Interesting AntiRansomware freeware

Discussion in 'other anti-malware software' started by Windows_Security, Dec 30, 2016.

  1. I have tested (in the past) several BB's like Mamutu - ThreatFire - Primary Response Safe Connect. Even with Mamutu in 'false positives' mode, it provided better protection than other BB's. I also tested Mamutu in paranoid mode against ThreatFire with my custom rules and Mamutu outperformed ThreatFire (in protection).

    @Fabian Wosar I assume the BB of EAM is more or less the same as Mamutu. In what mode is the BB running in EAM (FP reduction or normal or paranoid)?
     
  2. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    The alert levels between an actual HIPS and the EAM BB are not even in the same universe, that's how far apart they are. Even the most primitive HIPS imaginable, a simple execution blocker, would still have more alerts than the EAM BB has on its worst days.
    Oh, this is the part where you try to lecture the behaviour blocker developer what behaviour blocking really is. I was wondering when we would get to that. Oh boy, I am so nervous. Please be gentle, it's my first time, you know.
    Yes, and where do you see which of those detections was the magic mystery cloud "behaviour blocker" so you can even compare the "behaviour blocker" performance of all products? Please, share the data so we can all look at it. Ideally, some breakdown what was blocked by which layer. Or is URL blocking behaviour blocking too now? Or like signature scanning.
    As I said, better "whole package"? Definitely. BD and Avira, yes. Whether that is because of superior behaviour blocking or something different, you do not know. I know our result breakdown. And that is, that the biggest factor of why we perform as well as we do in the test is due to the quality of our behaviour blocker. Other people recognise this fact as well, which is why many users like our product. You don't like it, because of the way it works. That's okay. You don't have to.
    I don't know. The second lowest amount of compromised systems without sending all your private and intimate data into a magic mystery cloud where every data engineer that feels underappreciated or underpaid can get their hands on it and sell it to the next highest bidder looks pretty advanced to me. But my priorities may be different than yours. I don't want my AV to know what my fetishes are! Mostly because my boss has access to that data. But I may be an unusual case.
    Users will still end up complaining because things change and they need to do something to get them back to the way they are used to.
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    It's a lot more advanced than Mamutu was. We pretty much change the BB tuning and rules on a regular basis, often multiple times a month. But they are still built on a similar base. EAM uses default Mamutu settings, but mostly because the old options were replaced by more reliable systems.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    No offense to the chiefs of Emsisoft but it's my belief Mamutu was gobbled up to integrate into the Flagship Product to add to and complement the core of what it offers in security (which is ideal by the way).

    Obviously a choice business move that serves best for them as there are no individual Behavioral Blockers out in the open field anymore whatsoever.
     
  5. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    It's the other way around. The behaviour blocker was in EAM first. Mamutu came much later and is essentially an EAM version with all signature based stuff removed, because we thought that people may want something like that to complement their AV. Turned out they don't. We kept it alive as a test platform for new BB releases, but so few people (<100) used it, it wasn't fit for that purpose either, so we killed it.
     
  6. @EASTER

    I had a free A2 license giveaway and Emsisoft released Mamutu as a proof of concept and test/trial to surf the wave of the BB hype. As with so many innovations, BB turned into a Hype-Hope-Help-Horror product maturity cycle, and when all BB's were taken over by AV's, Emsisoft decided to stop offering a separate BB. So as far as I know A2 with BB module existed before Mamutu was born (so the other way around).

    regards Kees
     
  7. Okay, it is fun to know that I was one of the 100 people using it. I changed my free A2 for Mamutu and had a license until its death (Mamutu also put less strain on the CPU than other BB's). At that time my wife's PC had Mamutu plus GesWall and I ran ThreatFire plus DefenseWall.

    P.S. The above post shows I beat Fabian by one minute responding to Easter's post, but devs' posts are valued more, so it is shown above my post.

    EDIT: now it shows a minute before my post, so mods have intervened and changed time tag :argh:
     
    Last edited by a moderator: Jan 6, 2017
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting read. Browsing with SBIE helps stop so much of that stuff, and some decent additional protections help.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys, in this EAM and now EIS debate, I only know one thing. When I test my setup against malware EIS is always first to shut it down. VS is running a solid 2nd. That is all I care about.
     
  10. guest

    guest Guest

    What an empty answer, now you accuse other companies of stealing data .. Lol, do these arguments work with your customers? Are they scared kids?
    I thought that a guy like you who knows about security knows how to protect confidentiality and privacy in a "cloud" environment... But better yet let's not lie to people and let's start saying that confidential or personal data is not uploaded unless we think that an executable has private data.

    I wonder why you get so upset when I say that the BB of EAM is just another one and there is no proof to say anything different and you don't care at all if someone says that EAM has the best BB.

    The day you decide to trust in your BB you will set it on auto decide; until then it just shows that it is not ready. And don't start again with "the users say"... Have you done a survey about this with this precise answer or is it another empty statement?

    Regarding the 5% of greyware mentioned by VS, it is irrelevant: we don't know what is inside that 5% flagged by EAM, and taking into account that it is a test we can be pretty sure that it won't be greyware.
     
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Actually, I just showed one example of how data gets stolen. But yes, 20% of data breaches being inside jobs by disgruntled employees, my example was completely unrealistic and conjured up by the feverish mind of a paranoid old man. Where is my tinfoil hat?

    I am sure Yahoo thought the same. Then they lost 1 billion data entries. And I am sure all the AVs that have been hacked in the past, like BitDefender, or Eset, or Kaspersky or an endless list of companies who thought they are doing it right and there is no way they could get hacked, still think they can hoard tonnes of data and keep it secure. That is until it turns out they can't.
    Personally, I do not believe sensitive data can be kept in a secure and accessible way. If your systems need to operate on that data, it has to be accessible to them. These systems need to be accessible by humans to maintain them. So it is never a question if they leak in my mind, just a question of when.
    The only way you can not lose data is to not have it in the first place. That is why we do not keep user data around. We do not want to know what you are doing on the system you have our product installed on, because if we did, we would be responsible for that data.

    Yes, because SFX archives aren't a thing. And you don't think that it is just .EXE files, right? I mean all those script formats and Office documents with all those macros ... Not to mention that data doesn't necessarily mean files. It's your browser history, too. If I was to use a product like that, I am sure whoever sees the data figures I frequent medical websites about Hypothyroidism just because I like the words, not because I may have it.

    I am not upset. It's more curiosity. Like Peter I wanted to know what all the behaviour blockers that fare better are, so I could look at them, maybe learn from them. But somehow you are underdelivering so far, misinterpreting data. It almost seems like you think that all the detections in the test you linked must be behaviour based detections, so the product with the biggest green bar must be the one with the best behaviour blocker. But as I said, it could also be the product with the most comprehensive URL blacklist. Or the product with the most kickass signatures. There are definitely a lot of great products out there, some of which are just as good as or even better than EAM when it comes to keeping your system protected. But you specifically commented on one part of EAM that I am working on this very morning, so I was curious. If you have great ideas, I have Visual Studio open, ready to hack away :)

    We do surveys. Have been for years. Every time you uninstall we ask a couple of questions, for example why did you uninstall. In some cases the feedback is even that we have too many alerts, so we follow up. In most cases, it turns out people enabled the privacy category in the surf protection, which is incredibly chatty because everyone tracks these days. I am sure there were some users who complained about the behaviour blocker alerts, but the vast majority doesn't. It's not ranking very high on the issues we are having.
     
  12. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Hm... using your provided test (Real-World Protection Test - July to November 2016) I count 515 FPs on 19 products which results in an average of 27,1. So the 25 FPs of EAM are below average.
    And if you take into account that 23 of these FPs were user-dependent the actual "wrongly blocked score" (as AV-Comparatives calls it, read page 11 of their report) of EAM is 12,5 which again is under the average.

    So how about you check your facts first or is this just
     
  13. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    Emsisoft and VooDoo Shield, all you need, nothing is going to get by these two in my humble opinion.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been testing with live real malware, and you are absolutely correct.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    guest, a simple question you don't seem to want to answer. Lack of an answer makes me start to believe I am smelling salt. Prove me wrong.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Poland's AVLab tested EAM in December, 2016. Test report here: https://avlab.pl/sites/default/files/68files/Emsisoft_Ant-Malware_Business.pdf
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "Lack of an answer makes me start to believe I am smelling salt." :argh:
     
  18. OverDivine

    OverDivine Registered Member

    Joined:
    Jan 16, 2009
    Posts:
    24
    Nice. I have forgotten about these tests. Thank you. 97% for Microsoft looks good in the real-world test (more like finding malware on purpose if you ask me, so not so real-world). So maybe if I don't plan to buy or sell or test malware, Windows Defender will be protection enough for most people. Also, user interaction should count as system compromised, in my opinion.
    On topic: if you use UEFI + Secure Boot I think you are protected against MBR ransomware.
     
  19. guest

    guest Guest

    More false statements. Please review the file types that AV companies upload to their clouds and then come back and talk.

    Emsisoft is as dangerous for any user as any AV can be; you, or anyone in your company, could be an upset employee that has set a backdoor in your products to spy on users and sell data. You don't need a cloud to do that. Look what Kaspersky did with the cert thing, intentionally or not; you don't need a cloud.

    You can say that you have a secure development cycle; I say that any AV vendor can have a secure cloud environment that not even the employees can access the files in, or they are monitored, and the files aren't linked to users, or many other controls that can be set, but it looks like you can't see beyond a desktop AV in terms of security.

    I never said that there are BB far better than EAM so I can't answer your question. I never said either that all the detections of the other AV are only based on the BB, but the fact is that they have a BB and globally they get better results, so for sure there will be detections that rely on the BB. Whether they have more or less is unknown and irrelevant, because signature or heuristic detection could hide BB detections of any product. But I guess you know that, so I still don't get why you try to look like you don't.

    I guess you are acting like a troll, using things that I haven't said.

    So you made up the survey thing, that is what I can understand from your vague answer, since you confirmed that they prefer the popups.
     
    Last edited by a moderator: Jan 6, 2017
  20. guest

    guest Guest

    It doesn't say a lot if it's not compared with anything.
     
  21. guest

    guest Guest

    Below the average in terms of the number of products tested. It is the 7th worst if I remember well.
     
  22. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Maybe you want to read this: https://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf

    I suggest the row "If "suspicious" files are transmitted: Are non-executable files (e.g. documents) transmitted?". Those are the ones that openly admit to it at least. So maybe you should reread the TOS of your favourite software again?

    Of course, same goes for every software vendor. However, it is a difference whether you need to trust one development team or two. Twice as many opportunities for someone to be disgruntled.

    They have to be accessible. Otherwise, systems can't work with them. Compromise the system, enjoy your free access. It's as simple as that. Often that isn't even necessary, though. Do you have a job in IT? If you do, look at your company and your employer. No matter what company it is, I can guarantee you AV companies aren't much better than that company. They aren't and they have proven that AV companies and people working at AV companies aren't better at security than any other IT-focused business time and time again. Now think of all the ways how you can in your company access data that you aren't supposed to access. A colleague has his password pinned to his monitor? The admin likes watching anime on the server during downtime? Boss's office is openly accessible? Nobody in the office at night but you have a key? Bring your device? Just a couple of ideas that will work in most companies, including AV companies.

    So it was a different guest running around and saying - I quote:

    Got me. I totally made it up.
     
    Last edited: Jan 6, 2017
  23. guest

    guest Guest

    A 2014 doc? No thanks, I prefer the actual file types published for the cloud products I know.
    So what, 5 products may send no exe files to the cloud? Don't use them. What has all this to do with the BB?

    Lol so now we are moving from an upset employee to a hacker...
    Again Fabian, since they don't have private data and data is not linked to users, your statements are irrelevant. And in the same way a hacker can hack their cloud, they can hack your company, compromise the code or anything you want to imagine.
    The situations you mention are again irrelevant given the security measures available to prevent it, assuming that they exist.

    And regarding the survey, sorry but I don't see any specific mention to the BB pop-ups. I guess we have to believe that the users write on those fields that they loved to answer pop-ups.

    I guess you have problems understanding written English.
    Where is your beloved BB mentioned in this sentence where I say better?

    As I said before I wonder why you got so upset, maybe there is something to hide?
     
  24. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    To maybe bring this "discussion" to a meaningful end:

    guest, you made a claim about the BB of EAM being "mediocre". That's why Fabian responded asking for any data that supports your assertion.
    Meanwhile he was also trying to tell you that often it's really difficult to clearly determine at which layer a malware has been blocked and which component (URL blocking, signature, heuristics, behaviour blocking, ...) was responsible. In the test you were referring to this for example was the case ("It is not very important at which stage the protection takes place. It could be while browsing to the website (e.g. protection through URL Blocker), while an exploit tries to run, while the file is being downloaded/created or when the malware is executed (either by the exploit or by the user).", page 5).
    Please read the test procedure first before you make an assertion.

    Also he was asking for any test/review where you can actually judge the performance of behaviour blockers. Can you please provide such data? If not, stop being upset that Fabian defends his product.

    Everything else does not really help in this discussion imo...

     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I guess I missed this totally off topic thread being such a pain. Can someone tell me who guest is and why this thread with his posts is so important? I don't know who this person is but he must be important; other people would stop feeding him if he was a troll.
    This whole thread has gotten out of control and I have been here a very long time. I am getting a hurting brain from reading these posts.
     