Insight into Zemana's strange cloud scanning..

Slyguy

#1
Here's something interesting people may want to test for themselves regarding Zemana.

Install Zemana on a machine, then register for a (free) Screen Connect/Connectwise account. Go to the 'access' tab and build an executable for perpetual remote access. Download and run this on a machine with Zemana installed and then wait a couple of hours.

Eventually, external connections to your Screen Connect account will show up. The reason is 'something' is executing the exact file you built for perpetual remote access and it's causing those machines to connect to your screen connect account! The assumption is, this is the variety of cloud scanning from Zemana.

What's even more interesting: since this file is symmetrically keyed, you can connect to Zemana machines once they've executed the file and are live. What you will find is that this EXE is sent to a variety of Zemana-owned computers and executed. Once executed, this gives you 'detailed' insight into these Zemana systems used to scan a variety of free cloud-based scanners. Details you will learn are:

1) Public IP of the machine.
2) OS operating on the machine.
3) Hardware specifics of machine.
4) Domains and Usernames of all of the machines.
5) Screenshot of the desktop.
Etc..

This process can be easily duplicated yourself by following my instructions above. Here's one of the machines Zemana is scanning my files with:

Name: LUSER-PC
Hosts Connected:
Guests Connected:
Guest Last Connected: 6h 54m
Logged On User: luser-PC\luser
Idle Time: 6h 57m
Machine: WORKGROUP\LUSER-PC
Operating System: Windows 7 Professional (6.1.7601)
Processor(s): Intel(R) Atom(TM) CPU D525 @ 1.80GHz (4 virtual)
Available Memory: 2434 MB / 3070 MB
Network Address: 188.105.88.131
Client Version: 6.2.12963.6312

So my question is, why such a varied number of worldwide systems in use with Zemana Cloud? I wonder if there is any relation between this and VT cracking down on the use of their service by companies? Also, I have some security concerns with the exposure of much of my system information (including gateway IP) to a wide range of 'individual' systems.

Finally, I sort of wonder if there is some risk in the exposure of these systems used for scanning this easily. SOME of the systems I have logged into or grabbed screenshots from appeared to have someone working at them and examining the processes of the files uploaded to the Zemana cloud. At the very least, all of this is interesting!

Thoughts?



Also, with Zemana exposing their individual scanning locations like this, including the gateway, an attacker could DDoS them and break Zemana's scanning. I'm sure there could potentially be other vulnerabilities. Maybe someone should let them know? I stopped using Zemana a few weeks ago.

Slyguy

#3
I've reached out to Zemana (last week) and was told they would look into it and comment on it.

So far, crickets. My guess, they didn't properly mask their distributed cloud scanning endpoints. Also, considering the distributed nature of it, I wonder if they are paying to play with Virus Total?
 
#4
Since they look like individual computers set up in many different areas, complete with what looks like someone actually using the desktop to look at analysis results, I would guess that they do not in fact pay to play ;) lol

I'm trying to think of reasons why a security company would use a setup like this, other than pretending to be a "home user" (non-commercial user) and using VT to decide which "cloud analyzed" files are classified as malware (by other AV companies lol). All the benefits of Google's VT cloud analysis at very low cost. The overhead costs are dramatically reduced this way ;) maybe that's why they can afford to give away so many 380-day licenses recently haha
 
#8
Nothing new yet? My theory is that all their devs quit last year (they used to post on these forums and now they are not in the Zemana company anymore) so they have no one to develop their software anymore. No update for over 6 months.
 
Deleted member 65228

#9
1. Do they run the samples sent to the cloud with elevation as well?
2. Do they protect the MBR of the systems?
3. Do they protect against UEFI bootkit installation on the systems?

Even if the answer to the first is no, bypasses are out there in in-the-wild malware.

Interesting.
 
#10
An update should be released very soon. Their website lists a new version, 2.74.2.426, released on the 14th of this month. At the moment they still have the installer for the previous version on their website, but I have been able to find a beta of the new version.

Zemana is still very much alive and well, they have just been slow at releasing updates. When I messaged them a few days ago, they told me they are currently working on updates. Also, if you have a look at their Instagram page they are regularly posting information.

I have messaged them to find out when the new version listed on their website will be released and I guess I'll get a reply tomorrow.
 

upnorth

#12
I dumped Zemana like a hot potato last year. Sometime over summer I noticed a pronounced decline in detection capabilities. Then I inadvertently discovered how their distributed cloud scanning worked and some amazing holes in it, which they refused to discuss. I requested a refund on my 10 licenses, they gave me a partial refund and I walked away. I'm done with them.
 
#13
Any new information about it :oops:?
No, their customer support is pretty bad. They told me again that they are working on a new version and:
The improvements on the product are being done together with some other changes, so our users will be notified about everything in due time.
I replied, asking when the new version listed on their website will be available to download, and received no response.
 

Slyguy

#14
Meh, Zemana bores me now.

I managed to get a partial refund on my licenses and walked away. I could care less about them ever again and switched to HMP for on-demand second opinion scanning.
 

Av Gurus

#15
Does this "situation" apply to the portable version or only to the installed one?
 
