Insight into Zemana's strange cloud scanning..

Discussion in 'Zemana' started by Slyguy, Jun 20, 2017.

  1. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    Fortinet Engineer
    Other OS
    Here's something interesting people may want to test for themselves regarding Zemana.

    Install Zemana on a machine, then register for a (free) Screen Connect/Connectwise account. Go to the 'access' tab and build an executable for perpetual remote access. Download and run this on a machine with Zemana installed and then wait a couple of hours.

    Eventually, external connections to your Screen Connect account will show up. The reason is 'something' is executing the exact file you built for perpetual remote access and it's causing those machines to connect to your screen connect account! The assumption is, this is the variety of cloud scanning from Zemana.

    What's even more interesting, since this file is symetriclally keyed you can connect to Zemana machines once they've executed the file and are live.. What you will find is, this EXE is sent to a variety of Zemana owned computers and executed. Once executed this gives you 'detailed' insight into these Zemana systems used to scan a variety of free cloud based scanners. Details you will learn are;

    1) Public IP of the machine.
    2) OS operating on the machine.
    3) Hardware specifics of machine.
    4) Domains and Usernames of all of the machines.
    5) Screenshot of the desktop.

    This process can he easily duplicated yourself following my instructions above.. Here's one of the machines Zemana is scanning my files with;

    Hosts Connected:
    Guests Connected:
    Guest Last Connected:
    6h 54m
    Logged On User:
    Idle Time:
    6h 57m
    Operating System:
    Windows 7 Professional (6.1.7601)
    Intel(R) Atom(TM) CPU D525 @ 1.80GHz (4 virtual)
    Available Memory:
    2434 MB / 3070 MB
    Network Address:
    Client Version:

    So my question is, why such a varied number of worldwide systems in use with Zemana Cloud? I wonder if there is any relation to this and VT cracking down on the use of their service by companies? Also, I have some security concerns with the exposure of much of my system information (including Gateway IP) to a wide range of 'individual' systems.

    Finally, I sort of wonder if there is some risk with the exposure of these systems used for scanning this easily. SOME of the systems I have logged into or grabbed screenshots from appeared to have someone working at them and examining the processes of the files updated to the Zemana cloud. At the very least, all of this is interesting!


    Svoll, AtlBo, chabbo and 8 others like this.
  2. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    Fortinet Engineer
    Other OS
    Also with Zemana exposing their individual scanning locations like this, including gateway. An attacker could DDOS them and break the scanning of Zemana. I'm sure there could potentially be other vulnerabilities. Maybe someone should let them know? I stopped using Zemana a few weeks ago.
  3. Nightwalker

    Nightwalker Level 7

    May 26, 2014
    Windows 10
    What a great find, I will try it later, pretty bad vulnerability out there if I understood right.
    rockstarrocks, AtlBo and frogboy like this.
  4. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    Fortinet Engineer
    Other OS
    I've reached out to Zemana (last week) and was told they would look into it and comment on it.

    So far, crickets. My guess, they didn't properly mask their distributed cloud scanning endpoints. Also, considering the distributed nature of it, I wonder if they are paying to play with Virus Total?
  5. kamla5abi

    kamla5abi Level 4

    May 15, 2017
    Windows 10
    Since they look like individual computers setup in many different areas, complete with what looks like someone actually using the desktop to look at analysis results, I would guess that they do not in fact pay to play ;) lol

    I'm trying to think of reasons why a security company would use a setup like this, other than pretending to be a "home user" (non commercial user) and using VT to decide which "cloud analyzed" files are classified as malware (by other AV companies lol). All the benefits of Google's VT cloud analysis and very low cost. The overhead costs are dramatically reduced this way ;) maybe that's why they can afford to giveaway so many 380 day licenses recently hahha
  6. l0rdraiden

    l0rdraiden Level 1

    Jul 28, 2017
    Still no news from Zemana?
    Trooper likes this.
  7. Peter2150

    Peter2150 Level 6
    AV Tester

    Oct 24, 2015
    Washington DC
    Windows 7
    My thought: STAY AWAY!!!
  8. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    Fortinet Engineer
    Other OS
    Zemana declined to comment and has reviewed this thread.
    lowdetection, Svoll and l0rdraiden like this.
Similar Threads Forum Date
Misconfigured Server Gives Insight Into Cerber Ransomware Operation News Archive Jan 13, 2017
DDoS Predictions for 2016, IBM Insights News Archive Nov 30, 2015
Poweliks/Secure.InsightExpress Guide Troubleshooting Malware Removal Assistance For Windows Sep 5, 2015