Emsisoft Anti-Exploit Protection and App Container

Status
Not open for further replies.
hjlbx

Thread author
> this ?
>
> [screenshot: hvcYwux.png]

You are using W10, that is why.

I am running W8.1. On W8.1 calculator.exe does not open the Windows Calculator App; they are two different applications on W8.1.

Cannot add Mail, Calendar, People, Calculator, etc, etc, etc Windows and Windows Store Apps to HMP.A.

Plus, Process Explorer is showing that Calculator.exe is running with AppContainer integrity - does that mean that it is actually running inside the App Container ?
 
Deleted member 178

Thread author
so upgrade to Win10 :D ; why u stay on Win8.1 ? it is less secure than win10...if you used Win7 , i could understand but Win8.1...
 
hjlbx

Thread author
> so upgrade to Win10 :D ; why u stay on Win8.1 ? it is less secure than win10...

W10 smashed one system. It was perfectly fine until the upgrade. I have not been able to fix it. Microsoft says to fix it, pay us $199 and we will re-install W10 the "correct" way (it was updated via M$ GWX to begin with) ! Microsoft point finger at OEM, OEM point finger at Microsoft. Etc, etc, etc... you know the routine.
 
Deleted member 178

Thread author
normally your license should be validated by the server now, try a direct clean install from the latest ISO.
 
hjlbx

Thread author
> normally your license should be validated by the server now, try a direct clean install from the latest ISO.

I tried. No fix. And there are no down-grade rights... so I would have to "re-purchase" W7 or W8.1 to re-install Windows.

Hardware incompatibilities have been reported by M$ for W10. I am one of the lucky few...

There's also M$ reported hardware incompatibilities between W7, W8.1 and Intel SkyLake processors... LOL.
 
hjlbx

Thread author
If I am going to pay for Windows then I want a version with AppLocker. That means W8.1 Pro...

Otherwise, you have to spend about $1000 US to get Windows 10 - Enterprise.
 
Deleted member 178

Thread author
the incompatibility still exist even with the new November update?
 
hjlbx

Thread author
> the incompatibility still exist even with the new November update?

Yes. M$ has a write-up about it buried on their site. So, some users are screwed.

Their answer, of course, is take it to the nearest Microsoft store and pay for Windows 10 + installation @ $199. Even then there is no guarantee... LOL.

My unit probably worth half of that... so it gathers dust... LOL.
 

cutting_edgetech

> I am referring to Windows and Windows Store type Apps.
>
> EMET, HMP.A and MBAE do not cover App container - unless I am missing something.
>
> EMET - add Windows App - no EMET protection
> HMP.A - cannot even add Windows App to protections
> MBAE - cannot even add Windows App to protections (as far as I remember)

Sorry, I misunderstood your question. I don't use any Metro, or Windows store apps. I'm on Windows 7 x64 Ultimate. I will upgrade some of my machines to Windows 10 in May, or June. I take it that guarding App Container does not guard the Windows Apps. I assume you already tried guarding App Container, and then checked one of the apps with Process Explorer to see if HMPA injected into it. If I were on a Windows 8-10 machine I could be of more help. Sorry, good luck! Btw.. I would add your compression software like WinRAR, etc.. to HMPA's protection if you have not already. I remember WinRAR being exploited until it was discovered, and patched. Who knows how long the exploit had been used before it was discovered.
 
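Two checks come up in this thread: whether a process really carries an AppContainer token (the "AppContainer" Process Explorer shows in its integrity column is read from that token, via the TokenIsAppContainer token information class) and whether a protection product's hook DLL has actually been injected into a given app (the Process Explorer check suggested in the post above). Both can be done from PowerShell. The script below is an added example, not code from the thread, from Emsisoft, HitmanPro.Alert or any other vendor named here; the module name is a placeholder that you replace with the hook DLL documented by the product you use, and it assumes Windows 8 or later, where AppContainer tokens exist.

```powershell
# Added example (not from the thread or any vendor): per-process view of
# AppContainer status and whether a named DLL is loaded in the process.

$sig = @'
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass,
                                           out uint info, uint len, out uint retLen);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenIsAppContainer = 29;   // TOKEN_INFORMATION_CLASS value

    // Ask the kernel directly: true/false for the process token, or null when
    // the process or token cannot be opened (protected or higher-privileged).
    public static bool? IsAppContainer(uint pid) {
        IntPtr hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (hProc == IntPtr.Zero) return null;
        IntPtr hToken = IntPtr.Zero;
        try {
            if (!OpenProcessToken(hProc, TOKEN_QUERY, out hToken)) return null;
            uint value, ret;
            if (!GetTokenInformation(hToken, TokenIsAppContainer, out value, 4, out ret)) return null;
            return value != 0;
        } finally {
            if (hToken != IntPtr.Zero) CloseHandle(hToken);
            CloseHandle(hProc);
        }
    }
}
'@
Add-Type -TypeDefinition $sig

function Get-ProcessProtectionView {
    param(
        [string]$ProcessName = '*',
        # Placeholder: replace with the hook DLL name documented by your product.
        [string]$ModuleName  = 'VENDOR_HOOK_PLACEHOLDER.dll'
    )
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $ac = [TokenProbe]::IsAppContainer([uint32]$proc.Id)
        $acText = if ($null -eq $ac) { 'not queryable' } else { $ac }

        # Module enumeration throws across bitness or for protected processes,
        # so report that rather than silently saying "not loaded".
        $modText = 'not readable'
        try {
            $names = @($proc.Modules | ForEach-Object { $_.ModuleName })
            $modText = $names -contains $ModuleName
        } catch { }

        [pscustomobject]@{
            Name         = $proc.ProcessName
            Id           = $proc.Id
            AppContainer = $acText
            ModuleLoaded = $modText
        }
    }
}

# Usage: compare a Store app with a classic desktop process. An app that shows
# AppContainer = True and ModuleLoaded = False is exactly the gap the thread asks about.
Get-ProcessProtectionView -ProcessName 'Calculator' | Format-Table -AutoSize
Get-ProcessProtectionView -ProcessName 'notepad'    | Format-Table -AutoSize
```

Run it from an elevated prompt if you want the token query to succeed for processes owned by other users; for your own Store apps and desktop apps a normal prompt is enough. On Windows 8.1 the Store calculator is not calculator.exe, as noted earlier in the thread, so pass the process name you see in Task Manager.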
hjlbx

Thread author
> Sorry, I misunderstood your question. I don't use any Metro, or Windows store apps. I'm on Windows 7 x64 Ultimate. I will upgrade some of my machines to Windows 10 in May, or June. I take it that guarding App Container does not guard the Windows Apps. I assume you already tried guarding App Container, and then checked one of the apps with Process Explorer to see if HMPA injected into it. If I were on a Windows 8-10 machine I could be of more help. Sorry, good luck! Btw.. I would add your compression software like WinRAR, etc.. to HMPA's protection if you have not already. I remember WinRAR being exploited until it was discovered, and patched. Who knows how long the exploit had been used before it was discovered.

Virtually everything is vulnerable. Disheartening, innit ?

But thanks for suggestion.

I think Emsisoft's Behavior Blocker, by design, might circumvent the limitation of App Container and exploit protection - but I am not sure.

Hopefully, @Fabian Wosar can answer that question definitively.
 

cutting_edgetech

Did Emsisoft integrate exploit protection into EAM, and EIS? They were talking about adding an Anti-Exploit feature into EIS the last time I tested for them. I need to get a new beta test license. The only thing I dislike about EIS, and EAM is that it does not scan HTTP, or HTTPS traffic. It waits until the malware writes to the disk. I would prefer to block threats earlier in execution.

I like EIS UI for the most part. I don't like how the firewall does not show block, or use color coding in red to indicate that an application is not allowed internet access. The user has to click on the application to confirm that it has a block rule. I would like to see some color coding that visually assures that the application is not allowed internet access, and a little info about the rule without having to go into the config.

It's been a couple months since I tested Emsisoft. I would like to see their exploit protection, and BB working in harmony together. What do you think about scanning HTTP, and HTTPS traffic? Do you think they should, or do you think it will have too much of an impact on performance?
 
hjlbx

Thread author
> Did Emsisoft integrate exploit protection into EAM, and EIS? They were talking about adding an Anti-Exploit feature into EIS the last time I tested for them. I need to get a new beta test license. The only thing I dislike about EIS, and EAM is that it does not scan HTTP, or HTTPS traffic. It waits until the malware writes to the disk. I would prefer to block threats earlier in execution.
>
> I like EIS UI for the most part. I don't like how the firewall does not show block, or use color coding in red to indicate that an application is not allowed internet access. The user has to click on the application to confirm that it has a block rule. I would like to see some color coding that visually assures that the application is not allowed internet access, and a little info about the rule without having to go into the config.
>
> It's been a couple months since I tested Emsisoft. I would like to see their exploit protection, and BB working in harmony together. What do you think about scanning HTTP, and HTTPS traffic? Do you think they should, or do you think it will have too much of an impact on performance?

They won't implement HTTP\HTTPS scanning because they consider it an invasion of privacy. Impact on browsing is probably secondary.

Emsi is quite good in my experience. With the Anti-Malware Network and BB, it has always been one of the best security solutions with few - if any - hassles.

We have to remember, Emsi develops their products for the average user that is probably nowhere near the same level of paranoia as us security soft geeks... LOL.

However, I must admit, Emsi's web protections are not the most robust available. Adguard would be a good complement to increase web protections.

They have included exploit and vulnerable process abuse protections in their BB for at least a few months now.

Even for a security soft geek, Emsi products are probably more than sufficient. Overkill actually.
 

cutting_edgetech

I was a die-hard Online Armor user from 2005 until about 2015. I was really sad that they discontinued it. It was the lightest, and most non-intrusive HIPS I have ever used. It felt as though it had no impact on my machines, and I was never able to bypass its HIPS. The only thing it was lacking was memory protection. It only guarded against access to Physical Memory, and enumerating. I tried exploits against it as well, and it caught the payload before they could ever do anything. I tried many different droppers against it, and it caught them all. Well, I have gotten off topic. I should open another thread, or go to a HIPS thread for this conversation. Well, I got to get back to studying anyways.
 