Assigned Zemana Quarantine Action

[SearchLight]

I just installed the latest version of ZAM 3.0 and tested it at the AMTSO website. I noticed that when I attempted to download EICAR, I noticed a pop-up that said ZAM detected a threat, Open Quarantine but when I click on that button, nothing happens. It seems that ZAM Blocked the file from downloading instead of Quarantine. Is this normal?

 

[SeriousHoax]

It seems like a normal behavior. It blocked the threat from downloading that's why nothing in the Quarantine folder.

 

[436880927]

Here's two potential explanations.

1. Zemana might be integrating with official mechanisms like IOfficeAntivirus and blocking the download as soon as it completes.
2. Zemana might be scanning before the file has finished downloading properly (downloading a file is a process which works by continuously writing more of the data being downloaded to disk until all of the data has been written to the disk - the browser will re-name the file on disk appropriately or copy it and delete the temporary file after the data has all been written). Zemana *can* intercept write operations via IRP_MJ_WRITE in their mini filter driver and scan data being written if they want to so it's viable explanation.

Also, I can tell you personally that Zemana were hard-coding EICAR signature in their file system mini-filter driver awhile ago. They probably still are.

If #1 is the case then it won't work for Firefox because Firefox dropped IOAV support a long time ago.

 

[SearchLight]

Thanks for the explanations. Makes sense but then their pop-up should differentiate between Blocked and Quarantined. Confuses the user.

 

[436880927]

OK.

Zemana Anti-Malware 3.0/+ uses amsdk.sys (zam.sys and zam64.sys seem to be gone now?).

amsdk.sys follows the File System Mini-Filter model.

1. Integrates with the Filter Manager (fltMgr.sys) via FltRegisterFilter & FltStartFiltering.
2. The registration instructs the Filter Manager that they want notifications for IRP_MJ_CREATE (Post).
3. The IRP_MJ_CREATE (Post) callback routine performs an EICAR scan check.

The callback routine is named ZmnMfPostCreateCallback (from a source file named MiniFilter.c according to logging info that is left in the code). It will call another routine to perform an EICAR scan - I have named this routine "ZamEicarScan" for the screenshot.

ZamEicarScan:
1. FltQueryInformationFile.
2. FltAllocatePoolAlignedWithTag.
3. FltReadFile -> into allocated pool memory.
4. memcmp - check for the EICAR signature ("X5O!P%@AP[4\\PZX54(P^)7CC)7")
5. Cleanup

Afterwards, if EICAR is to be blocked, FltCancelFileOpen is used to cancel the operation.

I haven't debugged it to ensure that the blocks are *always* coming from amsdk.sys so you can wait for Zemana to help you but this at-least confirms what I previously said about how they have EICAR hard-coded in their FS driver. However, I was wrong about it being done for IRP_MJ_WRITE so I did recall wrong - as we can see, it's post operation of IRP_MJ_CREATE.

 

[davisd]

but this at-least confirms what I previously said about how they have EICAR hard-coded in their FS driver

I feel for people using Zemana, not knowing and blindly trusting your chosen security vendor, to protect you from online threats.. this is just as dumb as it gets. "We tell you we use AI mechanics now to enchance users protection.." fk they can't even get their code right and must push Eicar in it. *Waiting for some exploits appearing in the news* maybe then users will open the eyes, until nothing has been happened, nothing will change.

 

[436880927]

I assume you're referring to how they are doing it in their driver ?

Flagging EICAR is normal behavior for AVs - it's a test file that is supposed to be flagged so consumers can verify that protection is functioning as intended.

However, I agree that what they are doing is silly. It's inefficient and lazy. The sensible thing to do would be to just include it with any other generic signatures being used and mark it with its detection name, assuming Zemana do have other generic signatures. Furthermore, it would be wise to handle data parsing tasks for the scanning operation in user-mode for security reasons because the data being scanned is non-trusted since it comes from unknown sources; if the EICAR check comes back as false then the driver will communicate with a user-mode service which is connected to the mini-filter via FltSendMessage.

 

[SearchLight]

The implication here is that Zemana is misleading Consumers about 3.0 detection capabilities by designing responses to typical malware that the consumer expects to see rather than legit ones?

 

[436880927]

The implication here is that Zemana is misleading Consumers about 3.0 detection capabilities by designing responses to typical malware that the consumer expects to see rather than legit ones?

No. I do not know the extent of what Zemana can or cannot do protection-wise and I don't care about that because I don't use it or work for them. I am not implying anything about their protection. You'll have to ask @davisd to clarify what he's talking about if you're asking him and not me.

Flagging EICAR is a normal thing for AVs. It's flagged for a reason - testing. Although, it is weird that they have hard-coded it in their driver... I do not understand why they have done this.

 

[boombastik]

@Opcode nice explanation. I don't like what it does.

 

[17410742]

although ZAM is still being classed as a complimentary second opinion scanner - the addition of the new AI engine still should put it up there with other products.

now version 3 is out of beta, id be interested how it does with the Malware testers on this forum who put products through their paces

im still really peeved i wasn't around to get a Lifetime licence that some people have.

 

[SearchLight]

although ZAM is still being classed as a complimentary second opinion scanner - the addition of the new AI engine still should put it up there with other products.

now version 3 is out of beta, id be interested how it does with the Malware testers on this forum who put products through their paces

im still really peeved i wasn't around to get a Lifetime licence that some people have.

You bring out a good point. Being always classified as a second opinion scanner the question should be is v3 mature enough now to stand on its own with its AI? If they rushed it out too soon, then maybe it should still be used as second opinion, although I hope that is or will no longer be the case. There is always ZAM 2.0 as standby.