Emsisoft Anti-Malware & Emsisoft Internet Security 11 has been released

Discussion in 'other anti-malware software' started by Fabian Wosar, Nov 12, 2015.

  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    That would just trigger the bug again. The problem only happens when you changed the default size and state of the EAM/EIS window by, for example, maximizing and closing it. When we pre-load the UI the old values are being restored, making the window show up. If you want to fix it permanently until an official fix is released, just open the UI, restore it to its default size, don't maximize it or anything, then close it and it should stick even after a reboot.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I guess I should have stated originally use the old settings "as a general reference" i.e. previous whitelist settings, etc.; that's what I meant.

    I tried that originally. It didn't work for me.
     
  3. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Did not work for me either.
    Acadia
     
  4. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
  5. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Glad to hear that work-around worked for you.

    In my case, I was having occasional update issues prior to this latest GUI problem. Additionally, my original install dates back to when EAM was only running in 32 bit mode and installed in the C:\Program Files (x86) folder. So it really was time to "bite the bullet" and reinstall it and clear out all traces of old versions dated back to the old A2Squared days.

    Since the reinstall, EAM has been running 100% trouble free.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
  9. ReverseGear

    ReverseGear Guest

    Something strange happened. I got a popup from EAM asking if I want to enter a license or continue with a 30 day trial, even though it was a licensed version running. I selected enter license, and it showed me my license number by itself, and I selected it.

    Was this normal ?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No. But I won't worry about it unless it happens again.
     
  11. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    http://arstechnica.com/security/201...-used-windows-own-patching-system-against-it/

    Based on this excerpt from the article:

    Hotpatching technique

    For hotpatching, the sample goes through the following steps:

    1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
    2. The backdoor is injected into svchost using the hotpatch API.
    Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.
    I would say no.

    For starters, knowndlls and knowndlls32 reside in the global root which is part of kernel space. I have run previous tests for knowndlls modification and EAM failed.

    -EDIT-

    This technique only works on pre-Win 8 OSes:

    The hotpatching capability was removed in Windows 8, and subsequent versions of the operating system do not support it. It wasn't often used, and saving a few reboots is arguably not that useful, especially if it means handing hackers a convenient tool for attacking running systems. Nonetheless, an attack that uses a well-intentioned operating system to evade detection is a relative novelty.

    Ref.: http://arstechnica.com/security/201...-used-windows-own-patching-system-against-it/
     
    Last edited: Apr 27, 2016
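    The quoted technique relies on a section object existing under the \KnownDlls object directory without any DLL of that name on disk, so one check a defender can run is to enumerate that directory and flag Section entries with no backing file in System32. The script below is an added example written for this thread; it is not Emsisoft code and not code from the Ars Technica article. It assumes 64-bit Windows and an elevated Windows PowerShell session, calls the documented ntdll functions NtOpenDirectoryObject / NtQueryDirectoryObject through Add-Type, and the `KnownDllsNative` class name, buffer size and output format are choices made here.

```powershell
# Added example: audit \KnownDlls for section objects that have no DLL on disk.
# Native helper (constructed here) wrapping two ntdll calls via P/Invoke.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class KnownDllsNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_DIRECTORY_INFORMATION { public UNICODE_STRING Name; public UNICODE_STRING TypeName; }
    [DllImport("ntdll.dll")] public static extern int NtOpenDirectoryObject(out IntPtr DirectoryHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")] public static extern int NtQueryDirectoryObject(IntPtr DirectoryHandle, IntPtr Buffer, int Length, bool ReturnSingleEntry, bool RestartScan, ref int Context, out int ReturnLength);
    [DllImport("ntdll.dll")] public static extern int NtClose(IntPtr Handle);

    // Returns "TypeName<TAB>Name" for every entry in the given object directory.
    public static string[] List(string dir) {
        var names = new System.Collections.Generic.List<string>();
        UNICODE_STRING us = new UNICODE_STRING();
        us.Buffer = Marshal.StringToHGlobalUni(dir);
        us.Length = (ushort)(dir.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        IntPtr pUs = Marshal.AllocHGlobal(Marshal.SizeOf(us));
        Marshal.StructureToPtr(us, pUs, false);
        OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = pUs;
        oa.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
        IntPtr h;
        int status = NtOpenDirectoryObject(out h, 0x0001 /* DIRECTORY_QUERY */, ref oa);
        if (status != 0) throw new Exception("NtOpenDirectoryObject failed: 0x" + status.ToString("X8"));
        int ctx = 0, ret;
        IntPtr buf = Marshal.AllocHGlobal(4096);
        try {
            bool restart = true;
            // One entry per call; the loop ends on STATUS_NO_MORE_ENTRIES.
            while (NtQueryDirectoryObject(h, buf, 4096, true, restart, ref ctx, out ret) == 0) {
                restart = false;
                var info = (OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(buf, typeof(OBJECT_DIRECTORY_INFORMATION));
                string name = Marshal.PtrToStringUni(info.Name.Buffer, info.Name.Length / 2);
                string type = Marshal.PtrToStringUni(info.TypeName.Buffer, info.TypeName.Length / 2);
                names.Add(type + "\t" + name);
            }
        } finally {
            Marshal.FreeHGlobal(buf); Marshal.FreeHGlobal(pUs); Marshal.FreeHGlobal(us.Buffer); NtClose(h);
        }
        return names.ToArray();
    }
}
"@
Add-Type -TypeDefinition $src

$sys32 = Join-Path $env:SystemRoot 'System32'
# Registry list is informational only: Smss also adds static dependencies of the
# listed DLLs, so "not in registry" by itself is not a finding.
$regList = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs').PSObject.Properties |
    Where-Object { "$($_.Value)" -like '*.dll' } | ForEach-Object { "$($_.Value)".ToLowerInvariant() }

foreach ($entry in [KnownDllsNative]::List('\KnownDlls')) {
    $type, $name = $entry -split "`t", 2
    if ($type -ne 'Section') { continue }   # skips the KnownDllPath symbolic link
    $onDisk = Test-Path (Join-Path $sys32 $name)
    $inRegistry = $regList -contains $name.ToLowerInvariant()
    # A section with no file behind it is the condition the article describes.
    $flag = if ($onDisk) { 'ok' } else { 'SUSPICIOUS' }
    '{0,-10} {1,-32} disk={2,-5} registry={3}' -f $flag, $name, $onDisk, $inRegistry
}
```

    Run it once on a known-clean machine to see the normal baseline, then compare; on a 64-bit system repeat with `'\KnownDlls32'` and `SysWOW64` to cover the 32-bit loader as well. The script is read-only and does not touch the section objects it reports.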
  13. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    To my knowledge the samples aren't public. Without the samples your guess on whether or not we block it is as good as mine.
     
  14. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
    Emsisoft Anti-Malware & Emsisoft Internet Security 11.7 released
    May 3, 2016
    http://changeblog.emsisoft.com/2016...are-emsisoft-internet-security-11-7-released/
     
  15. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Fabian Wosar,

    Emsisoft Referral Program - Users can add months -

    What happens on Emsisoft reinstall?

    What happens on OS reinstall?
     
  16. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
  17. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Fabian,

    Behavior Blocker options need a little change.

    Current options are -
    Display Alerts
    Recommended Action
    Always Allow
    Always Quarantine

    Recommended action on behavior alert is mostly quarantine, so the 2nd & 4th options are kinda the same.

    I think Always Block too should be there.
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I asked the same and their answer was that recommended action could be changed in the future so they will leave it as it is...
     
  19. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    If recommended action will always be block in the future then fine. If not then Always Block should be there in the options.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Maybe I am missing something here, but is not "always quarantine" the same as always block?
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Dunno for sure, I know nothing for sure, but I am guessing that "Always Block" would leave the malware in place on your system but always block it from executing. Quarantine would remove it to an isolated location and lock it in a cage. The effect would appear to be the same, but I do not know how an always blocked exe. or whatever could be unblocked if it were detected by behavioral analysis in the event blocking it was a FP. From quarantine you can put it back or delete it.

    But maybe I am missing something here too and there is no difference :)
     
    Last edited: May 18, 2016
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Not sure what you are asking, but removing EMIS or EAM from your system does not suspend the timeframe of your subscription. Neither would it take away added months from a referral. Your subscription is X years purchased + Referral months, and runs from the date you first activated your license key, no matter if you uninstall or re-install the program.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Appears Emsisoft didn't think this one all the way through. Quarantining per se applies to file protection. Whereas the other alerts apply the behavior blocker processing.

    Additionally in an Emsisoft behavior blocker rule using the GUI, you have the option to block all activity.

    Excluding Emsisoft per se, normal behavior blocker activity is to alert for an unknown suspicious process and then let the user decide what to do, e.g. block, etc., along with specifying a recommended action.

    Problem is the AV labs want all user interaction removed in the decision process or the vendor will be penalized. Worse if the vendor makes the decision and it is wrong, the vendor is penalized as a false positive determination. The result is a lose-lose situation for vendor as far as AV lab test scores are concerned.

    I believe the "always quarantine" default action is a compromise in that the software is isolated from the system but can be recovered if later analysis deems it is safe.
     
  24. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I should have mentioned Block instead of Always Block as there is only a Block Once option on BB alerts.

    So I meant Block option too should be there in the BB auto-action options under BB module in the GUI.
    Quarantine will quarantine the detected stuff.
    Block will simply block in the original location.
     
  25. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Emsisoft Referral Program
    ~ Referral Link Removed ~
    http://blog.emsisoft.com/2011/10/20/tec111020/
     
    Last edited by a moderator: May 18, 2016