pallino

EMSI behaviour blocker VS HIPS

Dear EMSI Team,

 

What's the difference between the (EMSI) behaviour blocker and the (Emsi) HIPS (e.g. in OA)?

 

I read that the level of protection offered by BB and Hips is the same/comparable, but what are the differences in the two technologies?

 

thank you!


Thank you for your answer!

 

Are both based on the same technology or are they two completely different approaches?

 

Is Emsisoft’s Behavior Blocker an evolution of EMSI's HIPS that checks all active processes and modifications affecting system security and alerts only if different suspicious behaviours are detected and a certain critical value is hit that clearly indicates malware?

 

OA HIPS instead alerts the user of every security-related modification of his system unless it's whitelisted? So more control/protection but with way more (FP) alerts? Is this correct?

 

thank you!


Are both based on the same technology or are they two completely different approaches?

The way events are gathered is similar, but the way the systems come up with decisions is fundamentally different.

 

Is Emsisoft’s Behavior Blocker an evolution of EMSI's HIPS that checks all active processes and modifications affecting system security and alerts only if different suspicious behaviours are detected and a certain critical value is hit that clearly indicates malware?

No, it is not. Both are actually unrelated to each other as they both were developed by completely different and independent companies originally.

 

OA HIPS instead alerts the user of every security-related modification of his system unless it's whitelisted? So more control/protection but with way more (FP) alerts? Is this correct?

Pretty much, yes.


One more doubt about BB.... :unsure:

 

How does Emsisoft’s Behavior Blocker react when it detects a suspicious behavior?

Does it alert the user and ask what he wants to do, or does it first check the Emsisoft Anti-Malware Network (i.e. it checks the EMSI database to see how other users decided in the same situation/for the same program, and if enough users (90 percent by default) took a specific action, it automatically applies that action)?

If it checks what other users decided and applies the same action, can this be avoided so that the user can decide alone in all alerts (or even better, can he see what others did but still be able to take his own decision)?

 

thank you :)


Hi Pallino

 

I have tested EIS against real malware and both the AV part and the BB.  It has caught everything.  I don't rely on the Network, as it doesn't matter to me personally what other users do.

 

Pete


The Emsisoft Anti-Malware Network is queried first. If you want to make all decisions on your own, just disable the community based alert reduction in the Behavior Blocker options.


All,

 

thank you for your answers!

 

I also prefer to decide on my own... in the end. As said, best would be to get a suggestion based on the Emsisoft Anti-Malware Network and to ask the user if he accepts it (will this be available in the future?).

 

Just to be sure,

- Emsisoft Anti-Malware Network = EMSI database about how other users decided in the same situation/for the same program.

- as Fabias said, first the Emsisoft Anti-Malware Network is queried.

What happens then? If enough users (90 percent by default) took a specific action, it automatically applies that action?

 

Is this correct?

Thank you


- Emsisoft Anti-Malware Network = EMSI database about how other users decided in the same situation/for the same program.

Originally, yes. It has become a lot more powerful these days and for the vast majority, user decisions aren't consulted at all. It will instead say outright to allow or block that application. That is the reason why for 99.9% of all requests, the percentages defined in the settings are completely irrelevant and why those settings will be removed soon.


Thank you.

 

So now in the future the decision is/will be taken based on EMSI's database of programs, on the level of danger of the detected behavior, or on what?

So Emsisoft Anti-Malware Network = ?

Will EMSI AM and IS not check the Emsisoft Anti-Malware Network anymore or will it change its meaning?


thank you as usual for your answers! :)


The way decisions work doesn't change from the way it is done already. Over the past two years we managed to make the reliance of the Emsisoft Anti-Malware Network on user decisions pretty much obsolete, so for 99.99% of all files we don't even return them to the client when it requests information from the Emsisoft Anti-Malware Network. Instead we can definitely tell the client that a file is malicious or trustworthy, which are separate return codes independent of those user percentage values you can configure. As a result, all those GUI controls are kind of pointless and just outdated, because the chances that you will ever encounter a file where any of the options you can change there are relevant are pretty much none.

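The two decision styles discussed in this thread (a HIPS that alerts on every non-whitelisted modification, versus a behavior blocker that queries the Emsisoft Anti-Malware Network first, applies a definite malicious/trustworthy verdict when one is returned, and only falls back to the community percentage threshold for unknown files unless community-based alert reduction is disabled) as a toy Python model. This is an added illustration, not Emsisoft's or OA's code; the class and field names are made up, and it assumes a definite verdict is applied regardless of the community option, since the thread describes it as a separate return code independent of the percentage settings.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):             # what the reputation network returns for a file
    MALICIOUS = "malicious"      # definite return code, independent of percentages
    TRUSTWORTHY = "trustworthy"
    UNKNOWN = "unknown"          # only here do the community percentages matter


class Action(Enum):
    BLOCK = "block"
    ALLOW = "allow"
    ASK_USER = "ask_user"        # an alert the user has to answer


@dataclass
class NetworkReply:              # constructed stand-in for a network lookup result
    verdict: Verdict
    users_blocked_pct: int = 0   # share of users who blocked this program
    users_allowed_pct: int = 0   # share of users who allowed it


@dataclass
class BBSettings:
    community_alert_reduction: bool = True   # the option the thread says can be disabled
    auto_apply_threshold: int = 90           # "90 percent by default"


def hips_decide(program: str, whitelist: set[str]) -> Action:
    """Classic HIPS: every security-relevant modification is alerted unless whitelisted."""
    return Action.ALLOW if program in whitelist else Action.ASK_USER


def behavior_blocker_decide(reply: NetworkReply, s: BBSettings) -> Action:
    """Behavior blocker: definite verdicts win; percentages are only the fallback."""
    # Assumption: a definite verdict is applied even when community reduction is off.
    if reply.verdict is Verdict.MALICIOUS:
        return Action.BLOCK
    if reply.verdict is Verdict.TRUSTWORTHY:
        return Action.ALLOW
    if not s.community_alert_reduction:      # user wants to decide every unknown case
        return Action.ASK_USER
    if reply.users_blocked_pct >= s.auto_apply_threshold:
        return Action.BLOCK
    if reply.users_allowed_pct >= s.auto_apply_threshold:
        return Action.ALLOW
    return Action.ASK_USER                   # no clear majority: alert the user
```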
The way decisions work doesn't change from the way it is done already. Over the past two years we managed to make the reliance of the Emsisoft Anti-Malware Network on user decisions pretty much obsolete, so for 99.99% of all files we don't even return them to the client when it requests information from the Emsisoft Anti-Malware Network. Instead we can definitely tell the client that a file is malicious or trustworthy, which are separate return codes independent of those user percentage values you can configure. As a result, all those GUI controls are kind of pointless and just outdated, because the chances that you will ever encounter a file where any of the options you can change there are relevant are pretty much none.

So it means that EAN is no longer based on users' decisions? Instead on your own blacklist?
