pallino

Behaviour blocker -Anti-malware Network


Hello Emsi Team,

Can you please explain how exactly Emsi behaves when a file not detected as malware by signature/heuristic is executed?

1- Emsi checks the network database every time an unknown file is run: if the file is found the "info" is used, if not BB monitors the file's behavior and if suspect it alerts the user. Since not found on the Anti-malware network database the "recommended action" is the one provided by 90% of users who have allowed or blocked it (does this still apply?)

2- The network database is checked not always but only when BB flags the file as suspicious.
After that the network "info" is used if available; if not, BB will ask the user what to do.

If memory serves, Emsi uses the second approach... why can't approach 1 be used/proposed as an option to advanced users?

Thank you


Currently the Behavior Blocker doesn't check an application until it attempts to do something that could be malicious. This is done for performance reasons, as checking every application each time they launch causes delays in launching programs, and can even cause some programs to crash or behave strangely.

When our software does monitor some sort of suspicious behavior from a running application, it attempts to prevent the behavior until the safety of the application can be verified, either by our Anti-Malware Network or by the user.


GT500,

thank you. :)

- Isn't it possible to add an expert/advanced option where all files get checked the following way:

If the file is known (SHA, hash...), the recommended action is chosen (BB of course always keeps checking for suspect actions). If the file is unknown, files get first checked by the Emsisoft analysis system. I would love this and would feel way safer this way..... Do I need to wait some time before being able to run the file? I wouldn't have any problem waiting a little for way more security.

thank you


- Isn't it possible to add an expert/advanced option where all files get checked the following way:

Technically it would be possible; however, Online Armor used to have an "Advanced Mode". We found that it complicated using the software as it hid many options from users, it complicated development of the software, and it complicated support for the software.

As for the difference in security, we wouldn't have made the change to only checking the safety of a file when it performs a monitored behavior if we felt it decreased the security of our customers. ;)


I agree and understand that as it is it provides the best possible level of protection with as low a level of hassle as possible (false alarms, delays, customer queries etc.).

I would still love to know that all files (or executable/dangerous files... wsf, .js, .jve included) I run were or will be first analyzed by Emsi.. I'll immediately buy a 5 year license if I had this option! :D:)

I think not many options should be "hidden", only this one: "Do you want Emsi to upload and scan unknown files (executable) before allowing them to run?" :)

I think advanced, security oriented (some of them maybe security paranoid) users will love it too.. same for users with "important" data to be protected.

If one day you change your mind (as you did for the anti-exploit ;) ), please let me know! :)


> I think not many options should be "hidden", only this one: "Do you want Emsi to upload and scan unknown files (executable) before allowing them to run?" :)

Just to make sure that the functionality is clearly explained, we don't upload any of your files to a server online for scanning. Our Behavior Blocker will send hashes (both SHA-1 and MD5 hashes are sent) that uniquely identify the file in question to one of our servers, as well as the full path and file name. This information is used in our database for IsThisFileSafe.com (minus the path since that can include personal information), and of course supplemented by data from VirusTotal.
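To make the above concrete, here is a small added illustration (not Emsisoft's code, and the field names and the Windows path are assumptions) of what such a hash-based lookup carries off the machine and what a privacy-conscious database would retain: the SHA-1 and MD5 of the file's bytes, the file name, and the full path only in transit, dropped before storage.

```python
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class LookupRequest:
    """Fields a behaviour blocker might send to a reputation service.

    Hypothetical structure for illustration; it mirrors the thread's
    description (two hashes, full path, file name), not a real wire format.
    """
    sha1: str
    md5: str
    path: str
    name: str


def build_lookup_request(path: str, data: bytes) -> LookupRequest:
    """Hash the file contents and pair the digests with its path and name.

    `ntpath.basename` is used so Windows-style paths split correctly on any OS.
    """
    return LookupRequest(
        sha1=hashlib.sha1(data).hexdigest(),
        md5=hashlib.md5(data).hexdigest(),
        path=path,
        name=ntpath.basename(path),
    )


def record_for_database(req: LookupRequest) -> dict:
    """Return the subset safe to persist: the path is dropped because it can
    embed a user name or other personal information; hashes and name stay."""
    return {"sha1": req.sha1, "md5": req.md5, "name": req.name}


if __name__ == "__main__":
    # Constructed sample: the well-known test vector b"abc" standing in for
    # an executable's bytes, under an assumed user profile path.
    req = build_lookup_request(r"C:\Users\alice\Downloads\sample.exe", b"abc")
    print("sent:  ", req)
    print("stored:", record_for_database(req))
```

Running it shows that only the digests and bare file name survive into the stored record, which is the distinction the reply above draws between identifying a file and uploading it.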


Arthur,

Thank you for reminding us of this important quality of Emsi.

I still think that an advanced option to alert the user that the file was never seen before, with an option to upload the executable file, would be liked by many advanced users and would surely increase the Emsi database as well as the detection rate.


If you would like to check and see if a file has been seen before, then you can check our IsThisFileSafe.com website. You can search by name, MD5/SHA-1 hash, etc. There's also a link to check for a report on the file on VirusTotal.

If you want to submit a suspicious file, then you may do so at this link. This can also be done on the forums at this link if you would prefer.
