Some general questions to experts about security that other users may also find useful.

Skepticism

Level 1
Thread author
Dec 18, 2017
4
Hello everyone.
This is my first time posting here and I apologize if you may encounter some grammar mistakes during the read, but english isn't my native language. Hope you understand.

So, why I'm opening a new thread? Well, yesterday something happened and, after searching around the web and in this forum, I didn't find all the answers I was looking for. So, since the Internet is (sometimes) a beautiful place to exchange knowledge and learn some more, here I am writing these questions.

Let's begin then:
Ok, yesterday I went back home and before going to sleep I decided to surf the web a bit (Firefox with uBlock Origin). It was a stressing day so why not... um, surf some... sites :p you know what I mean, maybe. Everything was going fine, but then a page opened itself (by a script I think?) when I clicked on the player. It was not a problem, since I was feeling protected enough, but then another one opened with a fake Firefox page asking for e-mail and password and the infamous "click CANCEL to continue". Of course I didn't type anything and I killed the firefox.exe just in case. But in that occasion, a thousand of questions came to my mind. I NEVER and I really mean NEVER took a virus, malware or other kinds of infections in my system (maybe only when I was a kid, without being aware of it). So I scanned my computer with Kaspersky Free: nothing found. Then, for a second opinion, I ran Emisoft Emergency Kit: nothing at all. Also I'm using Comodo Firewall (in conjuction with Kaspersky Free) with cruelsister1 famous configuration. Here then are some questions:

1. If Kaspersky and Emisoft Emergency Kit didn't found anything, does it mean that my computer is
completely clean or should delve deep even more with other softwares? So if two major softwares don't
find anything, there's a need to scan even more?
1a. And if a system is clean, can something infect you online and online only within the browser? what I
mean is, if Comodo don't warn me of an external attempt to access something, then what has been
executed is only an online script? (time to try out NoScript I think).
1b. Some softwares, like Kaspersky and others offer a web and mail protection. I always disabled such
things, but may they help against online threats that can infect your computer or if a user
configuration is already "protected" they are superflous?

Let's move on a bit, this time asking for containment and firewall(s) in general.

2. Firewalls software that sometimes have cointainment utilies (like Comodo) tend to monitor everything. But
when in these kind of programs a user create a folder (or a group of them) to execute trusted application,
there is a way that a virus or malware infection can KNOW that location who is not "guarded" and then
attack or use it? or it's just too fictional to be true?
2a. Another thing is that Comodo blocks one of my svchost exes in Firewall, but as I said earlier if a
computer scan don't find anything, does it mean that the problem is another or something malicious is
operating in backrgound still undetected and since it's a Windows process third party softwares have
difficulties to find the cause of it? (that process uses alone 140MB of RAM).

And I still have some more, but I think this is enough for now. Hope to not have bored you, since I'm very verbose, so thanks in advance. Also, but I don't think it matters much since these are question not much related to an OS, I'm using Windows 7 Ultimate 64bit.
 
D

Deleted member 65228

1. If Kaspersky and Emisoft Emergency Kit didn't found anything, does it mean that my computer is
completely clean or should delve deep even more with other softwares? So if two major softwares don't
find anything, there's a need to scan even more?
An on-demand scanner, whether you using one, several, or a thousand, won't detect all malicious software available in the world. Therefore, a clean verdict from the scanners does not mean that the system is undoubtedly clean... This neither means the on-demand scanners are not useful and that you are indeed infected. The likelihood is that you are fine after what happened and that the system isn't infected, and that it is simply paranoia talking (gets to the best of us sometimes).

You could request for malware removal assistance on this very forum by clicking here. You provide logs which you're instructed about generating and a staff member will check over the logs and determine whether anything is necessary to be done - bear in mind this is not full-proof just like on-demand scanners, nothing stops the logs from being tampered with on-the-go without you being aware. So it goes both in hand really. However once again, the likelihood is this would not be the case.

1a. And if a system is clean, can something infect you online and online only within the browser?
The short answer is Yes, the long answer is No. Or it could be the other way round.

Yes, it is possible to deploy an infection to the host environment from a malicious URL alone - No, it is not common for this to happen. It doesn't just "happen", especially since modern browsers like Google Chrome have their own sandbox container embedded which complicates things further even if an attacker can execute code within the browser process. It would require a zero-day exploit to do something like this properly, something that most will not be able to do... And I'd imagine they cost in the several's of thousands in higher-up prices, not cheap for malware authors.

It is however relatively easy to download content to the local host from within a website, and this is commonly done through drive-by-download attacks, but the malware downloaded won't just be "executed". The downloaded malicious content would need to somehow be executed (e.g. by the user). And security software like Kaspersky should be capable of blocking this anyway.

1b. Some softwares, like Kaspersky and others offer a web and mail protection. I always disabled such
things, but may they help against online threats that can infect your computer or if a user
configuration is already "protected" they are superflous?
They can be quite useful, but more is not always better. If they offer features you are interested in using and you feel they will assist you in some shape or form, then enable them. Mail protection would be handy for example if you are a regular user of e-mail.

2. Firewalls software that sometimes have cointainment utilies (like Comodo) tend to monitor everything. But
when in these kind of programs a user create a folder (or a group of them) to execute trusted application,
there is a way that a virus or malware infection can KNOW that location who is not "guarded" and then
attack or use it? or it's just too fictional to be true?
The answer is Yes but it depends on the scenario. Comodo for one have self-protection so as long as they protect a folder which will auto-allow any programs within, then there's no problem. Even if they don't, you have to ask yourself, how did a program manage to run outside of the sandbox in order to drop another program to a folder which is for trusted programs only? It'd also take dipping into Comodo internals to work out their rules system and comprehending the data correctly, you aren't going to find a sample in the wild to do anything like this for Comodo. Especially not succeed.

2a. Another thing is that Comodo blocks one of my svchost exes in Firewall, but as I said earlier if a
computer scan don't find anything, does it mean that the problem is another or something malicious is
operating in backrgound still undetected and since it's a Windows process third party softwares have
difficulties to find the cause of it? (that process uses alone 140MB of RAM).
You can check the file path of the process being blocked, could you let us know what it is? If you also receive this information, send us the command line information. 140MB does look like quite a lot for svchost.exe for one process alone but then again I've seen one using 200MB before on my own Host in rare instances. I'm sure it is fine though, and a Firewall is there to block connections - a trigger from svchost.exe doesn't necessarily mean malicious activity but at the same time you can't know unless you dig into it.

If you can't lose your paranoia then if you're up for it, just use a backup for recovery (revert to older environment state), or format and reinstall Windows. Make sure you always have an up-to-date image backup say on case you do get infected though, that is important for a secure configuration.

In regards to what you were saying about when you were browsing (I did understand haha), those sources are actually a massive attack vector when it comes to malware distribution/spam.

For the future, I recommend just make sure you have a good ad-blocker and be careful with your browsing. No matter what security you have, you're in the drivers seat as the first line of defense.

Personally I think you are likely fine and that the system is clean, and that you are just worried because of what happened with the pop-up. It is a normal reaction for how you are feeling right now. I'd try not to worry about it too much if I were you.

Keep yourself safe :)
 
F

ForgottenSeer 19494

When i used Comodo i always disabled the exceptions from the AutoSandbox... i mean the Downloads folder and the Comodo folder which are not virtualized by default.
 
  • Like
Reactions: Handsome Recluse
D

Deleted member 65228

You can check the file path of the process being blocked, could you let us know what it is? If you also receive this information, send us the command line information.
Send the details from Comodo logs as well. Would help if we can see why it was blocked by the Firewall.

Now I think about it, If another block occurs, also retrieve which modules are loaded within the targeted svchost.exe process and and post those here as well.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Hello Skepticism, look on this post: Block Iframes, JavaScript, Redirections

"Searching for 'watch Justice League movie online free' , I've found first google result: 123moviesfree.ac...
Clicked on this link (without adblocker, but with Policy Control enabled, with 'Object plugin-handled content' on Block third-party) - I've just had new window with this modal full-page blue proposition to make update of my Firefox Nightly, hahaha, very nice window...
- nothing clicked on the page, but I closed and reopened my Windows session to have my desktop.

Then changed (in Policy Control) the 'Object plugin-handled content' on Block all - so on 123moviesfree.ac... I have no more this modal new window. Easy, with Policy Control extension.:) "

- so recently we are suffering a massive attack with Firefox fake screen update ...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
1 Even if a website forced your browser to download malware, that malware cannot run, unless you click on the file and willingly run it. I don't think you would do that.

2 There is such a thing as a browser exploit, by which malware invades your computer without clicking on a download -- but with a secure browser like firefox it won't happen, as things stand now. No promises for the future, but those attacks are not happening to people in the present.

3 There are all sorts of paranoid things that you could torture yourself by worrying about, but why?

4 The best way to remove nagging doubts is to do a system image restore. Get a good system image backup program (macrium reflect, aomei backupper, etc), make system images, and restore to a known good image, if you have a suspicion that your system was compromised.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
On this 123moviesfree.ac we have today (I've checked Policy Control logs): script go.oclasrv.com/apu.php?zoneid=1306060
...and another script 77f24529d8427410.com/1306062/ - this is adware redirect, on Windows and on Mac:
Remove 77f24529d8427410.com virus from Mac OS
Identical to MyCouponize, 77f24529d8427410 adware has the way to infiltrate computers and laptops secretly and then ravaged web pages presented to the user. The really disturbing thing about this threat landscape is that prodigies at the cost of such programs are beginning to adopt more and more sophisticated strategies to achieve their goals. For example, there is an ongoing large-scale malware activity called mycouponize2mac. Because it is running in the background at the target host in sight of the victim, its main purpose is to promote more implementation code.
The adware focuses on the display of the visit web page and popup a new tab redirect to Google or Google. It generates a virtual layer that contains a variety of ads. These ads are posted above the original site content. They include deals, comparison shopping carts, deals, coupons, gifts, banners, text, and in-stream ads. The two particularly nasty behind-the-hyperlink texts are a cake click accident, and transitional ads assume the splash screen form that can sit backstage to ate mac’s resources. These items are usually labeled as “powered by mycouponize2. Long story short, whether mycouponize2 virus or its protection ads belong to the Mac, follow the steps below to get rid of them.
...read more...

Too I've found on google: Topic: MW:JS:GEN2?rogueads.unwanted_ads.1 « WordPress.org Forums

To be safe, download too another Firefox extension: Redirect Control, by hjgwmvya - indispensable, vital!
- here: Redirect Control – Add-ons for Firefox
 
Last edited:

Skepticism

Level 1
Thread author
Dec 18, 2017
4
Thank you everyone for you answers and feedbacks, now I really feel that registering to this forum was the right choice to know more about security and everything related to it.

@Opcode
Thank you for your long, informative and comprehensive answer. Yes, it's like "paranoia" struck me all of a sudden, but not because I was afraid of what happened (at least, not that much) but the first thing that came to my mind was "What if for all this years I underestimated some aspects of security?" and so all these questions rolled in my head at once.

1. No, I don't think I'm going to request a removal assistance, at least I doubt it's needed in this case (?). But now it's more clear to me
that despite being widely used and ok for most situations, even running 200 scans with as many different softwares, they can't never get you
100% sure when every single day new threats are created and others discovered and blocked. So if before I was 99% sure about those results,
now I should maybe lower the percentage to 95.
1a. Oh ok, this is very interesting indeed. Because it brings up something that I never put much focus on: the fact that behind every piece of
malicious code of any kind there's a world composed by single coders or teams that develops them (either for "personal" use and practice or
in order to sell the product to someone else) and are aimed SPECIFICALLY for different situations and objectives. So forgetting it, even for
one moment, can bring someone (like me) to ask too many question to himself when in reality the right one should only be "I'm important enough?".
Because it would be illogic for someone to spend huge amount of money or craft something complex in order to steal the photos of your last
vacation; but things are of course different if you are bank or a company that stores important and sensible datas of your clients. This is really
something I'm going to search and read more about.
1b. I see. So they act like extras that can be useful for someone but not for others. For example I can activate the e-mail scan on demand
if I'm going to browse my university mails and turn it off if I'm not using it.

2. So this is somehow connected to 1a and, if I understand correctly, despite granting access to a folder it doesn't mean that Comodo or other
containment programs just "forget" about them, but simply they let the user more control (and with less notifications) while stll keeping an
eye on.
2b. It's the firewall component that simply blocks the svchost.exe which contains services related to the connection. And it was like this ever
since I installed the OS which is pretty new by the way, because I just rolled back to Windows 7 after having tried Windows 10 (it simply
doesn't fit me very well, being more social oriented than 7). But now that I think more about it, it may be related to the fact that I'm using
a Wi-FI USB extender and so when Comodo see that the central router want to communicate with my pc (all the calls are inbound) it just block
them and, doing so, the services related to the connection use more RAM in an endless loop? I just kept it blocked until now because I wasn't
sure about it, asking myself "why if my connection works the router want to communicate with me?".

Again, thank you very much for the insights and useful suggestions.

@Peter2150
Wow, never thought about something like this. So can I simply run the broswer sandboxed and delete the container when I'm done?

@liubomirwm
Glad to read about others experience with Comodo and different approaches to it.

@Prorootect
Thanks also to your feedback, now I understand that is something that is happening more commonly than I thought. And it brings some more light to
what it was and why it happened.
 

Skepticism

Level 1
Thread author
Dec 18, 2017
4
@shmu26
1. I always thought it like that, this is why I asked my second question about infections that can happen only online.
2. I see.
3. Because as I said in the previous post, paranoia struck me all of a sudden when looking back and made me ask if I underestimated some aspects of security in
these recent years.
4. I'm pretty confident now that there's no need to it, after reading all your replies. But if something may seems wrong in the future I may revert back to an old image
that I have saved (the only reason I'm not doing it now is that, being the OS newly installed, it would mean to download all the programs and drivers installed in the
last few days again).
 

Skepticism

Level 1
Thread author
Dec 18, 2017
4
Strangely, when I tried to edit my previous message I got a warning saying that it may contain inappropriate content, so I'm going to write a new one instead (maybe because I'm a new user and to avoid spam?). If it's a problem, the moderators can merge all these three messages in one.

@Opcode
2a EDIT: I made a more in depth research regarding the svchost.exe problem and I think I'm restricting the area of what can it be the cause of its excessive use of RAM. First off I tried to let Comodo ignore the process, but nothing changed. Then, as it's very common, I tried to disable the Windows Update service despite knowing that the svchost that control "wauserv" is another... and in fact nothing again, so I set the service back to delayed start. At this point, I went to Resources Monitor and found the exact culprict: svchost.exe(LocalSystemNetworkRestriced). But this led me nowhere. This is a complete list of services under that specific svchost (which is now running at 160MB, a bit too much for my tastes...):
- Wlansvc
- UxSms
- TrWks
- SysMain
- PcaSvc
- Netman
- hidserv
- CscService
- AudioEndPointBuilder

I'm prone to assume that there is no infection taking place, neither it's a rootkit since the location of the .exe is within the Windows folder. Still, I'm scratching my head a bit but at least Comodo has nothing to do with it and what the firewall is blocking are some communications that my router is sending to my computer (same IP, only the last digit changes from 0 to 3) for... whatever reason, I don't know? Maybe the WIFI Extender. For now I reverted Comodo to block it, just to be completely sure.
 
  • Like
Reactions: vtqhtr413

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@shmu26
1. I always thought it like that, this is why I asked my second question about infections that can happen only online.
2. I see.
3. Because as I said in the previous post, paranoia struck me all of a sudden when looking back and made me ask if I underestimated some aspects of security in
these recent years.
4. I'm pretty confident now that there's no need to it, after reading all your replies. But if something may seems wrong in the future I may revert back to an old image
that I have saved (the only reason I'm not doing it now is that, being the OS newly installed, it would mean to download all the programs and drivers installed in the
last few days again).
Thanks for your answer.
You can learn a lot on this forum. But always keep in mind that security forums like this have a lot of super-paranoids. You don't have to do everything they do. And they are not always right, either. The real experts are not paranoids.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top