
Messages - Curson

1
UCheck / Re: UCheck Command Line add -ignore flag
« on: January 11, 2021, 10:15:46 pm »
Hi mabrochu,

Welcome to Adlice Forum.
That's a great idea. I will add it on our roadmap right away.

Regards.

2
Hello,
Quote
When will scanning of external drives with Adlice Diag be available?
This feature is planned, but I don't know when it will be implemented.

Best regards.

3
RogueKiller PREMIUM / Re: Scan with shell extension not working
« on: December 31, 2020, 03:42:52 pm »
Hi Crsness,

Could you please try reinstalling RogueKiller using the installer HERE ?

Regards.

4
UCheck / Re: Software Request
« on: December 28, 2020, 03:56:06 pm »
Hi Harry,

Thanks for your feedback.
Let me answer your questions point by point.
Quote
I am new here and am getting ready to evaluate Adlice Diag Technician and am looking around on these blogs and I see that you ("Kevin") have made requests to include certain programs in what I believe he means to be a white-list
It was not a whitelist request, it was a request to include them in the Adlice UCheck database so they can be updated automatically.
For more information, see UCheck: Software list.

Quote
For example, CPUID, used by many apps is considered by "some" experts to be problematic in certain undisclosed ways which I won't disclose why here.
You are probably thinking of the CVE-2017-15302 vulnerability, present in older versions. If we excluded all software that had this sort of vulnerability in the past (exploitable kernel-mode driver), that would be a lot of software. However, please keep in mind that this means of exploitation has been restricted since Windows 10 1803.
Additionally, we plan to add detection of documented vulnerable drivers in RogueKiller in the future.

Quote
And certainly anything from iobit in my opinion.
This is our team's opinion, too. No product from Iobit will be included in UCheck.

Quote
That means bad guys will be trying to infiltrate it and modify the source code to force a release that has 100% undetectable malware, like the Solarwinds DL
Yes, this is indeed a possibility.
That's why we encourage software developers to publish their products along with their respective hashes (GPG signing would be the best, but most users do not know how to use it).

Quote
But it's not clear yet, to me, how Diag Technician constructs its database of YARA rules.
YARA rules will not help here, since we can assume that the malware writer took care to make it blend with the regular PE. However, Diag will probably detect it using its heuristic layers (usually MalPE).

Quote
They might have a joint relationship with MalwareBytes who I am sure does a very good job with YARA rules (rules to detect patterns of suspicious or bad properties in an .EXE/.DLL etc.) but no one knows how complete it is compared to CrowdStrike (hybrid-analysis), VirusTotal, etc.
Adlice products and MalwareBytes products do not share the same source code at all. They are completely different products.
Suspicious patterns are detected using the MalPE module (heuristic using AI).

Quote
We trust the developers to take precautions to guard their source code but there is no formal policy stating how they do it so infiltration is possible and hopefully we would know about it if it happened.
Access to our source code requires 2FA tokens and since we are a small team, any change not made by us will be obvious (git).

Quote
It also uses 3rd party open source libraries (JANSSON, OpenSSL, LibSSH2, LibCURL, LibYara, LibZip) and it is well known and well understood that bad guys know how to blend in to 3rd party library open source and inject changes which are approved and disguise their malware/backdoors, etc. Again, at some point it comes down to risk management and what is acceptable risk.
When pulling from their repos, we conduct basic code analysis as we cannot review all changes. As you said, it all comes down to what is acceptable risk.

Quote
Just my own opinion. I will say this: I have been studying the Adlice site for a few days and I am very impressed with its transparency and am hoping it becomes a tool I can add to my DFIR process to see what it can tell me. I will be throwing it against previously infected systems I cleaned up to see what, if anything, I missed in its opinion :- ). I expect it will be a very good and certainly affordable addition to my process however questions remain.
Again, thanks for your feedback.
If you have any questions left, please don't hesitate to open a new thread.

Regards.

5
RogueKiller / Re: no pup detection?
« on: December 07, 2020, 09:40:49 pm »
Hi,

Don't worry about that.
We will figure it out ourselves.

Regards.

6
Hi Faergor,

I've looked at the website and it does not contain any hidden scripts or malicious content.
Your system is safe.

Regards.

7
RogueKiller / Re: no pup detection?
« on: December 01, 2020, 11:35:31 pm »
Hi,

Thanks for your feedback.
We were indeed missing some PUP detections. They will be added to our signature database as soon as possible.

If you are active on MalwareBytes forum, could you please ask them about the following detection ?
Code:
PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}

I'm not sure, but this looks like a false positive to me.

Regards.

8
RogueKiller / Re: no pup detection?
« on: November 30, 2020, 06:55:30 pm »
Hi,

RogueKiller also detects PUPs.
Could you please attach both reports with your next reply ?

Regards.

9
RogueKiller / Re: Persistent bing.
« on: November 28, 2020, 01:09:37 pm »
Hi Ajohin,

That's strange.
Could you please attach RogueKiller JSON report with your next reply ?

Regards.

10
RogueKiller / Re: Persistent bing.
« on: November 28, 2020, 12:45:35 pm »
Hi Ajohin,

PUM stands for Potentially Unwanted Modification. In your case, those entries are perfectly legit.
For more information, please refer to RogueKiller Documentation.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.

11
RogueKiller / Re: Firefox false/positives, GUI submit, Forum topic
« on: November 28, 2020, 12:42:22 pm »
Hi Pkshadow,

The file prefs.js is often targeted by malware in order to do browser redirections, display ads, etc, that's why it's classified as a PUM (Potentially Unwanted Modification). In the near future, PUM entries will be able to be excluded from the scan, so you won't be bothered by it anymore.
Your feedback about the RogueKiller GUI is interesting. Could you please open a Support Ticket so that the concerned developer will be notified ?

Regarding your issue with posting in the False/Positive thread, I don't know why you couldn't. Anyway, I think your post covers a broader topic than just false positives, so creating a new thread is fine.

Regards.

12
UCheck / Re: Software request
« on: November 20, 2020, 08:36:48 pm »
Hi,

You are welcome.

Regards.

13
Other Software / Re: Non-blocking error when starting Loganalyzer
« on: November 17, 2020, 05:46:03 pm »
Hello,

Welcome to the Adlice Forum.

LogAnalyzer was built to run on an older version of the .NET Framework. Since it has not been updated for a long time, compatibility problems may appear when the system uses a recent version of the Framework, which is the case here.

Since this is a non-critical error, you can continue to use it, but the software will be unable to determine which system it is running on (error in System::Version()).

Best regards.

14
Malware removal help / Re: Help Identifying a Hidden.ADS Stream
« on: November 14, 2020, 02:40:56 am »
Hi YetAnotherGuy,

You are very welcome.
Thanks for the kind words.

Regards.

15
UCheck / Re: Software Request
« on: November 13, 2020, 09:47:31 pm »
Hi Kevin,

Sorry for the delay.

CPUID HWMonitor, TreeSize Free, OBS Studio, OneDrive, AutoIt and 1Password are now supported.
It was not possible to add the others you requested because there was either no changelog available or it wasn't possible to install them without user interaction.

Regards.
