Fabian Wosar

Emsisoft Employee
Everything posted by Fabian Wosar

  1. I think you're not clear about what Behaviour Blocking is. Naturally Behaviour Blocking, i.e. behaviour analysis, can only detect behaviour that actually takes place. That means: the application has to be started and executed. We then step in as soon as something suspicious happens. In this case it is an informational alert (yellow). An autorun entry in itself is ultimately nothing bad or particularly worrying. Plenty of applications register themselves in the system so that they are started automatically at boot. The reason why it ends up in quarantine is ultimately the changes you yourself made to the configuration. Instead of showing an alert (default), you told EAM/EIS not to ask and to move everything straight into quarantine. I would recommend using the default setting. In that case you can then say directly during the installation that this is okay.
  2. Can you please post the relevant log entries from the File Guard log? Thanks.
  3. We aren't aware of any fileless infection at the moment that isn't blocked or detected by EAM.
  4. This is to be expected and not a bug. We scan many files in parallel to take advantage of modern multi-core CPUs. This means, unlike a lot of other applications, we do use all the resources provided by your CPU to finish scans quicker. So while other programs are capped at, for example, 25% CPU because they can only fully utilize one CPU core of a quad core system at a time, we are not. This is not due to poor coding on our part, but due to outdated and improper design of other, similar applications. If for any reason you do not want EAM/EIS to use all your CPU cores, you can adjust the performance settings and limit it to only certain cores or reduce the priority of our scan threads so they do not get in the way of other applications you run. Since we do scan multiple files at a time, it also means that we will need a lot more memory. If we are scanning eight 100 MB files at a time for example, we need 800 MB just to store the files' content. Again, you can adjust this value by tweaking the number of threads (which equals the number of files scanned in parallel) in the performance settings.
  5. EAM/EIS was still in the enumeration phase and the scan hadn't even started yet at that point. Therefore it can neither be paused nor stopped. Your stop request is queued though, which will cause the scan to be stopped at the next opportunity. In general both the stop and pause functions are not intended to work immediately. They are requests to the scan engine to perform these actions at the next opportune moment. The reason for that is that the scan engine needs to make sure things will be cleaned up properly and you don't stop it while it is holding important locks, for example, which could cause freezes. So in general it will always finish what it is doing at the moment (like finishing the scan of the files it is working on, or finishing obtaining the list of objects to scan) before it will actually adhere to the requests. To better reflect that inside the GUI, I suggest we disable the controls after they have been pressed once (at least in the case of stop) so people don't spam buttons.
  6. That's unfortunate. We got reports back from various other users though with the same issue that it is working correctly now. So I am going to close this issue as solved.
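The queued-request behaviour described in post 5 (enumeration runs to completion, a stop or pause request is recorded immediately but only acted on at the next safe point between files, and a file that is being scanned under a lock is always finished first) as an added illustration. This is not Emsisoft's code; the engine class, the event hook and the file list are constructed for the example and nothing here touches the file system.

```python
import threading
from typing import Callable, Optional

# Constructed sample input: paths with a fake size, standing in for a real tree.
SAMPLE_FILES = {
    "C:/Users/demo/a.exe": 120,
    "C:/Users/demo/b.dll": 300,
    "C:/Users/demo/c.zip": 900,
    "C:/Users/demo/d.txt": 10,
}


class ScanEngine:
    """Scanner that honours stop/pause requests only at safe points."""

    def __init__(self, files: dict, on_event: Optional[Callable] = None):
        self.files = files
        # Hook called at each step; the example uses it to issue requests
        # at a precise moment instead of racing a GUI thread.
        self.on_event = on_event or (lambda engine, event, obj: None)
        self.phase = "idle"
        self.scanned = []                 # files whose scan fully completed
        self._stop = False                # queued stop request
        self._resume = threading.Event()  # cleared while a pause is requested
        self._resume.set()
        self._lock = threading.Lock()     # held for the whole scan of one file

    # Requests return immediately; the engine acts on them later.
    def request_stop(self) -> None:
        self._stop = True
        self._resume.set()  # a paused engine must wake up to be able to stop

    def request_pause(self) -> None:
        self._resume.clear()

    def request_resume(self) -> None:
        self._resume.set()

    def _enumerate(self) -> list:
        """Enumeration is not interruptible: it always runs to completion."""
        found = []
        for path in self.files:
            found.append(path)
            self.on_event(self, "enumerated", path)
        return found

    def _scan_one(self, path: str) -> None:
        """One unit of work; the lock is never released half-way through."""
        with self._lock:
            self.on_event(self, "scanning", path)
            self.scanned.append(path)  # placeholder for the actual scan

    def _safe_point(self) -> bool:
        """Between units: service a pause, then report whether to stop."""
        if not self._resume.is_set():
            self.phase = "paused"
            self.on_event(self, "paused", None)
            self._resume.wait()
            if not self._stop:
                self.phase = "scanning"
        return self._stop

    def run(self) -> dict:
        self.phase = "enumerating"
        objects = self._enumerate()
        self.phase = "scanning"
        stopped = False
        for path in objects:
            if self._safe_point():
                stopped = True
                break
            self._scan_one(path)
        self.phase = "stopped" if stopped else "finished"
        return {"phase": self.phase, "enumerated": len(objects),
                "scanned": list(self.scanned)}


def stop_during_enumeration() -> dict:
    """Stop pressed while enumerating: queued, honoured once enumeration ends."""
    def hook(engine, event, obj):
        if event == "enumerated" and obj.endswith("a.exe"):
            engine.request_stop()
    return ScanEngine(SAMPLE_FILES, hook).run()


def stop_during_scan() -> dict:
    """Stop pressed while b.dll is scanned: b.dll completes, c.zip never starts."""
    def hook(engine, event, obj):
        if event == "scanning" and obj.endswith("b.dll"):
            engine.request_stop()
    return ScanEngine(SAMPLE_FILES, hook).run()


def pause_then_resume() -> dict:
    """Pause pressed during a.exe: engine pauses before b.dll, then continues."""
    events = []

    def hook(engine, event, obj):
        events.append(event)
        if event == "scanning" and obj.endswith("a.exe"):
            engine.request_pause()
        if event == "paused":
            engine.request_resume()  # in real use this comes from the GUI
    result = ScanEngine(SAMPLE_FILES, hook).run()
    result["paused_once"] = events.count("paused") == 1
    return result


if __name__ == "__main__":
    for scenario in (stop_during_enumeration, stop_during_scan, pause_then_resume):
        print(scenario.__name__, scenario())
```

The GUI suggestion in the post follows directly from this design: once `request_stop()` has been called the flag is already set, so pressing the button again changes nothing, and greying it out until the engine reports `stopped` is the honest way to show that.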
  7. Can you please perform an online update and then enable Secure Boot again to check that the problem is fixed with the latest update?
  8. We are following the Microsoft guidelines. If other products choose not to do that, that is fine but ultimately their business. Microsoft specifically asks AV vendors not to meddle with Windows Defender as it is supposed to disable itself the moment any other AV becomes active. If it doesn't work for whatever reason on your system, I suggest filing a support request with Microsoft.
  9. That is correct. In version 11 we are currently only updating the signatures for Surf Protection and the certificate list in preparation for version 12. Ultimately the file signatures in version 11 are fairly restrictive, which makes efficient and above all long-lasting detection impossible. So we can either generate signatures for the old engine that are already useless or redundant minutes later, or use our resources to build the new database for version 12. We decided on the latter.
  10. People upload a lot of logs that may or may not contain private information. Therefore only employees are allowed to download attachments uploaded to the beta forum, similarly to the way the malware removal and submission sections are set up.
  11. The submit feature has been abused by people in the past far too many times. In the end, 99.99% of the files people submit through it are just garbage. Are there a handful of people who may have used it for its intended purposes? Yes. But the overwhelming majority just uploaded a bunch of garbage, combined with support requests etc., and just got upset if nobody replied to them. It's simply not worth the trouble it causes.
  12. Just because some product calls it ransomware doesn't mean it has to be. There are dozens of reasons why this could have happened. The most likely one, given the fact that none of the files were even encrypted, is that the ransomware's C2 servers have simply been taken down already. So the file would never actually encrypt anything, which is kind of what we are looking for. There are also several ransomware families out there that simply will not attempt to encrypt any files if the system is running EAM. Cerber being one of those families for example.
  13. Okay, thanks for checking. Just wanted to make sure it's not the same issue as here: http://support.emsisoft.com/topic/25232-not-working-file-guard/
  14. Are you using UEFI in VMware with Secure Boot enabled? What happens when you try to start any of the drivers by running the following command: sc start epp
  15. To be more precise: Do you run a fresh install of Windows 10 AU (no upgrade) on a system using UEFI with Secure Boot on?
  16. Wildcards in exclusions will be a feature in version 12. Beta will start soonish (weeks, not months).
  17. Can you post a screenshot of your behaviour blocker log and your whitelist dialog, please?
  18. On the AV-C test: There was a problem with the test setup in that test. It's not entirely clear whether AV-C's automated test system or EAM failed. However, there were 13 samples that were classified as not detected. Neither AV-C nor we could reproduce the problem, which is why after a retest all "misses" were reclassified as "user decisions". However, the classification is also misleading. The problem is that our cloud could have answered most of the queries automatically. However, all retests were carried out without the cloud, because we could of course cheat and blacklist all the files in the cloud, and AV-C has no way of rolling our cloud back to the state at the time of the original test. False positives were caused by setups that are double signed. EAM had problems in that case correctly recognizing the digital signatures. That problem has since been fixed, though.
  19. You're picking out one of the three reasons I gave you for differing on-demand performance. Which of them applied exactly at that point in time, nobody can tell you, because by the time we received the samples, all of them were already detected. In general it is extremely difficult to turn back time to, for example, replicate the exact cloud status at the time of the scan and check why product X detected a sample but we didn't.
  20. If I remember correctly, 3 samples that belong to the same family and are spread in the Latin American region were not detected. The downloaders were based on Java. The command line parser did not understand the syntax with which the applets were executed. Accordingly the behaviour was attributed to Java, which we explicitly trust. The malware that was downloaded by the downloaders was detected and blocked, but AV-T did not accept that. The problem was fixed with version 11.8, which is then also reflected in the June results. Different scan settings, different signatures (we lag about 15 minutes behind BD, for example, which with hourly updates from BD means that 25% of the time we have "outdated" signatures compared to BD), as well as additional scan technologies (keyword: cloud) certainly make a difference. In general, though, the significance of on-demand scan tests is rather irrelevant for us.
  21. Microsoft does not want users to run more than one anti-virus application. That is why they asked their AV partners to implement a certain switch that all AVs that want to be listed as compatible with Windows 10 AU need to adhere to. If you enable Windows Defender, EAM turns off. If you enable EAM, Windows Defender turns off. If you run Kaspersky and EAM for example, once Kaspersky updated to be fully Windows 10 AU compliant, Kaspersky will turn off the moment you turn on EAM and vice versa. That's all.
  22. We have been on top of Redstone for the past couple of months now. Both EAM and EIS have been working without any issues. That being said, as Peter mentioned, there is no final release yet. So we don't know if Microsoft is throwing one of their infamous curve balls like suddenly breaking NDIS5 as they did with Windows 10.
  23. Patch just means that a problem or bug was fixed. It's definitely a bug. Then we agree to disagree. Well, all it should tell you is that someone tries to create hype for their Black Hat talk. The actual problems they found haven't been published at all. Just a lot of "look at me, we are going to release something at our talk at Black Hat".
  24. You are aware that the issue found is not a vulnerability in itself, right? The only way it could ever play a role is if an application would be already vulnerable to something else as it only makes exploitation easier, not allow exploitation to take place in the first place.
  25. Check here: http://blog.ensilo.com/intrusive-applications-6-security-to-watch-out-for-in-hooking