Emsisoft Anti-Malware & Emsisoft Internet Security 10 available

Discussion in 'other anti-malware software' started by emsisoft, May 10, 2015.

  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Thanks, we will look into it.
     
  2. andrewf

    andrewf Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    25
    Hello,

    Would it be possible to get a2service.exe dump while the issue happens on your system?
    (Please make sure to disable self-protection and reboot prior to reproducing the issue)

    If so - please email the dump or dump download link to af (at) emsisoft [dot] com

    Thank you in advance,
     
  3. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    798
    Should I use Task Manager to create the dump or some other specialized tool?
     
  4. andrewf

    andrewf Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    25
    Task manager should work just fine.
     
  5. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    798
    Unfortunately, I can't seem to disable self-defense. Even after unchecking the option
    Capture3.PNG
    and rebooting the system, both Task Manager and Process Hacker are unable to create a dump - there's no HDD activity after invoking the dump command. Even trying to terminate the process/service is unsuccessful, which would indicate self-defense is still enabled. Any suggestions?
     
  6. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
  7. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    798
    No go. After adding PH to exclusions as such:
    Capture5.PNG
    and rebooting for good measure, PH didn't create a dmp file after waiting 15+ minutes with no HDD activity (just endlessly "Creating the dump file")

    I've also had several instances where the UI would open as an unresponsive black/white screen and I've also had this message appear several times during normal usage with no apparent error shown in the interface or otherwise
    Capture4.PNG
    :/
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,761
    I have just tried updating EIS in another snapshot, but instead of just an application restart, it required a reboot. That is when I got the BSOD, while it was shutting down. It then gave the various reboot options to continue, so I chose the normal boot, but I got the BSOD again. Then tried safe mode with networking, but still a BSOD. Tried the safe mode option only, and this time I got back in. However, I then tried to restore to an earlier date, but that failed. I managed to get a minidump, which I copied and saved to my separate data drive.

    ScreenShot_EIS_restart required_01.gif ScreenShot_EIS_restart required_02.gif ScreenShot_EIS_restart required_03.gif
     
  9. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Can you please send the minidump to fw@emsisoft.com? Thanks.
     
  10. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Can you check the module list of Process Hacker to make sure that a2hooks32.dll isn't loaded? You may also want to disable the File Guard before creating the dump, just to make sure you don't create any deadlock situations, where Process Hacker suspends the service to create the dump, but the file system transactions involved are suspended until the service has scanned them.
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,761
    You should have it....I am off to bed, now.
     
  12. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    798
    At first a2hooks32.dll was loaded, but after restarting PH it wasn't, without changing anything in EIS. I have PH scheduled to run elevated at system start, so it's possible the whitelist isn't applied in a timely manner on boot.
    Anyway, I've managed to get a dump and sent it to af [at] emsisoft com (uploaded it to Google drive, 221MB zip)
     
  13. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    You're right, it could. But it didn't. :) I know that because of my HIPS.

    So, I did a bit more testing and may have found a bug in the behavior blocker. That, or something which could certainly be improved.

    I tried the macro/PowerShell attack again, and again it got through. Strange! So I looked in the Application Rules and I notice that the instance of PowerShell that I added last time is no longer there. It looks like this exact instance of PowerShell is automatically removed from my Application Rules every time windows reboots:
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe

    I have 6 other instances of PowerShell in the Application Rules, but those are not the ones invoked by the macro, and they are in different locations. Apparently this \SysNative\ folder is causing trouble. When I search my drive for PowerShell, the exact instance in the \SysNative\ folder does not show up, nor can I find the folder itself, apparently because "SysNative is a symbolic link to System32". But if so, how can I be protected from the PowerShell attack, just as I was in the old version of Emsisoft Antimalware? When adding the relevant instance of PowerShell to my Application Rules it just disappears after the first reboot...

    Fabian, can you take care of this please? Or should I report it somewhere else?
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    The whitelist only takes effect once EAM or EIS has started. That means any processes that are started before EAM or EIS are always monitored.

    In any case, thank you for the dump.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    I don't believe that EAM BB rules support symbolics. Try using C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe instead. Also don't forget a rule for the SysWOW64 folder if you're using x64 Windows.
     
    Last edited: Aug 8, 2015
  16. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    C:\Windows\SysNative is not a real directory. It is a virtual directory that is only available to 32-bit processes. That is why you can't find it anywhere. Whenever you create a rule for C:\Windows\SysNative\ it will automatically be replaced with C:\Windows\System32. So looking in your rules for C:\Windows\SysNative won't bring up anything.

    We will look into it. It is unlikely to be fixed before version 11 though.
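
    The SysNative substitution Fabian describes, and itman's point that an x64 host carries a second copy of each system binary under SysWOW64, can be modelled as plain path logic. The following is an added example, not Emsisoft code and not how EAM/EIS stores its rules internally: it canonicalises a rule path the way Fabian says the product does (SysNative becomes System32), shows why a search for the SysNative spelling finds nothing unless the query is canonicalised the same way, and lists both locations a defender needs a rule for. The Windows root C:\Windows is assumed; the real value comes from %SystemRoot%. It uses only ntpath, so it runs on any platform.

```python
"""Model the WOW64 path aliasing that makes a SysNative rule "disappear".

Added example, not Emsisoft code.  On 64-bit Windows, C:\\Windows\\SysNative
is a virtual directory visible only to 32-bit (WOW64) processes and refers
to the real 64-bit System32.  A rule engine that stores the real path will
therefore keep a SysNative rule under System32, so the SysNative spelling
never shows up again.  A 32-bit process that opens C:\\Windows\\System32 is
redirected to C:\\Windows\\SysWOW64, which holds a second copy of each
system binary, so a complete rule set names both copies.
"""
import ntpath

SYSTEM_ROOT = r"C:\Windows"   # assumed; take it from %SystemRoot% on a real host


def canonical_rule_path(path: str, system_root: str = SYSTEM_ROOT) -> str:
    """Rewrite <root>\\SysNative\\X to <root>\\System32\\X; leave other paths alone."""
    norm = ntpath.normpath(path)
    sysnative = ntpath.join(system_root, "SysNative")
    if norm.lower().startswith(sysnative.lower() + "\\"):
        relative = norm[len(sysnative) + 1:]
        return ntpath.join(system_root, "System32", relative)
    return norm


def has_rule(stored_rules, query: str) -> bool:
    """Case-insensitive lookup that canonicalises both sides first."""
    wanted = canonical_rule_path(query).lower()
    return any(canonical_rule_path(rule).lower() == wanted for rule in stored_rules)


def rule_paths_to_cover(relative: str, system_root: str = SYSTEM_ROOT) -> list:
    """Both copies of a system binary an x64 host carries: 64-bit and WOW64."""
    return [ntpath.join(system_root, "System32", relative),
            ntpath.join(system_root, "SysWOW64", relative)]


if __name__ == "__main__":
    # The path from the thread: what the user typed into the rule.
    typed = r"C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe"
    stored = canonical_rule_path(typed)
    print("typed :", typed)
    print("stored:", stored)
    # A naive search for the SysNative spelling fails; a canonicalised one succeeds.
    print("literal match:", typed in [stored])
    print("canonical match:", has_rule([stored], typed))
    for p in rule_paths_to_cover(r"WindowsPowerShell\v1.0\powershell.exe"):
        print("needs a rule:", p)
```

The lookup shows the whole "my rule vanished" effect: the rule is still there, just under the real path, and only a search that canonicalises the query finds it. The last loop is the defender's checklist for an x64 host: one rule per copy of the interpreter, as itman advises.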
     
  17. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    Those instances of PowerShell were already added...
     
  18. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    Thanks for looking into it!

    Back to the most important point: How about the behavior blocker issue I previously described? Would you consider adding the option to disable the whitelist? How else can the issue be addressed?

    Again, these are the issues as I see them, about now having to manually add components such as PowerShell:
    Issue 1: It's time-consuming.
    Issue 2: If mistakes are made during fine-tuning, such as what just happened to me, or if the user does not add all processes that could be used by an attacker, then the user will end up with less security than expected.

    Until this is addressed, it still looks like we are getting less protection from the behavior blocker in the new version of Emsisoft Antimalware.
     
  19. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    No, we will not re-introduce paranoid mode. As mentioned before: We want less popups. Not more. I already explained several times what the real fix is that we plan to implement in one of the next updates:

    Attribute malicious activity of host processes like RunDLL32, CMD, PowerShell, VBScript etc. not to the host process, but to the script or code using the process.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Fantastic if this could be done. Will be difficult to accomplish.

    I was thinking along the lines of adding policy based default rules to the behavior blocker. Something along the lines that PowerShell could run but only in its default restricted interactive mode which by definition would block all script execution. Would also give the user the flexibility to modify if they had a need to use PowerShell.
     
  21. hjlbx

    hjlbx Guest

    If you desire to block scripts then simply use an anti-executable such as NoVirusThanks Exe Radar Pro.

    I can't speak for Emsi, but I would bet that they do not implement anti-executable-like alerts and functionality into EIS\EAM - along the lines of those by NVT ERP or VS.

    Instead, I would expect EIS\EAM will essentially behave as they do now, except that instead of an alert for the interpreter (e.g. cmd.exe), the alert will be for the file using it - for example, a malicious script named 1.js that uses cmd.exe to create an auto-start entry, or connect surreptitiously to the internet, or attempts to connect to a known malicious URL.

    In the case above, as a generalized example...

    Behavior Blocker alert - 1.js - Autorun - Allow\Block
    Firewall alert - 1.js - Protocol Port IP address - Allow\Block
    Surf Protection alert - known malicious URL (wouldn't attribute to 1.js) - Allow\Block
     
    Last edited by a moderator: Aug 9, 2015
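
    The attribution Fabian announces in post 19 (blame the script or code driving a host process, not RunDLL32, CMD or PowerShell itself) and the alert shape hjlbx sketches above can be demonstrated with a small process-tree walk. This is an added example written for this page, not Emsisoft code and not a description of how the behavior blocker implements it. It assumes the monitor has process-creation records with pid, parent pid, image path and command line; all process records, paths and pids below are constructed sample data, and the interpreter list and payload suffixes are this example's own choices.

```python
"""Attribute an interpreter's action to the file that drives it.

Added example, not Emsisoft code.  Given process-creation records (pid,
parent pid, image, command line), an action by cmd.exe / powershell.exe /
wscript.exe / rundll32.exe is attributed to the script named on the command
line, or, for an inline command (-enc, /c ...), to the nearest ancestor that
is not itself an interpreter (e.g. the Office process running a macro).
All sample records are constructed.
"""
import ntpath
import re
from dataclasses import dataclass

# Hosts that run somebody else's code; naming them in an alert tells the user nothing.
HOST_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "rundll32.exe", "mshta.exe"}
# Argument suffixes that identify the payload an interpreter was handed.
PAYLOAD_SUFFIXES = (".ps1", ".js", ".vbs", ".wsf", ".bat", ".cmd", ".hta", ".dll")


@dataclass
class Process:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged at process creation


def tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_argument(proc: Process):
    """Payload file named on an interpreter's command line, or None."""
    if ntpath.basename(proc.image).lower() not in HOST_INTERPRETERS:
        return None
    for tok in tokens(proc.cmdline)[1:]:
        candidate = tok.split(",", 1)[0]          # rundll32 lib.dll,Entry -> lib.dll
        if candidate.lower().endswith(PAYLOAD_SUFFIXES):
            return candidate
    return None


def attribute(processes: dict, pid: int) -> str:
    """File to name in an alert for an action performed by `pid`."""
    seen = set()
    cur = processes[pid]
    while cur.pid not in seen:                    # guard against ppid cycles in stale data
        seen.add(cur.pid)
        if ntpath.basename(cur.image).lower() not in HOST_INTERPRETERS:
            return cur.image                      # an ordinary application: blame it
        payload = script_argument(cur)
        if payload:
            return payload                        # the script the interpreter was given
        parent = processes.get(cur.ppid)          # inline command: blame whoever launched it
        if parent is None:
            break
        cur = parent
    return cur.image                              # nothing better known: the host itself


def format_alert(component: str, processes: dict, pid: int, action: str) -> str:
    return f"{component} alert - {attribute(processes, pid)} - {action} - Allow\\Block"


# Constructed sample process tree (two chains: an Office macro and a downloaded .js).
PROCESSES = {
    1000: Process(1000, 800, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.docm"'),
    1200: Process(1200, 1000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -File C:\Users\u\AppData\Local\Temp\stage.ps1"),
    3000: Process(3000, 1000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -NoProfile -EncodedCommand <constructed placeholder>"),
    2000: Process(2000, 900, r"C:\Windows\System32\wscript.exe",
                  r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\1.js"'),
    2100: Process(2100, 2000, r"C:\Windows\System32\cmd.exe",
                  r"cmd.exe /c <autorun command omitted>"),
}

if __name__ == "__main__":
    print(format_alert("Behavior Blocker", PROCESSES, 2100, "Autorun"))
    print(format_alert("Firewall", PROCESSES, 1200, "TCP 443 203.0.113.5"))
    print(format_alert("Behavior Blocker", PROCESSES, 3000, "Autorun"))
```

Run as a script, the first line names 1.js rather than cmd.exe, the second names stage.ps1 rather than powershell.exe, and the third, where PowerShell was given an inline encoded command, falls back to the Word process that spawned it, which is the closest a process tree alone can get to "the macro". A real implementation would add the document path from the Office process's open handles; that lookup is outside this example.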
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    I believe Emsisoft's goal as previously stated is to remove all decisions since they seem to be espousing "the user is an idiot" security software development model.
     
  23. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,761
    In view of the fact that I have one snapshot presently borked because of an update that went wrong, I am now reluctant to update my last remaining EAM snapshot. It is a pity that when you update you cannot stop the versions from updating to the most recent non-beta version.

    ScreenShot_EAM_out-of-date_01.gif
     
  24. hjlbx

    hjlbx Guest

    I think Emsisoft designs their software in such way that it provides a high-level of protection even for the less IT-literate... during typical use by a relatively low risk-prone computer user... without overwhelming them.

    Emsisoft, I think, expects that there will be cases where the user will be required to make decisions. However, it is also true for the vast majority of users, that it would be optimum if EAM or EIS protected the system at a very high level with as little user interaction or decision-making as possible.

    I find EAM and EIS to reflect a very balanced, conservative approach to new features.

    They are aware that EAM and EIS do not adequately protect against scriptors and other malwares that abuse interpreters - and are in the process of remediating this weakness. Their solutions, in my experience - and I have used just about everything from Avast to Zemana, have always turned out to be top-of-class...
     
    Last edited by a moderator: Aug 10, 2015
  25. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    Actually, the old version of Emsisoft COULD protect against what you describe (assuming you are referring to the issue I brought up with macro/PowerShell), it's just the new version that can't.

    Just to make it clear that I am not here to talk badly about Emsisoft, I will point out that I agree with the above. Emsisoft Antimalware is a great product. Tests have for years shown that their signature-based AV is among the best, and their behavior blocker (which I have tested myself) is also really impressive.

    But there is always room for improvement. :)
     