Emsisoft Anti-Malware

Discussion in 'other anti-malware software' started by Austerity, Jan 10, 2015.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Fabian :)

    You say that: "Also keep in mind that running EIS alongside any other AV or firewall is not supported at all." What do you mean by that? That running EIS with another security suite that has a firewall is incompatible with also running EMIS 9? o_O Or that you just don't "support that", whatever that means.

    To be perfectly honest I believe that EMIS 9 is far superior to almost every other Security Suite, but I got fed up with almost all my ports being only blocked rather than stealthed, as they are supposed to be - I know that peeps on the EMIS Forum site have made suggestions on how to fix it by setting up a public network, because I am for some reason running on a private as opposed to a public network, but I don't like to mess around with networks and net connections having suffered disasters doing so in the past. Also, although it is my understanding that stealth or blocked really doesn't make much difference since many excellent firewalls, such as Kaspersky's, don't fully stealth and others claim that full stealth is just a marketing gimmick. I also know that you and Christian are always at the ready to help. But it still bothers me to not be fully stealthed and I just did not want to deal with it for a while.

    I am currently using NS 2015 which is OK and I like because it doesn't interfere with anything on my PC but have far less confidence in it than I do in EMIS 9. If I ran NS 2015 and EMIS 9 together to get full stealth from NS 2015 would my PC explode or something? o_O What if I turned off one of the firewalls? I'd use the Windows Firewall for stealth but EMIS, as most other products, seizes control of Windows Firewall. I do like NS 2015 for many reasons, e.g., it's light and it causes no problems for me, but from all I have read and seen, in my gut I know it can't match EMIS 9. Guess I am paying the price for being lazy :)

    I also have tried Bitdefender Total Security 2015, which IMHO comes closer to EMIS in protection, but it causes problems for me in browsing the net. On many pages I see nothing until I stop the loading and reload the page. After a while it gets VERY annoying. Something like Chinese Water Torture-first the little water drops are just a nuisance, but over time have a far more serious effect. Other than that BD TS ran very well on my system. I think it's the best BD yet.

    And what does "not supported at all" actually mean?
     
    Last edited: Apr 10, 2015
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Marginal if any improvement at all from adding cache.000 file. Apps were still "sputtering" while EAM first update running after first boot for the day.
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Does it make a difference when you disable the "Protect the computer even if no user is logged on" option under Protection/File Guard?
     
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    It means, if there is any problem in EIS that is caused by you using a different AV or IS on the system, we will not fix it and only suggest getting rid of the other AV or IS.
     
  5. chillstream

    chillstream Registered Member

    Joined:
    Aug 2, 2013
    Posts:
    49
    Location:
    Croatia
    While we're on a related subject, would it be possible to see an option to postpone the first update of the day to, say, 5 or 10 minutes after boot up?

    I dislike the fact that EAM aggressively tries to perform its first update of the day while the rest of the system hasn't even loaded up yet.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You read my mind perfectly. Thanks for the comment. Also, I have noticed that EAM appears to be controlling network/firewall traffic until this first update starts?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Will try that and report back tomorrow. Note that this behavior appears to be related only to first cold boot of the day. If I shutdown the PC for an hour or so during the day and then start it up again, I don't see the hit on performance.

    I also have another issue that may be remotely related to this. I recently noticed that svchost.exe -netsvcs is using peak private bytes of 2 GB!, peak working set of 1.5 GB!, and currently shows over 1.3 MB of page faults! This occurs immediately after a cold boot. I checked it out with process explorer and did not see anything running that appears to be malware related. The only dial out service this process does at cold boot is for Win Updates as far as I can determine. I have Customer Experience totally disabled in Task Manager. Also after the initial boot, the svchost.exe -netsvcs settles in at using only 25 MB.

    -EDIT- Also is Emsisoft aware that when updating, multiple connections are being made to the same two IP addresses; one is Emsisoft and the other is a U.S. based IP which I assume is where the BD signatures are being downloaded from? I can have as many as 15 or more connection attempts in a single update session. Never saw any software that updates like this.
     
    Last edited: Apr 11, 2015
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  9. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    You will see connections to update.emsisoft.com which does the licensing checks and provides the signed update list and connections to dl.emsisoft.com which actually hosts the update. The first server is located in Germany. The other server is an alias for the CDN provider we use (Edgecast) and will point towards a server near you to allow for optimal download speeds. It will use up to the number of connections you defined in your update settings in parallel.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I have been in my other snapshot for the last 16 hours or so, and I am running EAM v9. The monitor for KPCD is working, and is monitoring network traffic.

    ScreenShot_EAM_KPCD_monitor_01.gif ScreenShot_EAM_KPCD_monitor_02.gif
     
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Personally I find such a delay to be kind of a crude solution because it requires manual tuning by the user. Instead we will monitor system load during boot and will wait with the first update until system load has gone down and the system has finished booting. Would that be an acceptable solution for you?
     
  12. chillstream

    chillstream Registered Member

    Joined:
    Aug 2, 2013
    Posts:
    49
    Location:
    Croatia
    Absolutely, that works too because it achieves the same goal - easing the system load at boot time. Thank you, Fabian.
     
  13. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Let's see if we can get it into the 10.0 release. Otherwise it will come with a later release :).
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Fabian,

    If I created a hosts file in MVP format e.g.

    0.0.0.0 xxx.xxx.xxx.xxx
    0.0.0.0 xxx.xxx.xxx.xxx
    .
    .
    .

    Would this import the IP addresses into EAM web filter hosts file? I believe the EAM hosts file will block IP addresses?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    What I was referring to is that I will connect multiple times to those domains in one update session. Example - one download of let's say 5000K then later another download of 40K, etc. Don't know why multiple connections are needed to the same IP address?
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I have just updated EAM v9, but I blocked some change as per the 2nd screenshot as shown in the following:

    ScreenShot_EAM_KPCD_monitor_03.gif ScreenShot_EAM_KPCD_monitor_04.gif ScreenShot_EAM_KPCD_monitor_05.gif ScreenShot_EAM_KPCD_monitor_06.gif
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Back after the insistent request for a reboot...

    ScreenShot_EAM_KPCD_monitor_07.gif ScreenShot_EAM_KPCD_monitor_08.gif
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    It's fixed now.
     
  19. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    It's a simple speed optimization that is also used by a lot of download accelerators. By downloading multiple files in parallel it is more likely that we can use your full bandwidth. Also keep in mind that it is rare that just one file is being updated on your system. For each file being updated we also start at least one connection.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This import worked great in MVP format. I love this EAM feature; the ability to block by IP address. Who needs PeerBlock when you have EAM ..........

    BTW - I added the IPs from the regular SSL blocked IPs list from this web site: https://sslbl.abuse.ch/blacklist/ rather than the aggressive list per web site recommendations. There are approx. 174 bad SSL site IPs on the regular list.
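
An added example, not part of the post above and not Emsisoft's or abuse.ch's code: one way to turn an IP blocklist export into the `0.0.0.0 <ip>` hosts-format lines described in this thread before importing them. The input layout (`#` comment lines, comma-separated fields) and the function names are assumptions; the sample data is constructed and uses documentation-range addresses only.

```python
import ipaddress

# Constructed sample of a blocklist export (not real blocklist data).
SAMPLE_BLOCKLIST = """\
# constructed sample, documentation-range addresses only
# DstIP,DstPort,Reason
192.0.2.15,443,example entry
198.51.100.7,8443,example entry
192.0.2.15,443,example entry
203.0.113.999,443,malformed address
10.0.0.5,443,private address
203.0.113.40
"""

# Ranges that must never end up in a block list: blocking them breaks the LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def extract_ip(line):
    """Return the first comma-separated field that is a valid IPv4 address."""
    for field in line.split(","):
        try:
            return ipaddress.IPv4Address(field.strip())
        except ValueError:
            continue
    return None

def to_hosts_lines(blocklist_text, sink="0.0.0.0"):
    """Return (unique sorted 'sink ip' lines, input lines that were rejected)."""
    accepted, rejected = set(), []
    for raw in blocklist_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment/header lines
        addr = extract_ip(line)
        if addr is None or any(addr in net for net in LOCAL_NETS):
            rejected.append(line)  # keep for manual review instead of importing
            continue
        accepted.add(addr)
    return [f"{sink} {a}" for a in sorted(accepted)], rejected

if __name__ == "__main__":
    hosts, skipped = to_hosts_lines(SAMPLE_BLOCKLIST)
    print("\n".join(hosts))
    print(f"# skipped {len(skipped)} line(s): {skipped}")
```

Reviewing the rejected lines before importing shows whether the feed changed format or contains addresses that should not be blocked.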
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    That option has always been set off since I am the only user of my PC.

    I set the simultaneous download connections to 1. That at least allowed me to open Internet Explorer in a reasonable time without totally locking up as occurred previously.

    Again as suggested previously, a slight delay of 5 min. or so after boot to initiate a sig update will eliminate most of these issues.
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    If this feature/"un-feature" of delayed updates is introduced at boot I hope that there will be an option for turning it OFF since exactly what I like about EAM is the timely update as soon as you boot. Something you find more rarely in AV software nowadays. Here there is no impact whatsoever on the functioning of the system. :eek:
     
  23. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    282
    Has the Quick Scan changed? In the past it would scan about 59,000 files on my computer. Just ran one a short while ago and it scanned only 1900 files. It was very fast, but is this what it's supposed to be doing? I have version 9.0.0.5066.
     
  24. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    +1
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just add an option to the existing Settings -> Updates for delayed updating at boot/resume from sleep modes where a user could enter a time interval in minutes. If it is blank (default), then updates would occur immediately.
     