Raynor

Feature Request: Behaviour Blocker: Do not allow skipping suspicious program warning


We are considering deploying EAM with EEC in our company in the near future.

One thing that I am really worried about is that (if I'm not mistaken) at the moment there is always
an option for users to skip the "suspicious program" alert popups of the behaviour blocker module.
In other words, users could always choose to manually allow the action taken by a suspicious program.

Why is this a problem? Well, users tend to be dumb, and clicking on "Allow" (or, as it is called starting
with EAM version 2018-02 "Wait, I think this is safe") would allow a malicious program to run and infect
our network, rendering the AV useless...

Believe me, people really do click on stuff without knowing what they're clicking. It's ridiculous but true!

We absolutely need to lock down all client PCs, with users not being given any way to manually allow suspicious program activity.

At the moment, the only two options for the behaviour blocker are "Allow" and "Auto resolve with notification".

I would kindly suggest to add a third option named something like "Always auto resolve (no allow option)" that
still shows the suspicious behaviour alert to client PC users, but provides them with no way to cancel the
auto resolve (quarantine, etc.) action.

This is the one and only issue that keeps me from being 100% certain that EAM is the best option for our network :unsure:.

If I got it all wrong, and there already is a way in EEC to configure the alert popup in the way described above,
I would like to apologize for wasting everybody's time :lol:

Thanks,
Raynor


Or would assigning "read-only" access to all normal users via EEC actually do what I described above?

After all, the popup help for that setting states:
"[...] All alerts and events are handled automatically. Read-only notifications."

So, does this setting also apply for Behaviour Blocker Alerts?

Thanks,
Raynor


Hi Raynor,

Excuse me for the delayed reply.

Quote

At the moment, the only two options for the behaviour blocker are "Allow" and "Auto resolve with notification".

Actually, since version 2018.2 there is a 3rd option in EAM and EEC: Auto resolve, notifications for threats only.
This setting suppresses the Anti-Malware lookup notification and only shows a notification when a suspicious program was moved to Quarantine.

https://blog.emsisoft.com/en/29745/new-in-2018-2-less-intrusive-smarter-notifications/

However, setting 'read-only' permissions for end-users would be my advice anyway. And yep, EAM will run in auto-pilot mode for all alerts, also for the Behavior Blocker ones.

I hope this helps.


Please note that EAM does NOT apply permissions for (local/domain) admin users.

If you want to limit admin users, you need to set a (limited) permission and set the 'Master password', which will lock the GUI completely.

On 3/18/2018 at 10:49 PM, Frank H said:

Actually, since version 2018.2 there is a 3rd option in EAM and EEC: Auto resolve, notifications for threats only.
This setting suppresses the Anti-Malware lookup notification and only shows a notification when a suspicious program was moved to Quarantine.

https://blog.emsisoft.com/en/29745/new-in-2018-2-less-intrusive-smarter-notifications/

However, setting 'read-only' permissions for end-users would be my advice anyway. And yep, EAM will run in auto-pilot mode for all alerts, also for the Behavior Blocker ones.

I have now deployed EEC+EAM in our company.

The read-only GUI setting works fine, but I really can't seem to find a way to make the behaviour blocker quarantine notifications read-only.

Example: The behaviour blocker shows an alert because a suspicious program is trying to "change firewall settings".
Users are told that the program will be quarantined after a couple of seconds, but are ALSO given the choice of clicking
"Wait, I think this is safe"/"This program seems safe" (I can't remember the exact wording).

I want to take that choice away from users, and NOT allow them to skip the behaviour blocker messages.
They are the last line of defence, and I can guarantee that some users WILL allow new viruses to run by clicking "this is safe".

So, please let me ask again: Is there any way to make the behaviour blocker prompts read-only without the option of skipping
them? I want them to work just as the normal "malware found" prompts (i.e. quarantining the program with no way around it).

If there is no way, please let me kindly suggest again that an option to make these prompts read-only be added.

Thanks and all the best
Raynor

6 hours ago, Raynor said:

I have now deployed EEC+EAM in our company.

Thanks !

I've just tested this and when you set permissions to 'Read-only', EAM will run in auto-pilot mode for regular user accounts and the [OK] and [Wait, I think this is safe] options should be hidden.

Which is not the case. I will file a bugreport and we will fix this.

Thanks for catching.


Thanks!

By the way: The Surf Protection messages are also NOT read-only!
("always block" and "don't block" can be selected by the user)


Best regards,
Raynor


The issue has been fixed in the upcoming EAM 2018.7 release.

Regarding this:

Quote

By the way: The Surf Protection messages are also NOT read-only!
("always block" and "don't block" can be selected by the user)

I have just tested this in EAM 2018.6 (stable) and I do not see those 2 options when I visit a site that sits on our blocklist, i.e. malwaretest.emsisoft.com

I was logged in as a standard windows user and had 'read-only' permissions in EAM.

On 7/26/2018 at 10:39 PM, Frank H said:

The issue has been fixed in the upcoming EAM 2018.7 release.

Regarding this:

I have just tested this in EAM 2018.6 (stable) and I do not see those 2 options when I visit a site that sits on our blocklist, i.e. malwaretest.emsisoft.com

I was logged in as a standard windows user and had 'read-only' permissions in EAM.

Thanks for fixing!

About the second issue:

I saw these two options logged in as a local admin user with read-only permissions :)

By the way: Is there any behaviour blocker test file/exe available, similar to the EICAR AV test file?


I think @GT500 has a bat file that attempts to elevate itself to run under Admin auth, and I think that causes a BB alert.  I've also had some VBS scripts that use a windows api call to execute something else cause alerts, but I don't know if the latter always does.
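
Added example, not from the thread and not an Emsisoft-provided test file: a small PowerShell probe that does the two things the thread describes as typical behaviour-blocker triggers, self-elevating via UAC (the "bat file that attempts to elevate itself" above) and then making a reversible "change firewall settings" action (the alert Raynor quotes earlier). Whether EAM's behaviour blocker actually alerts on it is an assumption to be verified, not a documented guarantee; the rule name is hypothetical, and it should only be run on a disposable test VM, since it really does add (and then remove) a firewall rule.

```powershell
# Behaviour-blocker probe (added example, not part of the original thread).
# 1. If not elevated, relaunch itself with the RunAs verb (UAC prompt).
# 2. Once elevated, add a disabled, harmless inbound firewall rule, check
#    whether it exists, then remove it again.
# Assumption: an unsigned script elevating and touching the firewall is the
# kind of action a behaviour blocker objects to. Verify on a lab VM first.

$ruleName = 'BB-probe-remove-me'   # hypothetical name, chosen for this example only

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Self-elevation: start a second powershell.exe running this same file
    # with the RunAs verb, then exit the non-elevated instance.
    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"")
    Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs
    exit
}

Write-Host "Running elevated as $([Environment]::UserName); adding firewall rule '$ruleName'"
try {
    # Disabled rule pointing at a non-existent program: it changes firewall
    # configuration (the behaviour under test) without blocking real traffic.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Program 'C:\this\path\does\not\exist.exe' -Enabled False | Out-Null

    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($rule) { Write-Host 'Firewall rule created: the change was NOT prevented.' }
    else       { Write-Host 'Firewall rule absent: the change was prevented or undone.' }
}
catch {
    # A behaviour blocker that terminates or sandboxes the script typically
    # surfaces here as an access-denied or generic failure.
    Write-Host "Firewall change failed: $($_.Exception.Message)"
}
finally {
    # Always clean up, whatever happened above.
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
}
Read-Host 'Press Enter to close'
```

Run it from a standard (non-admin) Windows account with the EAM permission level you intend to deploy, so the UAC prompt, the behaviour-blocker alert (if any) and the "Wait, I think this is safe" button are all exercised exactly as an end user would see them. If the rule is reported as created, the script was not stopped; check whether an alert appeared and whether the user could have dismissed it.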
