A way of testing viruscope recognition and reversal

In Explorer++ you need to

  • move Explorer++.exe to a new folder
  • create a registry autorun entry for Explorer++ using Explorer++ or a copy of regedit running from Explorer++
  • in creating the autorun entry you must use the new folder as the path

This is working. I can make it do it myself!

Can you please make a test on VIRUSCOPE

I began to doubt this feature is effective, because I tested a lot of viruses and it did not move, even one time.

They have not added many recognizers (rules) yet. I don’t like it either but there is nothing to do but wait.

Hi Ahmad. I have tested extensively.

I don’t think you will get many detections from malware yet, as there are few recognizers.

Using explorer++ in the right way should get alerts. I have done so reliably using another explorer substitute.

But I think you have difficulty understanding how to do it. Google Translate has limitations :)

If I get time I will post a video for you. That will allow me to try out Explorer++ as well.

Sanya if you are there, can you make VC trigger in Explorer++?

Best wishes

Mike

I haven’t tried, simply because I don’t understand how to make a file move itself since that action wouldn’t be allowed because that file is already running… ??? I assume there is a way but I guess I’m just not good at replicating malware behavior. 88)

Actually in admin mode you can just do it :slight_smile: Run ex++ as admin :slight_smile:

??? I’ll try it. ;D

Thank you very much
I will try again

Hmm no I still don’t understand. :embarassed:

Through explorer++.exe I cut it and pasted it in C:\Users\Sanya\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup … perhaps that’s not the autorun path or I’m just moving it in the wrong way? ??? Video? ;D

Was BB off? [edit: thanks for testing!]

I have used: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup for testing

Also try a menu based move if ex++ has it.

BB was off yes, explorer++ crashes in partially limited however I did try a right-click sandbox and still no pop-up from Viruscope. Will try that folder you said.

Edit:

I had HIPS off as well, and the other two BB settings - it works :slight_smile:

It won’t work FV

Path was: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

If you use ignore once, you’ll have to restart explorer++ before it will redetect.

Everyone please turn Cloud Lookup Off or it will get whitelisted

Here is a video

I set CIS like that and did what you did and still no Viruscope pop-up? ???

Edit: Is it too late if the SHA1 of the file is matched with a file on the Comodo File Intelligence? That would mean they already have the file no?

If you don’t like videos, steps are:

  1. Check you have HIPS off, BB disabled and “detect programs…” and “show privilege…” also disabled (I don’t think HIPS off is needed but let's see!)
  2. Check you have Cloud Lookup off
  3. Run Explorer++
  4. Run KillSwitch and check Explorer++ is running as unknown
  5. In Explorer++ navigate to the Explorer++ directory and select Explorer++.exe
  6. From the menu choose Edit ~ Move To and in the move directory selection dialog navigate to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  7. Press OK, you should get a VC alert
  8. Choose ‘Ignore once’ if you want to repeat the experiment and re-start Explorer++
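A defender-side check to go with the steps above (added here; it is not from the thread, from Comodo or from Explorer++): a PowerShell snapshot of the two Startup folders and the Run keys named in this thread, taken before step 3 and diffed after step 7, so the moved Explorer++.exe is visible even when Viruscope stays silent. The baseline file path and the SHA1 field are my assumptions.

```powershell
# Added example (not from the thread): snapshot the autorun locations the thread uses
# and diff them against a saved baseline, so an unknown executable that moved itself
# into Startup shows up even when no Viruscope alert appeared.
# Assumes Windows PowerShell 5.1+; the baseline path is a constructed default.

$StartupFolders = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",  # all-users folder used in the steps
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"       # per-user folder tried first in the thread
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',             # registry autorun entries from the first post
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$BaselinePath = "$env:TEMP\autorun-baseline.json"   # assumption: any writable path will do

function Get-AutorunEntries {
    # Startup folder contents, with SHA1 so a hit can be checked against file reputation
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Location = $folder
                Entry    = $_.Name
                Detail   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            }
        }
    }
    # Run keys: every value except PowerShell's own PS* provider metadata properties
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                [pscustomobject]@{ Location = $key; Entry = $_.Name; Detail = $_.Value }
            }
    }
}

function Save-AutorunBaseline {
    # Take this before running Explorer++ so the diff isolates what the test did
    ConvertTo-Json -InputObject @(Get-AutorunEntries) -Depth 3 | Set-Content -LiteralPath $BaselinePath
}

function Compare-AutorunBaseline {
    # Returns entries present now but absent from the baseline (new file, or changed hash/command)
    $known = @(@(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json) |
        ForEach-Object { "$($_.Location)|$($_.Entry)|$($_.Detail)" })
    Get-AutorunEntries | Where-Object { $known -notcontains "$($_.Location)|$($_.Entry)|$($_.Detail)" }
}

# Usage: Save-AutorunBaseline before step 3; Compare-AutorunBaseline | Format-Table -AutoSize after step 7.
```

A move within the same volume does not change the file's timestamps, which is why the script compares against a baseline rather than looking for recently modified files.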

Oh… fail… the recognizer .dll was missing from my computer… ??? (I’ve noticed that it gets downloaded now and then… does it delete itself or what?)

Hi Sanya. Try the text instructions - I can never follow videos myself :slight_smile: - if no alert then you have a bug :slight_smile:

I’ll try to work that one out later. Maybe the update fail deletes it? I have not tried to update. Reinstall should fix…

So I updated the recognizer (since it wasn’t present on the system) and then I tried again but still no VC alert. I then rebooted and tried again and now I get a VC alert. So my thought is that updated recognizers don’t become active until a system reboot… Just a theory.

Video of it working is available here: Testing Viruscope again. - YouTube


finally

Thanks for the video.