PotentialUser

Emsisoft Not Listed by Microsoft as a Security Provider for Windows

Hello,

I hope you’re all doing well.  I’ve known about Emsisoft for a few years now.  I’ve heard good things for the most part.  I’ve used most mainstream consumer AVs on the market but never Emsisoft.  As I was going to install EAM Home Edition today for the first time, I stumbled upon this:  https://support.microsoft.com/en-us/help/18900/consumer-antivirus-software-providers-for-windows

This is a list of recognized security vendors by Microsoft.  As you can see, most mainstream AVs are listed, the usual suspects being NortonLifeLock, McAfee, Kaspersky, ESET, Avast, etc.  Some rather obscure programs are also present such as TotalAV, Carbon Black, and PC Matic.  Oddly enough, I do not see Emsisoft on the list.  If you refresh the page, the security vendors list is scrambled into a different order but the exact same AVs are listed.  Emsisoft still does not show up.

While I’m sure being listed on this page is not a necessity for being a trusted security vendor, it is odd to see a company like Emsisoft not represented.  You’ve been in business for over 15+ years, released many anti-malware tools, decryptors, and provided insight into security attacks.  You’ve been featured in articles on well-known mainstream publications such as CNN and BBC (this one is mostly about Mr. Wosar — I’m a big fan).

I’ve also noted various “tech review” sites stating Microsoft’s Windows Defender often does not turn off when Emsisoft is first installed.  Now I don’t necessarily believe these review sites on most of their statements as they usually push some vendor from whom they get a cut.  But, after seeing this statement multiple times over, coupled with Emsisoft missing from the list, I’m beginning to think this may be because Microsoft doesn’t recognize Emsisoft as an official security partner.  Or at least not as much of a partner as the vendors listed in the link above.

I’m not saying Microsoft isn’t aware of the work you’ve done and continue to do, or that you don’t show up in the Windows Security Center.  I’m sure they are aware and your software is detected by Windows.  But it’s still possible you’re not as recognized as the other vendors listed which is why Windows Defender may fail to turn off more often when Emsisoft is installed.  And in my opinion, that’s unfortunate.  Emsisoft has done, and I’m sure continues to do, great work in the cyber security space.  But issues like these make it difficult for the average consumer to be aware of your products.

If there isn’t any real obstacle preventing you from listing your brand on that webpage by Microsoft, please consider getting it done ASAP.  You may be able to direct more users to your platform, especially considering the “Learn More” button under each listed vendor that re-directs to their website.  It may be a small gesture but any exposure is good exposure.

I welcome any and all feedback from the Emsisoft team.  Thoughts?

See here

https://support.emsisoft.com/topic/32516-consumer-antivirus-software-providers-for-windows/

Also note that Emsisoft Browser Security is listed in the Microsoft store.

https://www.microsoft.com/en-gb/p/emsisoft-browser-security/9n8c87rfhdh4?activetab=pivot:overviewtab

In the many, many times I have uninstalled and re-installed Emsisoft Anti-Malware, Windows Defender has never failed to turn on and off (Windows 10) for me.

Thank you for the reply stapp.

It’s good to hear you haven’t run into any problems between Windows Defender and Emsisoft.  I’m also aware of the browser extension in the Edge Legacy store.  In fact, a new Edge-Chromium extension was also released recently by Emsisoft and is listed on the new Edge-Chromium web store.  But that doesn’t really have anything to do with the situation at hand.  Browser extensions are great but almost anyone can send in one to get approved and listed eventually.  What I’m asking about is Microsoft’s recognition of Emsisoft as a top-notch security vendor (which it already is).  I’ve also seen the older thread you’ve linked and I decided to make this post because the issue hasn’t been resolved.

If lesser-known vendors such as VIPRE, TotalAV, PCMatic, AhnLab and many others can do it, surely Emsisoft can.  Any monetary fee Microsoft charges would be, in my humble opinion, worth the trouble.  You’re being listed by Microsoft on their official support page as a security partner.  It doesn’t get much better than that.

1 hour ago, PotentialUser said:

But it’s still possible you’re not as recognized as the other vendors listed which is why Windows Defender may fail to turn off more often when Emsisoft is installed.

Being on that list has nothing to do with Windows Defender. Windows shuts that off automatically when a third-party Anti-Virus that implements a specific Microsoft API (unfortunately I don't remember the name) is installed, registered with the Security Center, and turned on. Since Emsisoft Anti-Malware (EAM) registers itself with the Windows Security Center and uses the necessary API, Windows Defender is turned off automatically when protection in EAM is on.

If Windows fails to turn off Windows Defender, then that usually means EAM's registration with the Security Center failed or is corrupted, or the option to integrate with the Security Center in EAM's advanced settings is turned off.

 

1 hour ago, PotentialUser said:

If lesser-known vendors such as VIPRE, TotalAV, PCMatic, AhnLab and many others can do it, surely Emsisoft can.  Any monetary fee Microsoft charges would be, in my humble opinion, worth the trouble.  You’re being listed by Microsoft on their official support page as a security partner.  It doesn’t get much better than that.

Unfortunately being on a list of security software providers doesn't mean much. The only thing that would allow us to stand out would be our company logo, and the actual marketing value from that would be minimal (especially with multiple free Anti-Virus products listed). The list appears to be in random order, so in theory we'd show up at the beginning every now and then, but with very little brand recognition the odds are that we'd just get overlooked for more popular solutions, or for ones that say "free" below their logo.

Thank you for the information GT500.  I remember seeing you around on the Malwarebytes forums back in the day!  I never made an account there but lurked almost daily between the years 2011 - 2016.  Didn’t realize you also work for Emsisoft; what a happy surprise.

I wasn’t aware of this API from Microsoft to have Windows recognize a security vendor and disable Windows Defender.  That’s pretty interesting.  I take it Microsoft protects access to this API so they can control which software vendors can utilize it?  Otherwise fake AVs and crapware could potentially use the API to register their software and have Windows Defender disable itself?  

And if this is true, that would mean Microsoft is aware of Emsisoft at some level otherwise they wouldn’t have granted access to their API for EAM to use?  Is all of this correct?

And I take it your response means Emsisoft has no current plans to reach out for a spot on that list?

We're working on getting our name on that vendor listing page again (we've been there for Windows 7, but the requirements have changed significantly since). Unfortunately there are lots of political hurdles to pass, but we're confident that we will be there again, sooner or later. Being on that list has no advantage for our users though, it's a simple marketing opportunity that MS offers to selected vendors. To avoid bias and preference the list re-sorts randomly with each page refresh.

To answer your question on WSC APIs: Yes, MS is aware of all AVs and they strictly limit access to those APIs to vendors that meet their (rather arbitrary and quite expensive) requirements. The chain of trust goes very deep into the Windows core though, so it can't be easily misused by fake AVs.

34 minutes ago, Christian Mairoll said:

We're working on getting our name on that vendor listing page again (we've been there for Windows 7, but the requirements have changed significantly since). Unfortunately there are lots of political hurdles to pass, but we're confident that we will be there again, sooner or later. Being on that list has no advantage for our users though, it's a simple marketing opportunity that MS offers to selected vendors. To avoid bias and preference the list re-sorts randomly with each page refresh.

To answer your question on WSC APIs: Yes, MS is aware of all AVs and they strictly limit access to those APIs to vendors that meet their (rather arbitrary and quite expensive) requirements. The chain of trust goes very deep into the Windows core though, so it can't be easily misused by fake AVs.

 


Mr Emsi himself!  It’s quite an honor to have you respond to my thread.  Thank you for the update and information.  I’m glad you take things like this seriously.  I was just reading another thread on the forums regarding the Firefox Addons page setting most extensions as “not recommended” instead of “not reviewed” which may signal negatively upon the Emsisoft Browser Security extension.  You were proactive in reaching out to Mozilla and getting them to admit to eventually changing the wording.  Definitely commendable and not something often seen by larger security vendors.

I will be purchasing EAM soon.  Excited to try your product as it is one of the few well-regarded programs I haven’t used.

I have another question on the side that you or @GT500 may be able to answer.  A user on another popular security forum (MalwareTips) stated Emsisoft does not encrypt updates (signatures, program updates, etc.) to the program:

Quote

Emsisoft downloads their signatures over plain unencrypted HTTP but we likely believe the signature database itself is signed and verified regardless of the method of transport. It does not allow an arbitrary attacker to inject false signatures and false updates into your machine.

Another user stated you do encrypt most of the communication between the program and your servers.  Which one is correct?

Link: https://malwaretips.com/threads/why-security-suites-use-an-insecure-connection.101229/

The statement on MalwareTips couldn't be further away from the facts.

Our update system was actually one of the first in our industry which implemented advanced manipulation protection, 13-14 years ago, long before SSL became common and at a time when most AVs just had plain and easy-to-manipulate file listings to get their updates.

This is how we protect the update trust chain:

1. Update files are encrypted when published, but that's mainly to protect our intellectual property, not to defend against hackers.

2. All files are hashed and named by their checksum on our servers.

3. Updates are generally delivered as differential/fragment files that only match with non-manipulated older file versions already on your computer.

4. The update API on our servers provides a list of hashes of all files of the product. The API output is digitally signed, so if it was manipulated, the software would stop the update right away.

5. The software downloads all files that have different hashes than the locally existing files. At that point, any locally made manipulations would be overwritten.

6. Downloads are through HTTPS, e.g. (https://dl.emsisoft.com/updates/CCB6E1DBF0D8220FEF38A77189CC7BB1.dat)

7. After downloading, the software verifies if the hash in the earlier provided download listing matches the actual hash of the files. If there were any manipulations in the download process, e.g. through SSL interception, the files would be rejected at that point.

8. Binary files are also digitally signed, which means if anything gets manipulated on client side, the software won't run anymore and Windows would immediately alert that it's down.

Only if a file can be guaranteed to be an original from Emsisoft is it installed. Note that the described security model doesn't even need SSL to be bullet-proof. We just added SSL because it's freely available with our hosting provider.

 

Btw. the download protocol can be viewed with tools like FiddlerTool (JSON/RAW view), so you can easily verify the above information by yourself. 

We do, however, have a Bug Bounty program. If anyone can get me a working proof that they were able to manipulate our updates, a big cash reward is waiting for them!

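The trust chain described in the post above (signed hash listing, hash-named downloads, hash check after download) can be sketched as follows. This is an added example, not Emsisoft's code: the JSON listing format, SHA-256, the file names and the toy RSA key are all assumptions made for illustration.

```python
import hashlib
import json

# Constructed demo key: textbook RSA over two Mersenne primes, no padding.
# Toy strength for illustration; a real client pins the vendor's public key
# and verifies with a vetted signature library.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, publisher side only

def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the post does not name the hash algorithm.
    return hashlib.sha256(data).hexdigest().upper()

def _as_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(listing: bytes) -> int:
    """Publisher side: sign the hash listing (step 4)."""
    return pow(_as_int(listing), D, N)

def verify(listing: bytes, sig: int) -> bool:
    """Client side: needs only the public values N and E."""
    return pow(sig, E, N) == _as_int(listing)

def apply_update(listing: bytes, sig: int, local: dict, fetch):
    """Steps 4, 5 and 7. fetch(hash) stands in for downloading a hash-named
    file (steps 2 and 6). Returns (installed, rejected) file names."""
    if not verify(listing, sig):
        raise ValueError("hash listing signature invalid, update aborted")
    installed, rejected = [], []
    for name, want in sorted(json.loads(listing).items()):
        if name in local and digest(local[name]) == want:
            continue  # step 5: files that already match are not downloaded
        body = fetch(want)
        if digest(body) == want:  # step 7: compare with the signed listing
            local[name] = body
            installed.append(name)
        else:
            rejected.append(name)  # altered in transit, never installed
    return installed, rejected

def demo():
    # Constructed sample data, not real Emsisoft files or hashes.
    files = {"engine.dll": b"engine v2", "sigs.dat": b"signatures 0415"}
    store = {digest(b): b for b in files.values()}  # server: named by hash
    listing = json.dumps({n: digest(b) for n, b in files.items()}).encode()
    sig = sign(listing)
    local = {"engine.dll": b"engine v2", "sigs.dat": b"tampered locally"}
    clean = apply_update(listing, sig, local, store.__getitem__)
    mitm = apply_update(listing, sig, {}, lambda h: b"swapped in transit")
    forged = verify(listing.replace(b"sigs", b"evil"), sig)
    return clean, mitm, forged
```

`demo()` runs three cases: a locally modified file is replaced, downloads swapped in transit are rejected by the hash check alone, and an edited listing fails signature verification. That is why the integrity argument in the post holds whether or not the transport is encrypted.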
Thank you for the in-depth response!  It definitely was a great read.  I’m thoroughly convinced I’ll be making the right choice by purchasing EAM later tonight.  The lengths you all go to, to make your software bloat-free, secure, and accessible (customer support-wise) is nothing short of remarkable.

I have also gone ahead and posted your update process in a reply on the thread in MalwareTips.  Hopefully it can dispel any misinformation and highlight how seriously Emsisoft takes security.  If you can’t see it, it’s because I’m a new user on there.  My post needs manual approval by a moderator but it should show up soon enough.
 

Thank you and @GT500 for your time.  I appreciate all the help and information — I learned quite a bit today!

9 hours ago, PotentialUser said:

Thank you and @GT500 for your time.  I appreciate all the help and information — I learned quite a bit today!

You're welcome. If you need anything else, then let us know. ;)
