bocl

How an automatic decision is made?


Hi,

 

From Mamutu "Help":

 

  • Intelligent alert reduction - Mamutu performs a technical analysis of
    the program file for a reported program to determine if this is a benign
    program. Good examples of false alerts are Explorer.exe (Windows Explorer),
    Internet Explorer or Firefox. When starting, all these programs exhibit behavior
    that is also used by Malware. For example, changing the browser settings or
    generating network traffic without a visible user interface. If intelligent
    alarm reduction is not activated, then warning alerts are generated each time
    these programs start. With activated intelligent alarm reduction, Mamutu
    recognizes that these are legitimate programs and does not generate warning
    alerts. The intelligent alarm reduction is deactivated by default because in
    rare situations it is possible that dangerous programs may also become active.
  • Community-based alert reduction - Mamutu relies on the intelligence
    of the masses. An online query to the Anti-Malware Network is made and the
    decisions of all Mamutu users on what to do with a reported program (allow,
    block, quarantine, exclude from monitoring) are displayed as a colored graphic.
    Mamutu uses this to provide a recommendation of how to proceed with the reported
    program.
  • You can use percentage threshold values to define whether a program is
    automatically blocked or permitted using community-based alert reduction. The
    default values are a threshold of 90% for each. If 90% of Mamutu users have
    allowed the program to start then it will be automatically allowed on your
    system and an application rule is created for future program starts.
  • Paranoid mode - Reports additional suspicious program starts and
    applications with a suspicious or Malware-similar file layout. The option is
    deactivated by default and is only recommended for advanced users.

 

So, in which situation is the white list /MD5 (which is downloaded regularly) used to automatically allow a behavior?

 

 

Thanks,

Claudiu


The white list is always used unless "Paranoid mode" is enabled.

Thank you for your answer;

 

You may need to modify the explanation associated with "Community-based alert reduction"; reading the "Help" it seems like a decision is made based on "....on the intelligence of the masses" 

 

It clearly says: "Mamutu relies on the intelligence of the masses.. An online query to the Anti-Malware Network is made and the decisions of all Mamutu users on what to do...Mamutu uses this to provide a recommendation of how to proceed." Not a word about "White List".

 

Furthermore, even though I selected a threshold of 90% for each, I never had a rule automatically created, even though the percentage was 100%; only the recommendation was "Allow" but the rule was never created automatically, like it says here:

 

"If 90% of Mamutu users have allowed the program to start then it will be automatically allowed on your system and an application rule is created for future program starts."

 

You may want to review this.

 

Thanks,

Claudiu


The help file is completely correct. Enabling or disabling that option does exactly what the help file advertises. You can actually turn off all alert reduction options and you will still end up using the white-list. The only option that has any influence on whether the white-list is used is the "Activate paranoid mode" option as I mentioned above.


Thank you for your answer!


Let’s clarify a little bit, please!


If I select “Community-based alert reduction” (and I make this selection based on the Help description: "You can use percentage threshold values to define whether a program is automatically blocked or permitted using community-based alert reduction") I expect that an application will be allowed or blocked STRICTLY BASED ON COMMUNITY (based on my threshold).

 

Where do you see “ WHITE LIST” mentioned here???


And really doesn’t make sense: if an application is white-listed by EmsiSoftware how is important what the community says????
I understand if the application is unknown to Emsi, now maybe the community can offer some help but is virtually impossible that an application is known to community but unknown to Emsi.



So, you have to decide if in “Community-based alert reduction” the decision is made based on your White List or based on the intelligence of the masses (as per Help).


Cannot be both…..

 

The logic dictates that should be like this:

 

Intelligent alert reduction -------------> based on behaviour AND White List

Community-based alert reduction ------------> based on behaviour AND intelligence of the masses

Paranoid mode --------------> based on behaviour

 


Thanks,



Claudiu



 


I expect that an application will be allowed or blocked STRICTLY BASED ON COMMUNITY (based on my threshold).

Then your expectations are off.

 

Where do you see “ WHITE LIST” mentioned here???

It isn't mentioned anywhere, because the option has no influence on whether or not the white-list is used.

And really doesn’t make sense: if an application is white-listed by EmsiSoftware how is important what the community says????

If an application is white-listed the community is never asked.

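The precedence described in the replies above, modelled as an added example (not Emsisoft's code and not part of the original posts): the whitelist is consulted first unless paranoid mode is on, and the community percentages are compared with the thresholds only for files the whitelist did not settle. The function and field names, the `>=` comparison, the rule lookup order and the sample data are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Settings:                      # hypothetical names, defaults per the help text
    paranoid_mode: bool = False      # "deactivated by default"
    community_reduction: bool = True
    allow_threshold: int = 90        # percent
    block_threshold: int = 90        # percent

def decide(file_bytes, whitelist_md5, community, settings, rules):
    """Return (verdict, source) for a program whose behaviour was reported.

    community: percentages such as {"allow": 97, "block": 3}, or None if offline.
    rules: dict md5 -> verdict; updated when a rule is created automatically.
    """
    digest = hashlib.md5(file_bytes).hexdigest()
    # Assumption: an existing application rule is applied before anything else.
    if digest in rules:
        return rules[digest], "rule"
    # Whitelist hit: allowed, and the community is never asked.
    # Paranoid mode is the only setting that switches this step off.
    if not settings.paranoid_mode and digest in whitelist_md5:
        return "allow", "whitelist"
    # Community verdict only for files the whitelist did not settle.
    if settings.community_reduction and community is not None:
        if community.get("allow", 0) >= settings.allow_threshold:
            rules[digest] = "allow"          # rule for future program starts
            return "allow", "community"
        if community.get("block", 0) >= settings.block_threshold:
            rules[digest] = "block"
            return "block", "community"
    # Nothing decided automatically: the user gets the alert.
    return "alert", "user"

# Constructed sample data, not real file contents or hashes.
KNOWN_GOOD = b"constructed sample: whitelisted program"
UNKNOWN = b"constructed sample: program unknown to the vendor"
WHITELIST = {hashlib.md5(KNOWN_GOOD).hexdigest()}

if __name__ == "__main__":
    votes = {"allow": 0, "block": 100}
    print(decide(KNOWN_GOOD, WHITELIST, votes, Settings(), {}))
    print(decide(KNOWN_GOOD, WHITELIST, votes, Settings(paranoid_mode=True), {}))
    print(decide(UNKNOWN, WHITELIST, {"allow": 60, "block": 40}, Settings(), {}))
```
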



 

Hi Fabian,

Thank you for your answer!

 

Unfortunately, not only my expectations are off but also my patience is wearing thin...


Why I am getting this alert then????


As you can see, the community said "100% deny", "Create a rule for this decision" is checked, threshold is 90%;


Theoretically I should never have been able to see such an alert and instead a "Deny" rule for the detected item should be created.


This is the purpose of "Community-based alert reduction" , to reduce the number of alerts!!!!!


Clearly says in "Help":


"You can use percentage threshold values to define whether a program is automatically blocked or
permitted using community-based alert reduction."



 

See there, says AUTOMATICALLY!!!!!!!



 

So, why I am getting this alert then????



 

Thanks,


Claudiu



 


As you can see, the community said "100% deny", "Create a rule for this decision" is checked, threshold is 90%;

Seems to be a bug. I will forward it to the developers maintaining Mamutu.




 

Fabian,



 

With all due respect but I reported “bugs” like that more than 2 years ago and nothing happened!


In June 2010 Mamutu was on version 3.0.0.16, today, after 2 years and a half, is on 3.0.0.20.!!!

If there are any developers maintaining Mamutu, you better check on them!!!!



Personally, I believe that Mamutu development has ceased a long time ago and is only on artificial life support and will soon be delivered only as part of the antimalware app.



Wish you all the best with Emsi!



Claudiu



 
