Insert Real Name

Behaviour Blocker Notifications


Is there any setting that adds the actual type of suspicious behaviour (e.g. "Code Inject" or "Direct Disk Access") in nice *black* *capitals* (not trendy grey, please!) to the toaster notification produced by the Behaviour Blocker?

Often there are programs that legitimately use e.g. direct disk access to check licensing, etc., and knowing the exact type of behaviour detected will help in accepting it or blocking it immediately.

Also, should those legitimate program executable behaviours be reported as a false positive, or does the false positive classification not apply to behaviour blocker detections that are resolved by a rule allowing the behaviour?

On 12/10/2017 at 2:09 PM, Insert Real Name said:

Is there any setting that adds the actual type of suspicious behaviour (e.g. "Code Inject" or "Direct Disk Access") in nice *black* *capitals* (not trendy grey, please!) to the toaster notification produced by the Behaviour Blocker?

Currently there's no way to customize colors/fonts/etc. in the UI or notifications. If you'd like more detailed alerts rather than notifications, you can open Emsisoft Anti-Malware, click on Protection, click on Behavior Blocker in the lower of the two menus at the top, and change the setting at the bottom for Suspicious programs to Alert so that it shows full alerts and gives you a chance to decide what to do rather than automatically taking action if you don't notice what the notification is for in time.

 

On 12/10/2017 at 2:09 PM, Insert Real Name said:

Also, should those legitimate program executable behaviours be reported as a false positive, or does the false positive classification not apply to behaviour blocker detections that are resolved by a rule allowing the behaviour?

We don't consider Behavior Blocker actions to be false positives, since the Behavior Blocker takes action in any case where the safety of a program can't automatically be determined.


O.K., thanks very much for the explanations. I had set the Behaviour Blocker to auto-resolve, since I could always click on the toaster alert to allow/deny the Behaviour Blocker's decision, but the full Behaviour Blocker alert gives more information and more choices.

I've noticed that EAM classifies some programs using the Windows 7 standard file chooser dialogs (e.g. the latest version of DVDStyler) to be "Code Injectors". No doubt these programs may be doing that (perhaps the Windows API they use to handle file chooser dialogs is the origin), but an indication of their code injecting targets in the full alert dialog details section would be very welcome to help make a decision.

Maybe there should be a general preference choice: "Display more details in alerts"?


We generally recommend taking the alerts on a "do I trust this application/publisher" basis. We don't like to give too many details about what is triggering the Behavior Blocker to make it harder for malware creators to figure out when and why alerts are triggered.
