
Christian Mairoll

Emsisoft Employee

Posts posted by Christian Mairoll

  1. The statement on MalwareTips couldn't be further away from the facts.

    Our update system was actually one of the first in our industry to implement advanced manipulation protection, 13-14 years ago, long before SSL became common and at a time when most AVs just had plain and easy-to-manipulate file listings to get their updates.

    This is how we protect the update trust chain:

    1. Update files are encrypted when published, but that's mainly to protect our intellectual property, not to defend against hackers.

    2. All files are hashed and named by their checksum on our servers.

    3. Updates are generally delivered as differential/fragment files that only match with non-manipulated older file versions already on your computer.

    4. The update API on our servers provides a list of hashes of all files of the product. The API output is digitally signed, so if it was manipulated, the software would stop the update right away.

    5. The software downloads all files that have different hashes than the locally existing files. At that point, any locally made manipulations would be overwritten.

    6. Downloads are through HTTPS, e.g. (https://dl.emsisoft.com/updates/CCB6E1DBF0D8220FEF38A77189CC7BB1.dat)

    7. After downloading, the software verifies if the hash in the earlier provided download listing matches the actual hash of the files. If there were any manipulations in the download process, e.g. through SSL interception, the files would be rejected at that point.

    8. Binary files are also digitally signed, which means if anything gets manipulated on client side, the software won't run anymore and Windows would immediately alert that it's down.

    Only if a file can be guaranteed to be an original from Emsisoft is it installed. Note that the described security model doesn't even need SSL to be bullet-proof. We just added SSL because it's freely available with our hosting provider.


    Btw. the download protocol can be viewed with tools like FiddlerTool (JSON/RAW view), so you can easily verify the above information by yourself. 

    We do, however, have a Bug Bounty program. If anyone can get me a working proof that they were able to manipulate our updates, a big cash reward is waiting for them!
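The trust chain described in steps 4 to 7 above, as an added example that is not Emsisoft's code: a signed hash listing is verified before use, only files whose local hash differs are fetched, and a downloaded body is rejected when its hash does not match the listing. The manifest format, the SHA-256 choice and the signing key are assumptions; HMAC stands in for the product's digital signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed key for the demo. Assumption: the real listing is signed asymmetrically
# (only the vendor can sign); HMAC stands in here so the example runs offline.
MANIFEST_KEY = b"constructed-demo-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(file_hashes: dict) -> dict:
    """Server side (step 4): publish the per-file hash listing with a signature over it."""
    body = json.dumps(file_hashes, sort_keys=True)
    sig = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_manifest(signed: dict) -> dict:
    """Client side (step 4): any change to the listing breaks the signature and stops the update."""
    expected = hmac.new(MANIFEST_KEY, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("manifest signature mismatch: update aborted")
    return json.loads(signed["body"])


def plan_update(manifest: dict, local_files: dict) -> list:
    """Step 5: fetch every file whose local hash differs, which also overwrites local tampering."""
    return sorted(name for name, h in manifest.items()
                  if sha256_hex(local_files.get(name, b"")) != h)


def download_name(manifest: dict, name: str) -> str:
    """Steps 2/6: files are addressed by checksum on the server (naming scheme is an assumption)."""
    return manifest[name].upper() + ".dat"


def accept_download(manifest: dict, name: str, data: bytes) -> bool:
    """Step 7: a body altered in transit (e.g. TLS interception) no longer matches the signed listing."""
    return hmac.compare_digest(sha256_hex(data), manifest[name])
```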


  2. We're working on getting our name on that vendor listing page again (we've been there for Windows 7, but the requirements have changed significantly since). Unfortunately there are lots of political hurdles to pass, but we're confident that we will be there again, sooner or later. Being on that list has no advantage for our users though, it's a simple marketing opportunity that MS offers to selected vendors. To avoid bias and preference the list re-sorts randomly with each page refresh.

    To answer your question on WSC APIs: Yes, MS is aware of all AVs and they strictly limit access to those APIs to vendors that meet their (rather arbitrary and quite expensive) requirements. The chain of trust goes very deep into the Windows core though, so it can't be easily misused by fake AVs.


  3. Introducing three new security management modes. Local-only for cloud-less protection, local and remote for maximum efficiency and convenience, and remote only for enterprises who require a trimmed down endpoint protection agent.

    The post New in 2020.5: ‘Local only’, ‘local + remote’ or ‘remote only’ security management appeared first on Emsisoft | Security Blog.


  4. Just a quick update on that problem. I reached out to the Mozilla support about the misleading wording of that warning message and they replied:


    We are actually running some tests with updated wording. If all goes well we might have some updates on that soon enough.


  5. Here is more on how the selection process works: https://support.mozilla.org/en-US/kb/recommended-extensions-program

    At the moment, there seem to be only 99 (!) extensions in their 'recommended' list. Which sounds to me like a huge monopoly game to push a few big players and keep doors closed for smaller vendors. They are currently actively discrediting thousands of harmless extensions. I wouldn't expect that the Emsisoft Browser Security extension will suddenly end up in their recommended list any time soon, sorry. Use Chrome...


  6. Turns out the addon store now tags all extensions that way, unless they are manually verified (which can neither be requested nor sped up, not even with money).

    The wording is strongly misleading. It basically only says that the extension is not in the group of their 'Recommended Extensions', it does NOT say that the extension 'isn't recommended to use'.

    Whoever invented that label at Mozilla deserves an award for broken UX design...


  7. To put things in perspective a bit: Within the first month after the launch of the Cloud Console we already accumulated more active users than for the entire life span of the on-premise Enterprise Console. The advantages of a cloud based solution clearly outperform the potential data safety risks for the majority of users.

    It just doesn't pay off for us as a rather small team to continue maintaining the on-premise product. I'm sorry if that's a disappointment for some customers, but at the end of the day we also need to make a reasonable income with our products to pay our wages. 


  8. At the end of the day, no technical or organizational measure can truly guarantee that your data will never be hacked or leaked, which is why we always design our systems with the expectation that it may get hacked one day. However, it's in our hands to reduce the potential surface for attacks significantly. In particular (among other general security principles), we make sure that:

    • Only one person in our company (that's me, as acting managing director) has full access to our main customer database servers, with one technical management person in backup for emergency situations only. Regular software developers don't have access at all. We manage our critical cloud servers by ourselves without third parties having access to them.
    • Developers can never access our production servers directly, all new code exclusively goes through our code repository and build processes that log all changes. So if someone would be tempted to sneak in bad code, we could easily trace it down to a person.
    • We do have strict data protection protocols in place with all our team members. The fact that someone works remotely doesn't change anything from a legal perspective; they are still members of our team just like someone who would be sitting in an old-school office.
    • We design our software to only process the least amount of information required to achieve the software's purpose. We don't collect random data just because we can. Our software never sends any customer files to Emsisoft servers without the user's permission. We are only interested in executable files and don't send any files that contain personal information (documents, user data files, etc). In most situations, we don't even transfer files but work with calculated hash values and meta data only.
    • Our browser extensions don't submit the complete website addresses that a user visits, but only send hashes of URL fragments that may or may not match. At no point does Emsisoft know if and which exact URLs are detected as malicious or fraudulent. So we're unable to create extensive user profiles based on web browsing habits.

    As I said before, those are still no perfect guarantees, but that's the best we can do. The fact that Emsisoft is a rather small team of 40 also somewhat reduces the risk for you as a customer, compared to many of our competitors that have more than 1000 people on their payroll, each of them posing a potential risk for data exfiltration. My observation is that business size and the unavoidable, exponentially growing complexity of systems are among the main reasons for security problems these days.

    Back to your initial concerns about cloud solutions: The main advantage of cloud based AV management solutions is that if it ever happens that your device gets infected, you still have an off-site record of what happened. Even if the entire device gets encrypted or wiped, you still have a full action log stored in the Emsisoft Cloud Console, which potentially allows you to forensically trace an infection back to its origin.

    Hope that helps.
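The URL-fragment hashing described in the post above, as an added example that is not Emsisoft's extension code: the browser derives lookup fragments from a URL, sends only short hash prefixes, receives every full hash the server holds under those prefixes, and decides locally. The fragment scheme, the 4-byte prefix and the blocklist contents are constructed assumptions; the post only states that fragment hashes which may or may not match are sent.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption (not stated in the post): only a short hash prefix leaves the browser.
PREFIX_BYTES = 4


def url_fragments(url: str) -> list:
    """Lookup keys for a URL: host suffixes combined with path prefixes (constructed scheme)."""
    parts = urlsplit(url.lower())
    host = parts.hostname or ""
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    segments = [s for s in parts.path.split("/") if s]
    frags = set()
    for h in hosts:
        frags.add(h + "/")
        cur = ""
        for seg in segments:
            cur += "/" + seg
            frags.add(h + cur)
    return sorted(frags)


def full_hash(fragment: str) -> bytes:
    return hashlib.sha256(fragment.encode()).digest()


def client_request(url: str) -> list:
    """What is sent: hash prefixes only, so the server cannot reconstruct the visited URL."""
    return sorted({full_hash(f)[:PREFIX_BYTES] for f in url_fragments(url)})


class BlocklistServer:
    """Server side: indexes full hashes of known-bad fragments by prefix (constructed blocklist)."""
    def __init__(self, bad_fragments):
        self.index = {}
        for f in bad_fragments:
            h = full_hash(f)
            self.index.setdefault(h[:PREFIX_BYTES], set()).add(h)

    def lookup(self, prefixes):
        """Returns every full hash under a requested prefix; the server never learns which, if any, matched."""
        hits = set()
        for p in prefixes:
            hits |= self.index.get(p, set())
        return hits


def client_is_blocked(url: str, server: BlocklistServer) -> bool:
    """The verdict is computed locally by comparing full hashes against the server's candidates."""
    candidates = server.lookup(client_request(url))
    return any(full_hash(f) in candidates for f in url_fragments(url))
```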


  9. A brief addendum from a business perspective: Ultimately, our customers decide how long we will continue to support Windows 7. If the number of users falls below the significance threshold by January 2021, it makes no economic sense to keep maintaining the code for it.

    Keeping Win7 support ultimately slows down our entire product development, because we cannot use new operating system features or have to build elaborate workarounds. Those are resources we would rather invest in developing new security features that benefit everyone.

    So it is always a weighing of the interests of the majority of our customers. The displeasure of individuals who are directly and negatively affected by such decisions is of course understandable, but unfortunately it changes nothing about the situation.

