HP Forums
Emu48 : Malware infection or more false positives? - Printable Version

+- HP Forums (https://www.hpmuseum.org/forum)
+-- Forum: Not HP Calculators (/forum-7.html)
+--- Forum: Not quite HP Calculators - but related (/forum-8.html)
+--- Thread: Emu48 : Malware infection or more false positives? (/thread-15737.html)

Emu48 : Malware infection or more false positives? - Jonathan Busby - 10-14-2020 10:32 PM

Due to my move to Colorado, I had to pack up my Intel NUC Linux system. I was running Windows 10 in a VM on that system and I had Emu48 installed with no problems. Today, I installed Emu48, downloaded directly from Christoph Gießelink's web site, and I got the usual, but innocuous, "Windows protected your PC" warning -- this is just Microsoft's "SmartScreen"'s essentially reporting that the executable isn't known to Microsoft due to its hash code being unknown, the executable not being digitally signed or having an invalid or otherwise untrusted / unknown digital signature with respect to Microsoft's database of executables etc. Anyways, I'm running Windows 10 Pro x64 and this is the first time I've installed Emu48 on this particular Windows machine. After installing Emu48 with no problems and then configuring it and using it successfully, I tried to save Emu48's system state to an e48 file, but the file save dialog box locked up. After a few moments, I received a notification from Acronis True Image 2021 that the Emu48 executable had been "paused" because of a "Possible ransomware attack" or something to that effect. The "affected files" were just a bunch of Windows 10 icon cache files in my user profile directory. I let Acronis True Image block the Emu48 executable and then I did some further investigation : First, the installer file found on http://www.hpcalc.org and on Christoph Gießelink's own web site are the same. Secondly, I also have the latest version of ESET NOD32 Antivirus installed on this Windows 10 system as well as the latest version of Malwarebytes Premium and they detected nothing. Thirdly, I submitted both the installer and the Emu48 executable to VirusTotal and only *one* of the dozens of malware / virus protection / scanning engines / apps detected said files as "malicious". This leads me to believe that Acronis True Image's supposed "advanced" ransomware detection engine, which various technical reports cite as having a very low false positive rate, is indeed generating bogus results.

In the same vein as the above, a few weeks ago, after an update to Malwarebytes, Malwarebytes started blocking access to http://www.hpcalc.org and flagging it as a "trojan". I emailed Eric Rechlin and he reported that I was at least the fourth person in the past few months to report such behavior. I then had to whitelist http://www.hpcalc.org.

In conclusion, I really think that Emu48 being reported as being infected with ransomware is another bogus false positive, but I just wanted to be sure.

If anyone else can reproduce this behavior or has experienced anything similar I'd appreciate hearing about it ( I'm paranoid as *nothing* like this ever happens to me on Linux, and, I have been burned by Windows before with a rootkit infection ).



RE: Emu48 : Malware infection or more false positives? - CMarangon - 10-15-2020 03:54 AM


In the worse situation all you need to do is save data and reinstall Windows 10.

Please see your e-mail or private message page in this forum.
I sent you a private message.

Sincerely yours,

Carlos (BR)

(10-14-2020 10:32 PM)Jonathan Busby Wrote:  -----------I DELETED TEXT Because it was too LONG ---------


RE: Emu48 : Malware infection or more false positives? - Jonathan Busby - 10-16-2020 05:18 PM

(10-15-2020 03:54 AM)CMarangon Wrote:  Hello!

In the worse situation all you need to do is save data and reinstall Windows 10.

First, I seriously doubt that the Emu48 installer executable available from http://www.hpcalc.org and Christoph Gießelink's own web site would *both* be infected with malware, although anything's possible.

Secondly, I've put both files and their embedded Emu48 executables through Malwarebytes and ESET NOD32 as well as Virustotal's dozens of virus scanners, and the only positive result for malware was from just *one* detection engine on Virustotal, so, I think that result is probably bogus ( also, it was from some obscure virus scanner that I'd never heard of ).

Thirdly, if this is a worst case scenario, and my machine was infected by ransomware, then I'd surely know it by now. Also, due to how most ransomware works, just "save data and reinstall Windows 10" would not work as the data would have all been encrypted, with the encryption key being held by the author of the ransomware -- in essence, all my data would be toast.

As it is now and as far as I can tell, nothing has been maliciously altered on this Windows 10 machine. Still, I'd appreciate it if some else who's running Windows 10 Pro x64 and also Acronis True Image 2021 would try installing the latest version of Emu48 and then try saving Emu48's state to a file to see if Acronis True Image behaves the same -- it would really ease my mind Smile