy to share that this change is now rolling out to 100% of Insiders–thank you to those that have already tried it and shared feedback!


We also wanted to add two new peripherals to our supported device list:

General changes, improvements, and fixes for PC

  • We fixed an issue that could result in upgrades failing with error 0x8007042b.
  • We fixed an issue resulting in the acrylic effect in the Action Center only appearing after the Action Center opening animation had finished.
  • We fixed an issue where with multiple monitors and different DPIs, the File Explorer search box could become enlarged and offset.
  • We fixed an issue with the search indexer resulting in unexpected files being returned as search results when searching using French (France).
  • We fixed an issue for Japanese users where the user name in the Settings header wasn’t displayed in the correct order.
  • We fixed an issue resulting in clipboard history, WIN+(Period), and the touch keyboard displaying English text when being used with non-English display languages.
  • We fixed a race condition that could result in devices not reconnecting after toggling Bluetooth off and back on.
  • We fixed an issue resulting in the VPN sometimes not automatically connecting after waking your device from sleep.
  • We fixed an issue that could result in the brightness getting stuck at 0 or 100% and requiring a reboot before it could be changed.
  • Text cursor indicator works better in more experiences (e.g. Word, Run dialog, Outlook) now.
  • The Magnifier centered text cursor option should now work correctly when switching Magnifier modes.
  • We fixed the mouse pointer visual when using the Magnifier docked mode.
  • We fixed a bug where Narrator was not saying the state of Scan mode when Edge was opened or closed.
  • We fixed a bug in Narrator where Narrator sometimes said "password" twice when focus was in a password edit field.
  • We fixed a bug in Narrator where scan mode was getting stuck in edit fields in Firefox.
  • We’ve made some general improvements and bug fixes for the Windows Subsystem for Linux (WSL), please see the WSL release notes for details.
  • If you were one of the Insiders experiencing frequent explorer.exe crashes recently, please go to the Microsoft Store and check for Xbox game bar app updates (specifically version 3.34.4xx should have the fix). If you’re on this app version and still seeing explorer.exe crashes, please file feedback and we will investigate.
  • Just a heads up that we’re expanding the rollout of the Settings header to more Insiders, so it may now appear for you when it hadn’t before. As always, we welcome feedback about Settings – in the Feedback Hub you can share it under Desktop Environment > Settings.
  • [ADDED] For devices that were affected by the Dual Scan issue fixed in Build 18999, you will need to disable WSUS on the device or update from an ISO of Build 18999 or higher, which will be released in the coming weeks.
Known issues

  • We’re working on a fix for an issue that started with the previous flight where some devices are getting stuck during shutdown or restart and appreciate your patience. If you’re impacted by this issue, please see this forum post for workaround options.
  • There has been an issue with older versions of anti-cheat software used with games, where updating to the latest 19H1 Insider Preview builds may cause PCs to experience crashes. We are working with partners on getting their software updated with a fix, and most games have released patches to prevent PCs from experiencing this issue. To minimize the chance of running into this issue, please make sure you are running the latest version of your games before attempting to update the operating system. We are also working with anti-cheat and game developers to resolve similar issues that may arise with the 20H1 Insider Preview builds and will work to minimize the likelihood of these issues in the future.
  • We’re investigating an issue where initiating “Reset this PC” with the cloud download option isn’t working on this build or the previous one when started from Windows RE.
  • We’ve heard that Settings still isn’t available outside of launching via the URI (ms-settings:) for some Insiders and are investigating.
  • When using dark theme, the hardware keyboard text prediction candidate window is unreadable due to black text on a dark grey background.
  • When optional updates are available, Insiders with the Settings header may see the Windows Update indicator in a warning state, although the main page of Windows Update Settings shows that everything is up to date.
  • Bluetooth devices may not reconnect as expected after closing the device lid for certain devices. We’re working on a fix, but in the meantime, you can toggle Bluetooth off and back on in the Settings app or reboot the device and that should resolve the issue.
September Windows Insider Leaderboard now available

See if you topped our lists on the new September 2019 Windows Insider Leaderboard, and try to make next month’s by giving us feedback for new builds, getting upvotes on your feedback, and completing quests through the Feedback Hub!

Learn more about how you can be on the Leaderboard.

Learn more about the US 2020 Candidates with Bing

Are you keeping up with the US 2020 Candidates? Bing makes this easy. Learn more about these individuals through Bing’s carousel feature for both Democratic Candidates and Republican Candidates. Through the carousel, Bing provides you with news articles, opinions, special dates, and videos related to your selected candidate. Stay informed with Bing!

If you want to be among the first to learn about these Bing features, join our Bing Insiders Program.

But wait there’s more…

Shout out to the Windows Insider Cadenzza on Twitter who is lucky we released Build 19002 today instead of Build 19001, so he doesn’t have to delete his computer. We’re not sure how one deletes an entire computer, but we’re happy he doesn’t have to do this.

If you do that I'll delete my computer

— Cadenzza (@cadenzza_) October 8, 2019


The post Announcing Windows 10 Insider Preview Build 19002 appeared first on Windows Experience Blog.

What's good about Emsisoft?

Emsisoft seems quite popular in these forums. It also has a cloud console feature, which I consider a must have so I'm considering it.

I don't understand why it's praised though (not implying it's not good, just don't see data backing the claim):

1) Its BB is praised; however, how does it compare to ASR rules? Is there a complete list of what it blocks? Is there a test suite like MS's test suite for ASR?
2) To the best of my understanding, it doesn't look like it supports AMSI, so I wonder how it scores against fileless.
3) There's little data from testing labs, so it's hard to rank it against other products.
4) It's not a full suite, e.g. while it has exploit mitigation, my understanding is that it offers no exploit prevention module similar to MS' Exploit Guard, and while its BB can protect from ransomware it lacks something like Controlled Folder Access should malware get past the BB.

I'm not trying to discredit the product, after all I haven't used it but it's hard to evaluate it without lab results and it looks like it's missing features like AMSI.

Authy or Microsoft Authenticator 2FA?

Which 2FA application do you guys recommend for 2FA use? I have been using Google Authenticator but, because I swap phones a couple of times a year, I cba to move all of them all the time, plus I will be doomed if I lose the I am looking for something like Authy or MS Authenticator that will sync.

SHP Windows version 2.1.8

Intel driver update for Windows 10 causing display aberrations

While it seems that we are on the precipice of the Windows 10 November 2019 Update being rolled out to the general public in its finalized form, a good number of us may be using the May 2019 Update, particularly after Microsoft gave it the rubber stamp for broad deployment last month. However, it seems that an Intel display driver update delivered via Windows Update is causing problems that, at the time of writing, may mainly impact HP computers such as the ProBook 450 G6.

European Airport Systems Infected With Monero-Mining Malware

More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.

The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution whose behavioral engine subsequently detected suspicious activity on some airport systems.

"The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus," said Cyberbit.

Luckily, besides affecting the infected systems' overall performance and leading to increased power consumption, the XMRig Monero miner did not impact the airport's operations.

Pen Testers Find Mystery Black Box Connected to Ship’s Engines

If an attacker wanted to sneak a monitoring device into a target network, how might they go about it?

As Naked Security reported last week, they could try soldering a tiny chip on to the circuit board of something like a firewall on the assumption that it will never be noticed. But there might be a much simpler approach – hide the device in plain sight, safe in the knowledge that its very conspicuousness means its legitimacy will probably never be questioned. This was the initial suspicion of a team from UK-based outfit Pen Test Partners when they noticed an unlabelled, “potentially toxic box” connected to the onboard LAN of a ship that the team was performing a security assessment on. Ship networks feature a lot of specialised equipment, of course, but every box should have a purpose.

And yet, after enquiring about its origins, the message came back:

“Fleet management told us that shoreside had no invoice, record, or inventory listing for it. They were blissfully unaware of its existence. It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night that the crew covered it up. The assumption had been that it was meant to be there.”

How many more mystery boxes might be quietly sitting connected to numerous other networks?