Emsisoft Blocking Daum Player

Status
Not open for further replies.

phyniks

Suddenly, EAM blocked my Potplayer today....

Nice Behavior Blocker !!!!



phyniks

Yes
Alerted that the program is trying to access data....or something like that
Restoring the program, EAM analysed Daum on execution and said it is safe!!!!
 

yigido

I have PotPlayer and EAM too.
There is no alert for me. Are you using "Paranoid Mode", maybe this is why?
 

juhful

Some false positives are the price you pay for protection. In the end the program will still work fine, so not a big deal at all.
 

Deleted member 21043

Hi @phyniks,

If you are certain that is the legitimate version of Daum PotPlayer, un-quarantine the file and create a new application rule to allow it to pass the behavioural engine (whitelist it from the behaviour detection).

Cheers. ;)
 

Nightwalker

Considering that PotPlayer can and does do some background download traffic, we can say that Emsisoft BB did its job.
Anyway, I am almost sure that Emsisoft asks first if you want to allow/block or quarantine it.
 

hjlbx

Yes
Alerted the program is trying to access data....or something like that
Restoring the program,EAM analysed Daum on execution and said it is safe!!!!

If an alert appeared then you must have selected "Quarantine."

The Behavior Blocker does not auto-quarantine files in EAM/EIS; user input is required at the Behavior Alert. Only the File Guard can be configured to auto-quarantine any detected items.

http://help.emsisoft.com/a2am/

Behavior alerts offer the following options:

    • Allow once - If you are sure the behavior is valid, you may continue the action.
    • Allow always - Allow this behavior now and in the future.
    • Block once - End this program now, but do not move it to quarantine.
    • Quarantine (recommended) - Stop the action immediately and prevent the program from being accessed again.

If a suspicious behavior is detected, then there is a query to the AntiMalware Network. If the query returns known_bad, then the file will be automatically quarantined. However, in that case the Detection would indicate "Bad Reputation" in the Quarantined item list.

Technically, it can be argued that this is a BB auto-quarantine since it is the BB monitoring that triggers the AMN query. It is not. The BB is designed to generate a large detail alert and then require user input...as opposed to auto-blocking a whole bunch of legitimate programs.

On your system the file was detected as "Behavior.TrojanDown" - which is nothing more than the BB detection of trojan-type download activity. Both malicious and legitimate programs can exhibit this behavior.
 

hjlbx

Hi @phyniks,

If you are certain that is the legitimate version of Daum PotPlayer, un-quarantine the file and create a new application rule to allow it to pass the behavioural engine (whitelist it from the behaviour detection).

Cheers. ;)

Kram7750 refers to the "Restore" option within the Quarantine pane.

To establish that the file is legitimate (take these steps prior to restoring the file):

Right-click on the item in the Quarantine list and select "Save a copy."
Paste the file copy onto the desktop (a .dat file extension is added so that it cannot be executed).
Upload it to VirusTotal for additional scanning.

If VT returns less than 4 AV vendor detections, then it is probably safe to restore and modify its rules. (I use 4, which is conservative).
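
The check described in the post above, written out as an added example (not part of the original post and not Emsisoft or VirusTotal code): it hashes the saved quarantine copy, confirms the report belongs to that exact file, and applies the poster's cut-off of 4 detections. It assumes the report uses the VirusTotal v3 file-report layout (`data.attributes.last_analysis_stats`); the sample reports, the file name and the choice to count "suspicious" results as detections are assumptions made here.

```python
import hashlib
import os
import tempfile

# Cut-off from the post above: fewer than 4 vendor detections = "probably safe".
DETECTION_THRESHOLD = 4

def sha256_of(path, chunk_size=1 << 20):
    """Hash the saved quarantine copy; the added .dat extension does not affect the digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(report, local_sha256, threshold=DETECTION_THRESHOLD):
    """Return (verdict, flagged, scanned) for a VirusTotal v3 file report dict."""
    attrs = report["data"]["attributes"]
    # Refuse to judge a report that belongs to some other file.
    if attrs.get("sha256", "").lower() != local_sha256.lower():
        return ("hash-mismatch", 0, 0)
    stats = attrs.get("last_analysis_stats", {})
    # Assumption: "suspicious" results count as detections (the conservative reading).
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Only engines that returned a verdict count as having scanned the file.
    scanned = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if scanned == 0:
        return ("not-scanned", 0, 0)
    verdict = "probably-safe" if flagged < threshold else "keep-quarantined"
    return (verdict, flagged, scanned)

def make_report(sha256, malicious, suspicious=0, undetected=60):
    """Constructed sample report; the counts are not real scan results."""
    return {"data": {"attributes": {"sha256": sha256, "last_analysis_stats": {
        "malicious": malicious, "suspicious": suspicious, "undetected": undetected,
        "harmless": 0, "timeout": 2, "type-unsupported": 5, "failure": 0}}}}

def demo():
    """Hash a constructed stand-in for the saved copy and triage three sample reports."""
    with tempfile.TemporaryDirectory() as folder:
        copy = os.path.join(folder, "sample.exe.dat")  # hypothetical file name
        with open(copy, "wb") as handle:
            handle.write(b"constructed stand-in bytes, not a real executable")
        local = sha256_of(copy)
    return [triage(make_report(local, 1), local),
            triage(make_report(local, 3, suspicious=1), local),
            triage(make_report("0" * 64, 0), local)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The hash comparison matters because a report fetched for a different build of the same program says nothing about the file sitting in quarantine.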
 

jamescv7

Exclusion should not be the problem, EAM's configuration of BB is straightforward and the recommended settings will differ on the types of alert, therefore it should not be auto response as it must show for approval.
 

phyniks

If an alert appeared then you must have selected "Quarantine."
Yes, but BB found it as a Trojan and that's the point

These days, lots of AVs have BB or something like that....do all of them find Daum as a Trojan?
 

hjlbx


Yes, but BB found it as a Trojan and that's the point

These days, lots of AVs have BB or something like that....do all of them find Daum as a Trojan?

Hello phyniks,

You did the right thing by sending the file to Quarantine and then asking questions here. ;)

Once it is determined safe, then it can easily be restored.

The Behavior Blocker detected, and alerted to, Trojan download-type behavior; it did not identify the Daum PotPlayer file as a Trojan. Only the scanner or File Guard will identify a file as malicious - if there is a signature for it. Be mindful of the distinction between the detection of suspicious application behavior and the detection of a malicious file.

Other security software behavior blockers may or may not identify Daum PotPlayer activity as suspicious. I only use Emsisoft as it does a rather fine job for me...so I cannot comment as to whether or not any other BB would do the same as Emsisoft's BB. Some BB use heuristics for detections which is based on probabilities whereas Emsi's BB does not use heuristics.

Depending upon settings, many legitimate programs, such as Internet Explorer, will create an Emsisoft Behavior Blocker alert. Despite the alert they are safe, legitimate applications. The way that Internet Explorer is programmed, it sometimes exhibits suspicious behavior.

If you are sure that the file is safe, then when the alert appears, select "Allow." This will create a rule to allow only the Trojan.downloader-type behavior. The app will continue to be monitored for all other suspicious activity - except Trojan.downloader-type behavior.

If you suspect that something is amiss with the app, then upload it to VirusTotal for scanning.

From which website did you download the Daum PotPlayer installer?

How long has it been installed on your system?
 

phyniks

Thanks for your detailed answer, dear hjlbx
Emsi has been installed for a week by now....
I've white-listed lots of programs. I've been using Daum every now and then and Emsi didn't alert, but suddenly (and just once) it got a problem with Daum PP
 