pallino Posted March 2, 2015 Dear EMSI Team, what's the difference between the (EMSI) behaviour blocker and the (Emsi) HIPS (e.g. in OA)? I read that the level of protection offered by BB and HIPS is the same/comparable, but what are the differences in the two technologies? Thank you!
Siketa Posted March 2, 2015 Maybe you will find an answer here.... http://blog.emsisoft.com/2012/07/10/tec120710/
Fabian Wosar Posted March 2, 2015 Siketa already posted the explanation I would have posted instead. So you will find the answer in the blog post Siketa linked.
pallino Posted March 4, 2015 Thank you for your answer! Are both based on the same technology or are they two completely different approaches? Is Emsisoft's Behavior Blocker an evolution of EMSI's HIPS that checks all active processes and modifications affecting system security and alerts only if different suspicious behaviours are detected and a certain critical value is hit that clearly indicates malware? OA HIPS instead alerts the user of every security-related modification of his system unless it's whitelisted? So more control/protection but with way more (FP) alerts? Is this correct? Thank you!
Fabian Wosar Posted March 3, 2015
Quoting pallino: "Are both based on the same technology or are they two completely different approaches?"
The way events are gathered is similar, but the way the systems come up with decisions is fundamentally different.
Quoting pallino: "Is Emsisoft's Behavior Blocker an evolution of EMSI's HIPS that checks all active processes and modifications affecting system security and alerts only if different suspicious behaviours are detected and a certain critical value is hit that clearly indicates malware?"
No, it is not. Both are actually unrelated to each other as they were originally developed by completely different and independent companies.
Quoting pallino: "OA HIPS instead alerts the user of every security-related modification of his system unless it's whitelisted? So more control/protection but with way more (FP) alerts? Is this correct?"
Pretty much, yes.
pallino Posted March 5, 2015 One more doubt about BB.... How does Emsisoft's Behavior Blocker react when it detects a suspicious behavior? Does it alert the user and ask what he wants to do, or does it first check the Emsisoft Anti-Malware Network (i.e. it checks the EMSI database to see how other users decided in the same situation/for the same program, and if enough users (90 percent by default) took a specific action, it automatically applies that action)? If it checks what other users decided and applies the same action, can this be avoided so that the user can decide alone in all alerts (or even better, can he see what others did but still be able to take his own decision)? Thank you
Peter2150 Posted March 5, 2015 Hi Pallino, I have tested EIS against real malware, both the AV part and the BB. It has caught everything. I don't rely on the Network, as it doesn't matter to me personally what other users do. Pete
Siketa Posted March 5, 2015 pallino, first it checks AMN and then alerts you.
Fabian Wosar Posted March 5, 2015 The Emsisoft Anti-Malware Network is queried first. If you want to make all decisions on your own, just disable the community-based alert reduction in the Behavior Blocker options.
pallino Posted March 6, 2015 All, thank you for your answers! I also prefer to decide on my own... in the end. As said, best would be to get a suggestion based on the Emsisoft Anti-Malware Network and to ask the user if he accepts it (will this be available in the future?). Just to be sure:
- Emsisoft Anti-Malware Network = EMSI database about how other users decided in the same situation/for the same program.
- As Fabian said, first the Emsisoft Anti-Malware Network is queried. What happens then? If enough users (90 percent by default) took a specific action, it automatically applies that action? Is this correct?
Thank you
Fabian Wosar Posted March 6, 2015
Quoting pallino: "Emsisoft Anti-Malware Network = EMSI database about how other users decided in the same situation/for the same program."
Originally, yes. It has become a lot more powerful these days and for the vast majority user decisions aren't consulted at all. It will instead say outright allow or block that application. That is the reason why for 99.9% of all requests the percentages defined in the settings are completely irrelevant, and why those settings will be removed soon.
pallino Posted March 8, 2015 Thank you. So now and in the future the decision is/will be taken based on EMSI's database of programs, on the level of danger of the detected behavior, or on what? So Emsisoft Anti-Malware Network = ? Will EMSI AM and IS not check the Emsisoft Anti-Malware Network anymore, or will it change its meaning? Thank you as usual for your answers!
Fred Singh Posted March 8, 2015
Quoting Fabian Wosar: "why those settings will be removed soon"
Another positive step IMHO
Fabian Wosar Posted March 8, 2015 The way decisions work doesn't change from the way it is done already. Over the past two years we managed to make the reliance of the Emsisoft Anti-Malware Network on user decisions pretty much obsolete, so for 99.99% of all files we don't even return them to the client when it requests information from the Emsisoft Anti-Malware Network. Instead we can definitely tell the client that a file is malicious or trustworthy, which are separate return codes independent of those user percentage values you can configure. As a result, all those GUI controls are kind of pointless and just outdated, because the chance that you will ever encounter a file where any of the options you can change there are relevant is pretty much none.
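The decision order described in this thread (cloud lookup first, a definitive malicious/trustworthy verdict that overrides the community percentages, the configurable community threshold as a fallback, and the option to switch community-based alert reduction off so every undecided event is shown to the user) can be written down as a small decision function. The model below is an added example for this page, not Emsisoft's code: the verdict and return-code names, the `min_votes` sample-size guard and the constructed lookup table are assumptions; only the 90 percent default threshold comes from the thread.

```python
"""Illustrative model of a cloud-assisted behaviour-blocker decision.

Added example, not Emsisoft's implementation. Return-code names, the
min_votes guard and the sample data are assumptions made for illustration;
the 90 percent default threshold is the value quoted in the thread.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """What the (hypothetical) cloud service returns for a file."""
    TRUSTED = "trusted"      # definitive: allow without asking
    MALICIOUS = "malicious"  # definitive: block without asking
    UNKNOWN = "unknown"      # no definitive verdict; community data only


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK_USER = "ask_user"    # show the alert and let the user decide


@dataclass(frozen=True)
class CloudReply:
    verdict: Verdict
    community_allow: int = 0  # users who chose "allow" for this file
    community_block: int = 0  # users who chose "block" for this file


# Constructed sample lookup table standing in for the network query.
# Keys are placeholder identifiers, not real file hashes.
SAMPLE_CLOUD = {
    "file-known-good": CloudReply(Verdict.TRUSTED),
    "file-known-bad": CloudReply(Verdict.MALICIOUS, community_allow=100),
    "file-new-popular": CloudReply(Verdict.UNKNOWN, community_allow=95, community_block=5),
    "file-new-disputed": CloudReply(Verdict.UNKNOWN, community_allow=50, community_block=50),
    "file-new-rare": CloudReply(Verdict.UNKNOWN, community_allow=1, community_block=0),
}


def decide(reply: CloudReply, alert_reduction_enabled: bool = True,
           threshold_percent: int = 90, min_votes: int = 10) -> Action:
    """Apply the precedence described in the thread.

    1. A definitive verdict wins, whatever the community numbers say
       (the thread calls these separate return codes).
    2. Otherwise, if community-based alert reduction is enabled and at
       least min_votes users have decided, auto-apply the majority action
       once it reaches threshold_percent.
    3. Otherwise ask the user.
    min_votes is an assumption: it keeps a single early decision from
    silently deciding for everyone else.
    """
    if reply.verdict is Verdict.MALICIOUS:
        return Action.BLOCK
    if reply.verdict is Verdict.TRUSTED:
        return Action.ALLOW

    if alert_reduction_enabled:
        total = reply.community_allow + reply.community_block
        if total >= min_votes:
            # Integer arithmetic avoids float rounding at the boundary.
            if reply.community_allow * 100 >= threshold_percent * total:
                return Action.ALLOW
            if reply.community_block * 100 >= threshold_percent * total:
                return Action.BLOCK
    return Action.ASK_USER


def handle_event(file_id: str, alert_reduction_enabled: bool = True) -> Action:
    """Look the file up in the sample table (a file not in the table counts
    as UNKNOWN with no community data) and decide."""
    reply = SAMPLE_CLOUD.get(file_id, CloudReply(Verdict.UNKNOWN))
    return decide(reply, alert_reduction_enabled=alert_reduction_enabled)


if __name__ == "__main__":
    for fid in SAMPLE_CLOUD:
        print(f"{fid:20s} reduction on:  {handle_event(fid).value:9s} "
              f"reduction off: {handle_event(fid, False).value}")
```

Two points the model makes visible: with a definitive verdict the percentage controls never matter (which is why the thread calls them outdated), and with alert reduction disabled every non-definitive event reaches the user, exactly the behaviour the thread recommends for someone who wants to make all decisions themselves.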
gricardo21 Posted March 9, 2015
Quoting Fabian Wosar: "The way decisions work doesn't change from the way it is done already. Over the past two years we managed to make the reliance of the Emsisoft Anti-Malware Network on user decisions pretty much obsolete, so for 99.99% of all files we don't even return them to the client when it requests information from the Emsisoft Anti-Malware Network. Instead we can definitely tell the client that a file is malicious or trustworthy, which are separate return codes independent of those user percentage values you can configure. As a result, all those GUI controls are kind of pointless and just outdated, because the chance that you will ever encounter a file where any of the options you can change there are relevant is pretty much none."
So it means that EAN is no longer based on user decisions? Instead your own blacklist?
Fabian Wosar Posted March 9, 2015
Quoting gricardo21: "So it means that EAN is no longer based on user decisions? Instead your own blacklist?"
Pretty much, yes.