pallino

Behavior blocker - monitoring files

58 posts in this topic

Hello Emsisoft Team,

Some days ago, under the protection tab, I saw that the Emsi behavior blocker was monitoring 2 files; these files had a "bad reputation".

Why doesn't Emsi BB alert and recommend quarantining these files that were active in memory, since they have a bad reputation (and in fact they were malware), as it does when suspicious activity is detected?

 

thank you

 


Alerts are only displayed when potentially malicious behavior is detected, and only if the application is unknown (or at least if it doesn't have a good enough or bad enough reputation for an automatic decision to be made). If an application exhibits no malicious behavior, then it isn't doing anything harmful or dangerous. Also, if an application is known to be bad, then it should be automatically blocked and/or quarantined (assuming the settings haven't been changed).

Also note that applications that are running before Emsisoft Internet Security's protection starts may not be acted on by the Behavior Blocker, however I will have to verify that to be certain.

It might be a good idea to find out what these applications are that you are seeing. There are ways of getting more information when you right-click on an item in the Behavior Blocker list. Unfortunately I can't verify what options are in the menu at the moment (I apologize for that), so if there is an option to look the application up on VirusTotal or on our Anti-Malware Network website (IsThisFileSafe.com) then those would be the best options, since you can post the link to the reports here for me to review.


Hello Arthur,

thank you.

In my case I was testing Emsi IS with default settings with all components updated and active. It was malware. I started it and didn't get any alerts from Emsi. I checked under the protection tab and saw that BB was checking the reputation. After some time it showed "bad reputation" but it neither blocked nor alerted me, even though the malware was in memory and active (>40% CPU).

Since there was a bad reputation, BB should have alerted and recommended quarantining it, right? ...or only if the bad reputation was "bad enough"?

What does "bad reputation" mean? The file was already seen and analyzed by Emsisoft but no signature is available yet?

Similar to this is the firewall that blocks connections to a known malware site... it correctly blocks the connection and asks what to do; why does Emsi not also recommend quarantining the program that tried to connect (unless it's a known browser)?

 

thank you
9 hours ago, pallino said:

Since there was a bad reputation, BB should have alerted and recommended quarantining it, right? ...or only if the bad reputation was "bad enough"?

No, it would only do that if the program performed a behavior that the BB monitors for. If it does nothing that our BB monitors for, then no alerts would be shown.

As for reputation, if it is good enough then an automatic decision would be made, and if it is bad enough then an automatic decision would be made, and alerts would only be displayed for everything in between (where reputations are somewhere in between good and bad, based partially on the percentage of users who allow/block it, and supplemented with data from sources such as VirusTotal).

 

9 hours ago, pallino said:

What does "bad reputation" mean? The file was already seen and analyzed by Emsisoft but no signature is available yet?

The reputation is generally based upon whether users decide to allow or block an application. It can be supplemented with data from other sources as well, such as VirusTotal, and of course our malware analysts can whitelist or blacklist things (although if they were to blacklist something, they'd be more likely to add a signature to our database to have the File Guard delete it).

 

9 hours ago, pallino said:

...why does Emsi not also recommend to quarantine the program that tried to connect (unless it's a known browser)?

The vast majority of the time, a program connecting to a malicious site is not actually malware. Aside from that, the Surf Protection is intended to prevent malicious files from being downloaded rather than try to stop an infection that is already on the system. It's not intended for cleaning up an infection, even if it can potentially be helpful in preventing malware from communicating with "command and control" servers or sending data back to its creators.

Also, keep in mind that if malware is trying to send data while running in the background, it would trigger the Behavior Blocker and either an alert would be displayed or it would be automatically blocked and/or quarantined.


I just had another case.

https://www.virustotal.com/en/file/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7/analysis/

Malware starts and stays in memory with high CPU usage (>40%).

No alerts from Emsi IS, but under protection, BB tab, I see it is being monitored and also that the file has "bad reputation".

This time I selected the file and checked online. On isthisfilesafe.com it showed:

status: not trusted

Infection details & removal: this file is infected!

Why didn't the behavior blocker alert me and/or quarantine it since it has "bad reputation" + it is "not trusted" + "this file is infected"?

If a thief (the malware) with bad intentions is getting into my home (my PC), I don't wait to react till he/she does something bad, I kick him/her out asap... shouldn't Emsi BB do the same?

thank you for checking this issue. ;)

1.JPG

2.JPG
15 hours ago, pallino said:

Why didn't the behavior blocker alert me and/or quarantine it since it has "bad reputation" + it is "not trusted" + "this file is infected"?

Have you changed any of the Privacy settings in EIS?

eam_privacy_settings_amn.png
In this case EIS is supposed to automatically quarantine the threat, since it has a bad reputation on our Anti-Malware Network. Have you checked your Behavior Blocker logs to verify whether or not EIS has taken any action against the file in question?


I didn't change any settings.

Emsi didn't do anything, just BB was monitoring the file...Nothing in the log.

Malware was in memory, active with CPU >40% in process explorer


Today I had 2 new cases.

As for all cases before, Emsi IS 12 is on default settings, updated, and has been active for a long time.

BB monitors files with a bad reputation but doesn't block them nor alert the user.

https://www.hybrid-analysis.com/sample/95170338ff95db78f6dd38f2a2d1d4cdf3123621f60686f47fddeb21896c3994?environmentId=100

In this case BB worked slowly but it did what we expected it to do.

It monitored the file, checked reputation, found that the file had a bad reputation and after some time it quarantined it.

The 2 malware samples below were monitored but not blocked, nor was the user alerted, even though these files have a bad reputation and are not trusted + infected on isthisfilesafe.com.

Nothing happened in the next 2 hours: both still in memory, high CPU, nothing from Emsi.

https://www.hybrid-analysis.com/sample/6692c2d08f94faa2e073981897465ff380fd4a6422d41f3b14fe5542da86d87e?environmentId=100
https://www.hybrid-analysis.com/sample/93890608a8e2f39564a1f72262ef002cdf32d574d1946b412934c4f9e2986d73?environmentId=100

Same as with the one below from the day before yesterday.

https://www.virustotal.com/en/file/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7/analysis/

Update: After 2.5 hours of monitoring the file, BB quarantined the proforma_invoice.bat file (now it can be seen under the BB log tab).

The other file is still monitored.

Can you please check why?

 

thank you

proforma.PNG

emsi settings.PNG

urgent.PNG

Edited by pallino
update after 2.5 hours with new infos

Edit: Our developers have told me that debug logs are not needed in this case. See below.

Let's get some debug logs for this issue:

  1. Open Emsisoft Internet Security from the icon on your desktop.
  2. In the 4 little gray boxes at the bottom, move your mouse into the one that says Support, and click anywhere in that gray box.
  3. At the bottom, turn on the option that says Enable advanced debug logging.
  4. Either click on Overview in the menu at the top, or close the Emsisoft Internet Security window.
  5. Reproduce the issue you are having with known-bad applications running without the Behavior Blocker taking action.
  6. Once you have reproduced the issue, open Emsisoft Internet Security again, and click on the gray box for Support again.
  7. Click on the button that says Send an email.
  8. Select the logs in the left that show today's dates.
  9. Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
  10. If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
  11. Click on Send now at the bottom once you are ready to send the logs.

Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

Please note that if you have a lot of debug logs, then you should not send all of them. There is a size limit, and currently there is no error if the message is rejected due to the size being too large. Normally we only need one copy of the 4 or 5 different logs that have been saved after the time you reproduced the issue (the list shows what time each log was saved). Those logs have the following names:

  • Security Center
  • Protection Service
  • Real-Time Protection
  • Firewall
  • Logs database (contains the logs you can view in Emsisoft Internet Security by clicking on Logs at the top of the window).

One of our developers let me know that this is expected behavior. The applications in question simply aren't doing anything that would cause them to be quarantined. They are almost certainly stuck trying to contact a C&C server that no longer exists, and thus they never actually do anything.


Thank you for asking the developers.

I think it's still very weird.

- if the files have "bad reputation" + are not trusted + infected, they should be quarantined.

Anyway, even if they are still trying to connect and really cannot, why keep them in memory since they are malware????

Please consider that one of them got quarantined in the end, but only after 2.5 hours.

Last, 5 cases in 3 days? All could not connect and all were really not harmful?

Below are the first 2 files I didn't provide the link for before.

https://www.hybrid-analysis.com/sample/997014f7acea58298a7cbd2e018122806926331bfb4510978328bc119a111a96?environmentId=100
https://www.hybrid-analysis.com/sample/89f3967e149178dc830219d44e362597e38d7a9a8994465eeac660b62a7ef0bb?environmentId=100

And the hybrid-analysis report of the one I found on the 31st.

https://www.hybrid-analysis.com/sample/af604014c4d43a4e8c3500345c74476fed37a8f75a86e0b4017c85035f9819b7?environmentId=100
15 hours ago, pallino said:

Last, 5 cases in 3 days? All could not connect and all were really not harmful?

It's not that they weren't harmful, it's that they weren't doing anything potentially malicious while they were running on your computer. If they had attempted to perform any action that our Behavior Blocker monitors for, then they would have been quarantined immediately.


OK, but I still think that since all are known to be malware (Emsi cloud) they shouldn't be kept in memory but quarantined.

Any chance of a new setting to allow BB to alert and then recommend quarantining this kind of malware?

Thank you

Unfortunately more aggressive checking of running applications causes performance problems. We were forced to scale back lookups to verify the safety of running applications to only when they exhibit some sort of potentially malicious behavior and when someone manually checks the Behavior Blocker list. Right now the Behavior Blocker only takes action when a program attempts to perform some sort of potentially malicious behavior, which is why you see them in the list marked as bad but no action is taken against them.


> Unfortunately more aggressive checking of running applications causes performance problems.

That surely depends on the capability of the user's computer? Wouldn't it be better if more aggressive checking was something that people could turn on if they're willing to take the performance hit - which in any case might not even be noticeable on some systems.

5 hours ago, JeremyNicoll said:

> Unfortunately more aggressive checking of running applications causes performance problems.

That surely depends on the capability of the user's computer? Wouldn't it be better if more aggressive checking was something that people could turn on if they're willing to take the performance hit - which in any case might not even be noticeable on some systems.

I completely agree. I also don't see "savings" in internet usage since BB/Emsi in all 5 cases above already connected to the cloud and verified the files... CPU, Emsi and Internet were already used.

I don't understand why after this check, when a file is marked as bad/infected on the cloud BB cannot immediately quarantine the files.

Keeping something malicious that wants to do bad things in memory does not make any sense.


As mentioned before: It is working as intended. Doing what you ask would require us to send hashes of every single application you ever start to our server for checking. We won't do that, as it is highly invasive to your privacy. We most likely will never do that.


Fabian,

Why does your BB check the reputation of a file with your cloud (so the hash is generated anyway), find out it has a bad reputation (is not trusted/is infected on your cloud) and then do nothing with it?

It does not make any sense:

- the work was already done (hash, CPU usage, upload of hash, reputation scan etc.)

- Why keep malware in memory???

In all these cases the BB checked for the reputation on its own!

A while back, Arthur said: They are almost certainly stuck trying to contact a C&C server that no longer exists

So what does that mean? Does malware typically use DNS to find the IP address of such a server, or are the addresses hard-coded? Does "trying to contact" mean that the malware is sending something (a request for instructions?) but no server ever receives it? If that's so, how does EIS distinguish between that something being sent, and any private information (e.g. machine configuration?) being sent? I wouldn't want any malware doing anything at all on my machine.


Because you force the BB to do the reputation check by going to the list. The BB does not do a reputation check before then and naturally doesn't know what is and isn't bad because the reputation check is only triggered on observing a malicious behaviour. Obviously, we could add that it asks you to quarantine then. But that is not what you want. You want us to check the reputation of every application you start indiscriminately and quarantine automatically, which is something we won't do for privacy reasons. Because then we would know at any time exactly what applications you are running. You may be fine with that, but a tonne of other people would not.

2 minutes ago, JeremyNicoll said:

A while back, Arthur said: They are almost certainly stuck trying to contact a C&C server that no longer exists

So what does that mean? Does malware typically use DNS to find the IP address of such a server, or are the addresses hard-coded? Does "trying to contact" mean that the malware is sending something (a request for instructions?) but no server ever receives it? If that's so, how does EIS distinguish between that something being sent, and any private information (e.g. machine configuration?) being sent? I wouldn't want any malware doing anything at all on my machine.

Most common case: They use a DGA to generate domain names, then try to resolve those names. If they don't find a name that resolves or if all the names are blocked by surf protection, they will never do anything that the BB could flag.


Fabian: > they use a DGA to generate domain names, then try to resolve those names.

Isn't a whole series of DNS lookups itself an indication that some app is attempting something that might be iffy? Clearly good apps do that too - but more common apps doing so, e.g. a browser, are going to be on the trusted apps list.

A ton of applications do excessive DNS lookups. Your graphics card driver for example if you are a NVIDIA user. For some reason they think it's a good idea to resolve LOCALHOST several hundred times per second on some systems. So no, the number of DNS requests definitely isn't a good indicator for maliciousness.

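Fabian's two points above (a dormant sample resolves distinct generated names that never exist, while some benign software resolves one existing name hundreds of times) say what a DNS-side heuristic would have to look at. The following is an added illustration, not Emsisoft code: a small Python classifier run over constructed DNS log lines, comparing the raw-count rule proposed in the thread against a rule that scores the failure rate and diversity of the names queried. The log format and the process names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed DNS log lines of the form "<seconds> <process> <query name> <rcode>".
# The log format and process names are assumptions for this example.
# nvidia_helper.exe stands in for the noisy-but-benign case from the post
# (resolving localhost hundreds of times), browser.exe for an ordinary user
# application, and sample.exe for the dormant case: distinct names that were
# never registered, so every lookup comes back NXDOMAIN.
_LIVE_NAMES = [
    "example.com", "www.example.com", "cdn.example.net", "static.example.org",
    "login.example.com", "api.example.net", "img.example.org", "mail.example.com",
    "docs.example.net", "news.example.org",
]
_DEAD_NAMES = [  # constructed gibberish labels, not real domains
    "qkzvwmpldxa.net", "hbtrjeocqns.com", "zpmvwkqlfyt.org", "xudnrgbwvoc.net",
    "lcqyhtzmkep.com", "wvbfjsdqnxa.org", "rtokgmzhucy.net", "ydfpxvblqwn.com",
    "mgcszjpkvet.org", "uhwnqlrdyxb.net", "epkvtamcgos.com", "ozjlwyfqhnd.org",
]


def build_sample_log():
    """Return the constructed log as a list of text lines."""
    lines = [f"{i} nvidia_helper.exe localhost NOERROR" for i in range(300)]
    lines += [f"{i} browser.exe {n} NOERROR" for i, n in enumerate(_LIVE_NAMES)]
    # A dormant sample typically retries slowly; one failed name per minute here.
    lines += [f"{i * 60} sample.exe {n} NXDOMAIN" for i, n in enumerate(_DEAD_NAMES)]
    return lines


def parse_line(line):
    """Split one log line into (seconds, process, name, rcode); reject malformed input."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed DNS log line: {line!r}")
    seconds, proc, name, rcode = parts
    return int(seconds), proc, name.lower(), rcode.upper()


def summarise(lines):
    """Per-process counters: total queries, distinct names, NXDOMAIN answers."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0})
    for line in lines:
        _, proc, name, rcode = parse_line(line)
        entry = stats[proc]
        entry["queries"] += 1
        entry["names"].add(name)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return stats


def flag_by_query_count(stats, threshold=100):
    """The rule proposed in the thread: lots of lookups means suspicious.
    It flags the chatty driver helper and misses the sample, which queries slowly."""
    return sorted(p for p, e in stats.items() if e["queries"] >= threshold)


def flag_by_failed_diversity(stats, min_queries=10, min_nx_ratio=0.8, min_distinct_ratio=0.8):
    """Score the shape of the lookups instead of their number: many *distinct*
    names that mostly fail to resolve.  Resolving one existing name (localhost)
    over and over scores 0 on both ratios, however often it happens."""
    flagged = []
    for proc, e in stats.items():
        if e["queries"] < min_queries:
            continue
        nx_ratio = e["nxdomain"] / e["queries"]
        distinct_ratio = len(e["names"]) / e["queries"]
        if nx_ratio >= min_nx_ratio and distinct_ratio >= min_distinct_ratio:
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarise(build_sample_log())
    print("count rule flags:    ", flag_by_query_count(s))       # ['nvidia_helper.exe']
    print("diversity rule flags:", flag_by_failed_diversity(s))  # ['sample.exe']
```

Even the second rule is only a reason to run a reputation lookup, in the sense the thread describes, not grounds for quarantine on its own: a legitimate program probing a list of stale hostnames would score exactly the same.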

> A ton of applications do excessive DNS lookups. ...

But wouldn't an NVIDIA driver be signed & therefore trusted?


It's their shitty user application that does it. And no, NVIDIA doesn't sign all their components. That's why you get that autostart alert during every update. Because the component that does that isn't signed for example.


Even if NVIDIA might not take much notice of Emsisoft complaining about that, isn't there any kind of AV-vendor consortium that could pressure huge companies to sign their stuff?  It must be a pain to you all.

On 2/5/2017 at 11:22 AM, Fabian Wosar said:

Because you force the BB to do the reputation check by going to the list. The BB does not do a reputation check before then and naturally doesn't know what is and isn't bad because the reputation check is only triggered on observing a malicious behaviour. Obviously, we could add that it asks you to quarantine then. But that is not what you want. You want us to check the reputation of every application you start indiscriminately and quarantine automatically, which is something we won't do for privacy reasons. Because then we would know at any time exactly what applications you are running. You may be fine with that, but a tonne of other people would not.

I didn't ask to check all files.

This time I provided 5 links to files that triggered a BB reputation check.

The reputation was bad and on isthisfilesafe.com it stated all 5 were not trusted and infected.

All were active in memory for more than 1 hour, 40+ CPU usage.

No alerts from BB; it monitored the files but didn't alert nor block them.

Because of this I asked you to check why BB didn't block them since they are bad and malicious.

Again, it doesn't make any sense to keep known malware in memory, even less after you checked your cloud and know they are bad/infected.

13 hours ago, pallino said:

This time I provided 5 links to files that triggered a BB reputation check.


They don't trigger a reputation check. You trigger it manually. If those files had triggered it, they would have been quarantined.

13 hours ago, pallino said:

The reputation was bad and on isthisfilesafe.com it stated all 5 were not trusted and infected.

All were active in memory for more than 1 hour, 40+ CPU usage.


Neither of which qualifies as malicious behaviour warranting an automatic cloud check and quarantining them.

13 hours ago, pallino said:

No alerts from BB; it monitored the files but didn't alert nor block them.

 

Yes, simply because they didn't do anything malicious yet.

13 hours ago, pallino said:

Because of this I asked you to check why BB didn't block them since they are bad and malicious.


They are no longer functional because their C2 servers have been taken down.

13 hours ago, pallino said:

Again, it doesn't make any sense to keep known malware in memory, even less after you checked your cloud and know they are bad/infected.

We don't know they are malware yet. To do that, we would have to look up every process indiscriminately via the cloud, which is something we don't want to do.


I didn't trigger any reputation check at all.

I just saw that BB didn't alert nor quarantine, and saw under the BB protection tab that it was monitoring them and for 2 it was checking the reputation at that exact moment.

Then I checked online to see what the cloud said.

So again, since BB already checked the reputation on its own and it was bad, why keep malware in memory?

2- it's confusing now: when should BB quarantine malware? Only after a bad enough action, or also after checking the reputation and getting a bad reputation for the file?
8 minutes ago, pallino said:

I didn't trigger any reputation check at all.

I just saw that BB didn't alert nor quarantine, and saw under the BB protection tab that it was monitoring them and for 2 it was checking the reputation at that exact moment.


Which triggers the reputation check. ;)

Quote

2- it's confusing now: when should BB quarantine malware? Only after a bad enough action, or also after checking the reputation and getting a bad reputation for the file?

 

Reputation is checked in exactly two situations:

You go to the BB overview, which queries the running processes, or an application shows malicious behaviour, which triggers a cloud lookup as well. Only in the latter case is there an auto-quarantine.


As far as I understand what pallino is saying, having gone to the BB overview which forced a reputation check, none of the items thus identified as malicious were then quarantined. Yes, ok, maybe they weren't at that moment doing anything actively malicious... but if you're not going to act on the bad reputations then, what's the point? No-one wants unnecessary programs running, especially if they are using lots of CPU - it's going to be wasting power, generating heat etc. if nothing else. Would it be so hard for the BB to ask the user whether such things should be quarantined then? And, if they are actually executing, terminate them?


Thank you, I learned something new.

If users check the BB protection tab, it triggers a reputation check (great feature, but few people know it).

Now, if the reputation is bad, why don't you quarantine the malware? ...Because it is still not doing bad (enough) things? ...Why wait?
9 minutes ago, pallino said:

Now, if the reputation is bad, why don't you quarantine the malware? ...Because it is still not doing bad (enough) things? ...Why wait?


We could. But what good would such a function be? It would only be enabled if you have the screen open. That is why it makes no sense. What would make sense is to just check every process in the background permanently, but that is too big of an invasion of privacy for us to do.

15 minutes ago, JeremyNicoll said:

As far as I understand what pallino is saying, having gone to the BB overview which forced a reputation check, none of the items thus identified as malicious were then quarantined.


It's a purely informational screen. There isn't supposed to be functionality in there. The purpose is for the user to look up the status of the running processes.

15 minutes ago, JeremyNicoll said:

Yes, ok, maybe they weren't at that moment doing anything actively malicious... but if you're not going to act on the bad reputations then, what's the point? No-one wants unnecessary programs running, especially if they are using lots of CPU - it's going to be wasting power, generating heat etc. if nothing else. Would it be so hard for the BB to ask the user whether such things should be quarantined then? And, if they are actually executing, terminate them?

 

We aren't Emsisoft Anti-CPU Hog. CPU usage is not a malicious behaviour. If we quarantined your video encoder or your browser while watching an 8k video on YouTube you wouldn't be happy either.

38 minutes ago, Fabian Wosar said:

We could. But what good would such a function be? It would only be enabled if you have the screen open. That is why it makes no sense. What would make sense is to just check every process in the background permanently, but that is too big of an invasion of privacy for us to do.

Why do you need the screen open?

Even if the screen needs to be open, since the user triggered a reputation scan by opening the BB protection tab:

- the screen might still be open, or you could keep it open till the reputation check is done (and inform the user about this)

- the user got suspicious and wanted to check the file, and expects Emsisoft to take the best action: alert + quarantine the malware.

Since the work was already done and malware is in memory, I think most Emsi users would like an easy automated action from Emsisoft, an alert window that informs them the file was quarantined because it is malware.

Keeping something malicious in memory is kind of just playing with fire...

3 minutes ago, pallino said:

Why do you need the screen open?

 

To trigger the scan.

3 minutes ago, pallino said:

Since the work was already done and malware is in memory, I think most Emsi users would like an easy automated action from Emsisoft, an alert window that informs them the file was quarantined because it is malware.


I think we can argue about adding a way to quarantine selected processes from that screen. However, it is unlikely that we would do automatic quarantine in that particular case, because it would legitimately add nothing to the user's protection. Because they would have to have the screen open permanently for that, to trigger constant reputation checks of all processes.


Good news then... I think if the scan was triggered and a bad reputation was detected, the malware should be quarantined.

I really think nobody would like to have malware (active or not) in memory... no matter if it is just not doing any monitored bad stuff or not.


What does it mean when BB in the protection tab classifies a program as having a "bad reputation" but online, on isthisfilesafe, the file is unknown?

How is this possible?

Just to be sure:

Emsi anti-malware network = isthisfilesafe = list of programs already scanned by Emsi with special algorithms to detect if malicious + user database of the most used action after being alerted by BB?

File reputation = determined according to Emsi anti-malware network = isthisfilesafe?

Thank you


Hello Arthur,

Can you please check the question above?

Thank you
11 hours ago, pallino said:

Can you please check the question above?

I'll ask our developers, and see if they have an answer for you. ;)


The answer is essentially that not everything in the Anti-Malware Network is listed on IsThisFileSafe.com. Basically files are only listed if we have a complete set of information on them (file name, hashes, file details, etc).

4 hours ago, GT500 said:

The answer is essentially that not everything in the Anti-Malware Network is listed on IsThisFileSafe.com. Basically files are only listed if we have a complete set of information on them (file name, hashes, file details, etc).

Hello Arthur,

Thank you


You're welcome. ;)


Fabian, Arthur,

- When does BB monitor a file? What triggers the BB monitoring?

What happens when BB monitors a file vs when it doesn't? If it doesn't, and the file does something bad, BB won't detect it if it is not monitoring it?

- When in the BB log we see that a rule was added for a program that is running in memory, what does this mean? Will BB still monitor it or alert if something suspicious happens because of the program?

Today I saw malware that was in memory, no CPU usage... I disconnected the PC from the internet, then I checked the BB protection tab. The file had a bad reputation, so BB had already checked before I opened the tab.

Apparently BB checks for reputation on the cloud not only when the user checks the BB protection tab, is this correct?

Since it knew the file was bad, I really don't understand why you want to keep it in memory and on the HD.

I really hope you will change this.

Thank you

@Fabian Wosar may have to answer at least some of this. He's the real expert on our Behavior Blocker. ;)

I'll go ahead and answer what I can.

 

6 hours ago, pallino said:

when in the BB log we see that a rule was added for a program that is running in memory, what does this mean?

An Application Rule was created for the file. You can check these rules manually by opening EIS and clicking on Protection.

 

6 hours ago, pallino said:

Will BB still monitor it or alert if something suspicious happens because of the program?

That depends on the rule that was created. If the rule allows all behavior, then the program is considered "Trusted", and the Behavior Blocker will automatically allow anything that it does. If the rule was only for certain behavior, then any behavior not explicitly allowed or blocked by the rule will cause EIS to check the safety of the application again.

 

6 hours ago, pallino said:

Apparently BB checks for reputation on the cloud not only when the user checks the BB protection tab, is this correct?

Yes. There are two times when the reputation is checked:

  • When a program exhibits a behavior that the BB monitors for (what I would call a "potentially malicious behavior"), its reputation is checked to verify its safety.
  • When a user opens the Behavior Blocker list in EIS, the reputation of any unknown programs will be checked.

 

6 hours ago, pallino said:

Since it knew the file was bad, I really don't understand why you want to keep it in memory and on the HD.

If it had been determined to be bad automatically because it exhibited some sort of potentially malicious behavior, then it would have been acted upon automatically. The only reason why it wouldn't have been acted upon automatically in the scenario I just mentioned is if there was a rule explicitly allowing the program.

10 hours ago, pallino said:

- When does BB monitor a file? What triggers the BB monitoring?

 

All applications running within the user context are being monitored by default. So as long as a user started it or a process that the user started started it, it is being monitored.

10 hours ago, pallino said:

What happens when BB monitors a file vs when it doesn't? If it doesn't and the file does something bad BB won't detect it if it is not monitoring it?

 

When a process isn't being monitored, the process doesn't exist for the BB. No data is being gathered or processed for said process. Therefore, nothing will be detected by the BB.


Fabian, Arthur,

Thank you!

Since in this case the sample was in memory, BB under protection tab showed it looked for its reputation and it was bad, why didn't it alert me and block it?

Normally I see a window where Emsisoft tells me a suspicious activity was detected and Emsi is checking the cloud.

This time nothing popped up... Did BB miss it?

Last question... When the Emsi firewall alerts the user about outbound connections on unusual ports and the user chooses to block all connections, why doesn't the BB also ask the user if they want to quarantine/kill the process?

Can you add this rule to help users kill/quarantine bad processes?

Btw, the file Emsi BB left in memory even with a bad reputation is

https://www.hybrid-analysis.com/sample/adcbe27a828b0e47b43153ac66252b15466afa75dd83208d63a60f6849c6ce90?environmentId=100
1 hour ago, pallino said:

Since in this case the sample was in memory, BB under protection tab showed it looked for its reputation and it was bad, why didn't it alert me and block it?


Many different reasons. Most likely: It didn't do anything malicious because your system didn't meet the requirements or it was unable to talk to its C2 server.

Quote

This time nothing popped up... Did BB miss it?

 

Not necessarily.

Quote

Last question... When the Emsi firewall alerts the user about outbound connections on unusual ports and the user chooses to block all connections, why doesn't the BB also ask the user if they want to quarantine/kill the process?


We will discuss it internally.

I'm happy you liked the idea. 😊

 

In general, why check for reputation if then nothing is done with it?

In the case above, why did BB check in the "background" for reputation and, after getting the bad reputation, didn't do anything with it, neither alert nor block the malware?

I hope you also discuss internally allowing BB to block malware whenever a bad reputation is found. 😉
