Farewell, Emsisoft Online Armor

Status
Not open for further replies.

TheSuperGeek

It's sooooo bad. Online Armor was a good product.
Why do they do that?
 

Alexstrasza

Level 4
Thread author
Verified
Mar 18, 2015
151
It's sooooo bad. Online Armor was a good product.
Why do they do that?
You might want to read the link at the top of my post. Christian Mairoll has explained in detail why he and co. decided to discontinue Online Armor.

IMHO Online Armor lacks several functionalities that make it suitable for the future, i.e. IPv6 support.
 

Alexstrasza

Level 4
Thread author
Verified
Mar 18, 2015
151
IMHO if Emsisoft did not buy Online Armor from Tall Emu then it would have died earlier.
 

jasonX

Level 9
Apr 13, 2012
421
Disappointing..if configured right the HIPS is awesome. You can't block some nasty applications with EIS / EAM especially trigger mechanisms for launching another application with both. Only HIPS can do that. Good thing that Comodo is still there.
 

Alexstrasza

Level 4
Thread author
Verified
Mar 18, 2015
151
Disappointing..if configured right the HIPS is awesome. You can't block some nasty applications with EIS / EAM especially trigger mechanisms for launching another application with both. Only HIPS can do that. Good thing that Comodo is still there.
I would like to see your proof that the Behavior Blocker did not block something that HIPS can, please.

I missed Online Armor, yes - but at least parts of its code lived on in Emsisoft Internet Security. To me it was the guy that introduced me to a wonderful vendor.
 

Raul90

Level 14
Feb 5, 2012
658
I would like to see your proof that the Behavior Blocker did not block something that HIPS can, please.

I missed Online Armor, yes - but at least parts of its code lived on in Emsisoft Internet Security. To me it was the guy that introduced me to a wonderful vendor.

While I am also sad about this news, I am confident that even though I prefer HIPS (because I always want to have full control of my applications) I can do some workarounds.

I think I can answer that since I have proven it to Fabian Wosar when I beta tested EIS before http://support.emsisoft.com/topic/1...isoft-internet-security-90-public-beta/page-3

Also I think what jasonX is stating as "trigger mechanisms for launching another application" is similar to the nature of what he had tried in his Eset Smart Security trial of 2012 http://malwaretips.com/threads/block-a-browser-launch-from-a-shell-link-in-eset-hips.7172/.

In that post I made in the Emsisoft Forums, Fabian mentioned there the difference of the BB from the full blown HIPS.
http://support.emsisoft.com/topic/1...isoft-internet-security-90-public-beta/page-3

See post #115 / post#118

Raul90, on 27 May 2014 - 11:29 AM, said:
I see that when I repeat to click "View Website" there is still the pop-up with another port number. PuranDefrag triggers firefox.exe for a connection and continues to search for every port available (1031, 1053, 1059, 1061, 1087 and counting). Isn't it simpler to block the "trigger" or PuranDefrag to start another application? Can that be done with EISv9..?

Fabian Wosar's reply
You could block Firefox from running, but not Firefox when started by PuranDefrag. The latter is more of a HIPS feature, which we consciously decided not to implement due to the sheer amount of complexity it adds for normal home users which EIS is targeting. If you want more control, I suggest staying with Online Armor.

post#120 #122 and #123

There it has been stated by Fabian himself that you can block the browser from running but not the trigger application(which in that case was PuranDefrag)

If you will read in detail the posts I did that are also related to the "behavior of an application trying to launch an application" -- that is the trigger mechanism that jasonX is mentioning. Something like I did with my Bitdefender tests (same principle). An application like a game or an exe when exited triggers the browser to launch and go/connect directly to home. On both trials that I did based on the same principle of trigger mechanism or "application like a game or an exe when exited triggers the browser to launch and go/connect directly to home" Bitdefender failed to block it. It's shown here.

Checking out BitDefender Internet Security 2014 performance
http://malwaretips.com/threads/checking-out-bitdefender-internet-security-2014-performance.25189/

Short trial of Bitdefender Internet Security 2015
http://malwaretips.com/threads/short-trial-of-bitdefender-internet-security-2015.41361/

To illustrate that trigger mechanism for you. I am posting the images of EAM(BB active) and OA Premium (HIPS active)with their respective rule.

In EAM with Behavioral Blocker active, the application rule for PuranDefrag GUI is "blocked" except that of the "install services and drivers". Also take note that "Dialer related Activity" is also set at "block". Now when you launch PuranDefrag>About Puran Defrag there is a button there that says, "View Website". Clicking that still launches the default browser (which is Firefox.exe). See image below.

svEgK3F.png


To compare with the power of OA Premium HIPS. In OA>Programs>PuranDefragGUI>Advanced Options> there is a permission there at the top which says, "Start Applications". Look closely as this is where you can block "any" application that is triggered by PuranDefragGUI.exe. All you need to do is "Add" the application there in "Allow Except" or just tick "Block All".

Now same launch trigger mechanism as used with EAM, launch PuranDefrag>About Puran Defrag>click "View Website". OA HIPS blocks the firefox.exe launch dead cold as seen in the OA History. No browser launch is seen.
See image below.

j3B6VwT.png


I missed Online Armor, yes - but at least parts of its code lived on in Emsisoft Internet Security.

Have not used Online Armor before...? Seems you do not know OA HIPS capability. The guys here who have been part of the testing/development of EIS (Umbra guru is one) can say it is different from OA. EIS has its BB that is different from OA's HIPS. This example that I showed you shows that HIPS power and its difference from BB. It is in the preference of the user or how he wants his applications controlled. As shown in EAM's BB/Application Rule you cannot block that trigger mechanism there. You can only do that with something like OA's HIPS. In Comodo you can also do that but it's different but it's also in the HIPS. Kaspersky and Outpost Firewall Pro can do that also. As Fabian mentioned there,


The latter is more of a HIPS feature, which we consciously decided not to implement due to the sheer amount of complexity it adds for normal home users which EIS is targeting. If you want more control, I suggest staying with Online Armor.

Now to my opinion, the only workaround you can do so BB can block that browser launch is to assign a different browser(say, Opera) as "default browser" and block that in BB -- "Always block this application" -- (impossible to run). So when you click "View Website" in the PuranDefragGUI the browser(Opera is blocked thus connection to home is also blocked). But doing that does not block the "trigger mechanism" but what you did was block a "specific application" from running via BB. All default browser launch whether it be legitimate or not is and will be "blocked". That is entirely different from the HIPS block where you can still use the browser. It only blocks the trigger as specified in "start applications" Allow Except -- firefox.exe.

Maybe you can show us here how can EIS block that same trigger mechanism since you are a user of EIS. That I'd like to see for myself.
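
The distinction argued in the post above, as an added example that is not part of the thread and is not code from Online Armor or Emsisoft: a per-parent "Start Applications" rule decides on the (parent, child) pair, while a per-application block only looks at the child. The class names, the `ask` result for a parent without a stored rule, and the file paths are assumptions constructed for illustration.

```python
import ntpath
from dataclasses import dataclass, field

def exe(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

@dataclass
class LaunchRule:
    """One parent's 'Start Applications' permission (hypothetical model)."""
    block_all: bool = False
    allow_except: set = field(default_factory=set)  # children denied to this parent

class ParentChildPolicy:
    """HIPS-style control: the decision depends on who starts the child."""
    def __init__(self, rules):
        self.rules = {k.lower(): v for k, v in rules.items()}

    def decide(self, parent, child):
        rule = self.rules.get(exe(parent))
        if rule is None:
            return "ask"  # no stored rule: the thread says OA shows a pop-up
        if rule.block_all or exe(child) in rule.allow_except:
            return "block"
        return "allow"

class AppBlocklist:
    """Per-application block: the parent is never consulted."""
    def __init__(self, blocked):
        self.blocked = {b.lower() for b in blocked}

    def decide(self, parent, child):
        return "block" if exe(child) in self.blocked else "allow"

# Constructed process-creation events: (parent image, child image).
EVENTS = [
    (r"C:\Program Files\Puran Defrag\PuranDefragGUI.exe",
     r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (r"C:\Users\demo\Downloads\setup.exe", r"C:\Windows\System32\cmd.exe"),
]

def evaluate(policy, events=EVENTS):
    """Return the policy's decision for each event, in order."""
    return [policy.decide(p, c) for p, c in events]

HIPS = ParentChildPolicy({
    "PuranDefragGUI.exe": LaunchRule(allow_except={"firefox.exe"}),
    "explorer.exe": LaunchRule(),  # may start anything
})
BLOCKLIST = AppBlocklist({"firefox.exe"})

if __name__ == "__main__":
    for (p, c), h, b in zip(EVENTS, evaluate(HIPS), evaluate(BLOCKLIST)):
        print(f"{exe(p)} -> {exe(c)}: parent-child={h}, blocklist={b}")
```

The second event shows the cost of the default-browser workaround: the blocklist also stops the browser when the user starts it from the shell, while the per-parent rule leaves that launch alone.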
 

Raul90

Level 14
Feb 5, 2012
658
Additional info on Online Armor ceasing development:

http://blog.emsisoft.com/2015/03/31/emsisoft-online-armor-support-roadmap/

Free upgrade to successor Emsisoft Internet Security!
We are happy to exchange any actively used license keys of Emsisoft Online Armor to Emsisoft Internet Security for free. Please contact our support team for an individual swap offer. If the available upgrade options don’t satisfy you for any reason, we’ll of course offer a proportionate refund for the amount paid.

It's only mentioned there that exchange can be accommodated with any actively used license keys of Emsisoft Online Armor. So the question remains for "unused" licenses.

For licensing issues the users of OA might wanna send an email to:

helpdesk@emsisoft.com
support@emsisoft.com

These are the ones I use and the service is superb!
 

Alexstrasza

Level 4
Thread author
Verified
Mar 18, 2015
151
I have used Online Armor before, yes - the free version mainly, just to try out how it is.

However I am part of the user base that got annoyed with HIPS due to its many alerts - it was able to block the "trigger mechanism" as you say, because HIPS monitors anything and everything that goes on a system. This is where user knowledge comes into play, and why inexperienced users should not use HIPS (I was one of them at the time).

Behavior Blocker only stops known malicious activities, so the protection will be less than HIPS - but with considerably less alerts (especially if you join the AMN). So if you want more control then HIPS is the way to go, as you can choose to allow or block specific activities on the system. I don't want alerts being shoved in my face every time I do something, so I will choose the Behavior Blocker. Thanks.

Oh, and by the way you can no longer choose "always block" for an application in EAM/EIS v10. The most that you can do is to quarantine the app.

These are the ones I use and the service is superb!
I don't disagree with you on that.
 

Raul90

Level 14
Feb 5, 2012
658
...it was able to block the "trigger mechanism" as you say, because HIPS monitor anything and everything that goes on a system.

OA will not automatically do that for you. It will depend on how you reply to the alert/pop-ups shown. If there is no setting in the "Advanced Options" an alert/pop-up will be shown (if HIPS is active). So if "it was able to block it" it was because you have replied "Block" to the pop-up. Most of the users who do not like the HIPS just turn it off.

In my personal opinion "less alerts" is healthy just to an extent of people who don't want to be bothered (closely going to those who do not want to give a damn about what's going on inside or beyond his system all the time --install and leave people). That is what Emsisoft is geared towards --decide for the user, let it be easy for the user. Well the more install and leave people will love it. It is "unhealthy" for the user as he will not learn the ropes or better yet understand the program better. Most of the install and leave people scratch their heads when they encounter something wrong and cry wolf because they did not understand the application more. With AMN or any related community based alert reduction like that of Kaspersky Security Network the program will now decide for you "almost always".

As with the examples I posted in the Emsisoft forums and here(and other security applications), there are some programs that are nasty enough to circumvent the normal settings and call home "even" when not needed. Most of them do it silently (including legit applications) without your knowledge. The only thing that will alert you is the pop-ups. Now if that is decided upon by the program then it's "call-home-always" --default allow connections for them. That eats bandwidth and ram. That is why most Kaspersky users do not allow rules to be dictated by KSN or Kaspersky Security Network (an AMN like).

Now if a legit program (popularity/file reputation passed etc) triggers another application to run chances are or most likely that trigger will not be blocked>application triggered will run(normally / silently with you not knowing it) -- default allow. Just my two cents.

Oh, and by the way you can no longer choose "always block" for an application in EAM/EIS v10. The most that you can do is to quarantine the app.

Well it's still in beta so I'll cross the bridge when I am there. I may not mind as long as when in quarantine the application isn't running full but very very limited. If not there's always an AE around somewhere. I may try it out soon. Nice chat here ;)
 

Alexstrasza

Level 4
Thread author
Verified
Mar 18, 2015
151
HIPS has its own limitations - too many alerts will *train* the mind to automatically click "Allow" every time one shows up (it is actually supported by neuroscience), thus defeating the main reason why HIPS is used in the first place.

It is "unhealthy" for the user as he will not learn the ropes or better yet understand the program better.
I digress - a certain part of users actually resist learning about these as they do not understand how they work, and do not want to know. Please remember that not all people are tech gurus like us - most want a simple thing they can work with, and does not require too much attention. Even trying to teach safe surfing can be an exercise in futility.

Well it's still in beta so I'll cross the bridge when I am there. I may not mind as long as when in quarantine the application isn't running full but very very limited.
When I say "Quarantine program" I actually mean the quarantine meant for malware - the executable is placed into Emsisoft's quarantine. Which means if you see a suspicious process running in the list of processes monitored by the BB, choose Quarantine program and bam! It's gone from your system (that sounds weird by the way).
 

jasonX

Level 9
Apr 13, 2012
421
I would like to see your proof that the Behavior Blocker did not block something that HIPS can, please.

I missed Online Armor, yes - but at least parts of its code lived on in Emsisoft Internet Security. To me it was the guy that introduced me to a wonderful vendor.

Proof has been given by Raul90. Same trigger-mechanism that I am talking about when I did an Eset trial.

Can you show your proof that Emsisoft Behavioral Blocker can block that same trigger-mechanism as proven and as shown above. Waiting....waiting...

You may have tried out (just tried out) OA free version but you did not understand its HIPS and did not learn it well to grasp the old school power of it. It may be old school and it has limitations as you say, but blocking that trigger-mechanism is a classic example of the limitations of BB also. It might be good for you to be controlled by your software because you do not want to fuss about it but a lot do not let a software decide for himself. I am the owner I am the user I want full control of my applications. OA is dead. But there's always Comodo and Outpost. Period.
 

hjlbx

Emsi Behavior Blocker cannot block one application from launching another.

The Behavior Blocker does not have the same granular control as HIPS.

It only monitors for aggregate suspicious behaviors - and then notifies the user. Then once notified it is up to the user to decide what action to take.

Classical HIPS used by knowledgeable, experienced, attentive user will always be more secure than any Behavior Blocker.
 

Alexstrasza

Level 4
Thread author
Verified
Mar 18, 2015
151
The "trigger-mechanism" that you mention is not malicious - Emsisoft's Behavior Blocker only watches for malware-like behavior. If you can explain how opening a new window can be considered a malicious action, then I'd be happy to listen.

You want full control of your software, yes - but that is not applicable for everyone. So don't try to apply your thinking to others.
 

hjlbx

For typical user Behavior Blocker is better suited to their limited understanding, experience and non-motivation to learn security software.

Typical user is apt to turn HIPS off - if they can figure out how to do it. Instead, they are more likely to uninstall AV with HIPS.
 

jasonX

Level 9
Apr 13, 2012
421
Emsi Behavior Blocker cannot block one application from launching another.

The Behavior Blocker does not have the same granular control as HIPS.

It only monitors for aggregate suspicious behaviors - and then notifies the user. Then once notified it is up to the user to decide what action to take.

Hi hjlbx :) Yeah I know that as a long time user of its HIPS. I like the granularity. I was under the impression of what Alexstrasza meant to state that BB can block that trigger-mechanism the same as HIPS can. But then again OA is dead now :) Kaspersky can block that too! Nice and sweet! Love your posts about Kaspersky :)

The "trigger-mechanism" that you mention is not malicious - Emsisoft's Behavior Blocker only watches for malware-like behavior. If you can explain how opening a new window can be considered a malicious action, then I'd be happy to listen.

You want full control of your software, yes - but that is not applicable for everyone. So don't try to apply your thinking to others.

Hmmmm...It is you who was asking for proof in the first place. There wasn't any mention if it was malicious or not. Just plain trigger-mechanism blocking. Even you did not mention "malicious" in your very first quote/reply to my post. Now that the proof has been shown you state that..

So don't try to apply your thinking to others

...where's the justice in that...?

I throw that quote back to you. Don't try to apply your thinking to others especially that what you asked for proof has already been shown and proven while you in return cannot. Sorry.

 