0strodamus

Emsisoft Anti-Malware Not Detecting Anything with Malware Defender Installed


Hi, I installed the trial version of Emsisoft Anti-Malware 5.0 in a Windows XP virtual machine with Malware Defender being the only other security application installed. I cannot get Emsisoft Anti-Malware to detect anything on file copy, move, or creation. It will detect items on a scan though. This includes the eicar.com file. I was also able to easily kill a2guard.exe via Process Explorer.

I was thinking of replacing avast! Pro with Emsisoft, but due to this behavior there is no way I could do that. Trying the same tests in a virtual machine without Malware Defender causes Emsisoft Anti-Malware 5.0 to behave normally. Is there anything I can do to get these two programs to play nice with each other? I think Emsisoft has done an excellent job with this new version, but I really don't want to give up Malware Defender.


Our development team will investigate in that case. Thanks for letting us know.

You're very welcome! I'm hoping that your team will get this sorted and will eagerly await any updates. I'm very impressed with the behavior blocker and surf protection in this version. I really like the fact that the surf protection doesn't require a localhost proxy like most AV solutions. The behavior blocker doesn't appear to be using any kernel hooks, which is pretty cool too. The options you have provided for advanced users (paranoid mode) are a nice touch. If the MD issues can be ironed out, you've got yourself a new customer here! :)

Darrell


A couple of questions (considering both Malware Defender and Emsisoft are running):

1. Does Malware Defender detect anything in this scenario?

2. Can you please post the output of the fltmc command? Go to Run -> cmd.exe -> fltmc


A couple of questions (considering both Malware Defender and Emsisoft are running):

1. Does Malware Defender detect anything in this scenario?

2. Can you please post the output of the fltmc command? Go to Run -> cmd.exe -> fltmc

Hi Ayush!

1. Yes, Malware Defender does detect everything that hasn't had a prior rule created.

2. The output of fltmc is a2injectiondriver: 0 instances, 0 frame; a2acc 2 instances, 0 frame.

After playing around with this some more today, I've observed the following things:

1. Disabling mdhook.dll does not help things with MD v2.6.0, but I can get a2guard to respond appropriately with MD v2.7.1.

2. If MD is stopped and then started with a2guard running, there is a VM reset error. If a2guard is exited, then MD can be started followed by a2guard without the error.

3. Running RkUnhooker with MD v2.6.0 and switching to the Processes tab results in no response from a2guard, and all processes' status is "Not accessible from User Mode". Doing the same with MD v2.7.1 results in a proper alert from a2guard, and only the a2 and MD processes are not accessible.

I'm still running MD v2.6.0 on my real machine. Based on my VM experiences, it's looking like the only way to get these 2 to run together at all would be to "upgrade" to MD Free v2.7.1. I'm still not feeling comfortable enough to do this though; I'm afraid that there could be a total failure in a2guard which seems to only be exhibited by no alerts to rogue files / activity.

Thanks for looking into this. I'm still hopeful there's a way to run these together despite things looking more like the issue is on the MD side and the slowdown in MD's development since going free.

Darrell
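The fltmc figures above are the diagnostic worth checking: a minifilter that is loaded but shows 0 instances is attached to no volume, so it cannot see file copies, moves or creations. The following is an added example (not Emsisoft or Malware Defender code) that parses `fltmc filters` output and lists such filters; the sample output is constructed, and its column layout (Filter Name / Num Instances / Frame, with an optional Altitude column on newer Windows) is an assumption.

```python
"""Flag loaded minifilters that are attached to no volume (0 instances)."""
from typing import List, NamedTuple


class FilterEntry(NamedTuple):
    name: str
    instances: int
    altitude: str  # empty when the column is absent (Windows XP layout)
    frame: str     # kept as text: newer Windows prints "<Legacy>" for some filters


# Constructed sample in the XP-style layout, mirroring the thread's report.
SAMPLE_XP = """\
Filter Name                     Num Instances    Frame
------------------------------  -------------  ---------
a2injectiondriver                       0        0
a2acc                                   2        0
"""


def parse_fltmc(text: str) -> List[FilterEntry]:
    """Return one FilterEntry per data row; header and separator lines are skipped."""
    entries: List[FilterEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Filter Name") or line.startswith("---"):
            continue
        cols = line.split()
        if len(cols) == 3:      # name, instances, frame (XP layout)
            entries.append(FilterEntry(cols[0], int(cols[1]), "", cols[2]))
        elif len(cols) == 4:    # name, instances, altitude, frame (Vista and later)
            entries.append(FilterEntry(cols[0], int(cols[1]), cols[2], cols[3]))
    return entries


def unattached_filters(text: str) -> List[str]:
    """Names of filters that are loaded but attached to no volume."""
    return [e.name for e in parse_fltmc(text) if e.instances == 0]


if __name__ == "__main__":
    for name in unattached_filters(SAMPLE_XP):
        print(f"{name}: loaded but 0 instances, on-access scanning cannot work")
```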


I installed Emsisoft Anti-Malware 5.0 trial today on a real machine under Windows XP SP3 and with both versions of Malware Defender, a2guard would not detect anything. I could manually scan eicar.com and it would be detected. However, if I zipped and extracted it there was no detection from a2guard. Likewise, clicking the processes tab in RkUnhooker generated no alerts from a2guard. It looks like I'm not going to be able to run Emsisoft Anti-Malware 5.0 and Malware Defender on my main machine after all. :(


Maybe these are stupid questions for you but:

1. Do you use File guard with "Scan all files when accessed" option?

2. Do you know the behavior blocker (Emsisoft AM) isn't a HIPS like MD is, and it blocks only dangerous behavior?


Hi zajic.v.pytli, welcome to the forum

I do not want to interfere with the current case raised by the original poster, since as it was pointed out it is under investigation and involves at least 2 (two) security packages installed at the same time... but...

Please search this and our old forum for "Eicar" - you will find tons of info

- EAM does flag Eicar when used as a scan only (that was always the case);

- EAM does flag Eicar when you Execute (stressing!!!) it (have you tried that?)

- EAM currently (starting from v5) does have additional (optional) "onAccess" features

The only point is, when you test it in order to be sure, please disable all other existing security that can interfere (it depends how those are set... different story)

My regards

p.s. {added}

Please ask if you cannot find those threads with examples, using "Search"

- we will provide the links


@zajic.v.pytli:

1. Yes

2. Yes

~~~~~~~~~~~~~~~~~~~

Any observations I've noted as to Emsisoft Anti-Malware 5.0 alerts failing will succeed when Malware Defender is not installed on the system - alerts due to manipulations with eicar.com and RkUnhooker occur normally. It is only after installation of Malware Defender that all alerts disappear. It doesn't matter whether or not Malware Defender is running or exited - Emsisoft Anti-Malware 5.0 will give no alerts when it should.

My observations are not being caused by a failure in configuration or understanding of when or how Emsisoft Anti-Malware 5.0 should be alerting me, but thanks for the suggestions.

I think this is a major flaw in Emsisoft Anti-Malware 5.0 that I hope will be fixed. What if Malware Defender was actually malware that had initially evaded detection? Based on my observations, it would open the door to any and all subsequent malware. :o


I think this is a major flaw in Emsisoft Anti-Malware 5.0 that I hope will be fixed.

Actually it is a bug in Malware Defender that is fixed in version 2.7.1 which is why EAM 5.0 works flawlessly with MD 2.7.1 but not 2.6.0. So if you don't want to upgrade to MD 2.7.1 there is nothing we can do about it.


Hi Fabian! Thanks for the reply.

Are you sure this was fixed in Malware Defender version 2.7.1? According to the developer there were no changes between versions 2.6.0 and 2.7.1, other than the main icon and copyright information as posted at Wilders. Also, I tried to install both Malware Defender 2.7.1 and Emsisoft Anti-Malware 5.0 on a real machine and as I noted in post #6, the problem still existed. I can't really explain why I was able to get the two to co-exist in a virtual machine, but not on a real machine.

What if Malware Defender was malicious software? How would the user ever know they were infected with the entire alert system of Emsisoft Anti-Malware 5.0 being broken? This doesn't inspire much trust in the protection that Emsisoft Anti-Malware 5.0 provides IMHO. I'm hoping that your team will continue to investigate this and provide a viable solution.


Just curious. Which malware defender are you talking about? Your link leads into the emptiness (page not found)

Just curious. Which malware defender are you talking about? Your link leads into the emptiness (page not found)

Hi xjps, welcome to the forum,

That's absolutely true, about what you are saying

Let's hope it is not MD 2009, which is a complete rogue as we all know about ;)

Cheers!


It's not MD 2009!! :P

The developer sold the program and was hired by the company that bought it. They released it as freeware and it is available at 360.cn or you can get the version I'm running at download.com. The version at download.com is only a trial version with no way to pay for it now AFAIK.

I'll update my signature.


You are {N}0stradamus, aren't you :)

(I am not going into any religious or other “political" issues here since it's prohibited)

...But your signature has so many advertised security … :blink:

I cannot remember I've seen so much ever!

In any case,... whether “that” is legit or not … please disable those all & test EAM – that's the only way to test what you wanna test

On the other hand, as Fabian Wosar said - resolving problems like that - involves 2-3 (or more) parties and cannot necessarily be resolved ...

Every security software has an incompatibilities list

& anyway … any new update/upgrade can bring new issues.... etc. and so on...

Please choose the security pack you're gonna use

Cheers!


Are you sure this was fixed in Malware Defender version 2.7.1? According to the developer there were no changes between versions 2.6.0 and 2.7.1, other than the main icon and copyright information as posted at Wilders.

There are code changes between 2.6.0 and 2.7.1. I don't have the time to actually reverse it to see what was done and to provide an actual complete change log. But they are there.

Also, I tried to install both Malware Defender 2.7.1 and Emsisoft Anti-Malware 5.0 on a real machine and as I noted in post #6, the problem still existed. I can't really explain why I was able to get the two to co-exist in a virtual machine, but not on a real machine.

I have absolutely no problem with both of them. I installed EAM, then installed MD. Both are running flawlessly. I didn't even have to change the configuration of MD. Though it may be a good idea to put a2service.exe into the trusted applications category, primarily because otherwise MD will alert on every quarantine when we try to delete executable files.

What if Malware Defender was malicious software? How would the user ever know they were infected with the entire alert system of Emsisoft Anti-Malware 5.0 being broken? This doesn't inspire much trust in the protection that Emsisoft Anti-Malware 5.0 provides IMHO. I'm hoping that your team will continue to investigate this and provide a viable solution.

Every security vendor on earth will confirm that once malware reaches kernel mode the game is over. No exceptions. The main issue is that once malware obtains access to kernel mode it can essentially do everything the security software can do, including removing protection put in place by security software or interfering with inter-mode communication.


@Lynx: Some things are even beyond {N}0stradamus' predictive powers. ;) I guess you don't spend much time in the Wilders forum or you would see that my setup is not that unique. You've got almost as many security applications as I do - a resident A/V, firewall, HIPS, sandbox (I think CIS has one built in, doesn't it?). All of my tests were done on virtual and real machines with only Emsisoft Anti-Malware 5.0 and Malware Defender - none of the other apps listed were installed. I've been a Malware Defender customer since version 2.0, so trust me it's not a "different MD". :)

@Fabian Wosar: I'll take your word for it that there are more code changes to the latest version of Malware Defender than have been posted. One interesting thing is that in my testing Malware Defender was always installed first. I'll try installing Emsisoft Anti-Malware 5.0 first and see how that goes. I agree with your point regarding malware gaining kernel access being game over for any antivirus. I just found it interesting how Malware Defender caused your product to stop alerting for everything. Of course, I have no idea of how other vendors' products would react (other than avast! and Avira, which I have used without any issues alongside Malware Defender). I'll try your suggestions and want to thank you for taking the time to test this on your side and for posting insightful replies to my inquiries.

Darrell


Thanks Darrell (0strodamus) for your reply

Naah! I don't have as much security as in your signature :)

& definitely not Comodo's crappy so-called "sandbox", which is NOT

v3.14 Firewall only, as it's stated, and that is the only Comodo product I am using - it is working & strong enough ... tested all others ... not interested ever

As for visiting Wilders ... well ... sometimes, but I do not like that arrogant, prejudiced forum ;)

Some posts there make me puke :lol: Cheers!


They released it as freeware and it is available at 360.cn or you can get the version I'm running at download.com. The version at download.com is only a trial version with no way to pay for it now AFAIK.

I'll update my signature.

You got me ;) .............almost

360.cn goes to a Chinese website where I can't download from because my FW blocks it.

download.com = Cnet has seen better times, although publishing fake Ashampoo Win Optimiser and jv16 power tools wasn't one of those. Their link still goes to Torchsoft which is known for their excellent registry editor and ASCII art studio.

Although Fabian Wosar seems to have found the MD you mean, I'd strongly suggest sticking to a little more established programmes like MByte's <-free ;)

...You got me ;) .............almost...

Although Fabian Wosar seems to have found the MD you mean, I'd strongly suggest sticking to a little more established programmes like MByte's <-free ;)

Hi xjps,

Sure... you cannot get "that software" from the advertised site - that was clearly established already

At the same time:

- the developers are involved & answered some important questions regarding MD;

- "stick to a little more established" program, like MBAM :blink: ...hmm.. :rolleyes: ... wouldn't that be a bit of an ad as well?

And my advice - stay away from both, whether it's MD or MBAM ... well, sure, the latter can help in extremely rare occasions

So basically let's stop ads here & listen to Emsisoft developers

& sure ... some predictions from {N}0stradamus :P

My regards


I'm not "advertising" anything. Are you "advertising" Comodo firewall and AVG antivirus here just because they're in your signature, or you ask a question related to their interaction with an Emsisoft product?? And I didn't post here to "almost get" anyone. Malware Defender IS an established program and well regarded by those in the know. Fabian Wosar seems to have found the MD I mean because he's not a noob like you guys are proving to be. I didn't come to this forum to be assaulted by other posters' lack of knowledge and/or experience. I'm not sure how you ended up on the Staff as a moderator if this is how you treat all of Emsisoft's potential customers. :wacko:

Can a more responsible moderator please lock this post because I've gotten the answers to my questions thanks to Christian, Ayush, and Fabian.

Darrell
