EAM v10 Behaviour Blocker


Exploring the new BB panel, when I first went there around ten programmes were listed with no reputation value shown. I right-clicked each one in turn and chose 'Lookup online', and after a while the browser located a http://www.isthisfilesafe.com/?md5=???? page for each of them showing mainly a mix of 'Trusted' and 'New' statuses.

For one program, 'rxapi', which is part of the ooREXX runtime environment, there is no info at all on the page, at:

http://www.isthisfilesafe.com/?md5=EAB4342818FB59B0E8EE2DA7E8C8D7D6

and yet the BB panel now shows that this is a Good reputation program. How did the BB make that decision?

I also noticed that several of the other originally no-value-for-reputation programs now display one.  Does that mean that the BB was in the process of checking all of their statuses when I first displayed the BB panel, or does it mean that my 'Lookup online' action forced a decision?


The reputation rating in the Behavior Blocker dialog is calculated using different layers.

The first check is done locally only. The software checks if the exe file is digitally signed by a trusted vendor. We maintain a blacklist of certificates of questionable vendors, which is constantly updated just like malware signatures.

If the first check doesn't give a clear result, the file hash is submitted to the Emsisoft Anti-Malware Network database. That database mostly contains known malicious files. Which means almost all real threats would be detected at this point.

If the second check also doesn't give a clear result, the file is most likely not widespread and possibly never went through all sorts of antivirus labs. That doesn't mean it's good or bad, it just means you need to do your own deeper research. E.g. upload it to virustotal.com or google for further details on the hash. The isthisfilesafe.com website will tell you if we have ever seen that file before and if the behavior blocker has ever come up with a bad result.
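The three layers described in this reply, and the case discussed later in the thread (an unsigned file with no public isthisfilesafe.com page that is nevertheless allowed in the cloud), modelled as a small Python program. This is an added illustration, not Emsisoft's code: the vendor names, certificate thumbprints, sample file contents and the "cloud" hash tables are all constructed for the example.

```python
"""Layered file-reputation lookup modelled on the three checks described above.
Constructed example, not Emsisoft code: signer names, thumbprints, hashes and
the "cloud" tables are made up for illustration."""
import hashlib

# Layer 1 data (local only): vendors whose signatures are trusted, and a
# blacklist of certificate thumbprints of questionable vendors. Constructed.
TRUSTED_SIGNERS = {"Example Software Ltd", "Contoso Corporation"}
BLACKLISTED_THUMBPRINTS = {"deadbeef00"}


def md5_hex(data: bytes) -> str:
    """MD5 of the file content, upper-case hex as the lookup site shows it."""
    return hashlib.md5(data).hexdigest().upper()


# Constructed sample files standing in for executables on disk.
SAMPLE_FILES = {
    "signed_tool.exe":  b"MZ signed by a trusted vendor",
    "badcert_tool.exe": b"MZ signed with a blacklisted certificate",
    "known_bad.exe":    b"MZ known malicious sample",
    "rxapi.exe":        b"MZ unsigned runtime helper",   # unsigned, allowed in cloud
    "mystery.exe":      b"MZ unsigned and never seen",   # nothing known anywhere
}

# Layer 2 data (cloud): mostly known-bad hashes, plus hashes that are allowed
# in the cloud even though no public page exists for them. Constructed.
CLOUD_BAD_HASHES = {md5_hex(SAMPLE_FILES["known_bad.exe"])}
CLOUD_ALLOWED_HASHES = {md5_hex(SAMPLE_FILES["rxapi.exe"])}

# Constructed signature metadata per file as (signer, thumbprint);
# a file missing from this table is not digitally signed.
SIGNATURES = {
    "signed_tool.exe":  ("Example Software Ltd", "1122334455"),
    "badcert_tool.exe": ("Shady Tools Inc", "deadbeef00"),
}


def local_signature_check(signature):
    """Layer 1: decide from the digital signature alone, None if unclear."""
    if signature is None:
        return None
    signer, thumbprint = signature
    if thumbprint in BLACKLISTED_THUMBPRINTS:   # blacklist wins over vendor name
        return "Bad"
    if signer in TRUSTED_SIGNERS:
        return "Good"
    return None


def cloud_hash_check(md5: str):
    """Layer 2: hash lookup against the (simulated) network database."""
    if md5 in CLOUD_BAD_HASHES:
        return "Bad"
    if md5 in CLOUD_ALLOWED_HASHES:
        return "Good"
    return None


def reputation(data: bytes, signature=None):
    """Return (verdict, layer). 'Unknown' means: do your own deeper research."""
    verdict = local_signature_check(signature)
    if verdict:
        return verdict, "local-signature"
    verdict = cloud_hash_check(md5_hex(data))
    if verdict:
        return verdict, "cloud-hash"
    return "Unknown", "none"


def rate_all():
    """Rate every constructed sample file; returns {name: (verdict, layer)}."""
    return {n: reputation(d, SIGNATURES.get(n)) for n, d in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, (verdict, layer) in rate_all().items():
        print(f"{name:18} {md5_hex(SAMPLE_FILES[name])}  {verdict:8} via {layer}")
```

Running it shows why the unsigned `rxapi.exe` sample comes out Good: layer 1 has nothing to say, but its hash is in the cloud allow table, which the public lookup page does not necessarily reflect. The `mystery.exe` sample falls through both layers and is reported Unknown rather than Good or Bad.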


What you've described makes sense but doesn't explain why the BB marked this particular file Good. It's not digitally signed, and submitting the hash to your database surely can't decide anything (bearing in mind that there's no data on the related webpage). I totally understand that I can research it myself. What I don't understand is why, with no info available saying that the file is thought to be ok, EAM marked it Good.


What you've described makes sense but doesn't explain why the BB marked this particular file Good. It's not digitally signed, and submitting the hash to your database surely can't decide anything (bearing in mind that there's no data on the related webpage).

Keep in mind that the website only displays information about files that we have a complete set of file information for. It is possible that files are allowed in the cloud and do not show up on the site due to that, like in your case.
