Emsisoft Anti-Malware & Emsisoft Internet Security 10 available

Discussion in 'other anti-malware software' started by emsisoft, May 10, 2015.

  1. Petrovic

    Petrovic Registered Member

    Joined:
    Mar 14, 2014
    Posts:
    81
    Location:
    Russia
    Emsisoft Anti-Malware & Emsisoft Internet Security 10.0.0.5561 released.
    This is a maintenance release for improved usability, speed, detection and stability.

    This update will require a computer restart.
    • Improved: Behavior Blocker performance.
    • Improved: Display of the scan-type on the Current Scan screen.
    • Improved: Stability of the Surf Protection / Import hosts file functionality.
    • Improved: Minor GUI improvements.
    • Fixed: Startup/shutdown delays in Windows 10.
    • Fixed: An occasional crash in the trial version dialog.
    • Fixed: Occasional crashes: “SaveAutoUpdateSettings” and “Argument out of range”.
    • Fixed: An issue where access to Windows file-shares was blocked when File Guard was running in “Thorough” mode.
    • Fixed: Cancelling an update in initializing phase resulted in a “connection error” log entry.
    http://changeblog.emsisoft.com/2015...isoft-internet-security-10-0-0-5561-released/
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
I have just updated EIS in another snapshot, and as reported earlier, this too has non-functioning right-click scanning. I guess I just have to scan with my remaining context menu scan options, i.e. SAS and HMP.
     
  3. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Fabian: I just did the update to V10.0.0.5561 and then attempted to put the computer into sleep mode. It was successful. Go figure.
     
  4. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    @Fabian Wosar
    I see an issue with the latest versions of Emsisoft Antimalware and I'd love to hear your opinion.

If I understand it correctly, the default settings of the behavior blocker are to NOT monitor a bunch of known applications. After upgrading to the latest version I noticed that powershell.exe is no longer monitored by default. I can only assume the reason is that PowerShell is a component of Windows. However, although PowerShell is ironically used by relatively few users, it is often used by hackers. I know this better than most since MY computer got hacked this way! (note: the guy doing it is a friend working with penetration testing who asked for permission first and was kind enough to not make his payload persistent on my PC).

After installing Emsisoft Antimalware in Paranoid Mode, his attack, where he used PowerShell, would be stopped by the Behavior Blocker. Awesome!!! :)

    But now I have updated to the latest version of Emsisoft Antimalware, and I no longer get a pop-up when I run the exact file (an Excel file with a macro) that was previously used to hack my PC.

So... the old version in Paranoid Mode stops the attack, the new version does not.

    I can still make the Behaviour Blocker stop the attack if I ask it to specifically monitor powershell.exe on my PC. But what if I did not know about this hacking-trick where powershell is used? Or what if some other Windows-component is exploited in a similar way?
    Apparently there is no way to tell the behaviour blocker to simply monitor ALL processes as it seemed to do previously. But if you don't know what process a hacker will exploit on your system, then the safest approach would really be to have everything monitored, just like with previous versions of the behaviour blocker. Is that no longer an option? Would you consider bringing such an option back?

    Any comments please?
     
  5. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany

    No. The fact whether or not an application is known has no influence on whether it is monitored or not.


    Paranoid Mode disabled the filters that automatically allowed operating system components to do whatever they want. That is why you used to get a warning, but no longer get a warning now. In both cases the process was monitored.


The solution is not to bring back an option that has been misused by plenty of users for years. The solution is to make the behavior blocker smarter. For example, in case of PowerShell any behavior should ideally be attributed to the script PowerShell is executing and not PowerShell. Because even if PowerShell is trusted, the script is not and will continue to trigger an alert. We are currently adding such a feature to EAM.

    Also keep in mind that Windows 10 introduces some neat little features that allow AVs to intercept PowerShell script execution and scan unobfuscated scripts before they are executed, which greatly improves the security of PowerShell. We plan to add support for those new Windows 10 APIs in the next major version.
     
  6. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    Really fast response, much appreciated. Especially since I suppose this is not even your official way of providing support. I wish most other AV's out there would offer a similar stance towards their support.


Thanks for the clarification, but in that case it confirms my fear that security has been lowered, since I am no longer protected against attacks such as what I experienced. Apparently the behavior blocker will no longer react when an attacker utilizes operating system components as part of the compromise. At least that is how I interpret your reply.


Just to make sure I expressed myself clearly, I am not necessarily talking about having any .vbs file execute PowerShell. In the example with a macro there is no new executable file to manipulate PowerShell. It was simply done using a macro with a script that would execute PowerShell. And PowerShell would then contact the hacker's PC to get the actual payload which would then execute on my PC.
    So there really is no specific file to monitor rather than monitoring PowerShell, not unless you would first allow the actual payload to be downloaded and executed on the PC and then monitor that. Is that what you are suggesting as a better approach?
     
  7. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
    From the manual --
    Does this single auto-update setting control both signature and program version updates (in EAM)? For instance -- If a user wanted to delay updating to the latest version, could he?
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    No. We only ever support the latest version of our software, so program updates are mandatory.
     
  9. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
    Thank you.
     
  10. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    While I am waiting to hopefully receive a reply from Fabian Wosar I have done some testing. I was concerned that the lack of Paranoid Mode had made the behavior blocker less effective, but so far it does not look like it.

The behavior blocker generally does not react to the different kinds of HIPS testing tools, but it is claimed that this is because it is not actual malware, which I believe might make sense. However, I also have some test results from the old version with Paranoid Mode enabled where I used real malware (some RATs downloaded from a hacking forum).

I have now run the same RATs against the new version of Emsisoft Antimalware and compared the results. Interestingly, I get the exact same results as previously and about all the RATs are blocked by different behavior blocker alerts.

So at least that is an indication that the lack of Paranoid Mode is probably not a concern. The behavior blocker still seems to do its job, and as a second layer of protection, I currently believe it to be quite effective. So still recommended in my book.

With that said, the described lack of pop-up for PowerShell is still a bit concerning, and I recommend that users go into the settings of the behavior blocker and make sure powershell.exe is protected at all times. Apparently that is no longer the case with default settings. I can only hope Emsisoft will listen and have it fixed soon, because PowerShell is used by hackers quite often.
     
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    PowerShell doesn't just connect somewhere. It has to get its instructions from somewhere. Either a code snippet was supplied via command line or it was executing a script. Both can be attributed.

    I think the better approach would be to just uninstall PowerShell if you don't use it: Control Panel\Programs\Programs and Features\Turn Windows features on or off. Just uncheck Windows PowerShell there and you don't have to worry about it.
     
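An added example (not Emsisoft code and not from any post in this thread) of the attribution Fabian describes: for a process-creation record of powershell.exe, it reads off where the instructions came from, a script path given with -File, an inline -Command, or an -EncodedCommand which it decodes, and flags the case TNO_sec hit, PowerShell launched by an Office application. The record layout and all sample values are constructed for the example.

```python
import base64
import shlex
from pathlib import PureWindowsPath
from typing import Optional

# Parents that should not be spawning PowerShell on an ordinary desktop.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample, NOT a real payload: -EncodedCommand takes base64 of UTF-16LE text.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()

# Constructed process-creation records (layout assumed for the example; not real log data).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -File "C:\Scripts\backup.ps1"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -f C:\Users\Public\doc.ps1"},
]

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def instruction_source(cmdline: str) -> tuple:
    """Return (kind, value): where this PowerShell instance got its instructions.

    kind is 'script' (-File), 'inline' (-Command), 'inline-decoded' (-EncodedCommand,
    decoded from base64/UTF-16LE) or 'interactive' (no instructions on the command line).
    Abbreviated switches (-f, -c, -e, -ec, -enc) are accepted, as powershell.exe does.
    """
    args = shlex.split(cmdline, posix=False)  # non-posix keeps Windows backslashes intact
    for i, arg in enumerate(args[:-1]):
        sw = arg.lstrip("-/").lower()
        val = args[i + 1].strip('"')
        if sw and "file".startswith(sw):
            return "script", val
        if sw and "command".startswith(sw):
            return "inline", val
        if sw and "encodedcommand".startswith(sw):
            return "inline-decoded", base64.b64decode(val).decode("utf-16-le")
    return "interactive", ""

def triage(event: dict) -> Optional[dict]:
    """Flag powershell.exe whose parent is an Office app, with its attributed instructions."""
    if _basename(event["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    parent = _basename(event["parent"])
    if parent not in OFFICE_PARENTS:
        return None
    kind, value = instruction_source(event["cmdline"])
    return {"parent": parent, "source": kind, "instructions": value}

def run(events=SAMPLE_EVENTS) -> list:
    return [hit for hit in map(triage, events) if hit]
```

Run over the three constructed records, only the two Office-spawned instances are reported, each with the script path or decoded command an analyst (or a behavior blocker) can then judge instead of powershell.exe itself.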
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
What version of Windows does that work for? PowerShell is not listed in the "Turn Windows features on or off" on my Windows 7 x64 Ultimate.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Mine either
     
  14. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    +1
     
  15. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    It could be that it is only available on Windows 8 and 10. I haven't actively used Windows 7 for a few years.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  17. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You don't need a HIPS to do that. EAM and EIS can do the same. Just create a rule like this:

[attached screenshot of the rule: upload_2015-7-30_15-13-50.png]

    That will cause EAM to block any attempts for PowerShell to run. That being said, if it is available on your version of Windows, you may just want to uninstall PowerShell completely.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I don't want to block it outright. Some valid app though unlikely might need to run it. My HIPS rule is "ask."
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Ok, thanks.
     
  20. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
Agreed! As mentioned, the code was supplied via a macro in an office document which was executed. Initially, no new executable was used (I know this because of my HIPS). I believe my friend used Metasploit, and he talked about using a Meterpreter. I'm not technical enough in this area to explain it in more detail, but I'm sure my description is sufficient to make penetration testers and hackers nod their heads.

    That's the attack that the old version of Emsisoft Antimalware would block, but not the new one.

I wonder how many other Windows components could be utilized the same way as PowerShell. Uninstalling or blocking them individually seems like a cat-and-mouse game.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Your friend probably used this: https://www.youtube.com/watch?v=T94rkAROdbM . Note: We are talking exploits here. Emsisoft doesn't protect against exploits.
     
    Last edited by a moderator: Jul 31, 2015
  22. molhopicante

    molhopicante Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    135
    Today I upgraded one of my PCs to Windows 10 for testing purposes.

EIS does not start and gives me an error.
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Be Thankful.

    Downloading Windows 10 rendered my PC unbootable by any method and irreparable.
     
  24. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
I had the same problem. Removing and reinstalling EIS fixed it. It is working perfectly now :)
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    See PM
     