Insight into Zemana's strange cloud scanning

Discussion in 'Zemana' started by Slyguy, Jun 20, 2017.

  1. Slyguy

    Slyguy Level 26

    Jan 27, 2017
    IT Security Engineer
    Other OS
    #1 Slyguy, Jun 20, 2017
    Last edited by a moderator: Mar 18, 2018 at 1:36 PM
    Here's something interesting people may want to test for themselves regarding Zemana.

    Install Zemana on a machine, then register for a (free) Screen Connect/Connectwise account. Go to the 'access' tab and build an executable for perpetual remote access. Download and run this on a machine with Zemana installed and then wait a couple of hours.

    Eventually, external connections to your Screen Connect account will show up. The reason is 'something' is executing the exact file you built for perpetual remote access and it's causing those machines to connect to your screen connect account! The assumption is, this is the variety of cloud scanning from Zemana.

    What's even more interesting, since this file is symmetrically keyed you can connect to Zemana machines once they've executed the file and are live. What you will find is, this EXE is sent to a variety of Zemana-owned computers and executed. Once executed this gives you 'detailed' insight into these Zemana systems used to scan a variety of free cloud-based scanners. Details you will learn are:

    1) Public IP of the machine.
    2) OS operating on the machine.
    3) Hardware specifics of machine.
    4) Domains and Usernames of all of the machines.
    5) Screenshot of the desktop.

    This process can be easily duplicated yourself by following my instructions above. Here's one of the machines Zemana is scanning my files with:

    Hosts Connected:
    Guests Connected:
    Guest Last Connected: 6h 54m
    Logged On User:
    Idle Time: 6h 57m
    Operating System: Windows 7 Professional (6.1.7601)
    Intel(R) Atom(TM) CPU D525 @ 1.80GHz (4 virtual)
    Available Memory: 2434 MB / 3070 MB
    Network Address:
    Client Version:

    So my question is, why such a varied number of worldwide systems in use with Zemana Cloud? I wonder if there is any relation to this and VT cracking down on the use of their service by companies? Also, I have some security concerns with the exposure of much of my system information (including Gateway IP) to a wide range of 'individual' systems.

    Finally, I sort of wonder if there is some risk with the exposure of these systems used for scanning this easily. SOME of the systems I have logged into or grabbed screenshots from appeared to have someone working at them and examining the processes of the files uploaded to the Zemana cloud. At the very least, all of this is interesting!

    Also, with Zemana exposing their individual scanning locations like this, including the gateway, an attacker could DDoS them and break Zemana's scanning. I'm sure there could potentially be other vulnerabilities. Maybe someone should let them know? I stopped using Zemana a few weeks ago.
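The procedure in the post is a classic execution canary: a file that phones home when run, so that a callback from a machine you never ran it on proves the file was executed elsewhere. The following is an added example, not the poster's setup or any Zemana code. It assumes a loopback HTTP collector standing in for the ScreenConnect relay, a shared `token` embedded in the beacon so stray or replayed traffic is rejected, and a constructed `SAMPLE_RECORDS` list (hostnames, users and addresses are invented) to show how callbacks from foreign hosts are flagged.

```python
"""Execution canary: a beacon that reports where it ran, plus a collector
that flags callbacks from machines you did not run it on.
Added example; the loopback listener stands in for the ScreenConnect relay
described in the post, and SAMPLE_RECORDS are constructed data."""
import getpass
import json
import platform
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def local_hostname():
    return socket.gethostname()


def _safe_user():
    try:
        return getpass.getuser()
    except Exception:  # some sandboxes have no passwd entry or USER env var
        return "unknown"


class CanaryCollector:
    """Records every beacon callback that carries the expected token."""

    def __init__(self, token):
        self.token = token
        self.records = []
        collector = self

        class Handler(BaseHTTPRequestHandler):
            def do_POST(self):
                length = int(self.headers.get("Content-Length", 0))
                try:
                    body = json.loads(self.rfile.read(length))
                except ValueError:
                    body = {}
                # Wrong token means stray traffic or a replay; do not record it.
                if not isinstance(body, dict) or body.get("token") != collector.token:
                    self.send_response(403)
                    self.end_headers()
                    return
                body["remote_addr"] = self.client_address[0]
                collector.records.append(body)
                self.send_response(204)
                self.end_headers()

            def log_message(self, *args):
                pass  # keep the demo quiet

        self.httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.url = "http://127.0.0.1:%d/" % self.httpd.server_address[1]
        self.thread = threading.Thread(target=self.httpd.serve_forever, daemon=True)

    def __enter__(self):
        self.thread.start()
        return self

    def __exit__(self, *exc):
        self.httpd.shutdown()
        self.httpd.server_close()


def beacon(url, token):
    """What the canary does when executed: report host identity to the
    collector. Returns the HTTP status (204 accepted, 403 rejected)."""
    payload = {
        "token": token,
        "hostname": local_hostname(),
        "user": _safe_user(),
        "os": platform.platform(),
    }
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unexpected_callbacks(records, expected_hostname):
    """Callbacks from any host other than the one you deliberately ran the
    canary on mean the file was executed somewhere else."""
    return [r for r in records if r.get("hostname") != expected_hostname]


def run_local_demo(token, send_token=None):
    """Start a collector, fire one beacon at it, return (status, records)."""
    with CanaryCollector(token) as collector:
        status = beacon(collector.url, send_token or token)
        return status, list(collector.records)


SAMPLE_RECORDS = [  # constructed, not real data
    {"hostname": "mydesktop", "user": "alice", "os": "Windows-10", "remote_addr": "10.0.0.5"},
    {"hostname": "SCAN-07", "user": "analyst", "os": "Windows-7-6.1.7601", "remote_addr": "203.0.113.44"},
]

if __name__ == "__main__":
    print(run_local_demo("demo-token"))
    print(unexpected_callbacks(SAMPLE_RECORDS, "mydesktop"))
```

In practice the collector would listen on a host you control and the beacon would be compiled into the file you let the product upload; the point of the token is that only your own canary can populate the record list, so any entry whose hostname or source address is not yours is evidence of remote execution, which is exactly what the poster observed.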
  2. Nightwalker

    Nightwalker Level 9

    May 26, 2014
    Windows 10
    What a great find, I will try it later, pretty bad vulnerability out there if I understood right.
  3. Slyguy

    Slyguy Level 26

    Jan 27, 2017
    IT Security Engineer
    Other OS
    I've reached out to Zemana (last week) and was told they would look into it and comment on it.

    So far, crickets. My guess, they didn't properly mask their distributed cloud scanning endpoints. Also, considering the distributed nature of it, I wonder if they are paying to play with Virus Total?
  4. kamla5abi

    kamla5abi Level 4

    May 15, 2017
    Windows 10
    Since they look like individual computers setup in many different areas, complete with what looks like someone actually using the desktop to look at analysis results, I would guess that they do not in fact pay to play ;) lol

    I'm trying to think of reasons why a security company would use a setup like this, other than pretending to be a "home user" (non-commercial user) and using VT to decide which "cloud analyzed" files are classified as malware (by other AV companies lol). All the benefits of Google's VT cloud analysis at very low cost. The overhead costs are dramatically reduced this way ;) maybe that's why they can afford to give away so many 380-day licenses recently haha
  5. l0rdraiden

    l0rdraiden Level 2

    Jul 28, 2017
    Still no news from Zemana?
  6. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    Washington DC
    Windows 7
    My thought: STAY AWAY!!!
  7. Slyguy

    Slyguy Level 26

    Jan 27, 2017
    IT Security Engineer
    Other OS
    Zemana declined to comment and has reviewed this thread.
  8. shadek

    shadek Level 1

    Aug 20, 2017
    Windows 10
    Nothing new yet? My theory is that all their devs quit last year (they used to post on these forums and now they are not in the Zemana company anymore) so they have no one to develop their software anymore. No update for over 6 months.
  9. Opcode

    Opcode Level 24
    Content Creator

    Aug 17, 2017
    Windows 10
    1. Do they run the samples sent to the cloud with elevation as well?
    2. Do they protect the MBR of the systems?
    3. Do they protect against UEFI bootkit installation on the systems?

    Even if the answer to the first is no, bypasses are out there in in-the-wild malware.

  10. roger_m

    roger_m Level 13

    Dec 4, 2014
    Windows 10
    An update should be released very soon. Their website lists a new version, released on the 14th of this month. At the moment they still have the installer for the previous version on their website, but I have been able to find a beta of the new version.

    Zemana is still very much alive and well, they have just been slow at releasing updates. When I messaged them a few days ago, they told me they are currently working on updates. Also, if you have a look at their Instagram page they are regularly posting information.

    I have messaged them to find out when the new version listed on their website will be released and I guess I'll get a reply tomorrow.