I have observed it, that’s how I know. Once you download malware, the forensic service is active. It passes parameters to the remediation service so then that becomes active (this service will be merged with the rest soon). Finally when the forensic report is saved and there is no more activity, the notification appears.
Daily dose of testing:
I downloaded one safe (but suspicious-looking) file to see if it would be flagged as an FP. It wasn't.
I was a bit gentle to it in the beginning
It removed some dropped/downloaded malware.
Then I got uninterested in this anymore. About 7-8 infections were merrily running with heuristics set to max. So not always tweaking this and that helps.
In the Webroot case with tweaks and without, it’s just bad. And they are selling it for £65.
I’m getting my ZoneAlarm back now.
Apparently Sophos engine is capable of handling password-protected zips. In the files used to test Webroot (less than successfully) Sophos detected malware.
Additional script test (malicious document not emulated or cleaned, downloaded during the webroot time)
Btw this is how I like tests, with a few samples every day so I can pick and understand them; otherwise too many samples at once is not as effective a test.
I've been testing ZA in a VM for the last week or so and have not noticed any major issues. A minor issue: if you download a malicious file it seems to take ages before the pop-up saying it was blocked appears. The easy way is to use a file that you know will be detected; if you try to download eicar_com.zip on my VM it takes over 15s for the notification. Not sure if it's ZA or Chrome that's causing the delay.
I've been using ZA in VM too for about a week. Have not tried to intentionally DL malware, but the files I have downloaded, I seem to get a quick response from ZA that they are good.
Btw I didn't check and I should have, does webroot plug into the AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have AMSI provider built-in? or @Kongo@Decopi@Shadowra
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton, Bitdefender and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar, they are the sun and the moon. That's a good sign.
That shield is not in home products though and the foreign code shield is absent as well. Not sure also if they block connections system-wide (anti-bot). I didn't see any evidence that they do.
Under "shields" in settings there was no such thing. There was something interesting under privacy, to add programmes whose data you want to protect. It didn't seem to be doing anything: I added Edge, and passwords were exfiltrated.
Btw I didn't check and I should have, does webroot plug into the AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have AMSI provider built-in? or @Kongo@Decopi@Shadowra
AFAIK, Webroot always talked about "enhancing" (complementing or expanding) AMSI capabilities... but TBH, I don't think Webroot is integrated with AMSI... I don't remember seeing an option inside Webroot to enable AMSI integration (as other security software usually has)... I also never read about Webroot being fully integrated with AMSI.
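Whether a product registers an AMSI provider can be checked directly on the host rather than guessed from its settings UI. The following is an added example (not code from the thread or from any vendor) that enumerates the providers registered under the standard AMSI registry key and resolves each CLSID to the DLL that implements it and the DLL's signer; on a host where Defender is active its own provider shows up too.

```powershell
# Added example: list the AMSI providers registered on this host.
# Each subkey under the Providers key is the CLSID of an IAntimalwareProvider
# implementation; the implementing DLL is found via the CLSID's InprocServer32 key.
$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

if (-not (Test-Path $providersKey)) {
    Write-Output 'No AMSI Providers key found; no provider is registered on this host.'
    return
}

Get-ChildItem $providersKey | ForEach-Object {
    $clsid    = $_.PSChildName
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"

    # The default value of the CLSID key is the provider's display name;
    # the default value of InprocServer32 is the path of the provider DLL.
    $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

    # Expand environment variables such as %ProgramFiles% before touching the file.
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    # Signer subject tells you which vendor the provider belongs to.
    $signer = $null
    if ($dll -and (Test-Path $dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [PSCustomObject]@{
        CLSID  = $clsid
        Name   = $name
        Dll    = $dll
        Signer = $signer
    }
} | Format-Table -AutoSize
```

If a product's DLL does not appear in this list, it is not receiving AMSI scan requests for PowerShell, VBScript/JScript, Office macros and the other AMSI-instrumented hosts, whatever its UI claims.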
Very weird... I've never seen anyone completely ignoring fileless malware in home solutions. I mean fair enough, nobody will start performing targeted attacks against them but if you have "evasion shield" then why should it be absent from home software... you never know what users will download.
Btw that stealer is signed. Under default policy ZA and Harmony Endpoint terminate trusted files but don't delete them (the original file remained on the system). This is why it may look like ZoneAlarm didn't do anything... coupled with the slow message that takes time to appear... I forgot to add in the post above. Only on Harmony Endpoint this setting can be changed to get trusted files deleted and not just terminated.
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton, Bitdefender and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar, they are the sun and the moon. That's a good sign.
That will be an interesting comparison. If you've got extra time, any chance you can add Avast to the mix? In my limited testing Avast is very effective, and quite a number of inflated files I've tested Avast seems to detect before execution.
These inflated files in ZoneAlarm are handled by Behavioural Guard. There is one test from yesterday, but many refuse to run when ZoneAlarm is installed and just terminate. Not sure if they are deterred by the "forensics" that's in one of the process names or by something else. The ones that run (PrivateLoader by CozyBear I am talking about) download quite a lot of stuff including Amadey stealer and it is all detected. ZoneAlarm, like Defender and many others, has a scan limit (in Harmony it can be uplifted). Though boosting the limit is useless: Microsoft increased their scan limit from 700 MB to over a gigabyte and they now inflate them to 1.2 GB and they are not scanned again. Avast engine is better suited to these.
Apparently Sophos engine is capable of handling password-protected zips. In the files used to test Webroot (less than successfully) Sophos detected malware.
@Trident , please allow me simple questions from my very ignorant side:
1. If Sophos engine is capable of handling password-protected zips, can we infer that ZAESNG based on Sophos engine is capable of doing the same? Or not necessarily? Does being based on a Sophos and Kaspersky engine mean having the same capabilities as the Sophos and Kaspersky engines have?
2. Here in this thread, are you always using ZAESNG in your tests? Or sometimes you use Harmony EndPoint?
3. Your attached forensic images are from Harmony EndPoint? Or from your ZAESNG at C:/Program Data/Check Point/Endpoint Security/Threat Emulation/Reports?
Btw this is how I like tests, with few samples every day so I can pick and understand them, otherwise too many samples at one is not as effective test.
Yeah, it's another great way to test. Besides giving you a full and better comprehension, a few samples every day also offer high-quality tests because they reflect zero-day-attack responses or at least reflect the latest pest protection capabilities.
Btw that stealer is signed. Under default policy ZA and Harmony Endpoint terminate trusted files but don't delete them (the original file remained on the system). This is why it may look like ZoneAlarm didn't do anything... coupled with the slow message that takes time to appear... I forgot to add in the post above. Only on Harmony Endpoint this setting can be changed to get trusted files deleted and not just terminated.
4. What about connections? Sorry to ask, it's not totally clear to me, "terminate" means that the stealer started (and only then was terminated). So, it sounds that the stealer wasn't stopped or blocked to run. If that is the case, did the stealer manage to make any connections? Or the stealer never ran at all, nor succeeded to make connections etc?