N0Heart

Emsisoft Conflict with Games


Hey guys! Hope this is the right place for this; if not, I do apologize and will remove. Recently been running into an issue with Emsisoft silently blocking games from starting up. Launch the game, it comes up with a splash screen, then it just goes away and the game doesn't start. But when I turn Emsisoft off, the game launches fine. I'm not getting any notifications that anything is suspicious or being blocked. Have had this happen on Star Wars Squadrons & Assassins Creed Valhalla most recently. I'm a little baffled and can't figure out what is blocking them. Please help.


Unfortunately most game developers and publishers don't bother digitally signing their executable files, so it's difficult for Anti-Virus software to determine that the files are trustworthy when they execute and perform certain behaviors (such as direct access to input devices like the mouse and keyboard). This issue works itself out over time as information about a specific file appears in certain cloud databases or as files are whitelisted, however as soon as those files change (such as when an update for a game is installed) that breaks all forms of whitelisting and the issue starts again.

The easiest solution to this is just to add an exclusion for the folders the games are installed in. Here are a few examples of those folders:

Steam:

  • C:\Program Files (x86)\Steam\steamapps\common\


Uplay/Ubisoft Connect:

  • C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\


Origin:

  • C:\Program Files (x86)\Origin Games\


Here are instructions on excluding a folder from monitoring:

  1. Open Emsisoft Anti-Malware.
  2. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
  3. Click on Exclusions in the menu at the top.
  4. The exclusions section contains two lists (Exclude from scanning and Exclude from monitoring). Look for the box right under where it says Exclude from monitoring.
  5. Scroll down to the box under Exclude from monitoring and click the Add folder button right below that box.
  6. Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
  7. Close Emsisoft Anti-Malware.

Note: If a program is still running when you exclude its folder, then you will need to close it and reopen it for the exclusion to fully take effect. In some cases you will need to restart your computer before this will happen.

Also note that if you have a game that is crashing and you want to make sure it isn't reacting badly to hooks from Emsisoft Anti-Malware, you will also need to exclude it from scanning. Some games do respond badly to hooks from third-party applications, and may crash or have performance issues.
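The post above ties the blocking to unsigned executables and suggests excluding whole launcher folders. As an added example (not part of the original posts and not Emsisoft's code), this PowerShell inventory lists the Authenticode status of the binaries under each of those folders, so you can see what an exclusion would cover. `Get-GameSignatureReport` is a hypothetical name, and the default paths are the ones listed in the post.

```powershell
# Added example: inventory Authenticode status of game binaries before excluding a folder.
# Get-GameSignatureReport is a hypothetical helper; the default roots are the launcher
# folders listed in the post and are assumptions about where your games are installed.
function Get-GameSignatureReport {
    [CmdletBinding()]
    param(
        [string[]]$Root = @(
            'C:\Program Files (x86)\Steam\steamapps\common\',
            'C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\',
            'C:\Program Files (x86)\Origin Games\'
        )
    )
    foreach ($library in $Root) {
        # Skip launchers that are not installed on this machine.
        if (-not (Test-Path -LiteralPath $library -PathType Container)) { continue }

        # One report row per game, i.e. per immediate subfolder of the library root.
        foreach ($game in Get-ChildItem -LiteralPath $library -Directory) {
            $binaries = @(Get-ChildItem -LiteralPath $game.FullName -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.exe', '.dll' })
            # Windows validates each signature; Status is Valid, NotSigned, HashMismatch, etc.
            $sigs = @($binaries | ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName })

            [pscustomobject]@{
                Game      = $game.Name
                Library   = $library
                Binaries  = $sigs.Count
                Valid     = @($sigs | Where-Object { $_.Status -eq 'Valid' }).Count
                NotSigned = @($sigs | Where-Object { $_.Status -eq 'NotSigned' }).Count
                # Anything else (e.g. HashMismatch: file changed after signing) deserves a look.
                Other     = @($sigs | Where-Object { $_.Status.ToString() -notin 'Valid', 'NotSigned' }).Count
                Signers   = ($sigs | Where-Object { $_.SignerCertificate } |
                    ForEach-Object { $_.SignerCertificate.Subject } | Sort-Object -Unique) -join '; '
            }
        }
    }
}

# Games with the most unsigned binaries first.
Get-GameSignatureReport |
    Sort-Object NotSigned -Descending |
    Format-Table Game, Binaries, Valid, NotSigned, Other -AutoSize
```

Rerunning it after a game update shows which binaries changed status, which matches the point in the post that updated files lose their whitelisting.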


BTW: Open Emsisoft Anti-Malware, click on Quarantine at the bottom of the Scan & Clean tile, and make sure that no game files have been quarantined. If you find any game files in the Quarantine, then simply click on them in the quarantine list to select them, and then click the Restore button below the quarantine list on the left. You will be asked if you want to exclude the file, however this is unnecessary if you've already excluded the folder as instructed above and I don't recommend adding redundant exclusions as they can cause problems (especially if there are too many of them).

Note that restoring the files from the Quarantine isn't necessary if you have already repaired the games via their respective launchers, and the files have been re-downloaded.


Why not change the way Emsisoft works with the game files? I mean, it's not like every user of Emsisoft who is a gamer likes to do all this to be able to play his game.
That basically makes people want to switch, just sayin'.

 

4 hours ago, GT500 said:

so it's difficult for Anti-Virus software

I mean, I'm a gamer myself.
Never had such a problem with AVs like Kaspersky, Bitdefender, Norton, F-Secure, even Comodo.

I do play games tho, and I have Emsisoft installed on my system; I have no problem playing Dota2 and CSGO.
Maybe they are digitally signed, but as I said, maybe change the way Emsi works for gamers; at least then you can release something like a gamers' antivirus.
🤔 But you probably already discussed this matter with developers.

19 hours ago, ParhaM said:

Why not change the way Emsisoft works with the game files?

How is it supposed to know a game is a game? The only way would be if we had people who spent all of their time whitelisting game executables as soon as they are released, and even if we did that there would always be at least a short period of time in between a new game update and the hashes for the new executables being added to our cloud database, and during this time everyone would have the same issues with their newly updated game that they have right now.

 

19 hours ago, ParhaM said:

but you probably already discussed this matter with developers

Yes, both our malware analysts and the developers who maintain our scan engine and behavior blocker are well aware of this issue.

 

19 hours ago, ParhaM said:

Never had such a problem with AVs like Kaspersky, Bitdefender, Norton, F-Secure, even Comodo.

Those are all large companies with significantly more resources than ours. They could afford to hire dedicated teams to manage game compatibility if they really thought it was necessary. By contrast Emsisoft is a small business, and we need to be more selective with how we allocate our resources.


Hi @GT500, will the behavior blocker work smarter than now in the future?
There is a lot of software without a digital signature, and so it is blocked by BB for suspicious behavior. I think this isn't ideal for the user experience.


It's not like BB just blocks any application without a digital signature.
It's just going to monitor their behavior if there is no digital signature.

15 hours ago, Batman said:

Hi @GT500, will the behavior blocker work smarter than now in the future?
There is a lot of software without a digital signature, and so it is blocked by BB for suspicious behavior. I think this isn't ideal for the user experience.

We use a number of mechanisms to try to determine the trustworthiness of applications (most of that involves our "Anti-Malware Network"). While we're always working on our detection technologies, I wouldn't expect to see any major changes in how our behavioral detection systems work in this regard. At least not in the near future.

 

14 hours ago, ParhaM said:

It's not like BB just blocks any application without a digital signature.

Applications have to actually do something to trigger behavioral detection, and many games actually do one or more things that our Behavior Blocker monitors for.


So what is actually happening when an executable IS properly signed, but still tries to perform malicious actions? E.g., when the developer got hacked and the bad guys were able to properly sign their malware or cloak the malware as a legit software update which has some bad stuff added?

Or does the digital signature just raise the threshold for the behavior blocker instead of keeping the whole process unmonitored? I mean there were some incidents in the past where browser developers got hacked and the hackers managed to push their malware as a signed automatic update.

13 hours ago, tox1c90 said:

So what is actually happening when an executable IS properly signed, but still tries to perform malicious actions? E.g., when the developer got hacked and the bad guys were able to properly sign their malware or cloak the malware as a legit software update which has some bad stuff added?

Certificates that are used to sign malware are revoked as soon as they are reported so that they will no longer validate (Emsisoft Anti-Malware asks Windows to validate digital signatures before taking any action). Our malware analysts can also blacklist digital certificates used to sign software if they are found to be used in malicious software, and Emsisoft Anti-Malware will automatically block or delete any file that has a blacklisted certificate which exhibits potentially malicious behavior. Our cloud network (Anti-Malware Network) can also be used to allow for immediate detection of such threats without the need to publish a database update.

Normally when certificates are used in this manner, it's because criminals tricked a certificate authority into selling them a certificate for a legitimate company (such as Google, Microsoft, etc) by posing as representatives of that company. It happens frequently enough that there are checks in place to make sure the damage is minimal.

 

13 hours ago, tox1c90 said:

Or does the digital signature just raise the threshold for the behavior blocker instead of keeping the whole process unmonitored?

Digitally signed processes remain monitored. Only exclusions can prevent monitoring. No action is taken by the Behavior Blocker against software that is digitally signed, and no alerts/notifications are displayed by the Behavior Blocker for such software.

 

13 hours ago, tox1c90 said:

I mean there were some incidents in the past where browser developers got hacked and the hackers managed to push their malware as a signed automatic update.

This also happened with CCleaner. Note that I don't think any Anti-Virus software took action against the malware that was injected into CCleaner due to the digital signature, until it was reported and Anti-Virus software companies took steps to make sure the malware was detected.
