Bypassing Emsisoft (Video)

Status
Not open for further replies.

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,345
So I open a random email I got from a random sender, then I open the random attached Excel file I got from the random email of the random sender, and then I click Enable Macros in the random Excel attachment I got from the random email of the random sender, and after all of this the issue is Emsisoft not protecting me?
Did I get it correct? Emsisoft failed to protect me?
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
So I open a random email I got from a random sender, then I open the random attached Excel file I got from the random email of the random sender, and then I click Enable Macros in the random Excel attachment I got from the random email of the random sender, and after all of this the issue is Emsisoft not protecting me?
Did I get it correct? Emsisoft failed to protect me?

That's pretty much the result. It's called penetration testing (a similar platform is Metasploit) and uses vulnerabilities in your system to execute payloads with malicious intent. Basically, it captured your screen, pressed keys (keylogger), passwords... and Emsisoft apparently did nothing, because they were also exploited.
 
Last edited:

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
Yes, this test is more like penetrating a noob user, but whatever, Emsisoft clearly failed to protect the daily regular ordinary user, which may be why it was catalogued as "user dependent".
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Yes, this test is more like penetrating a noob user, but whatever, Emsisoft clearly failed to protect the daily regular ordinary user, which may be why it was catalogued as "user dependent".

Thing is, many, if not most, of the users are this noob... But there are some basic things to follow, and this will usually not happen in the real world.
I mentioned some of them here: Q&A - Lowest overhead, cheapest security for the average/beginner user with entry level PC/laptop

No security software is perfect in the end...
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,345
That's pretty much the result. It's called penetration testing (a similar platform is Metasploit) and uses vulnerabilities in your system to execute payloads with malicious intent. Basically, it captured your screen, pressed keys (keylogger), passwords... and Emsisoft apparently did nothing, because they were also exploited.
It was sarcasm because this is a failed user and not really a product bypass. Next time I will /s :p
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,345
You're right... But you would be amazed how many naive users are out there... They really can drive you really crazy as well :))
Those users would not be protected anyway. Emsisoft, in the best-case scenario, if a program used something from Windows, would give them an alert, and they would still click Allow. You can't protect the user who doesn't know what he is doing, except if you have a default-deny system so that he can't run anything not already there.
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Those users would not be protected anyway. Emsisoft, in the best-case scenario, if a program used something from Windows, would give them an alert, and they would still click Allow. You can't protect the user who doesn't know what he is doing, except if you have a default-deny system so that he can't run anything not already there.

And because that user will never adopt a default-deny system... malware is thriving, AVs are blamed, and we all have a job :))
 

erreale

Level 9
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
So I open a random email I got from a random sender, then I open the random attached Excel file I got from the random email of the random sender, and then I click Enable Macros in the random Excel attachment I got from the random email of the random sender, and after all of this the issue is Emsisoft not protecting me?
Did I get it correct? Emsisoft failed to protect me?

Such a thing happened to me too, but in the email I opened there was no macro file, rather a Word file with instructions to follow. It said to start from a Linux distro and delete the entire System32 folder. Windows is corrupted and my security system failed to warn me. :D:p:cool:;)
 

509322

You guys... watch a "bypass" video and then always start nonsense. Emsisoft was not exploited. The term exploit means something entirely different than bypass.

The video creator used PowerShell Empire (it's been Open Source forever on GitHub and powershellempire.com) to distribute a weaponized document via an email. If you don't know how PowerShell Empire works, how the WinWord macro managed to do what it did, then you should research it before belly-aching.

The video creator's whole point is to demonstrate a user-precipitated worst-case scenario as a means to promote his IT security consultancy. At least part of his focus is on educating users "Don't do what I just did in this video..."

In the one posted educational video he basically states "No security software is 100 % effective 100 % of the time. Users need to be educated to avoid these common pitfalls that can result in a 'bypass.'" So his point is about the user following recommended IT security best practices as part of the overall protection effort - no matter what security software is installed. It's about the user learning to protect themselves.

From what I can tell his target audience is Enterprises and not home users.
Grab some popcorn, sit back, relax, the sky is not falling, it's an hour long...

For those that have the inclination and capacity to learn, every bit of user awareness helps.
 
Last edited by a moderator:

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
The term "exploit" means exploiting a vulnerability you have in your code, one that will permit executing other malicious code in the form of a payload (usually). I've worked with Metasploit for a very long time, never did work with Empire though.

In the first part of the video, there's a module (a listener) launched, named EmsiBypass. Then an agent connects back to the listener from the victim machine, the result of opening that Excel file. The agent should have been blocked in the first place. Then the user launches another agent using the connection already made by the first agent, an attack that bypasses UAC and launches another module with elevated privileges, which collects credentials, captures the screen and logs keys.
It may be that Emsisoft was not directly exploited (but that is for sure not excluded; a payload can exploit other vulnerabilities as well, and that is not something visible in the video, only by analyzing the code), but for sure it failed miserably if credentials were collected and screenshots and keys were logged. So I wouldn't jump to the conclusion that this is nonsense, but rather also verify that it is. Did you do that (verify that it's a bypass that has nothing to do with Emsisoft, by analyzing the code)? First I would check the code that presumably just bypasses Emsisoft. Just because it is named "Emsisoft bypass" doesn't mean it's not exploiting an Emsisoft vulnerability.

I find it very strange to bypass a security product on multiple levels. Might be just a bypass, but it may very well be an Emsisoft exploit as well.
 
Last edited:
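The chain described in the post above (an Office macro starting a script host that calls back, followed by privilege escalation and credential collection) is what host-based detection looks for regardless of which product is installed: an Office process spawning a script interpreter, typically with hidden-window or encoded-command switches. The following Python snippet is an added example and not code from this thread, the video, Emsisoft or PowerShell Empire; the event fields are modelled loosely on Sysmon process-creation records, and the sample events, the placeholder encoded string and the switch list are constructed for illustration.

```python
import re
from typing import Dict, List

# Parent processes that normally have no business spawning script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and commonly abused system binaries that malicious macros tend to launch.
SCRIPT_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Command-line switches that raise severity when they appear under an Office parent.
# This is an illustrative list, not an exhaustive one.
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand|nop|noprofile|w\s+hidden|"
    r"windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b"
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, object]) -> Dict[str, object]:
    """Classify one process-creation event.

    Returns an empty dict for benign events. Otherwise returns a finding with
    severity 'high' (Office parent -> script host with suspicious switches) or
    'medium' (Office parent -> script host without them).
    """
    parent = basename(str(event["parent_image"]))
    child = basename(str(event["image"]))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return {}
    switches = SUSPICIOUS_SWITCHES.findall(str(event.get("cmdline", "")))
    severity = "high" if switches else "medium"
    reason = f"{parent} spawned {child}"
    if switches:
        reason += f" with {len(switches)} suspicious switch(es)"
    return {"pid": event["pid"], "parent": parent, "child": child,
            "severity": severity, "reason": reason}


def detect_office_script_spawns(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify_event over all events and keep only the findings, in input order."""
    return [f for f in (classify_event(e) for e in events) if f]


# Constructed sample events (not real telemetry). Field names follow the
# parent/child/command-line shape of a process-creation log.
SAMPLE_EVENTS = [
    {"pid": 4012, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\user\Downloads\invoice.xlsm'},
    # Excel launching a hidden, encoded PowerShell: the macro-to-agent step.
    # The -Enc argument is a placeholder string, not a real payload.
    {"pid": 4188, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc AAAAAAAAAAAAAAAAAAAA"},
    # Word launching cmd.exe with nothing suspicious on the command line: still worth a look.
    {"pid": 4301, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    # PowerShell started from Explorer by an administrator: no Office parent, not flagged.
    {"pid": 4420, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Date"},
]

if __name__ == "__main__":
    for finding in detect_office_script_spawns(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["reason"])
```

The parent-child relationship does the heavy lifting here; the switch regex only adjusts severity, so a macro that launches an unobfuscated script host is still reported. Tuning for a real estate means whitelisting known add-ins that legitimately spawn child processes rather than loosening the parent set.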

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
So I open a random email I got from a random sender, then I open the random attached Excel file I got from the random email of the random sender, and then I click Enable Macros in the random Excel attachment I got from the random email of the random sender, and after all of this the issue is Emsisoft not protecting me?
Did I get it correct? Emsisoft failed to protect me?
Agreed, the user got the user infected in this instance, not an EmsiSoft exploit. Goes to show that even a top-rated software like EmsiSoft can't protect against user stupidity ;)
 
Last edited: