
Thread: ZA Extreme - Rogue PDFs

  1. #1
    kathym (Guest)

    ZA Extreme - Rogue PDFs

    ZA Experts,

    I have ZA Extreme, Windows XP SP3. I just installed latest version 9.3.037 last night. I have virtualization enabled (before updating and now).

    I have been having some issues with rogue PDFs showing up at my doorstep - asking to be downloaded. I assume they are served via some 3rd party malicious code injected at a website I've visited. (I frequently clean my cache as well as use the Clean Up disk utility, as well as scan for viruses)

    ZA's Download dialog will reference the PDF file name and a domain I've never been to. (These domains are generally brand new... days old). Last night, upon returning to my PC after dinner, a Green screen was displaying from ZA. A rogue PDF must have arrived, "run" I assume, was initiated, and ZA must have scanned the PDF and determined it to be "safe"... The prompt left for me was "Do you wish to Open it?"

    Thus, I've been testing my setup and updated ZA* (although I have automatic update ON, I wasn't aware of an upgrade until I manually initiated product "update")

    I've also been experimenting with my IE8 addon settings. I tested my setup by downloading a few PDFs that I have created and uploaded to my own website. (Virtualization ON). When I go to my Temp>IswTmp>DwlRun directory, I can see the PDFs there.

    ***BUT, when I clear Virtualization - via ZA Toolbar > Settings > Clear Virtualization, the PDF files are still there. Aren't these supposed to be deleted, too?***

    Meanwhile, I updated my Firefox, looking forward to using it with "No-Script" -- however, upon its update, Firefox won't run. And from what I have read -- I will need to reinstall along with all the extensions I had. The reason I had not been using Firefox, was I mistrusted the ZA toolbar was really functioning properly with all the conflicts between these 2 programs.

    Sorry for the long post. Any advice is appreciated!
    Thanks,
    Kathy

  2. #2
    Join Date: Nov 2004 | Location: localhost | Posts: 17,287

    Re: ZA Extreme - Rogue PDFs

    Not really clear how the rogue can infect the system, since changes to the system will be denied if based on a drive-by download (no user input). If, however, you have agreed to install anything on the system, then it's too late and virtualization will not save you....

    Please follow all steps as suggested here below to clean your system properly: Malware Clean-up Guidance

    And to maximise your protection see here:
    xyz was not detected. What I should do?

    Are you running the latest version of adobe reader X? If not, you should update.
    Latest version of Adobe contains a sandbox that will prevent by default the majority of infections. http://get.adobe.com/reader/

    P.S. If you are running ForceField with virtualization ON you do not need NoScript. Otherwise there is no use in turning ON ForceField in ZA.

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date: Dec 2002 | Location: San Carlos, California | Posts: 1,636

    Re: ZA Extreme - Rogue PDFs

    Hello,

    We're looking into your main question.

    The second question about the add-on NoScript: we have had compatibility issues in the past with that Firefox add-on and ForceField.


    Forum Moderator

  4. #4
    kathym (Guest)

    Re: ZA Extreme - Rogue PDFs

    Hi Fax,

    Thanks for your reply.

    From what I can tell, my system is Not infected. I just now ran a scan which came up clean. I have not agreed to install (or even view anything) and have been using virtualization all along.

    But upon returning to my PC last night -- a green screen from ZA was displaying "safe to open" a PDF I never requested. In this instance I had no involvement. (BTW, I didn't open the PDF).

    I have Adobe CS3 which includes Acrobat Professional version 8 and it bundles in Reader. I have the latest updates for my product. Additionally, I have adjusted Security settings for it (including, not allowing Javascript). I have read however that the Sandbox feature is not so-good with Windows XP (which I have) and that Sandbox functions optimally with Vista. I have the latest Windows updates as well as Java (though it is disabled).

    Per the link you sent me, the only thing I haven't been doing is setting my updates to every 30 minutes... which will be disruptive.

    QUESTION 1:
    When I clear virtualization: shouldn't files in IswTemp > DwlRun be cleared out? (I tested this by viewing my own safe PDFs at my website, which upon viewing them added them to DwlRun Directory... but they did not delete after running "clear virtualization")

    QUESTION 2:
    Should Virtualization and my PC have stopped the rogue PDF from downloading to IswTmp>DwlRun folder? And is this folder ZA's "Sandbox" (granted, the file was never opened) ZA also scanned it and determined it "safe".

    QUESTION 3:
    If I opt to use Internet Lock as a habit, is it possible to allow email to pass through, as well as ZA? Thoughts?

    QUESTION 4:
    If I CHOOSE to use Firefox and NoScript over ZA... and don't enable the ZA toolbar/virtualization in Firefox, will ZA Extreme provide any level of protection for this browser? I prefer that, site by site, I can allow Flash and scripts. I remember earlier versions of ZA allowed this control. Now, I use ZA as my virus protection (no McAfee, Norton, etc.).

    Thanks again,

  5. #5
    Join Date: Dec 2002 | Location: San Carlos, California | Posts: 1,636

    Re: ZA Extreme - Rogue PDFs

    Hello,

    1. We don't know; it's not a listed feature for ForceField, so probably not, but we're still verifying.

    2. No, it does not stop it from being passed to the PC; it just puts the threat in a virtualized session and files to keep it off the main PC.

    3. Internet Lock is not advised at all. It will cause your PC to lose its internet connection and crash other components of the OS. This is an old relic feature from the 2.0 days and really only worked well on Win 95. Use at your own risk; it's also not supportable if you have issues with it.

    4. Mainly protection from AV; the OS firewall is what protects you.
    You should not buy security software to rely on 100% to protect you so you can roam the internet with no fear.

    It's still your responsibility to use common sense and not go to websites that are not mainstream, filled with ads or porn, or located in countries that are known for such bad websites.

    There is no software in the world that can protect you 100% so you can just surf anything you want or download anything you want. You as the user have to be responsible also to have a threat-free experience on the internet (or as close as possible to threat-free).


    Forum Moderator
    Last edited by Forum-Moderator; December 8th, 2010 at 01:12 PM.

  6. #6
    kathym (Guest)

    Re: ZA Extreme - Rogue PDFs

    Hello Moderator,

    Thanks, and I am following up.

    I'm still a little unclear about this:
    Is the folder "Temp/IswTmp/DwlRun" ZA's virtualization sandbox?

    If I use Firefox and NoScripts -- Will I still get basic protection from ZA (Virus Scan and Program Control?) - just not virtualization?

    *****************************************

    Re: my expectations from ZA, I am aware that nothing is 100% and a user's responsibility and common sense is required. I think I have both responsibleness and common sense.

    All I'm really wanting to rely on is that "NO-Scripts" run on my PC without my permission. I don't think that is out-of line.

    I do spend a lot of time online, and I look at a Google link before I click, and most of the sites I visit are mainstream sites and tutorials. I don't visit porn sites, nor poker, nor games, shareware, music, nor celebrity sites nor foreign domains. I don't click on ads, nor links in emails. I could go on.

    I have read that malicious PDFs are the number one growing vulnerability by the numbers.

    *************************************
    Also, Can you please advise me about the following: THANK YOU.

    AFTER I replied to Fax, I ran a SuperScan in Safe Mode.
    And yes,
    ZA DID detect 3 Trojans - but I'm thinking they are false positives.
    They are 3 instances of "Heur:TrojanWin32.Generic". The files, I believe, are legitimate exe files of a quality program I have purchased, "Movavi Video Suite ver 8".

    Kaspersky advises to take heuristic-identified threats seriously, but w/o looking at them cannot tell me if they are legitimate, and from their site advises users to send them in for inspection.

    How do I do THAT?

    I read that Quarantined files aren't moved but extension is renamed. I do not see any files in the original path that appear to be the quarantined files.

    These 3 files: ChiliBurner.exe, ScreenCaptureME.exe, and VideoCaptureME.exe resided in Program Files>Movavi Video Suite 8 folder. I'm tempted to just restore them, but I want to understand how to submit them, if I want to play it safe.


    Kathy

  7. #7
    Join Date: Nov 2004 | Location: localhost | Posts: 17,287

    Re: ZA Extreme - Rogue PDFs

    Originally Posted by kathym:
    "I'm tempted to just restore them, but I want to understand how to submit them, if I want to play it safe. Kathy"
    Hi!

    Please review the board here; you will find some of the questions already answered. For example, How to diagnose and/or report antivirus/antispyware false positives.

    BTW, other users here reported no issues with the ForceField latest version and NoScript latest version.

    Originally Posted by kathym:
    "All I'm really wanting to rely on is that "NO-Scripts" run on my PC without my permission. I don't think that is out-of line"
    That is legitimate but not needed with virtualized environments. Actually it is sort of old-fashioned and time consuming. Most modern web pages need scripts to run to be viewed properly, and most infections come from legit and safe sites and not new or malware sites. So, NoScript has limited scope in this scenario where you have already granted permission.

    Originally Posted by kathym:
    "I have read that malicious PDFs are the number one growing vulnerability by the numbers."
    Yes, for this reason Adobe has issued a new version of their Adobe products (version 10) that provides protection for this. A pity that you are running an old version that does not have this feature.

    Fax
    Last edited by fax; December 8th, 2010 at 11:57 PM.


  8. #8
    Join Date: Dec 2002 | Location: San Carlos, California | Posts: 1,636

    Re: ZA Extreme - Rogue PDFs

    Here is some detailed info on how ForceField handles files that are downloaded in a browser.

    ForceField should not automatically download files; it should be done only by user request.
    The ForceField downloader works in the real file system and it cannot be controlled from the virtualized browser. So even if some malware inside the virtualized browser tries to start a download, it will not be able to do it.
    Files in DwlRun are temporary and should be removed during a ForceField restart. This folder is used by the downloader to export files from the virtual file system to the real file system.
    Clearing the virtual cache does not remove downloaded files.

    Hope that helps explain how Forcefield is designed to work with downloaded files.


    Forum Moderator

  9. #9
    kathym (Guest)

    Re: ZA Extreme - Rogue PDFs

    Hi Fax,

    Thanks again, but what I do not understand is *HOW* to upload the files in quarantine. My only options there are "Delete, Restore, or More Info"

    I had read in the forum before posting that the files aren't actually moved but renamed. If so, I cannot find these files in their original paths -- or any files that might be renamed versions.

    Do I need to "Restore" them before I can submit them? That doesn't make sense.

    Can you help me understand this?

    **********

    Regarding Reader, I am frustrated that Adobe bundles Reader updates with CS3, from what I can tell. So other people are using the free Reader version 10, and I am stuck with upgrading and patching an older version because I purchased CS3. Unlike Flash (also part of CS3), I have the latest version flash player accessed by my browser. But from what I read, my Reader is patched with the latest security updates for its version.

    I believe I had tried in the past to install Reader separately, and that it caused problems. If anyone has any advice about this (other than purchasing CS5) I would be grateful.

    **********

    Regarding NoScript and your comments: Thank you for mentioning that infections often come from legitimate sites. As it turns out, my PC was not infected, but it just didn't stop PDF/ZA dialog boxes greeting me, like an unwanted pop-up.

    Yes, it would be a hassle to have to allow a script each and every instance. From my experiences though, I would like a little more control to allow only certain Flash elements, and toggle JavaScript on/off. And I think I remember seeing this w/Google Chrome? A lot of sites are designed to degrade gracefully with JavaScript off.

  10. #10
    Join Date: Nov 2004 | Location: localhost | Posts: 17,287

    Re: ZA Extreme - Rogue PDFs

    Originally Posted by kathym:
    "As it turns out, my PC was not infected, but it just didn't stop PDF/ZA dialog boxes greeting me, like an unwanted pop-up."
    As highlighted by the moderator, that pop-up can only come from a user action. So, maybe you have not realised it, but you have clicked on a link to download a PDF (probably by mistake?)... Actions by malware in the background cannot trigger that pop-up but will be blocked silently by default.

    Yes, you need to restore the file before submitting them. Restoring does not mean executing, the files cannot harm your system simply by restoring them.

    Submit the files to Kaspersky, a malware expert will answer you with a diagnostic (false positive or not).

    Fax
