Wilders Security Forums  
#1
January 14th, 2012, 07:39 AM
Osaban
Massive Poster
Join Date: Apr 2005
Posts: 3,093
Emisoft Anti-Malware FPs

Lately Emisoft is doing well in detection: MRG Flash tests, RAP report, although it failed the VB 100 December test, I got kind of curious, and decided to test it. I don't mean to test it against live malware, but on a machine that only a couple of years ago was infested with all sorts of baddies.

This machine had been scanned and cleaned by MBAM, Combo fix, Avira (as a program and rescue CD) VIPRE, Norton Power Eraser, DrWeb Cureit, McAfee Stinger, Kaspersky Virus Removal Tool and Hitman Pro.

I installed Emisoft as a proper 30 day trial, updated it and run a full scan that took ages, in the end the results were staggering: more than 40 issues categorized as high risk malware (virut family mainly) which were all quarantined. I honestly was expecting 1 may be 2 issues, it was a long and very detailed list of malware which by right clicking each line would give me the option (excellent procedure by Emisoft) to automatically send the sample to Emisoft for analyses, which I did for all of them.

One or two days later, I received 12 e-mails by Emisoft stating that 12 of those issues were FPs, and therefore I could safely restore them. Nothing about real malware. As I opened Emisoft's quarantine (while Emisoft was still updating) I could see virtually about 15 lines disappearing in real time from the list of malware, I thought that was quite impressive, the program being updated with my samples is acting straight away to restore the FPs. But then why the E-mails? The files were different, and when I tried to restore some of them, a dialogue window would ask me if a wanted to do it directly to the file as the program couldn't do it automatically. In the end about 6 files could not be restored by any means, and I thought that's not impressive at all.

Now from an initial detection of 40+ rated high malware issues, minus the FPs automatically/manually restored under Emisoft's guidelines, I still have 14 issues quarantined, and I suspect they are also FPs: Is it possible for Emisoft to detect 14 issues ignored by the 11 scanners mentioned at the beginning of this post? I'm impressed by Emisoft own infrastructure of communication and very prompt response, but I can't help thinking the program is a bit too trigger happy in terms of FPs.

I'm not complaining about Emisoft really, rather this little story proves once again that when a computer is heavily infected the only way to know it is clean beyond any reasonable doubt, is to re-install a clean copy of Windows. As for my malware/FPs I restored a recent image.
Attached thumbnail: EMISOFT FALSE POSITIVES.png (101.0 KB)

__________________
Samsung Series 7 Chronos & Windows 8 (64bit)
“We are the cosmos made conscious and life is the means by which the universe understands itself.” Brian Cox

Last edited by Osaban : January 14th, 2012 at 10:34 AM.
#2
January 14th, 2012, 09:45 AM
Rilla927
Very Frequent Poster
Join Date: May 2005
Posts: 1,620
Re: Emisoft Anti-Malware FPs

This is indeed a great program. I had the same problem. At least they got back to you in an email. I would submit the file and never hear from them again, whether it was a FP or not. So I uninstalled it.
__________________
~Rilla927~
#3
January 14th, 2012, 10:02 AM
Thankful
Very Frequent Poster
Join Date: Feb 2005
Location: New York City
Posts: 2,408
Re: Emisoft Anti-Malware FPs

This is a hard program to analyze. As you can see, FPs can be a real pain. It has done extremely well in MRG testing and for ONE month with RAP testing. However, it does not have a history of performing well with VB100 (7 of last 9 tests were failures) or with AV-Test.org.
I wrote a response on their website here: http://support.emsisoft.com/topic/69...post__p__42011

Last edited by Thankful : January 14th, 2012 at 10:09 AM.
#4
January 14th, 2012, 10:30 AM
gugarci
Frequent Poster
Join Date: Mar 2009
Location: Jersey
Posts: 273
Re: Emisoft Anti-Malware FPs

I love EAM but it does tend to have a bit more FP's than my other favorite AV, Eset. Regardless of what security products you use, I have always double checked all suspicious findings with other sources before I take action. You can use Malwarebytes, HitMan Pro, and sites like Virus Total and Jotti's Malware Scan.

Also, if your PC is working well and showing no signs of being compromised, I lean to the side of it being a false positive.
__________________
Security Software on my PC's:
Desktop Win 7 Pro x64 Emsisoft Anti Malware v7. Laptop Win 7 Pro x64 & Desktop XP Pro Emsisoft Anti Malware v7 & Online Armor Premium v6 Netbook Win 7 Starter & Netbook XP Home Avast 7. MBAM & Hitman Pro used on demand only.
#5
January 15th, 2012, 02:22 AM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,252
Re: Emisoft Anti-Malware FPs

Impressive amount of FP's.
You could try asking them directly to analyze those files just to make sure.
Actually it seems that some of the files categorized as malware are common Windows Files which are found in my system also but are not detected as malware, go wonder, probably the files got infected?

Personally I've only had 2 FP cases with EAM, both of which were fixed the same way as yours but without the e-mail part. I submitted them as FP's and within a 24-hour time frame they were removed/de-quarantined.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#6
January 15th, 2012, 10:58 AM
G1111
Very Frequent Poster
Join Date: May 2005
Location: USA
Posts: 1,723
Re: Emisoft Anti-Malware FPs

Very few false positives here also. When I do get one I submit it and it is fixed.
#7
January 15th, 2012, 11:01 AM
gugarci
Frequent Poster
Join Date: Mar 2009
Location: Jersey
Posts: 273
Re: Emisoft Anti-Malware FPs

I had one a couple of days ago and it was fixed pretty quickly. But I was pretty sure it was a FP because I checked it out with other sources.
__________________
Security Software on my PC's:
Desktop Win 7 Pro x64 Emsisoft Anti Malware v7. Laptop Win 7 Pro x64 & Desktop XP Pro Emsisoft Anti Malware v7 & Online Armor Premium v6 Netbook Win 7 Starter & Netbook XP Home Avast 7. MBAM & Hitman Pro used on demand only.
#8
January 15th, 2012, 10:27 PM
Osaban
Massive Poster
Join Date: Apr 2005
Posts: 3,093
Re: Emisoft Anti-Malware FPs

I would like to stress again that it was not the intention of this thread to harshly criticize EAM. I believe that a severely infected machine can only at best be returned to a working condition but never truly cleaned by an AV. This is what happened to my son's computer; as we didn't have any recovery option (he lost the original Windows installation CD), I tried to clean it with any scanner I could lay my hands on.

The computer works (my son only uses it for games) but I'm fairly certain that a lot of files haven't been thoroughly cleaned, and probably EAM caught some harmless leftovers from past malware.

On the other hand, EAM was very impressive in terms of lightness, system speed, and I have no doubts it has excellent detection and a great system in terms of quarantining and checking FPs.

Any AV should be installed on a clean machine, their first task is to block malware from infecting a system.
__________________
Samsung Series 7 Chronos & Windows 8 (64bit)
“We are the cosmos made conscious and life is the means by which the universe understands itself.” Brian Cox
#9
January 16th, 2012, 08:08 AM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,252
Re: Emisoft Anti-Malware FPs

Don't worry D00d hahaha
We know this was just a constructive thread, not destructive.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#10
January 16th, 2012, 10:20 AM
Thankful
Very Frequent Poster
Join Date: Feb 2005
Location: New York City
Posts: 2,408
Re: Emisoft Anti-Malware FPs

Had another FP yesterday. Too many for me. Uninstalled.
#11
January 16th, 2012, 12:40 PM
fblais
Frequent Poster
Join Date: Jul 2008
Location: Québec, Canada
Posts: 241
Re: Emisoft Anti-Malware FPs

I think you can adjust the heuristics level so you can get less FPs.
__________________
P4-2.8 with 2GB RAM & Windows XP Pro SP3 | Mamutu | Webroot's WSA | MBAM Pro on-demand | SafeDNS
#12
January 16th, 2012, 12:47 PM
acr1965
Massive Poster
Join Date: Oct 2006
Posts: 4,432
Re: Emisoft Anti-Malware FPs

I had many FP's in earlier versions, but not this one.
__________________
"Being safe on the internet is a lot like being safe in real life. Always have a back-up plan and be careful where you stick your pointer." -- anonymous (but probably not Anonymous)
#13
January 16th, 2012, 08:13 PM
fblais
Frequent Poster
Join Date: Jul 2008
Location: Québec, Canada
Posts: 241
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by fblais
I think you can adjust the heuristics level so you can get less FPs.
I was wrong.
That's not adjustable.
__________________
P4-2.8 with 2GB RAM & Windows XP Pro SP3 | Mamutu | Webroot's WSA | MBAM Pro on-demand | SafeDNS
#14
January 17th, 2012, 03:11 AM
carat
Posts: n/a
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by Thankful
As you can see, FPs can be a real pain.

You're right, I think only malware experts should use Emsisoft
#15
January 18th, 2012, 01:35 PM
Atul88
Frequent Poster
Join Date: Dec 2011
Location: India
Posts: 250
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by tpro
You're right, I think only malware experts should use Emsisoft
I am not a malware expert; I used it for about 2 months & I loved it!!!
Yeah, but it's true that I was getting so many popups while opening some sites the first few times!!!
__________________
ESET NOD32 ANTIVIRUS |LOOK'n'STOP Firewall|AVG PC Tunup|Advanced SystemCare Pro 5|Hitman Pro 3.5
#16
January 18th, 2012, 03:04 PM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,252
Re: Emisoft Anti-Malware FPs

Hahaha, you guys have been getting some real bad experiences; luckily it has never happened to me, wew
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#17
January 18th, 2012, 07:45 PM
Osaban
Massive Poster
Join Date: Apr 2005
Posts: 3,093
Re: Emisoft Anti-Malware FPs

As I'm testing Rollback Rx, yesterday I decided to install EAM on my main machine, which is the most protected and arguably the cleanest of my computers.

EAM flagged 3 issues: a rootkit in the MBR and 2 trojans. I've sent an e-mail and so far I have had no reply, but I know for sure that they are FPs. The trojans were spotted within Shadow Defender installers, and indeed those installers for some reason are flagged by some companies as malware at Virus Total (they are FPs).

The rootkit is definitely an FP, it is some kind of process used by Rollback in the MBR which deals with the snapshot system. When I googled the rootkit name given by EAM, it produced several hits all having to do with Rollback and the interpretation by EAM.

Fair enough, but I didn't particularly agree with the answer by one of EAM developers who was saying that they won't account it as a FP on the grounds that with Rollback they are using "shady processes" in their program. I won't argue with what is considered "shady" in a perfectly legal software, but I wonder how many other processes are flagged as FPs simply because they might be used by malware. Too paranoid for my taste.
__________________
Samsung Series 7 Chronos & Windows 8 (64bit)
“We are the cosmos made conscious and life is the means by which the universe understands itself.” Brian Cox
#18
January 18th, 2012, 10:33 PM
Barthez
Regular Poster
Join Date: Apr 2010
Location: Poland
Posts: 104
Re: Emisoft Anti-Malware FPs

The official Emsisoft forums have a sub-forum dedicated to false positives; from my experience I can say that they react quite fast. The link can be found in the main program window (Support forum).

Guard → File Guard → Manage whitelist could be used to mark files, folders etc. of your choosing as safe. Maybe that would do?

HTH
__________________
OS/Setup: Windows 7 Home Premium SP1 x86/4GB RAM/9600GT GPU/E5200 CPU (more) / Opera Next
Protection: Emsisoft Anti-Malware, MBAM PRO, Comodo Firewall (only) 6, Router (firewall w/ SPI), SpywareBlaster

Rule of Acquisition No.285: No good deed ever goes unpunished.
#19
January 19th, 2012, 07:53 AM
Fabian Wosar
Developer
Join Date: Aug 2010
Location: Germany
Posts: 174
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by Osaban
Fair enough, but I didn't particularly agree with the answer by one of EAM developers who was saying that they won't account it as a FP on the grounds that with Rollback they are using "shady processes" in their program. I won't argue with what is considered "shady" in a perfectly legal software, but I wonder how many other processes are flagged as FPs simply because they might be used by malware. Too paranoid for my taste.
The reason why we detect Rollback Rx heuristically as a possible MBR rootkit is rather simple: Rollback Rx is a rootkit.

The very definition of a rootkit is that it hides modifications done to the system. Rollback Rx, like many tools of its kind, installs a custom boot loader into the system's MBR. It then goes ahead and hides this modification from the operating system, which is essentially the way almost every single bootkit (rootkit that infects the system's boot records like MBR or VBR) in existence operates.

During a rootkit scan Emsisoft Anti-Malware will perform a few tests that are commonly referred to as cross view comparisons. Cross view comparisons are designed to pick up on that hiding nature of rootkits. Essentially it works by obtaining two different views of the same object using two different methods and then comparing them. If both views are identical, everything is fine. If they aren't, something is hiding modifications to that object. One of the cross view comparisons performed by Emsisoft Anti-Malware is performed on the system's MBR. EAM will essentially read the MBR twice, using the Windows API and a special access mode we call direct disk access. Bootkits (and Rollback Rx for that matter) will easily fool the attempt to read the MBR using the Windows API and redirect the access to a "clean copy", but they usually fail to intercept the MBR read access using direct disk access, which therefore will return the actual MBR on disk. The result is that both views won't match and Emsisoft Anti-Malware will issue a heuristic detection pointing the user to a possible MBR rootkit.

Bottom line is, the detection itself works the way it was designed to work and there is no way for us to "fix" it.
__________________
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Last edited by Fabian Wosar : January 19th, 2012 at 08:21 AM.
#20
January 20th, 2012, 03:09 AM
Atul88
Frequent Poster
Join Date: Dec 2011
Location: India
Posts: 250
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by Fabian Wosar
The reason why we detect Rollback Rx heuristically as a possible MBR rootkit is rather simple: Rollback Rx is a rootkit.
Nicely said
I have felt that before with other programs!!
__________________
ESET NOD32 ANTIVIRUS |LOOK'n'STOP Firewall|AVG PC Tunup|Advanced SystemCare Pro 5|Hitman Pro 3.5
#21
January 21st, 2012, 01:53 AM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,252
Re: Emisoft Anti-Malware FPs

Woah, that was a very technical explanation. With this said, I guess this is a common procedure done to detect rootkits, because I find it just a bit weird you had no problem at all describing one of the methods EAM uses to detect rootkits.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#22
January 23rd, 2012, 09:26 AM
alex_s
Very Frequent Poster
Join Date: Aug 2007
Posts: 1,251
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by Fabian Wosar
Bottom line is, the detection itself works the way it was designed to work and there is no way for us to "fix" it.

The way is very simple, actually. You can whitelist specific MBR modifications like you do it with the programs.
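The cross view comparison Fabian Wosar describes in post #19, combined with the MBR whitelisting alex_s suggests here, written out as an added example (this is not Emsisoft's code, and the two read paths are assumed rather than shown): both 512-byte views are constructed inline, one as a hooked API read would return it and one as a direct disk read would, and the function reports which region differs and whether the loader found on disk is one the operator has chosen to trust.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # bootstrap code: bytes 0..445; partition table: 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries as (bootable, type, lba_start, sectors)."""
    parts = []
    for i in range(4):
        e = mbr[PART_TABLE_OFFSET + i * PART_ENTRY_SIZE:][:PART_ENTRY_SIZE]
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        parts.append((e[0] == 0x80, e[4], lba_start, sectors))
    return parts


def bootstrap_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code region, the unit an operator would whitelist."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def cross_view_check(api_view, direct_view, known_good=frozenset()) -> dict:
    """api_view: the sector as returned through the OS API (a hooked read hands back
    a 'clean copy'); direct_view: the sector read directly from disk. A mismatch
    means something is hiding an MBR modification from the operating system."""
    if api_view is None or direct_view is None:
        # One read path failed, so no comparison is possible; do not alert on that.
        return {"verdict": "inconclusive", "reason": "one view unavailable"}
    if len(api_view) != MBR_SIZE or len(direct_view) != MBR_SIZE:
        return {"verdict": "inconclusive", "reason": "unexpected sector size"}
    diffs = []
    if api_view[:PART_TABLE_OFFSET] != direct_view[:PART_TABLE_OFFSET]:
        diffs.append("bootstrap_code")
    if parse_partitions(api_view) != parse_partitions(direct_view):
        diffs.append("partition_table")
    if api_view[510:] != direct_view[510:]:
        diffs.append("boot_signature")
    if not diffs:
        return {"verdict": "clean", "differences": diffs}
    # A custom loader the operator explicitly trusted is reported as such rather than
    # as a rootkit; changes to the partition table or signature are never silenced.
    if diffs == ["bootstrap_code"] and bootstrap_fingerprint(direct_view) in known_good:
        return {"verdict": "known_benign_modification", "differences": diffs}
    return {"verdict": "possible_mbr_rootkit", "differences": diffs}


def make_mbr(bootstrap: bytes, parts) -> bytes:
    """Build a constructed 512-byte MBR image for the demonstration (not a real loader)."""
    code = bootstrap.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\xfe\xff\xff",
                                 ptype, b"\xfe\xff\xff", lba, n)
                     for boot, ptype, lba, n in parts)
    return code + table.ljust(4 * PART_ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


# Constructed sample views: a stock-looking loader and a custom one, same partition layout.
STOCK_LOADER = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
CUSTOM_LOADER = b"\xeb\x3c\x90SNAPSHOT-LOADER"
PARTS = [(True, 0x07, 2048, 204800)]
API_VIEW = make_mbr(STOCK_LOADER, PARTS)      # what a hooked API read returns
DIRECT_VIEW = make_mbr(CUSTOM_LOADER, PARTS)  # what is actually on disk
```

Calling `cross_view_check(API_VIEW, DIRECT_VIEW)` yields the heuristic verdict from the post; passing `frozenset({bootstrap_fingerprint(DIRECT_VIEW)})` as `known_good` turns the same mismatch into a reported, trusted modification without hiding it.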
#23
January 23rd, 2012, 11:27 AM
gugarci
Frequent Poster
Join Date: Mar 2009
Location: Jersey
Posts: 273
Re: Emisoft Anti-Malware FPs

Quote:
Originally Posted by tpro
You're right, I think only malware experts should use Emsisoft

You don't need to be an expert to use EAM. If your PC is working well and shows no signs of any infestation, regardless of what product flagged anything, assume it's a FP until you can verify it with other sources. I have always done this and I have never, ever, accidentally deleted anything. It's common sense.

If you feel fine and you decide to take your temperature for fun and your thermometer tells you your temperature is 105 would you rush out immediately to the hospital? Probably not.

All products have FP's. Recently MalwareBytes flagged about 10 files on my PC. I scanned them with other sources and they all came out clean. So I was 100% sure they were FP's. I posted it on their forum, and the FP's were resolved quickly with the next definition file. It happens.
__________________
Security Software on my PC's:
Desktop Win 7 Pro x64 Emsisoft Anti Malware v7. Laptop Win 7 Pro x64 & Desktop XP Pro Emsisoft Anti Malware v7 & Online Armor Premium v6 Netbook Win 7 Starter & Netbook XP Home Avast 7. MBAM & Hitman Pro used on demand only.
#24
January 23rd, 2012, 12:06 PM
Thankful
Very Frequent Poster
Join Date: Feb 2005
Location: New York City
Posts: 2,408
Re: Emisoft Anti-Malware FPs

Until you're actually infected and consider it a FP. This is a potential danger with a program such as Emsisoft. On the other hand, if you're using a program which doesn't have a history of FPs, such as MSE, you're much more likely to take any warnings more seriously.
Hopefully, Emsisoft has made real progress with FPs since they certainly spend a lot of time improving their program. It is one of the programs I am currently using.

Last edited by Thankful : January 23rd, 2012 at 12:29 PM.
#25
January 23rd, 2012, 02:19 PM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,252
Re: Emisoft Anti-Malware FPs

My PC usually only has legit software (I mean I know you guys use legit software, but what I actually mean is I don't use obscure or rare tools; ex. Adobe Reader, Windows Live Messenger, MS Office, mainly mainstream products) and as far as my experience goes with EAM, there have been 2 or 3 FP cases but that's all.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64