Advice Request Why are we even messing with anything other than WD these days?

Please provide comments and solutions that are helpful to the author of this topic.

roger_m

Level 42
Verified
Top Poster
Content Creator
Dec 4, 2014
3,189
Once I was finished installing software, it was time to lock the system down, so I installed VS. WLC immediately found and infection, and it turned out to be a particularly difficult infection to remove (it took me a couple of hours to figure it out).
How did you get infected so quickly? I use my main computer for 12+ hours a day with only an antivirus to protect it and don't ever get infected. I visit countless websites every day and never even encounter any malware. The only time I get an alert from my antivirus, is for occasional false positives. One exception to that, is on very rare occasions, when I download an installer it will be a repackaged installer, rather the original one. But it's important to note, that not only does my antivirus detect and automatically quarantine these, but even if the installer did contain or would download malware, I would of course have to actually launch the installer to get infected.

You may ask, how am I sure that my system is clean, as maybe I am infected by a threat that my AV doesn't detect. I know my system is clean, as multiple second opinion scanners find no malware.
 
F

ForgottenSeer 72227

I had already spent around 15 or so hours installing software and configuring my system, and I had it "just right". The last thing I wanted to do was to reformat again.
Just for curiosity sake, do you typically make system images for your computers? I guess you could always do a clean install, once configured the way you want it, just make a system image of that. Something happens, just restore that image, pretty much bringing you to that point again without having to spend another 15h configuring it.

PS: I know you are very technically adept :) I'm just curious if you take system images, or just back up your data?
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
How did you get infected so quickly? I use my main computer for 12+ hours a day with only an antivirus to protect it and don't ever get infected. I visit countless websites every day and never even encounter any malware. The only time I get an alert from my antivirus, is for occasional false positives. One exception to that, is on very rare occasions, when I download an installer it will be a repackaged installer, rather the original one. But it's important to note, that not only does my antivirus detect and automatically quarantine these, but even if the installer did contain or would download malware, I would of course have to actually launch the installer to get infected.

You may ask, how am I sure that my system is clean, as maybe I am infected by a threat that my AV doesn't detect. I know my system is clean, as multiple second opinion scanners find no malware.
I've never got infected using Windows the last 3-4 years, and I often run unknown software without taking any security measure aside from the AV itself.
Well that was in the past, now I'm an "enlightened" Linux user 🤣
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
The worst thing that ever made it’s way on my PC with WD was mild adware, and that was 6-7 years ago when it was MSE on Win7. So I guess WD never failed me. I don’t download a lot of esoteric files or anything. Just a boring user, which WD (or rather MD) is good for.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Yes, I do not have any license. It would be easier for me to have one (instead of installing a trial several times). You know my email. Thank you.:)(y)
...

Enterprises have many more vectors of attack as compared to home users.
Nowadays, most attacks start from emails with phishing links. The second initial vector is related to email attachments. Both vectors often use documents as payloads. One popular method uses the MS Office old equation editor exploit. But, there are several exploiting possibilities too, because many enterprises do not update properly MS Office.
.

But it seems that exploits in Enterprises are especially popular in successful attacks on servers. Here is the useful report (not new):
Such malware is not used to attack home users. Servers use different Windows editions (often different OS too, like Linux servers) and different software as compared to home users. Furthermore, the attacks are often targetted to enterprise servers and not home users. Here is a useful reference for Windows Server 2008:

The cybercriminals are not stupid. Using well known (not new) exploits is the simplest way to bypass enterprise security and obtain persistence, so they are often used in attacks. The popularity of the WannaCry ransomware family is the simplest example of it.
Cool, I will email you, I checked and have a couple of different options that might work for you.

I agree with pretty much this entire post. I am just saying that we do not have the luxury of choosing the attack vector that is going to nail us... the attacker gets to choose that. So instead of guessing and ending up in tears, it is best to cover all vectors. I have read several places that approximately 20% of all enterprise attacks spill over into consumer land. Whether this is true or not, I have no idea. And 20% is not a huge number, but it is significant.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
How did you get infected so quickly? I use my main computer for 12+ hours a day with only an antivirus to protect it and don't ever get infected. I visit countless websites every day and never even encounter any malware. The only time I get an alert from my antivirus, is for occasional false positives. One exception to that, is on very rare occasions, when I download an installer it will be a repackaged installer, rather the original one. But it's important to note, that not only does my antivirus detect and automatically quarantine these, but even if the installer did contain or would download malware, I would of course have to actually launch the installer to get infected.

You may ask, how am I sure that my system is clean, as maybe I am infected by a threat that my AV doesn't detect. I know my system is clean, as multiple second opinion scanners find no malware.
Yeah, I was surprised it happened so quickly as well... otherwise I would have taken stronger precautions.

In all fairness, you are scanning with a blacklist scanner. and it is going to miss a lot more than WLC ever would (especially with a dwell time of 150-800 days). While reading your post, I just now realized that I did not start noticing this issue until several months ago when WLC was released. Remember, this all just came up recently and I am just now putting two and two together.

Anyway, you might try scanning your computer with WLC and see what it finds. If it detects any items as Not Safe, it would be wise to investigate. If all of the items are detected as Safe, there is a great chance your computer is perfectly clean.

If you are interested, here is a link... it uninstalls perfectly too.


So instead of scanning your system for malicious files, WLC scans your system for safe files. The reason whitelist scanners are not used to scan the drive is because if you were to scan the entire drive with a whitelist scanner, there would be tons of false positives. But a year ago or so I realized, well, we can at least scan the running process with a whitelist scanner, and maybe even eventually a smart scan that scans the running processes and common malware locations.

Anyway, if you or anyone else scans their computer with WLC, please let us know! You might be surprised what it finds.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Just for curiosity sake, do you typically make system images for your computers? I guess you could always do a clean install, once configured the way you want it, just make a system image of that. Something happens, just restore that image, pretty much bringing you to that point again without having to spend another 15h configuring it.

PS: I know you are very technically adept :) I'm just curious if you take system images, or just back up your data?
Yeah, exactly, I spent all of that time creating a "golden image" so I could create an image with EaseUS Todo Backup, which I did. Before Windows 7 I used to reimage my box every 2-3 months with Norton Ghost (it was amazing). But since Windows 7, pretty much every install has lasted the life of the computer. My previous image was a Windows 8.1 image that lasted almost 4 years. And actually I have been reading that there have been issues with cloning and SSD's, and that clean installs are recommended for SSD's (directly from Samsung). So I have a golden image that will get me by in a pinch, but if anything happens I will ultimately reformat the drive anyway.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
The worst thing that ever made it’s way on my PC with WD was mild adware, and that was 6-7 years ago when it was MSE on Windows 7. So I guess WD never failed me. I don’t download a lot of esoteric files or anything. Just a boring user, which WD (or rather MD) is good for.
Yeah, the only other infection I ever had was a PUA codec scam. This recent infection was not terrible, but it was persistent and well hidden.

Infections in general are not all that common, but when they happen to you they can be devastating. Believe me, I have seen how shocked people are and how violated they feel after being infected. It is the same way with car wrecks. Most likely you are not going to be involved in a car wreck anytime soon... but car wrecks can be devastating, so it is wise to take the appropriate precautions just in case.

On side note... although my personal real life experiences with malware have been extremely limited, every week or two I have terrible nightmares that my computer was infected and I lost all of my data... source code and everything.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Yeah, I was surprised it happened so quickly as well... otherwise I would have taken stronger precautions.

In all fairness, you are scanning with a blacklist scanner. and it is going to miss a lot more than WLC ever would (especially with a dwell time of 150-800 days). While reading your post, I just now realized that I did not start noticing this issue until several months ago when WLC was released. Remember, this all just came up recently and I am just now putting two and two together.

Anyway, you might try scanning your computer with WLC and see what it finds. If it detects any items as Not Safe, it would be wise to investigate. If all of the items are detected as Safe, there is a great chance your computer is perfectly clean.

If you are interested, here is a link... it uninstalls perfectly too.


So instead of scanning your system for malicious files, WLC scans your system for safe files. The reason whitelist scanners are not used to scan the drive is because if you were to scan the entire drive with a whitelist scanner, there would be tons of false positives. But a year ago or so I realized, well, we can at least scan the running process with a whitelist scanner, and maybe even eventually a smart scan that scans the running processes and common malware locations.

Anyway, if you or anyone else scans their computer with WLC, please let us know! You might be surprised what it finds.
Malwarebyte blocks the 'suspicious download' :ROFLMAO: :ROFLMAO: :ROFLMAO:
Everybody is flagging everything as unsafe these days.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
It's running a scan now. It's been over an hour so far. I'll post again when it's finished.
It must have hung up on something, the scans are usually really quick. You might want to exit out of WLC and open it again. If the problem persists, there is a log in C:\ProgramData\WhitelistCloud\DeveloperLog.log that we can look at. I thought I updated the stand alone version to work with the new webserver and to accept files above 100mb, but I should double check.

Malwarebyte blocks the 'suspicious download' :ROFLMAO: :ROFLMAO: :ROFLMAO:
Everybody is flagging everything as unsafe these days.
Thank you for letting me know! Yeah, we are moving toward zero trust and we do not even realize it ;).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,603
Back to the topic.:)
As one could see from my discussion with @danb, the WD free (default settings with BAFS + SmartScreen) cannot be especially effective in enterprises. They have much bigger attack area due to exploits and local network vulnerabilities. Several effective solutions are known which include among others:
  1. Software/system updates (can be painful due to backward compatibility and costly because of software licenses).
  2. Using strong security with ATP and Network Intrusion Detection including behavioral analytics (deep packet inspection).
  3. Data encryption and backup.
  4. Applying the principle of least privilege (or more restrictive strategies like 0-tolerance policy).
  5. Security training courses for staff.
  6. etc.
See for example how Microsoft Treat Protection can fight the attacks on the servers:
 
Last edited:
May 14, 2020
62
WD is very nice for default protection but I find that the Windows Security application is very buggy, also just today I was installing COMODO Firewall as a supplement to WD, it detected PUA:Win32/FusionCore, I knew what it was, the installer bundles a bunch of crap nobody needs, but the installer won't work without the two DLLs that WD detected, so I ignored them, after installing CF, I didn't really like it and I got rid of it, I decided to quarantine the two DLLs that WD detected, but apparently the files are gone from my AppData\Local\Temp folder, but WD still detects it, the worst thing is that when I tell WD to "Start Actions", it just goes in a loop where it tells me to run a quick scan, finds the same nonexistent threat, I press Start Actions and it does this all over again, I even use the repair upgrade option with the Media Creation Tool, and it still does the same thing. I really want to like Windows Defender, but I just can't, not with all these bugs.

TL;DR: WD keeps detecting the same nonexistent threat, even after a repair upgrade.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,603
WD is very nice for default protection but I find that the Windows Security application is very buggy, also just today I was installing COMODO Firewall as a supplement to WD, it detected PUA:Win32/FusionCore, I knew what it was, the installer bundles a bunch of crap nobody needs, but the installer won't work without the two DLLs that WD detected, so I ignored them, after installing CF, I didn't really like it and I got rid of it, I decided to quarantine the two DLLs that WD detected, but apparently the files are gone from my AppData\Local\Temp folder, but WD still detects it, the worst thing is that when I tell WD to "Start Actions", it just goes in a loop where it tells me to run a quick scan, finds the same nonexistent threat, I press Start Actions and it does this all over again, I even use the repair upgrade option with the Media Creation Tool, and it still does the same thing. I really want to like Windows Defender, but I just can't, not with all these bugs.

TL;DR: WD keeps detecting the same nonexistent threat, even after a repair upgrade.
It can be a bug, but for DLLs in the Temp directory, it can be a true detection if some background process tries constantly to drop a DLL there. Is this issue present after the reboot? The issue can be also related to the conflict between WD and CF when they both try to remediate the detected DLL (CF can put this DLL in the sandbox or block it via HIPS). Generally, such problems are common when one uses two security solutions.
 
Last edited:
May 14, 2020
62
It can be a bug, but for DLLs in the Temp directory, it can be a true detection if some background process tries constantly to drop a DLL there. Is this issue present after the reboot? The issue can be also related to the conflict between WD and CF when they both try to remediate the detected DLL (CF can put this DLL in the sandbox or block it via HIPS). Generally, such problems are common when one uses two security solutions.
The two DLLs detected by WD were a part of the CF installer, if CF detects a PUA in its in own installer and tries to sandbox, well that would be counter intuitive... And even after uninstalling and deleting the installer and reboot and a repair upgrade with the Media Creation Tool, WD still detects the DLL files, the funny thing is is that when I run a custom scan, and choose any where besides my AppData\Local\Temp folder, it still detects the two nonexistent threats, the only way I got rid of the issue was just putting the detection as an allowed threat.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,603
The two DLLs detected by WD were a part of the CF installer, if CF detects a PUA in its in own installer and tries to sandbox, well that would be counter intuitive... And even after uninstalling and deleting the installer and reboot and a repair upgrade with the Media Creation Tool, WD still detects the DLL files, the funny thing is is that when I run a custom scan, and choose any where besides my AppData\Local\Temp folder, it still detects the two nonexistent threats, the only way I got rid of the issue was just putting the detection as an allowed threat.
Interesting. Could you post here the link to the installer? I will try to test it on my machine.
 
May 14, 2020
62
Interesting. Could you post here the link to the installer? I will try to test it on my machine.
http://download.comodo.com/cis/download/installs/2000/partners/cmd_fw_installer.exe taken directly from here, steps to reproduce the problem: When I ran the installer for the first time, WD sent a notification that a PUA was detected, I ignored it because when I tell WD to remove the threat, the installer breaks, as in it will get to a black box with "Please wait" and then the installer just seemingly terminates itself. After installing CF and playing around with it, I went back to WD and told it remove the threat, and it goes in the loop that I told you in my original comment, I uninstall CF, same thing, and basically I from here I did everything I did in my original comment and still haven't found a solution besides adding it as an allowed threat. Maybe I'm doing something wrong...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,603
...
I have read several places that approximately 20% of all enterprise attacks spill over into consumer land. Whether this is true or not, I have no idea. And 20% is not a huge number, but it is significant.
It is probable. But, such attacks have a much lower impact on the home users, except those who use unsupported Windows versions or unpatched system /software (especially MS Office, Java, Adobe). Anyway, It does not mean that one could ignore such malware. There are many "spray and pray" spam campaigns that can hit the home users even on updated Windows 10.(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top