Emsisoft Anti-Malware 8.1 released

Discussion in 'other anti-malware software' started by emsisoft, Aug 19, 2013.

Thread Status:
Not open for further replies.
  1. 0strodamus, Registered Member
  2. jack76, Registered Member
    Joke of the week :D
     
  3. anon, Registered Member
    Emsisoft Newsletter - August 19th, 2013
     
  4. Noob, Registered Member
    Seems like lots of suites performed well in the last banking test. Good!
    Keep up the good work Emsisoft!
     
  5. itman, Registered Member
    You're right. I didn't pay attention to the release dates and only saw a ref. to the MBAM shift in policy yesterday.

    Interesting how when crapware starts costing anti-malware industry money, something gets done.

    Time to sell your CBS stock I guess. Between Time-Warner pulling the plug on its video revenue and CNet's adware and spyware revenue headed to the dumper, CNN might end up buying CBS.
     
    Last edited: Aug 21, 2013
  6. Pars, Registered Member
    very fast & powerful
     
  7. Pars, Registered Member
    Last edited by a moderator: Aug 22, 2013
  8. Nightwalker, Registered Member
    I don't know if it is by design, but in my experience Emsisoft Anti-Malware needs two updates to be really "up to date" (same definitions as Bitdefender).

    For example, if I turn on my computer in the morning, the first update will be one or two updates behind Bitdefender, but after this initial update I can do one more update (a moment after the first update) and now EAM will download more signatures and will have the same database as Bitdefender.

    Pardon me for my English, it is bedtime here :cool:

    PS: I can compare the databases by looking at update.txt in Emsisoft Anti-Malware\Signatures\BD
     
  9. worgeordie, Registered Member
    Emsisoft 8.1 updated perfectly on 3 of my Win 7 PCs, but on a Win XP SP2 PC the File Guard is not activated, and when I click to activate, nothing happens. That's on the main page; when I go to the File Guard page and click anything, nothing happens either. Everything else is working great.

    Anybody have the same problem, or know a fix for this?
    Thanks, regards, Worgeordie
     
  10. Pars, Registered Member
    Hi

    You must upgrade to SP3

    I think this link will help you:
    http://support.emsisoft.com/topic/6775-file-guardoff/#entry43521
     
  11. Nightwalker, Registered Member
    Never mind, it is fixed.
     
    Last edited: Aug 24, 2013
  12. Noob, Registered Member
  13. itman, Registered Member
    Fabian - I have found a few issues with EAM 8.

    Taskbar notification area in WIN 7 x64 SP1. EAM is creating multiple entries there. Appears to be a result of the software being updated via auto download? It could also be caused by explorer.exe crashes, since I have had more than a few which I also suspect were due to issues with garbage in the taskbar. At least it explains the erratic behaviour I have observed with the EAM shield disappearing at times and strange behavior in Action Center when displaying security status. I had other garbage in the taskbar notification area so I reset it and I am good to go PC-wise.

    EMET 4 conflicts. IE9 has been periodically crashing for some time due to EMET.dll. I found a workaround by excluding the WIN 7 AppPatch folder, where both the EMET x86 and x64 DLLs reside, from EAM's File and Web Shield guards. I have also excluded the entire EMET x86 program folder from the above EAM shields. The above crashing also occurred regardless of the various EMET system mitigation settings.
     
    Last edited: Aug 25, 2013
  14. itman, Registered Member
    Looks like I will have to recant on this one.

    Set off all EAM whitelisting of the above and not a single IE9 crash. Also applies to the explorer crashes I was getting.

    Appears clearing of the taskbar notification area did the trick. I did have a lot of questionable entries in there, like quarantine.exe. What the heck that was is beyond me. Not a trace of it on my WIN 7 installation. I suspect a prior malware remnant perhaps.
     
  15. Noob, Registered Member
    For support, you are better posting these things in the Emsi forum. They will help you way faster than here.
     
  16. Esse, Registered Member
    Hi guys, I post this here as I would like more input than just from the Emsi forum (I see Fabian visits here frequently, maybe he will comment as well).

    I did change the setup at one of my customers yesterday to Emsisoft, I wanted to beef up the protection from the former setup. (Testing now for 30 days)

    I wanted to show the employees some of the popups that could occur when using the product, and let them watch EAM on my VM.
    I had a folder with 200 fresh viruses, EAM did remove most of them with its guard and some more with a scan.
    This part was all fine as there was no user interaction to speak of.

    Now my intentions were to execute some of the leftovers so that they could watch and learn how to use the behavior blocker.
    The first file I picked generated a locked window from a ransomware... :rolleyes:

    A bit embarrassing, end of class, but here is the real question:

    From what I understand a ransomware does the same every time, it locks your desktop or access to execute your files. (Please correct me if I am wrong here)
    This would be a perfect "victim" for the BB, to catch such a behavior.

    I understand that a virus could "morph" around signatures, but can you really do the same with a certain behavior like this?

    Appreciate to hear your thoughts on this matter.

    /E
     
  17. Fabian Wosar, Developer
    Without the file there is no way to tell what is going on. So I would appreciate it if you could upload the file to VT and share the hash.
     
  18. Esse, Registered Member
    Sent you a PM with the info Fabian.

    My question was more of a "Ransomware in general" as this has happened to me a couple of times before, that is why I raised the question.

    /E
     
  19. Fabian Wosar, Developer
    Technically, a screen locker is just an application showing a full screen on-top window, capturing all the keyboard and mouse input. So do a lot of games. So based on that behavior alone, you will end up with tons of false positives.

    The way to solve it is to combine that trigger with other attributes. Properties like self installation or even the file's location. You run into issues though when the malware in question never actually does any of that on its own. There are a few Russian screen lockers for example, that will not change anything on the system. They are just executed by some other malware component and just display the screen doing literally nothing else.

    If you take such a sample, extract it to your Desktop, and just execute it as part of a test, a behavior blocker has no idea about the circumstances of how and where the file is executed, and will most likely let it pass.

    That being said, neither is the case for the files you sent me. Both of them are blocked by the behavior blocker just fine:

    http://i.imgur.com/onPduqh.png
    http://i.imgur.com/X5xuMkZ.png

    Are you sure those were the files you tested? :)
     
  20. Esse, Registered Member
    Thanks for the explanation, and yes it was one of them.

    A year back I saw something strange happen with a Mamutu install, where the BB did react but I was not fast enough to read the warning and make a decision before the ransom took over, if you understand what I mean?

    I did run it on a VM with XP as OS if that could make a difference?


    /E
     
  21. Saraceno, Registered Member
    Definitely the lightest version released. Great job. :thumb:
     
  22. Fabian Wosar, Developer
    This behavior was not caused by you being too slow. But was a side effect of the way the community queries work. Essentially while the query was performed, the alert was already displayed. Once the query returned a result and the result would have caused Mamutu to act automatically, the alert dialog was closed automatically, leading to the behavior you describe of alerts popping up for a few seconds.

    Same setup here. You actually have to allow the file twice until the actual screen locker becomes active (code injection and autorun creation).
     
    Last edited: Aug 30, 2013
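A toy illustration of the reasoning in posts 19 and 22: the screen-locker trigger (full-screen topmost window grabbing all input) on its own matches games, so a behaviour blocker only acts when other attributes such as autorun creation, self-installation, code injection or the file's location back it up, and a bare locker dropped on the Desktop still slips through. This is an added example, not Emsisoft's code; the weights, thresholds, attribute names and sample paths are made-up assumptions.

```python
# Added example, not Emsisoft's code: a toy behaviour-blocker rule that only acts on
# the screen-locker trigger when other attributes support it. Weights are made up.
from dataclasses import dataclass

@dataclass
class ProcessObservation:
    path: str                          # where the executable lives
    fullscreen_topmost: bool = False   # full-screen, always-on-top window
    grabs_input: bool = False          # captures all keyboard and mouse input
    creates_autorun: bool = False      # adds a run-at-logon entry
    self_installs: bool = False        # copies itself somewhere else
    injects_code: bool = False         # writes code into another process

SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\")
TRUSTED_DIRS = ("\\program files\\", "\\program files (x86)\\")

def assess(p: ProcessObservation) -> str:
    """Return 'allow', 'alert' or 'block' for one observed process."""
    # The raw trigger: a full-screen topmost window that grabs all input.
    # Games do exactly this, so on its own it is never enough to act.
    if not (p.fullscreen_topmost and p.grabs_input):
        return "allow"
    score = 2 * sum((p.creates_autorun, p.self_installs, p.injects_code))
    path = p.path.lower()
    if any(d in path for d in SUSPICIOUS_DIRS):
        score += 1
    if any(d in path for d in TRUSTED_DIRS):
        score -= 1
    if score >= 3:
        return "block"
    if score >= 1:
        return "alert"
    return "allow"   # a bare locker run from the Desktop lands here

# Constructed observations for the cases discussed in the thread.
SAMPLES = {
    "game": ProcessObservation(r"C:\Program Files\Game\game.exe",
                               fullscreen_topmost=True, grabs_input=True),
    "dropped_locker": ProcessObservation(r"C:\Users\me\AppData\Local\Temp\x.exe",
                                         fullscreen_topmost=True, grabs_input=True,
                                         creates_autorun=True, injects_code=True),
    "bare_locker_on_desktop": ProcessObservation(r"C:\Users\me\Desktop\lock.exe",
                                                 fullscreen_topmost=True, grabs_input=True),
    "unpacked_in_downloads": ProcessObservation(r"C:\Users\me\Downloads\lock.exe",
                                                fullscreen_topmost=True, grabs_input=True),
}

def verdicts() -> dict:
    return {name: assess(obs) for name, obs in SAMPLES.items()}
```

The "bare_locker_on_desktop" sample is the case Fabian describes: nothing but the window itself is observable, so the rule lets it pass.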
  23. Esse, Registered Member
    Actually it was not the alert dialog that closed too fast, it was the ransom taking over, on top of the alert dialog.

    Ok, strange?? As I described above, could something similar have happened here with this? The ransom window came up crazy fast.
    Could that lead to having the alert dialog behind it?

    /E
     
  24. Fabian Wosar, Developer
    The malware is suspended as long as the alert window is showing. More likely is that for some reason the behavior blocker wasn't functional at all in your VM for whatever reason.
     
  25. nsm0220, Registered Member
    btw I will be testing version 9 and fix the behavior blocker; malware has been trying to bypass it and a few did bypass it while I was doing my test on it
     