Discussion in 'other anti-malware software' started by emsisoft, Aug 19, 2013.
Based on release dates, I would say MBAM is starting the trend.
Joke of the week
Emsisoft Newsletter - August 19th, 2013
Seems like lots of suites performed well in the last banking test. Good!
Keep up the good work Emsisoft!
You're right. I didn't pay attention to the release dates and only saw a ref. to the MBAM shift in policy yesterday.
Interesting how when crapware starts costing anti-malware industry money, something gets done.
Time to sell your CBS stock I guess. Between Time-Warner pulling the plug on its video revenue and CNet's adware and spyware revenue headed to the dumper, CNN might end up buying CBS.
very fast & powerful
The most powerful
Only missing 3 cases of 1109
I don't know if it is by design, but in my experience Emsisoft Anti-Malware needs two updates to be really "up to date" (same definitions as Bitdefender).
For example, if I turn on my computer in the morning, the first update will be one or two updates behind Bitdefender, but after this initial update I can do one more update (a moment after the first update) and now EAM will download more signatures and will have the same database as Bitdefender.
Pardon me for my English, it is bedtime here.
PS: I can compare the databases by looking at update.txt in Emsisoft Anti-Malware\Signatures\BD
Emsisoft 8.1 updated perfectly on 3 of my Win 7 PCs, but on a Win XP SP2 PC the File Guard is not activated, and when I click to activate, nothing happens. That's on the main page; when I go to the File Guard page, click anything, and nothing happens. Everything else is working great.
Anybody have the same problem, or know a fix for this?
Thanks, regards, Worgeordie
You must upgrade to SP3
I think this link helps you
Never mind, it is fixed.
Yeah, very good results for EAM.
Fabian - I have found a few issues with EAM 8.
Taskbar notification area in WIN 7 x64 SP1. EAM is creating multiple entries there. Appears to be a result when the software is updated via auto download? Also could possibly be caused by explorer.exe crashes, since I have had more than a few which I also suspect were due to issues with garbage in the taskbar. At least it explains the erratic behaviour I have observed with the EAM shield disappearing at times and strange behavior in Action Center when displaying security status. I had other garbage in the taskbar notification area so I reset it and I am good to go PC-wise.
EMET 4 conflicts. IE9 has been periodically crashing for some time due to EMET.dll. I found a workaround by excluding the WIN 7 AppPatch folder, where both EMET x86 and x64 DLLs reside, from EAM's File and Web Shield guards. I have also excluded the entire EMET x86 program folder from the above EAM shields. Also, the above crashing occurred regardless of the various EMET system mitigation settings.
Looks like I will have to recant on this one.
Set off all EAM whitelisting of the above and not a single IE9 crash. Also applies to explorer crashes I was getting.
Appears clearing the taskbar notification area did the trick. I did have a lot of questionable entries in there. Like quarantine.exe. What the heck that was is beyond me. Not a trace of it on my WIN 7 installation. I suspect a prior malware remnant perhaps.
For support, you are better posting these things in the Emsi forum. They will help you way faster than here.
Hi guys, I post this here as I would like more input than just from the Emsi forum (I see Fabian visits here frequently, maybe he will comment as well).
I did change the setup at one of my customers yesterday to Emsisoft, I wanted to beef up the protection from the former setup. (Testing now for 30 days)
I wanted to show the employees some of the popups that could occur when using the product, and let them watch EAM on my VM.
I had a folder with 200 fresh viruses, EAM did remove most of them with its guard and some more with a scan.
This part was all fine as there was no user interaction to speak of.
Now my intentions were to execute some of the leftovers so that they could watch and learn how to use the behavior blocker.
The first file I picked generated a locked window from a ransomware...
A bit embarrassing, end of class, but here is the real question:
From what I understand a ransomware does the same every time, it locks your desktop or access to execute your files. (Please correct me if I am wrong here)
This would be a perfect "victim" for the BB, to catch such a behavior.
I understand that a virus could "morph" around signatures, but can you really do the same with a certain behavior like this?
Appreciate to hear your thoughts on this matter.
Without the file there is no way to tell what is going on. So I would appreciate it if you could upload the file to VT and share the hash.
Sent you a PM with the info Fabian.
My question was more of a "Ransomware in general" as this has happened to me a couple of times before, that is why I raised the question.
Technically, a screen locker is just an application showing a full screen on-top window, capturing all the keyboard and mouse input. So do a lot of games. So based on that behavior alone, you will end up with tons of false positives.
The way to solve it is to combine that trigger with other attributes. Properties like self installation or even the file's location. You run into issues though when the malware in question never actually does any of that on its own. There are a few Russian screen lockers for example, that will not change anything on the system. They are just executed by some other malware component and just display the screen doing literally nothing else.
If you take such a sample, extract it to your Desktop, and just execute it as part of a test, a behavior blocker has no idea about the circumstances of how and where the file is executed, and will most likely let it pass.
That being said, neither is the case for the files you sent me. Both of them are blocked by the behavior blocker just fine:
Are you sure those were the files you tested?
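The point made above, that a full-screen on-top window capturing input is not enough on its own and must be combined with other attributes, sketched as an added toy rule (not Emsisoft's code; the event names, weights and suspicious-directory list are assumptions). It also reproduces the blind spot described: a bare locker executed from the Desktop by a tester, doing nothing else, passes.

```python
# Added example, not Emsisoft code: a toy behavior-blocker rule that only acts
# on the screen-locker trigger when corroborated by other attributes.
# Event names and the suspicious-directory list are constructed assumptions.
from dataclasses import dataclass, field

# Per-process behaviors a blocker might observe (constructed vocabulary)
FULLSCREEN_TOPMOST = "fullscreen_topmost_window"
INPUT_CAPTURE = "captures_keyboard_and_mouse"
AUTORUN_CREATED = "creates_autorun_entry"
SELF_INSTALL = "copies_self_to_system_dir"
INJECTS_CODE = "injects_into_other_process"

# Locations treated as suspicious for a freshly executed binary (assumption)
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\")


@dataclass
class Process:
    name: str
    path: str
    events: set = field(default_factory=set)


def screen_lock_trigger(p: Process) -> bool:
    """The raw trigger: full-screen on-top window plus input capture.
    Games do exactly this, so blocking on it alone means false positives."""
    return {FULLSCREEN_TOPMOST, INPUT_CAPTURE} <= p.events


def corroborating_attributes(p: Process) -> list:
    """Properties that separate a locker from a game: self-installation,
    persistence, injection, or running from a suspicious location."""
    found = [e for e in (AUTORUN_CREATED, SELF_INSTALL, INJECTS_CODE) if e in p.events]
    if any(d in p.path.lower() for d in SUSPICIOUS_DIRS):
        found.append("runs_from_suspicious_dir")
    return found


def verdict(p: Process) -> str:
    """'block' only when the trigger fires AND something corroborates it."""
    if not screen_lock_trigger(p):
        return "allow"
    return "block" if corroborating_attributes(p) else "allow"


if __name__ == "__main__":
    game = Process("game.exe", r"C:\Games\game.exe", {FULLSCREEN_TOPMOST, INPUT_CAPTURE})
    bare = Process("bare.exe", r"C:\Users\u\Desktop\bare.exe", {FULLSCREEN_TOPMOST, INPUT_CAPTURE})
    print(verdict(game), verdict(bare))  # both allow: the bare locker is the blind spot
```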
Thanks for the explanation, and yes it was one of them.
A year back I saw something strange happen with a Mamutu install, where the BB did react but I was not fast enough to read the warning and make a decision before the ransom took over, if you understand what I mean?
I did run it on a VM with XP as OS if that could make a difference?
Definitely the lightest version released. Great job.
This behavior was not caused by you being too slow. But was a side effect of the way the community queries work. Essentially while the query was performed, the alert was already displayed. Once the query returned a result and the result would have caused Mamutu to act automatically, the alert dialog was closed automatically, leading to the behavior you describe of alerts popping up for a few seconds.
Same setup here. You actually have to allow the file twice until the actual screen locker becomes active (code injection and autorun creation).
Actually it was not the alert dialog that closed too fast, it was the ransom taking over, on top of the alert dialog.
Ok, strange?? As I described above, could something similar have happened here with this? The ransom window came up crazy fast.
Could that lead to having the alert dialog behind it?
The malware is suspended as long as the alert window is showing. More likely is that for some reason the behavior blocker wasn't functional at all in your VM for whatever reason.
Btw, I will be testing version 9 and fix the behavior blocker. Malware has been trying to bypass it, and a few did bypass it when I was doing my test on it.