Windows Defender Shows a Warning with a Third Party Antivirus

In recent Windows Updates, Microsoft has changed how its own antivirus, Windows Defender, behaves on your system. The idea is that if you have no antivirus, or Windows Defender is turned off, it will remind you of this so that you at least have some kind of antivirus running.

Confusion has arisen with some customers thinking that this means they must uninstall their ESET protection. Let us be clear – Windows Defender is better than no protection, but is NOT better than your ESET protection – not even close. Windows Defender is NOT AS GOOD as ESET. There – we said it another way as well.

So – how do you get Windows Defender to quit bugging you?

Windows Defender may show you an Exclamation Mark – or Warning!

Well – first off – you will NOT get Windows Defender to turn green unless it is the primary (only) antivirus – it will always stay ‘yellow’ – but we can help you get rid of the warning messages.

First – turn on Periodic scanning

Turn on Periodic Scanning – but do not be tempted to uninstall your SUPERIOR Antimalware solution from ESET.

Now you should start a ‘quick scan’ – the Exclamation mark will remain until Windows Defender has completed some type of scan.

If you are using a PC cleaner such as CCleaner, we recommend that you upgrade to the latest version and then UNCHECK the Windows Defender option, because cleaning up the Windows Defender scan results will cause the warning from Defender to come back!

In CCleaner – remove the checkmark next to ‘Windows Defender’.

If you continue to have problems with Windows Defender, please contact us for support.

Ransomware: To pay or not to pay?

Towards the end of July 2016, Kevin Townsend brought it to my attention that Europol, the European Union’s law enforcement agency, had announced an initiative to address the ransomware problem. No More Ransom is intended to provide information and help victims recover their data without paying a ransom to the criminals. As well as being quoted by Kevin in his article linked above, I commented on the No More Ransom portal at more length for AVIEN, where I maintain information resources on ransomware and on tech support scams.

Subsequently, however, Kevin came back to me when he was researching another article based on research commissioned by Malwarebytes indicating that:

39% of enterprises were hit by ransomware last year … Of those, 40% paid the attackers in order to retrieve their data.

Picking up on the suggestion that ‘40% of corporate victims pay up’, he said:

Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?

You can read a brief extract from my response to that question in Kevin’s article, as well as the replies of other commentators such as Jérôme Segura and Graham Cluley. However, here’s my full response (slightly re-edited for clarity):

In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the wellbeing of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In other words, you’re providing sustenance to a protection racket.

On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time the security industry can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – if they decide to pay up rather than commit financial suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the board of directors to survive the damage to their finances.

If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark and sinister alleyways. However, the attacks will remain economically viable as long as people aren’t willing or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – which is not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.

We sometimes hear of instances where organizations pay ransomware even though they do have backups because it’s the cheaper option. That’s not only irresponsible (because there is no doubt that it encourages criminality) but it suggests something significantly wrong with the backup strategy they have in place. A deterrent that you can’t afford to use is of little practical use.

Most security bloggers will advise individuals and businesses not to pay the ransom, taking the same view as Europol, as quoted in another article.

If your own business data are at stake, or even your personal data such as photographs which are irreplaceable by any other means, you might feel differently. It seems to me, though, that there is a certain amount of recent softening on that hard-line view. Martijn Grooten pointed out for Virus Bulletin that:

… Paying the ransom should always be the last resort … but sometimes … the only sensible business decision left is to pay the criminals …

As you may have gathered from the above, I’m pretty much in agreement. Ryan Naraine also admits to a shift in his viewpoint. He described in How to avoid becoming the next victim of ransomware, how he was forced to acknowledge that some institutions have real difficulty in resourcing the sort of security that defeats ransomware and have no choice but to pay up after a ransomware incident simply in order to stay in business. Specifically, he quotes from a healthcare organization’s IT administrator, who pointed out that:

We have no computers to use. All our backups are encrypted. It’s a case of desperation. We either pay $800 or we spend thousands to rebuild systems and try to recover data. In practice, we have no choice but to pay the ransom …

It’s worth pointing out that in such a case an organization is not only obliged to meet statutory obligations but also has a duty of care to the people who use their services. In the event of a failure to protect their data, irrespective of whether that failure is down to technological shortcomings or human error, and where there is no other way of retrieving those data, that duty of care might – and perhaps should – outweigh the point of principle stressed by Europol. Healthcare is not the only area in which such a conflict may arise with a serious impact on the individual, of course, but healthcare organizations have been heavily and publicly hit by ransomware over the last year or so.

Nevertheless I’m going to repeat my own advice that an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering. It’s worth remembering that paying the ransom doesn’t always get the data back, either. And there’s unlikely to be a money-back guarantee, as pointed out in an advisory issued by the FBI that also takes a strong ‘no pay’ position.

The agency also offers a series of basic tips on reducing the risk from ransomware that will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I’m still mildly amused, though, by the advice to:

Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

Since it’s a bit tricky to back up data without connecting to the system used for primary storage, I suspect that what they meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted by the ransomware. The expanded tips given in an FBI brochure are somewhat clearer on that point.

By David Harley

WARNING: Windows 10 Anniversary Edition – DO NOT REMOVE YOUR ANTIVIRUS!

This week, Microsoft issued the Windows 10 Anniversary Update, which changes the way in which security status is presented to home users.

Windows Defender now displays a user’s protection status as “off” if any non-Microsoft antivirus protection, including ESET, is in use. Additionally, Windows Defender advises the user to remove their non-Microsoft antivirus protection.

This is a very different stance to Microsoft’s position in the past, where Windows Defender played well with others, and if you ran ESET (or any other) antivirus with Windows Defender, they co-existed relatively well together. Computer Security Solutions always recommended turning off the real-time protection of Windows Defender, so that you didn’t have two programs scanning the same file when you accessed it – but leaving Windows Defender “on” for a “second look” during an overnight scan was not a problem. Even though we have never heard of Microsoft’s product finding something that ESET didn’t (quite the reverse) – we felt it was OK to leave Defender on “just in case”.

Well now that Microsoft has changed the way the defender works, our advice has to change – because Microsoft is going to recommend that you remove ESET (and any other 3rd-party antivirus), and keep their Windows Defender as a single product.

This is actually quite a BAD IDEA, because in independent tests ESET’s protection technologies, used in NOD32 Antivirus, Smart Security, CyberSecurity for Macintosh, ESET Endpoint Antivirus, ESET Endpoint Security and just about every ESET product, out-perform Microsoft in every available metric.

Before we even get to important factors such as system performance hits, memory usage or malware detection, you need to consider that ESET (which you have bought and paid for a license to run and operate) has a much larger feature set:

Comparison Chart of Security Features – ESET vs Microsoft Windows Defender


But when it comes to metrics which matter – ESET outperforms Microsoft where it counts…

ESET beats Microsoft in Malware Detection:

Detection of malicious software – AV-Comparatives, March 2016: ESET scores 99.4%, while Microsoft scores 98.1%

ESET beats Microsoft in Impact on System Performance:

Impact on system performance – AV-Comparatives, April 2016 (lower impact score is better)

ESET uses far less memory than Microsoft:

Memory usage during system idle – PassMark, February 2016 (fewer megabytes is better)

ESET has much faster scan-times than Defender:

Scan time in seconds – PassMark, February 2016 (lower is better)


We strongly recommend that you keep your ESET product and disable Windows Defender. For a step-by-step guide, see this ESET Support Article – How to Disable Windows Defender.
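Both Defender posts on this page come down to the same three questions: which antivirus does Windows think is active, what does Defender itself report, and has it completed the scan it wants before it clears the warning. The PowerShell below answers them and then does what the posts ask (stop Defender’s real-time engine, run a quick scan). It is an added example, not code from ESET or Computer Security Solutions. It assumes an elevated PowerShell on Windows 8.1/10 with the Defender module present, and that Defender’s service is still running (periodic scanning on); the decoding of the undocumented productState value follows the commonly observed byte layout and is an assumption.

```powershell
# Added example (not from the original posts). Run elevated.

# 1. Antivirus products registered with Windows Security Center.
#    productState is undocumented; the byte layout below is the commonly observed
#    one (assumption): middle byte 10/11 = real-time on, low byte 00 = definitions
#    up to date, 10 = out of date.
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState          # e.g. 0x61000 -> "061000"
            [pscustomobject]@{
                Name       = $_.displayName
                Enabled    = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate   = ($hex.Substring(4, 2) -eq '00')
                Executable = $_.pathToSignedProductExe
            }
        }
}

# 2. Defender's own view of itself (all four are real Get-MpComputerStatus fields).
function Get-DefenderSummary {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        ServiceRunning     = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        LastQuickScan      = $s.QuickScanEndTime       # empty until a scan has completed
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Get-DefenderSummary

# 3. If an enabled third-party AV is registered, stop the double scanning the post
#    warns about and give Defender the completed scan it needs before the warning
#    clears. Both calls fail if Defender's service has already been shut down by
#    the third-party install, so the failure is reported rather than hidden.
$third = Get-RegisteredAntivirus | Where-Object { $_.Enabled -and $_.Name -notmatch 'Defender' }
if ($third) {
    Write-Host "Third-party antivirus active: $($third.Name -join ', ')"
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
        Start-MpScan -ScanType QuickScan -ErrorAction Stop
        Write-Host 'Defender real-time protection off; quick scan started.'
    } catch {
        Write-Warning "Defender did not accept the change: $($_.Exception.Message)"
    }
} else {
    Write-Warning 'No enabled third-party antivirus registered; leaving Defender real-time protection on.'
}
```

Read the first table before touching anything: if your ESET product shows Enabled = False or UpToDate = False there, the Defender warning is doing its job and the fix is on the ESET side, not in Defender. Periodic scanning itself is still switched on in the Windows Defender settings page as the earlier post describes; the script only reports and scans.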

ESET releases new decryptor for TeslaCrypt ransomware

Have you been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt? If your encrypted files had the extensions .xxx, .ttt, .micro, .mp3 or were left unchanged, then ESET has good news for you: we have a decryptor for TeslaCrypt.

We have been covering this malware for a few months now, sometimes along with Locky or being spread by Nemucod. Recently, TeslaCrypt’s operators announced that they are wrapping up their malevolent activities.

We must stress that ransomware remains one of the most dangerous computer threats at this moment, and prevention is essential to keep users safe. Therefore, users should keep operating systems and software updated, use reliable security solutions with multiple layers of protection, and regularly back up all important and valuable data to an offline location (such as external storage).

We also advise all users to be very careful when clicking on links or files in their email or browsers. This is particularly true when messages are received from unknown sources or otherwise look suspicious.

For more information about how to protect yourself against these and other ransomware threats, please check this: 11 things you can do to protect against ransomware.
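Before running any decryptor it helps to know how many files are actually affected, and the extension list above has a catch: a real .mp3 is also an .mp3, and the v4 variants left the original extension in place. The PowerShell below, an added example that is not ESET’s decryptor and not from the original post, triages a folder on two signals: a TeslaCrypt extension, and file content that does not match what the extension claims (an encrypted photo.jpg no longer starts with the JPEG header). The header table is a small hand-picked set and an assumption; extend it for your own data.

```powershell
# Added example, not ESET's decryptor: find files that look like TeslaCrypt v3/v4 output.

$TeslaExt = '.xxx', '.ttt', '.micro', '.mp3'
$Magic = @{                              # hex prefixes of the first bytes; any one may match
    '.jpg'  = @('FFD8FF')
    '.jpeg' = @('FFD8FF')
    '.png'  = @('89504E47')
    '.gif'  = @('474946')                # "GIF"
    '.pdf'  = @('25504446')              # "%PDF"
    '.docx' = @('504B0304')              # "PK" zip container
    '.xlsx' = @('504B0304')
    '.pptx' = @('504B0304')
    '.zip'  = @('504B0304')
    '.mp3'  = @('494433', 'FFE', 'FFF')  # "ID3" tag, or an MPEG frame sync (0xFFE0-0xFFFF)
}

function Get-HexPrefix([string]$Path, [int]$Count = 8) {
    # First $Count bytes of a file as an upper-case hex string ('' for an empty file).
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return '' }
        return (($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join '')
    } finally { $fs.Dispose() }
}

function Test-HeaderMatches([string]$Hex, [string[]]$Prefixes) {
    foreach ($p in $Prefixes) { if ($Hex.StartsWith($p)) { return $true } }
    return $false
}

function Find-SuspectFiles([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()
        $reasons = @()
        if ($Magic.ContainsKey($ext)) {
            # Known type: trust the header, not the name. Genuine MP3s pass here;
            # an encrypted file renamed to .mp3, or a v4 file with its name intact, does not.
            $hex = Get-HexPrefix $_.FullName
            if (-not (Test-HeaderMatches $hex $Magic[$ext])) {
                $reasons += "header $hex does not look like $ext"
                if ($ext -in $TeslaExt) { $reasons += 'TeslaCrypt-style extension' }
            }
        } elseif ($ext -in $TeslaExt) {
            $reasons += "TeslaCrypt extension $ext"     # e.g. photo.jpg.xxx (v3 appended the extension)
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Path = $_.FullName; Bytes = $_.Length; Reason = ($reasons -join '; ') }
        }
    }
}

Find-SuspectFiles -Root "$env:USERPROFILE\Documents" | Format-Table -AutoSize
```

Run it read-only first and keep the list: it is your before/after check for the decryptor, and the header test is also the quickest way to tell an encrypted file from one that merely has an odd name.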

Critical fixes for Windows, Flash and Java

Windows, Flash and Java Updates!

Windows users and those with Adobe Flash Player and/or Java installed, it’s time to update again!

Microsoft just released 13 updates to address more than three dozen unique security vulnerabilities.

Adobe issued security fixes for Flash Player that plug at least 22 security holes in the widely used browser plugin.

According to Krebs:

One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws in Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. 20.0.0.306. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).

Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

Finally, Oracle pushed out an emergency security update (Java SE 8, Update 73) this week for Java JRE — the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users double-clicking and executing the malicious file.

This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).

If you have a specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Check out the Krebs On Security Article for Tutorials
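The version numbers in the post (Flash 20.0.0.306, Java SE 8 Update 73) are only useful if you compare them against what is actually installed. The PowerShell below, an added example that is not from Krebs or the original post, reads the Programs and Features registry entries and reports every Flash and Java install that sits below those floors. The DisplayName patterns and the 8.0.730 form of the Java version string are assumptions about how the Adobe and Oracle installers register themselves; adjust them if your entries differ.

```powershell
# Added example (not from the post): are the installed Flash and Java builds at
# or above the versions named in this week's updates?

$Floors = @(
    @{ Product = 'Adobe Flash Player'; Pattern = '^Adobe Flash Player'; Minimum = [version]'20.0.0.306' }
    @{ Product = 'Java 8 JRE';         Pattern = '^Java 8 Update';      Minimum = [version]'8.0.730' }   # 8u73 (assumed DisplayVersion form)
)

function Get-InstalledPrograms {
    # 64-bit, 32-bit (WOW6432Node) and per-user uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-PatchLevel {
    $installed = Get-InstalledPrograms
    foreach ($f in $Floors) {
        $hits = @($installed | Where-Object { $_.DisplayName -match $f.Pattern })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Product = $f.Product; Installed = '(not installed)'; Status = 'OK: nothing to patch' }
            continue
        }
        foreach ($h in $hits) {                 # Flash registers NPAPI and ActiveX builds separately
            $v = $null
            $status = if ([version]::TryParse($h.DisplayVersion, [ref]$v)) {
                if ($v -ge $f.Minimum) { 'OK' } else { "UPDATE: below $($f.Minimum)" }
            } else { 'unparsable version string' }
            [pscustomobject]@{ Product = $h.DisplayName; Installed = $h.DisplayVersion; Status = $status }
        }
    }
}

Test-PatchLevel | Format-Table -AutoSize
```

Two caveats: Chrome ships its own Flash and updates it with the browser, so it never appears in these keys, and an old Java install that Oracle’s updater left behind shows up as its own “Java 8 Update NN” entry, which is exactly the one you want to remove.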

Retailers targeted by sophisticated ModPOS malware

Point of Sale System – ModPOS malware attacking POS

CSO Online is reporting that the ModPOS malware has already hit multiple national retailers and compromised millions of cards, according to new research released this morning, but there are likely to be more infections still out there since this particular malware is extremely difficult to detect.

“The way that the malware is able to hide itself makes it extremely difficult for retailers to detect with existing capabilities,” said Stephen Ward, senior director at Dallas-based cyber threat intelligence firm iSight Partners, Inc.

It took months for researchers to get a clear view of this malware and reverse engineer it, he said, and then the researchers have spent a month informing retailers about how to spot it.

This POS malware is sophisticated with a VERY extensive toolkit:

As its name suggests, ModPOS is a highly modular malware that targets point of sale systems with keylogging, RAM scraping, credential theft and network reconnaissance functions.

“What we’re seeing is shell code which consists of up to 600 functions, which is astronomical,” said Maria Noboa, iSight’s senior threat analyst. By comparison, typical shellcode would have just a handful of functions, she said.

ModPOS malware is basically a rootkit:

The ModPOS framework also involves hacked kernel drivers and that, Noboa said, is what makes this malware family very dangerous.

“They are essentially rootkits,” she said. “Difficult to detect.”

It isn’t all bad news though:

The one bright spot about this malware, so far at least, is that its creators are not selling it on underground forums or otherwise distributing it to the public.

“We have researchers around the world looking for any sign of people trying to share the code,” she said.

So far, there haven’t been any.

“This gives us an indication that the authors are holding it close to their chest because it’s a profit center for them,” she said. “We categorize this as author-slash-operator because we believe that the people who wrote the malware are the ones operating it.”

Isn’t EMV the answer? Maybe – maybe not…

EMV is not enough

Many retailers are currently in the process of converting to EMV, which allows them to accept more secure chip-based payment cards at the point of sale terminal.

That could help companies defend against ModPOS — but only if they do it right.

“There is a tendency to think that if you have EMV terminals set up, you’re good to go,” Noboa said. “But it has to be implemented correctly, with true end-to-end encryption in place, including encrypting data in memory. That’s key here, because point-of-sale malware capitalizes on data in memory. If it’s not encrypted, ModPOS can still grab that data in clear text.”

In addition, the rest of a company’s infrastructure might still be vulnerable to attackers, she added, including other databases, intellectual property and financial documents.

“The modularity allows them to use it as a Swiss Army knife,” said Ward.

Original Article.
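Noboa’s point about data in memory is easier to see than to describe. A RAM scraper does not need to understand the POS application at all: it reads the process’s memory as text and pattern-matches it for Track 2 data (a 13–19 digit PAN, “=”, expiry YYMM and service code), then uses the Luhn check to throw away digit runs that are not card numbers. The PowerShell below, an added example that is not from the CSO article or the iSight research, runs that search over a constructed snapshot containing the well-known Luhn-valid test PANs, then over random bytes standing in for a buffer that was encrypted at the reader.

```powershell
# Added example (not from the article): what a memory scraper searches for, and
# why encrypting card data in memory defeats it.

function Test-Luhn([string]$Digits) {
    # Standard Luhn mod-10: double every second digit from the right.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]            # [string] first: [int][char] would give the ASCII code
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-Track2([byte[]]$Memory) {
    # Treat the buffer as ASCII text and regex it, exactly as a scraper does.
    $text = [System.Text.Encoding]::ASCII.GetString($Memory)
    $pattern = '(?<pan>\d{13,19})=(?<exp>\d{4})(?<svc>\d{3})'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        if (-not (Test-Luhn $m.Groups['pan'].Value)) { continue }   # drops most non-PAN digit runs
        [pscustomobject]@{
            Offset  = $m.Index
            PAN     = $m.Groups['pan'].Value
            Expiry  = $m.Groups['exp'].Value
            Service = $m.Groups['svc'].Value
        }
    }
}

# Constructed snapshot: two clear-text swipes, one Luhn-invalid digit run, junk between.
$snapshot = [System.Text.Encoding]::ASCII.GetBytes(
    "RECEIPT`0`0;4111111111111111=2512101123400000?`0LOG" +
    "garbage 1234567890123456=2512101 garbage`0`0" +
    ";5500000000000004=2701201000000000?`0")
Find-Track2 $snapshot | Format-Table -AutoSize      # two hits: 4111... and 5500...

# The same search over a buffer encrypted at the reader (simulated with random
# bytes) finds nothing: there is no clear-text track data to match.
$encrypted = [byte[]](1..256 | ForEach-Object { Get-Random -Maximum 256 })
"hits in encrypted buffer: $(@(Find-Track2 $encrypted).Count)"
```

The same two functions are what a defender’s canary works from: plant a known Luhn-valid test PAN in a process that should never hold card data, and alert when it turns up on the wire. Real scrapers add the Track 1 format and tighter BIN filtering, but the core is no more than this.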

ESET Offers Free Android Stagefright Detector

ESET®, a global pioneer in proactive internet security for 25 years, today announced the availability of a free Android app – ESET Stagefright Detector – which helps users determine if their Android device is affected by the critical Stagefright vulnerability. The app is available in the Google Play Store now.

ESET makes available a free Android Stagefright Detector

First discussed at Black Hat 2015 last week, the Stagefright vulnerability allows attackers to gain control of Android phones via the Stagefright library, an open-source media playback library used by 95 percent of Android devices. The vulnerability gives attackers access to most of the victim’s phone data including email, photos, and personal information by simply sending an MMS (Multimedia Messaging Service) message to the victim’s Android smartphone.

ESET Stagefright Detector works with Android 4.0 and later versions of the Android operating system. The app alone cannot repair the vulnerability; however, once users run the app and determine whether their Android smartphone is vulnerable, they can tap the “Learn More about Stagefright” icon. This takes users to the ESET Knowledgebase article, which provides safety steps to protect their data.

ESET recommends all Android smartphone users follow these steps to ensure their data is safe:

  • Enable automatic updates on their device(s) to ensure they receive the latest patches from the device manufacturer or carrier
  • Block MMS from unknown senders
  • Disable automatic MMS retrieval in the Messaging setup
  • Use a browser that is not vulnerable to Stagefright (for example, Firefox 38+)

 

ESET discovers another porn clicker in Google Play

Recently, Avast researchers discovered the Trojan porn clicker uploaded to the Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.

Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.

While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.

Original ESET Article

And they say that antivirus isn’t required on a Macintosh

For years and years, Apple maintained that an antivirus program was not required on a Macintosh, and for many years, if you were careful, that was *largely* true.

Mac OS X malware is no longer a fantasy – it’s real!

The number of Macintosh threats was minimal, and cybercriminals simply didn’t go after Macintosh computers because their numbers were relatively low.

As Apple’s market share increased, these cybercriminals turned their attention to Macs: they cost more, the customers who buy them are typically well off to affluent, and they were often plain easy to infect, because their users lived in a bubble where clicking on bad links and programs simply had no ill effects.

Those days are GONE – pure history.

New Macintosh threats appear on a very regular basis, and they range from fairly benign pop-ups to full-blown banker trojans.

Want to see the list of recent Mac OS X malware threats? Click here.

These days you need protection – get the ESET CyberSecurity for Macintosh Trial today!

Windows 7: Internet Explorer Security Settings are Blocking Downloads

If you are trying to download files – any files, and the Internet Explorer message pops up that your current internet settings prevent this file from downloading – try the following to reset your Internet Explorer Security Settings.

Here is a step-by-step guide – with screen-shots – click each image for a larger version and detailed instructions:

1. open Internet Explorer Settings:

open Internet Explorer

2. open Internet Options:

Select Internet Options from the Settings menu

3. Reset all zones – then click Apply and then OK:

Security Tab | Reset | Apply | OK

4. Click the Advanced tab, reset the advanced settings, then reset Internet Explorer settings:

Advanced Tab | Reset advanced settings | Reset

5. Check the box for “Delete Personal Settings” inside the Internet Explorer Reset Window – then click Reset

Reset Internet Explorer Settings | Delete personal settings | Reset

Then RESTART your computer. If you are still unable to download files or programs – call support.
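The full reset above works, but it throws away every other setting to fix one. The message in the post comes from a single zone setting: action 1803 (“File download”) in the URL security zone settings, where 0 = enable, 1 = prompt and 3 = disable. The PowerShell below, an added example that is not from the original post, reads that value for all five zones in every place Windows looks (user, machine and Group Policy keys) so you can see which one is blocking, and fixes only the current user’s Internet zone. The zone numbers and the 1803 action are Windows’ own; the policy paths apply only when a GPO has set them.

```powershell
# Added example (not from the post): read and repair the "File download" zone setting.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$Base      = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots = @(
    @{ Scope = 'User (HKCU)';       Path = "HKCU:\$Base" }
    @{ Scope = 'Machine (HKLM)';    Path = "HKLM:\$Base" }     # used when Security_HKLM_only is set
    @{ Scope = 'Policy (HKLM)';     Path = "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" }
    @{ Scope = 'Policy (HKCU)';     Path = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" }
)

function Get-FileDownloadSetting {
    foreach ($r in $Roots) {
        foreach ($z in 0..4) {
            $key = Join-Path $r.Path $z
            if (-not (Test-Path $key)) { continue }
            $val = (Get-ItemProperty -Path $key -Name '1803' -ErrorAction SilentlyContinue).'1803'
            if ($null -eq $val) { continue }
            [pscustomobject]@{
                Scope   = $r.Scope
                Zone    = "$z ($($ZoneNames[$z]))"
                Value   = $val
                Meaning = if ($Meaning.ContainsKey([int]$val)) { $Meaning[[int]$val] } else { 'unknown' }
            }
        }
    }
}

function Enable-InternetZoneDownloads {
    # The targeted version of step 3: only the current user's Internet zone (3).
    # A value under the Policy keys wins over this and has to be changed in the GPO.
    $key = Join-Path "HKCU:\$Base" 3
    Set-ItemProperty -Path $key -Name '1803' -Value 0 -Type DWord
}

Get-FileDownloadSetting | Format-Table -AutoSize
# Enable-InternetZoneDownloads      # uncomment once the table shows zone 3 as disabled or prompt
```

Zone 4 (Restricted sites) shows “disabled” on a healthy machine; that is its default. If zone 3 is already enabled and downloads still fail from one site, check whether that site has been mapped into the Restricted zone under Internet Settings\ZoneMap\Domains rather than resetting everything.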