Emsisoft Anti-Malware question

  • Thread starter: rocky
Status
Not open for further replies.

rocky
Thread author
I have Emsisoft Anti-Malware installed as the only security program, with Windows Firewall, on Win 7 x86. Out of curiosity I tried to run the Zemana keylogger simulator and it ran with no reaction from Emsisoft Anti-Malware, so now I'm not sure what to think. I have fallen into a hole and I can't really find a program I have a lot of faith in.
 
Emsisoft is fully compatible with Zemana AntiLogger (no reaction).

You can use Zemana AntiLogger seamlessly as an important extra layer of security, in harmony with almost any antivirus or firewall software.

See the list here: http://www.zemana.com/product/antilogger/overview/
I think most antiviruses/antimalwares, if not all, white-listed Zemana's keylogger simulation test. So, don't lose faith in your antivirus/antimalware for not detecting and stopping the keylogger test.

I have ESET, but it doesn't block Zemana's simulation tests. Kaspersky doesn't block them either. :)
 
Thanks for the replies. I will install Zemana and give that a try. I appreciate the help!
 
I decided to give SpyShelter a try since I had never used it. It does block Zemana keylogger test. Thanks again for all the help!
 
Out of curiosity I tried to run the Zemana keylogger simulator and it ran with no reaction from Emsisoft Anti-Malware, so now I'm not sure what to think. I have fallen into a hole and I can't really find a program I have a lot of faith in.
Emsisoft Anti-Malware is very focused on behavior blocking. Behavior blockers in general can't be tested with leak tests like the Zemana test for example. You could even argue that a detection of such tools by a behavior blocker is a false positive. While HIPS only care about whether or not a certain API was called or a certain action took place, behavior blockers care a lot about the circumstances and combinations of events.

From a behavior blocker's point of view the Zemana leak test is nothing like an actual keylogger. To name just a few things:
  1. A keylogger is usually invisible to the user. It doesn't have any GUI or a tray icon. The Zemana leak test though does have a GUI to display what was logged.
  2. Keyloggers also usually install themselves in the system and make sure they run automatically during boot. This leak test on the other hand is just started by the user. It doesn't install itself and never adds itself to the autoruns.
  3. Just collecting what you type alone is not very useful. Keyloggers always have mechanisms that allow them to save what you typed or to send out what you typed through the network. Leak tests usually don't do that.
  4. Keylogger executables often "look" fishy. No icons, no version information, no digital signatures, usage of obfuscators and packers. Leak test executables on the other hand usually have a nice shiny icon, have proper version information and some leak test providers even signed their leak test.
So when a behavior blocker sees the Zemana leak test call the SetWindowsHookEx API for example to install a window message hook it will notice that the application has the capability of logging keys, but all other aspects of the application point toward it being legitimate and not a keylogger, so it may decide not to issue an alert about it just yet.
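
As an added illustration of the distinction drawn in the post above (example code written for this page, not Emsisoft's engine; the event names, weights and threshold are assumptions chosen for the example), the toy scorer below contrasts a HIPS-style rule that alerts on the hook API alone with a behavior blocker that treats the hook as a capability and only alerts once it is corroborated by persistence, logging, exfiltration or a fishy-looking executable:

```python
"""Toy behaviour-correlation scorer.

Added example for this thread, not Emsisoft's engine. Event names, weights
and the alert threshold are assumptions chosen for illustration only.
"""
from dataclasses import dataclass

# Runtime behaviours (assumed names) and illustrative weights.
EVENT_WEIGHTS = {
    "keyboard_hook": 3,           # e.g. SetWindowsHookEx with a keyboard hook
    "autorun_added": 3,           # Run key, service or scheduled task created
    "keystroke_log_written": 2,   # captured input persisted to disk
    "network_send": 3,            # captured input leaving the host
}
# Static "looks fishy" properties of the executable itself.
STATIC_WEIGHTS = {
    "no_gui": 2,
    "unsigned": 1,
    "no_version_info": 1,
    "packed": 2,
}
ALERT_THRESHOLD = 8


@dataclass(frozen=True)
class ProcessProfile:
    name: str
    events: tuple       # runtime behaviours in the order they were observed
    has_gui: bool
    signed: bool
    version_info: bool
    packed: bool


def static_score(p):
    """Score the executable's appearance; returns (score, flags)."""
    flags = []
    if not p.has_gui:
        flags.append("no_gui")
    if not p.signed:
        flags.append("unsigned")
    if not p.version_info:
        flags.append("no_version_info")
    if p.packed:
        flags.append("packed")
    return sum(STATIC_WEIGHTS[f] for f in flags), flags


def hips_verdict(p):
    """Classic HIPS: a single sensitive API call is enough to alert."""
    return "alert" if "keyboard_hook" in p.events else "allow"


def behavior_blocker_timeline(p):
    """Re-evaluate after every event; returns [(event, score, state), ...].

    The hook is only a capability: it puts the process under observation
    ("monitor") and escalates to "alert" once the accumulated context
    (persistence, logging, exfiltration, fishy binary) crosses the threshold.
    """
    total, _ = static_score(p)
    seen = set()
    timeline = []
    for ev in p.events:
        if ev in EVENT_WEIGHTS and ev not in seen:
            seen.add(ev)
            total += EVENT_WEIGHTS[ev]
        if "keyboard_hook" not in seen:
            state = "allow"
        elif total >= ALERT_THRESHOLD:
            state = "alert"
        else:
            state = "monitor"
        timeline.append((ev, total, state))
    return timeline


def behavior_blocker_verdict(p):
    timeline = behavior_blocker_timeline(p)
    return timeline[-1][2] if timeline else "allow"


# Constructed sample profiles for the cases discussed in the post.
LEAK_TEST = ProcessProfile(   # signed GUI tool that only installs a hook
    name="leaktest.exe", events=("keyboard_hook", "window_shown"),
    has_gui=True, signed=True, version_info=True, packed=False)
KEYLOGGER = ProcessProfile(   # hidden, packed, persistent, exfiltrating
    name="svchost_.exe",
    events=("autorun_added", "keyboard_hook", "keystroke_log_written", "network_send"),
    has_gui=False, signed=False, version_info=False, packed=True)
ESCALATING = ProcessProfile(  # same clean-looking binary, but it persists and phones home
    name="leaktest.exe", events=("keyboard_hook", "autorun_added", "network_send"),
    has_gui=True, signed=True, version_info=True, packed=False)

if __name__ == "__main__":
    for p in (LEAK_TEST, KEYLOGGER, ESCALATING):
        print(p.name, "HIPS:", hips_verdict(p), "BB:", behavior_blocker_verdict(p))
        for ev, total, state in behavior_blocker_timeline(p):
            print("   ", f"{ev:<22} score={total:<3} {state}")
```

The point of the third profile is the "not just yet" in the post: the same signed, GUI-bearing binary stays in the monitor state after the hook, and it is the later autorun entry and network send that tip it into an alert. The flip side is also visible: a leak test that only installs a hook and shows a window tells you nothing about whether the blocker would catch a real keylogger, because it never supplies the context the blocker is scoring.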
 
Your behavior blocker is amazing. I wish I could make one like yours aha :D Of course that isn't going to happen with me using .NET... Of course I will need C...
 