Offline Sword

The behavior blocker panel confuses me


Emsisoft 10.0 has a new behavior blocker panel.
It enables us to allow/block some activities of applications.
But I find that this function is confusing.
In my opinion, the activities that can be controlled by the behavior blocker are not explicitly defined.
For example, I cannot understand what a "backdoor related activity" refers to.
I think a "backdoor activity" should be blocked, but what about a "backdoor related activity"?
What will happen if I block the "backdoor related activity" of a certain application?
It will stop the application from accessing the Internet? Or forbid the application to access some sensitive areas in the local computer?
It seems that there is no such information provided to the users to help us determine whether an activity should be allowed or blocked.

 


"What will happen if I block the "backdoor related activity" of a certain application?

It will stop the application from accessing the Internet?"

 

If the program is trusted you can turn some settings off, but that's not recommendable for third party programs in my opinion... If you turn the backdoor related activity option "off", the program will still have internet access...

If you want to disallow internet usage, you need to set the rule to "Block all".

 

###

 

In my opinion (but this doesn't need to be the truth, so we wait until TEAM will answer, to be sure) backdoor related activity could be activity like invisible data-transfers to the internet, modification of files, extracting passwords, modifying registry etc.

 

##

 

Please have a look @ how to use the new behavior blocker panel to quickly spot potential threats

 

http://blog.emsisoft.com/2015/05/21/how-to-use-the-new-behavior-blocker-panel-to-quickly-spot-potential-threats/


I was trying to find the explanations for things like Backdoor related activity, Spyware related activity and all the other stuff inside Custom monitoring. You have the option to allow or block, but there is no explanation in the help files for them. I think that this is what is confusing, at least for me, because I don't know what they do. I mean I can guess that the "Spyware related activity" means that some program is acting like spyware, but it would be good if there were a good explanation of what each action actually means.


I agree that at the moment the rule dialog is a bit confusing. That is why we will likely drop it entirely in one of the next versions and essentially reduce it to either allow or block the entire process. At the moment essentially every behavior corresponds to a group of actions and triggers the behavior blocker uses internally to detect malicious behavior. Setting a specific behavior to block will essentially instruct the behavior blocker to prevent any of the actions that make up the group. We do not document the exact actions we are looking for and we never will. Doing so will only make it easier for malware authors to get around the behavior blocker by specifically avoiding the actions and conditions we are looking for.

In general though the majority of all our users will never have to use the application rules as in almost all cases EAM/EIS will make the correct decision for them. At the moment they are only there to allow users to correct mistakes they made during rare manual decisions or in case they disabled all automatic decision making in EAM/EIS.


I agree that at the moment the rule dialog is a bit confusing. That is why we will likely drop it entirely in one of the next versions and essentially reduce it to either allow or block the entire process. At the moment essentially every behavior corresponds to a group of actions and triggers the behavior blocker uses internally to detect malicious behavior. Setting a specific behavior to block will essentially instruct the behavior blocker to prevent any of the actions that make up the group. We do not document the exact actions we are looking for and we never will. Doing so will only make it easier for malware authors to get around the behavior blocker by specifically avoiding the actions and conditions we are looking for.

In general though the majority of all our users will never have to use the application rules as in almost all cases EAM/EIS will make the correct decision for them. At the moment they are only there to allow users to correct mistakes they made during rare manual decisions or in case they disabled all automatic decision making in EAM/EIS.

 

Thank you for your response.

I do not think that dropping the rule dialog entirely is a good idea. Could you consider providing a new rule dialog in a more granular manner, just like Online Armor?

I should say that I do not like the behavior blocker of Online Armor, since it lacks intelligence and generates too many alerts. But I think the cloud-based behavior blocker of EAM/EIS is much more intelligent. In such a case, adding a fine-grained behavior blocker will not disturb the users too much.


I do not think that dropping the rule dialog entirely is a good idea. Could you consider providing a new rule dialog in a more granular manner, just like Online Armor?

We will consider it.