pallino

Behavior blocker - monitoring files


Fabian Wosar    421
2 hours ago, pallino said:

In general, why check for reputation if then nothing is done with it?

Because it makes sense to display the reputation in an overview screen.

2 hours ago, pallino said:

In the case above, why did BB check in "background" for reputation and, after getting the bad reputation, didn't do anything with it, neither alert nor block the malware?

It didn't. If it had, it would have blocked it. We reworked the overview screen to display processes that finished checking already immediately. That is why processes now pop up over time instead of the screen being empty for a minute and then populating all at once. Your process was simply checked as one of the first.

pallino    4

Fabian,

In the case above, BB checked for the reputation, since when I disconnected from the internet and checked the protection tab, BB showed the bad reputation.

BB didn't block it as the malware was still in memory.

Emsi firewall alerted and outbound connections were blocked.

Why did BB check but not block the file?

It seems something went wrong, or?

Thank you

Fabian Wosar    421

We do cache results. So if you ever had the file checked before, the returned verdict will be remembered, internet connection or not.

Stjepan    1

I found this topic and it is very interesting. Simply you want to say that EIS allowed a program with bad reputation to run even if it isn't doing any harmful things but it is in memory and using 40 % of CPU?! Nobody can tell with 100 % that this program is not doing any damage to the computer, and the point is that EIS MUST quarantine such things, as a few people said, ASAP. You can't say this program is not contacting their servers and EIS/BB doesn't do anything because of that, and leave the program in memory. This is ridiculous and I can't believe that one of the best companies in the security world gives such funny answers, I don't want to say something worse. Any good security program needs to protect its users by blocking and quarantining ANY harmful behaviour; the explanation that you can't submit every program to analysis because of privacy policy is really funny. As I mentioned in another topic, BB is not protecting the computer like HIPS, and in this particular case this is obvious: you can't allow a program with bad reputation to stay on the computer and in memory, simply you CAN'T. I hope that you will change how BB works in EIS and resolve this. Thank you.

Fabian Wosar    421

Using CPU is not malicious. You watching a YouTube video causes a tonne of CPU usage by Chrome. Should we auto-quarantine Chrome now? You are also missing the whole cause and effect chain here. You assume we know the file has a bad reputation right from the get-go, but we don't. The only reason we know it has that bad reputation is because you triggered a reputation check manually by looking at the list, as we do not do indiscriminate and automatic reputation lookups of all the programs you start. The only way to trigger an automatic reputation lookup is the application doing something to the system that we consider suspicious, and if that reputation check comes back as "bad", we do quarantine the file automatically.

Stjepan    1
1 hour ago, Fabian Wosar said:

Using CPU is not malicious. You watching a YouTube video causes a tonne of CPU usage by Chrome. Should we auto-quarantine Chrome now? You are also missing the whole cause and effect chain here. You assume we know the file has a bad reputation right from the get-go, but we don't. The only reason we know it has that bad reputation is because you triggered a reputation check manually by looking at the list, as we do not do indiscriminate and automatic reputation lookups of all the programs you start. The only way to trigger an automatic reputation lookup is the application doing something to the system that we consider suspicious, and if that reputation check comes back as "bad", we do quarantine the file automatically.

I understand you, but the point of a security solution is that when an unknown program starts and it has a bad reputation, it is automatically quarantined; you can't give permission to an unknown program to get into memory and do who knows what, simply you can't. When a program does something harmful and BB reacts only in this situation, then it is too late. If the point of BB is that it doesn't react until an unknown program wants to do some damage and doesn't even do an automatic lookup with the cloud or Antimalware Network, but when I manually go to the BB event log and see that a program has a bad reputation EIS didn't react at all, then BB is useless. BB and EIS must protect me if a file is bad before it enters memory, do automatic analysis and, if it is bad, block it immediately. Stories about privacy policy and more hardware and CPU consumption are at least unserious. These two things can't be an excuse for not automatically blocking files with bad reputation, not doing automatic analysis and, in the end, for giving access to memory and my potentially important things on my computer. You don't want to confess that HIPS is a better solution than BB because it works in a different way (HIPS wouldn't allow an unknown program with bad reputation to even run) and it is more secure. You need to simplify the HIPS questions and integrate it into EIS, not remove the strongest part of your program and replace it with BB. I don't argue with you and don't want to say that EIS and Emsisoft as a company are not great, but you need to solve these 2 things. Do you have plans to add a sandbox or something like that in EIS? Thank you very much, please answer me on my post about buying a license for EIS, I don't know where the problem is.

Fabian Wosar    421
2 hours ago, Stjepan said:

I understand you, but the point of a security solution is that when an unknown program starts and it has a bad reputation, it is automatically quarantined; you can't give permission to an unknown program to get into memory and do who knows what, simply you can't.

Of course we can, and we do. There are plenty of applications out there that do what you want. We simply aren't one of them then. We have no plans to report back every single application you start to our servers to check its reputation.

2 hours ago, Stjepan said:

When a program does something harmful and BB reacts only in this situation, then it is too late.

The BB intercepts the malware when it is about to do something harmful. Meaning: the BB will not let the malware do something harmful to your system. It steps in the moment it attempts to. At that time, nothing bad has happened to your system yet.

2 hours ago, Stjepan said:

BB and EIS must protect me if a file is bad before it enters memory, do automatic analysis and, if it is bad, block it immediately.

The BB can't protect you before a file enters memory and starts executing because by the very definition of the word "behaviour" the file has to exhibit behaviour that can be monitored first, which implies that it actually gets the opportunity to run.
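The decision chain Fabian describes across his replies (no lookup when a process starts, a manual overview check that only displays and caches the verdict, an automatic lookup only when a process attempts something suspicious, quarantine when that lookup comes back bad, and cached verdicts that keep working offline) replayed in a small constructed Python model. This is an added example, not Emsisoft's code; `ReputationService`, `BehaviourBlocker`, the event names, the verdict table and the placeholder hashes are all assumptions made for illustration.

```python
"""Constructed model of the behaviour-blocker decision chain discussed in the thread.
Not Emsisoft code: class names, events and the verdict table are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BAD, GOOD, UNKNOWN = "bad", "good", "unknown"

# Constructed cloud verdict table keyed by placeholder file hashes.
CLOUD_VERDICTS = {"hash-placeholder-miner": BAD, "hash-placeholder-browser": GOOD}


class ReputationService:
    """Cloud lookup with a local verdict cache; a cached verdict also answers offline."""

    def __init__(self, cloud: Dict[str, str]) -> None:
        self._cloud = cloud
        self._cache: Dict[str, str] = {}
        self.online = True
        self.network_lookups = 0            # round-trips actually made

    def reputation(self, file_hash: str) -> Optional[str]:
        if file_hash in self._cache:
            return self._cache[file_hash]   # remembered, connection or not
        if not self.online:
            return None                     # never checked before and no connection
        self.network_lookups += 1
        verdict = self._cloud.get(file_hash, UNKNOWN)
        self._cache[file_hash] = verdict
        return verdict


@dataclass
class Process:
    pid: int
    name: str
    file_hash: str
    quarantined: bool = False


class BehaviourBlocker:
    """Reputation is consulted on two occasions only: the user opening the overview
    (display and cache, no enforcement) and a monitored process attempting an
    action the blocker classes as suspicious (enforcement)."""

    def __init__(self, rep: ReputationService) -> None:
        self.rep = rep
        self.running: Dict[int, Process] = {}
        self.log: List[str] = []

    def on_process_start(self, proc: Process) -> None:
        self.running[proc.pid] = proc       # deliberately no lookup at start
        self.log.append(f"start pid={proc.pid} {proc.name}")

    def on_resource_usage(self, pid: int, cpu_percent: float) -> None:
        # High CPU is not a behaviour trigger: logged, no lookup, no action.
        self.log.append(f"cpu pid={pid} {cpu_percent}%")

    def overview(self) -> Dict[int, Optional[str]]:
        # Manual check from the overview: shows (and caches) reputation, acts on nothing.
        return {pid: self.rep.reputation(p.file_hash) for pid, p in self.running.items()}

    def on_suspicious_action(self, pid: int, action: str) -> str:
        proc = self.running[pid]
        verdict = self.rep.reputation(proc.file_hash)
        if verdict == BAD:
            proc.quarantined = True
            del self.running[pid]
            self.log.append(f"quarantine pid={pid} {proc.name} on {action}")
            return "quarantined"
        self.log.append(f"alert pid={pid} {proc.name} on {action} verdict={verdict}")
        return "alert"                      # unknown/good: rules or the user decide


def run_scenario() -> dict:
    """Replays the thread: a bad-reputation process sits in memory using CPU, the
    user opens the overview, the machine goes offline, then the process misbehaves."""
    rep = ReputationService(CLOUD_VERDICTS)
    bb = BehaviourBlocker(rep)
    miner = Process(pid=1, name="updater.exe", file_hash="hash-placeholder-miner")
    bb.on_process_start(miner)
    bb.on_resource_usage(1, 40.0)
    shown = bb.overview()                   # the first and only network round-trip
    still_running = 1 in bb.running and not miner.quarantined
    rep.online = False                      # user disconnects from the internet
    result = bb.on_suspicious_action(1, "autorun-registry-write")
    return {
        "overview": shown,
        "running_after_overview": still_running,
        "result": result,
        "network_lookups": rep.network_lookups,
        "log": bb.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

Running it shows the sequence the thread argues about: the overview reveals "bad" while the process keeps running, and the quarantine only happens on the first suspicious action, served from the cache even though the machine is offline by then.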
