Insert Real Name
Posted December 10, 2017

Is there any setting that adds the actual type of suspicious behaviour (e.g. "Code Inject" or "Direct Disk Access") in nice *black* *capitals* (not trendy grey, please!) to the toaster notification produced by the Behaviour Blocker? Often there are programs that legitimately use e.g. direct disk access to check licensing, etc., and knowing the exact type of behaviour detected will help in accepting it or blocking it immediately.

Also, should those legitimate program executable behaviours be reported as a false positive, or does the false positive classification not apply to behaviour blocker detections that are resolved by a rule allowing the behaviour?

GT500
Posted December 12, 2017

On 12/10/2017 at 2:09 PM, Insert Real Name said:
> Is there any setting that adds the actual type of suspicious behaviour (e.g. "Code Inject" or "Direct Disk Access") in nice *black* *capitals* (not trendy grey, please!) to the toaster notification produced by the Behaviour Blocker?

Currently there's no way to customize colors/fonts/etc. in the UI or notifications. If you'd like more detailed alerts rather than notifications, you can open Emsisoft Anti-Malware, click on Protection, click on Behavior Blocker in the lower of the two menus at the top, and change the setting at the bottom for Suspicious programs to Alert so that it shows full alerts and gives you a chance to decide what to do rather than automatically taking action if you don't notice what the notification is for in time.

On 12/10/2017 at 2:09 PM, Insert Real Name said:
> Also, should those legitimate program executable behaviours be reported as a false positive, or does the false positive classification not apply to behaviour blocker detections that are resolved by a rule allowing the behaviour?

We don't consider Behavior Blocker actions to be false positives, since the Behavior Blocker takes action in any case where the safety of a program can't automatically be determined.

Insert Real Name (Author)
Posted December 13, 2017

O.K., thanks very much for the explanations. I had set the Behaviour Blocker to auto-resolve, since I could always click on the toaster alert to allow/deny the Behaviour Blocker's decision, but the full Behaviour Blocker alert gives more information and more choices.

I've noticed that EAM classifies some programs using the Windows 7 standard file chooser dialogs (e.g. the latest version of DVDStyler) to be "Code Injectors". No doubt these programs may be doing that (perhaps the Windows API they use to handle file chooser dialogs is the origin), but an indication of their code injecting targets in the full alert dialog details section would be very welcome to help make a decision.

Maybe there should be a general preference choice: "Display more details in alerts"?

GT500
Posted December 14, 2017

We generally recommend taking the alerts on a "do I trust this application/publisher" basis. We don't like to give too many details about what is triggering the Behavior Blocker to make it harder for malware creators to figure out when and why alerts are triggered.