Emsisoft Anti-Malware & Emsisoft Internet Security 12

Discussion in 'other anti-malware software' started by Mops21, Sep 14, 2016.

  1. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,008
    Emsisoft Anti-Malware & Emsisoft Internet Security 12.1.1 released
    December 15, 2016
    http://changeblog.emsisoft.com/2016...e-emsisoft-internet-security-12-1-1-released/

     
  2. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Updated itself an hour ago, thanks.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Only 5 of my ports are stealthed. All the others tested on Shields Up (1050) are blocked but not stealthed. This is something new on my system with EMIS.

    NE1 else or just me o_O
     
  4. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    229
    I am using a laptop via a Sprint wifi hotspot and have Emsisoft Internet Security running. I did the common ports test at Shields Up and it shows about nine ports stealthed and seventeen say "closed." I don't think I have run Shields Up since I got Emsisoft so I don't know if this result is different from what it would have been in the past. I also don't know if the wifi hotspot is affecting the results somehow.
     
  5. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    As mentioned on the official support forum (but not in English), Emsisoft 12 stops Forza Horizon 3 from running. The Forza game will exit automatically shortly after being started as long as Emsisoft 12 is installed.

    After adding the game folder to "Exclusion" in Emsisoft's settings, the game works. However, I do hope Emsisoft can investigate this, as the game was working totally fine with Avast, Symantec Endpoint Protection and various other AV software.
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    My issue was a temporary glitch of some sort. When connecting via a router, rather than ethernet, all ports were stealthed. But when I tried direct ethernet connection again, all ports were also stealthed. Dunno what the glitch was, but I believe it is more likely that it had something to do with my PC config rather than EMIS.
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Must be some quirk in how the game operates that causes certain AVs to block it. The same issue has been reported to exist with at least Avast.

    https://forum.avast.com/index.php?topic=191315.0

    Weird you had no problem while running Avast but do with EMIS. Maybe Avast fixed its issue.

    Have you reported the issue on the Emsisoft Forum? Try False Positives Forum:

    https://support.emsisoft.com/forum/58-false-positives/


    I had a similar issue with another game when using Kaspersky IS. But that appeared to be a firewall issue, since the game would start but could not connect to the online game servers. I was not able to cure the problem by any known firewall tweak. Had to drop KIS.
     
    Last edited: Dec 28, 2016
  8. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    I tried Avast for a short period of time in Nov or so and I didn't remember any Forza crashes (well one possibility is that I didn't play Forza during that time).

    Should it be posted in false positives forum? The game starts and stops and Emsi just remains silent. Also there are already reports in "other language" support forums.
     
  9. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    I have been running EIS for more than 24 hours on my own laptop, a Dell Latitude E6430 with Windows 7 Professional 64-bit. I see the CPU never went below 25%.
    Is this normal? Do I have to wait till it settles down a bit more?
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What is the CPU actually running? Look in Task Manager and see.
     
  11. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    I uninstalled it and saw that it went down considerably... installed it back again and I see it spikes up to 45 to 56%.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, but did you look in Task Manager and see what was actually using the CPU while it was installed?
     
  13. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    Not really, but I did uninstall a few of the programs I doubted.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I saw some videos about the BB giving alerts about ransomware, but does this mean that all files are saved from being encrypted? The reason I ask this, is because I know a lot of behavior blockers have got difficulties to block the malicious process as soon as possible. RansomFree uses the honey pot method which isn't foolproof, but still interesting. And AppCheck seems to be more successful, but isn't bulletproof either.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been testing malware samples against several products including EIS. So far I've tested close to 200 samples, of which about 60% have been ransomware. None of them, including the ransomware, have even been able to run, no less infect the system.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's cool, but I'm trying to figure out if the BB can block ransomware on its own, so without the help of signatures. That's exactly what tools like WAR and HMPA and newcomers like RansomFree and AppCheck are trying to do.
     
  17. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    No, we do not save all files. There are file types we deem less important (executables, temp files, link files, stuff like that), because they are easy to replace (reinstall the program) or they are of no use to the user. We do save all files we consider to be documents, though. The list is too long to post here, but I put it on Pastebin: https://pastebin.com/jsNyPHr8

    Also keep in mind, that ransomware is often just "malware". Meaning the majority of ransomware is blocked by EAM before it even gets to the file encrypting part, because of other activity we flag (code injection, hidden installation, C2 communication etc.). As an additional "just in case" security measure EAM also prevents the shadow copies from being deleted:

    upload_2017-1-8_17-37-34.png

    I hope nobody will ever see that message, but it is there, so if we do fail for some reason, we at least try to increase your chances of bringing your files back.
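
A defender-side check for the shadow copy deletion that the post above says EAM blocks, as an added example that is not part of the thread and is not Emsisoft's code. It scans process-creation events for command lines that delete Volume Shadow Copies; the event field names, rule names and sample events are assumptions made up for the example.

```python
import re

# Command-line shapes that delete Volume Shadow Copies. The utilities are real
# Windows tools; the rule names are hypothetical labels for this example.
RULES = [
    ("vssadmin-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic-delete", re.compile(r"\bwmic(\.exe)?\s+.*\bshadowcopy\b.*\bdelete\b")),
    ("wmi-script-delete", re.compile(
        r"\bwin32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b")),
]

def normalize(cmdline):
    """Lowercase, drop quote characters and collapse runs of whitespace."""
    s = cmdline.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", s).strip()

def match_rule(cmdline):
    """Return the name of the first rule the command line matches, or None."""
    norm = normalize(cmdline)
    for name, pattern in RULES:
        if pattern.search(norm):
            return name
    return None

def detect(events):
    """Return (pid, parent image, rule name) for every matching event."""
    alerts = []
    for ev in events:
        rule = match_rule(ev["cmdline"])
        if rule:
            alerts.append((ev["pid"], ev["parent"], rule))
    return alerts

# Constructed sample events (assumed shape: pid, parent image, command line).
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": "invoice_scan.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"pid": 4110, "parent": "cmd.exe",
     "cmdline": "wmic.exe shadowcopy delete /nointeractive"},
    {"pid": 4120, "parent": "explorer.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    # Read-only queries that must not raise an alert.
    {"pid": 5000, "parent": "mmc.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 5004, "parent": "backup_agent.exe", "cmdline": "wmic shadowcopy list brief"},
]

if __name__ == "__main__":
    for pid, parent, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} parent={parent} rule={rule}")
```

The parent image is kept in each alert because a deletion request from an unexpected parent is what separates a suspicious event from a backup tool doing routine cleanup.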
     
  18. guest

    guest Guest

    Any discounts on EIS?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, thanks for the info. So basically when ransomware comes to the second stage of the attack, which is encrypting files, EIS will also give an alert about file modification, but won't be able to stop all of the damage? And yes, you're correct, most ransomware variants don't immediately start with the encrypting of files, they first perform other suspicious behavior which should be caught, that's exactly what I explained in another thread, see links.

    https://www.wilderssecurity.com/thr...i-ransomware-beta.383333/page-12#post-2620486
    https://www.wilderssecurity.com/thr...i-ransomware-beta.383333/page-12#post-2620520
    https://www.wilderssecurity.com/thr...i-ransomware-beta.383333/page-12#post-2621815
     
  20. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    The moment it tries to touch your documents (as by the definition I gave above) and certain other criteria are met, it will alert about it. It obviously won't cry about every application that writes to a document file for example. There are other factors that need to be fulfilled as well.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but what still isn't clear is if EIS will stop all files from being encrypted. That's exactly what you criticized RansomFree for, not that I blame you, because it's a fair point. Like I said, I believe HMPA uses a rollback feature to tackle this problem that all behavior blockers have, but I don't know how it works exactly.
     
  22. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    As I said before, certain file types we deem unimportant like link files or executables. Those may get encrypted. But we will prevent any documents from being encrypted, right from the very first one on. No rollback necessary.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK thanks, got it.
     
  24. guest

    guest Guest

    The folder for the "rollback feature" contains previous versions of files which are about to be changed, so files can be rolled back. You'll find "general descriptions" of how it works in the HMPA-thread.
    #8736 #10401
    Edit: Correction
     
    Last edited by a moderator: Jan 12, 2017
  25. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    [QUOTE="markloman, post: 2565073"]Actually, the C:\Windows\CryptoGuard folder contains temporary previous versions of files (documents, photos, etc.) that are about to be changed on the disk. When your files are attacked (en masse encrypted) by crypto-ransomware, CryptoGuard will roll back the previous versions from the CryptoGuard folder so you never lose any files. You do not lose max. 3 files, you should not lose any at all.[/QUOTE]
     
    Last edited: Jan 12, 2017