- Feb 7, 2014
- 1,540
Emsisoft Behavior Blocker vs Ransomware
- Thread starter Terry Ganzi
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
I wonder how Emsisoft would have performed in this review if the internet connection was disabled and there was no cloud for it to rely on - just the behaviour blocker working to try to protect the system.
- Jul 27, 2015
- 5,458
Leo from Emsisoft that made the video actually do mention in the beginning of the video ( 0:30 ) that it's just the behaviour blocker thats in use.
There is ofcourse samples out there in the wild or will very soon be that the behaviour blocker won't block but IMO that don't matter much as it always been and always will be a cat and mouse game. The important point is that Emsisoft and many other AV vendors finaly starts to integrate working protection that also covers ransomware and automatically becomes a wonderful nail in the eye.
Last edited:
To test only the Behavior Blocker, Leo would have to disable Anti-Malware Network queries. He did not do that for the test.
In my prior testing, the Behavior Blocker - with everything else disabled - alerts only about 50 % of the time.
Behavior Blocker at default settings works like this:
- File executed
- If not in Emsisoft list of safe applications, perform Anti-Malware Network (file reputation) query
- If not in Emsisoft Anti-Malware Network list, and file triggers Behavior Blocker, an alert will appear (Allow Once, Allow Always, Block Once, Quarantine)
- If on Emsisoft AMN as malicious, then will be auto-quarantined at default settings.
This has been reviewed before via video here at MT.
NOTE: The mechanics explained above might not be precise.
It is the file's behavior that triggers the Behavior Blocker to perform an AMN query.
Last edited by a moderator:
- Jul 27, 2015
- 5,458
Had to check the video again and your correct hjlbx! I see the popup where it contacts Emsisofts Anti-Malware Network but I also saw the same in the previous video review made by yigido so I'll guess we lack any genuine only Behavior Blocker test.
Turning off AMN essentially hobbles Behavior Blocker in some respects (auto-quarantine). User has to decide what to do. With AMN disabled, lots of users will think "Gee, this damn Emsi is crap."
It is most definitely not crap.
Emsisoft makes one of the very best security solutions.
I am only pointing out what is happening in the video review.
- Jul 27, 2015
- 5,458
Fabian Wosar gives a good answer in another thread that covers the exact same question...
- Mar 15, 2011
- 13,070
Actually if we should really understand the concept, indeed AMN defines to collect similar alerts to obtain better interaction response against alerts that can be suspicious compare on Mamutu before where clearly label users 'who response on the same alert' with percentage.
Still the BB in traditional has more room to improve at all, guess I'm not luckily to find good sample before to show the alert effectiveness.
Still the BB in traditional has more room to improve at all, guess I'm not luckily to find good sample before to show the alert effectiveness.
- Jul 22, 2014
- 2,525
Hjlbx,
Thank you for the input!
Now I have a doubt....
If a file is run and is not recognised as safe, will it be sent to AMN in all cases or only if detected as suspicious by BB?
Do you or other here at MT know how AMN works now with version 11?
Are files checked against Emsi/Emsi users database of safe/unsafe files or are these also scanned/run at Emsi lab in special systems or sent for a deeper analysis?
In your own test BB alerted in ~50% of cases...did you test Emsi 10 or 11?
P.s . according to Fabian's answer posted above BB should block all ramson also without cloud /AMN ..not ~50%...
I also would really like to see another BB test without AMN....maybe Cruelsister has interest/time for it?
Thank you
Last edited:
Hjlbx,
Thank you for the input!
Now I have a doubt....
If a file is run and is not recognised as safe, will it be sent to AMN in all cases or only if detected as suspicious by BB?
Do you or other here at MT know how AMN works now with version 11?
Are files checked against Emsi/Emsi users database of safe/unsafe files or are these also scanned/run at Emsi lab in special systems or sent for a deeper analysis?
In your own test BB alerted in ~50% of cases...did you test Emsi 10 or 11?
P.s . according to Fabian's answer posted above BB should block all ramson also without cloud /AMN ..not ~50%...
I also would really like to see another BB test without AMN....maybe Cruelsister has interest/time for it?
Thank you
It was 9.
Out of a sample of a hundred various malwares, the BB blocked better than 50 %.
I don't care what Emsisoft says. The AMN is a file reputation lookup database. If you disable cloud even Internet Explorer and other safe applications trigger the BB.
Anyone who has experimented with Emsi and paid close attention understands what I am talking about.
The BB does as well as it does, because AMN is Virus Total based...
- Jul 22, 2014
- 2,525
Hjlbx,
"The BB does as well as it does, because AMN is Virus Total based."
Are you sure?
I thought and read in the past AMN was a Emsi/user based reputation list...
Unfortunately I m on mobile and don't remember my psw to ask on Emsi forum...
"The BB does as well as it does, because AMN is Virus Total based."
Are you sure?
I thought and read in the past AMN was a Emsi/user based reputation list...
Unfortunately I m on mobile and don't remember my psw to ask on Emsi forum...
I doubt AMN uses Virus Total, at least exclusively. Since I do recall someone posting a link of a file that Emsisoft finds malicious yet when you search Virus Total it shows that Emsisoft considers it clean.
- Jul 22, 2014
- 2,525
I also don't think AMN uses VT even if at www.isthisfilesafe.com there is a link to check files with VT.
I think if a file is suspicious for BB it it checked on the cloud with AMN; if the file is found the recommended action is taken, if not a BB alert is displayed and the user has to decide (one option is recommended).
3 doubts:
- what files are checked by BB: all, all the ones not in the "safe" list, only the unknown files or only some types of files?
- When is AMN checked in Emsi 11?
Only if and when BB detects a file as suspect (as I think it was and still is) or also when unknown files are run?
-Is AMN still a reputation database, a database with a "trust index" of files and is it still also used to recommend the option on BB alerts based on Emsi's users decisions?
I found two interesting but older article about AMN/cloud scanning and BB.
I hope Emsi team will update these two articles to include changes implemented since 2012.
Buzz word: “cloud anti-virus” – what is it all about?
Efficient protection against new malware: Emsisoft’s Behavior Blocker
I think if a file is suspicious for BB it it checked on the cloud with AMN; if the file is found the recommended action is taken, if not a BB alert is displayed and the user has to decide (one option is recommended).
3 doubts:
- what files are checked by BB: all, all the ones not in the "safe" list, only the unknown files or only some types of files?
- When is AMN checked in Emsi 11?
Only if and when BB detects a file as suspect (as I think it was and still is) or also when unknown files are run?
-Is AMN still a reputation database, a database with a "trust index" of files and is it still also used to recommend the option on BB alerts based on Emsi's users decisions?
I found two interesting but older article about AMN/cloud scanning and BB.
I hope Emsi team will update these two articles to include changes implemented since 2012.
Buzz word: “cloud anti-virus” – what is it all about?
Efficient protection against new malware: Emsisoft’s Behavior Blocker
Last edited:
- Jun 29, 2014
- 260
BB doesn't check files but processes. So forget about files. In general we check all processes that belong to a user session. So literally everything you start or that an application your started starts. Any white or trusted processes lists only take effect in case the BB actually saw something odd going on.
Only when the BB is about to ask the user for a decision, we will check the cloud first if there is an automatic decision available. That is also why any claims that the BB with AMN is in some way more effective than without is completely ill-informed non-sense. All the cloud adds are more autonomous decisions.
No, we worked a lot on the backend systems since then. New files we see are nowadays classified almost exclusively using statistical models as well as various vendor sharing feeds. It is one of the reasons why the percentages are gone from the configuration, because in more than 99% of all cases the cloud returns a definitive verdict and not based on decisions other users made.
The false positives would be outrageous if we would just blindly trust VT. Obviously we get tons of samples from VT, the same way every other participating vendor does. It doesn't mean however that we actually just blacklist everything we got via their sample feeds.
- Dec 15, 2015
- 29
Kudos to Emsisoft for making their behaviour blocker so good at actually blocking these things. A lot of software would fail horribly.
The fact it was blocked so quickly is either a plane and simply default policy in the settings of the application, I've never used Emsisoft myself so I; unfortunately don't know where that would be.
There was an enterprise antivirus displayed at RSA Conference a year or two ago that was very good! Demonstrated a targetted attack by a hacking group on a network and it blocked every malicious file...
Without any signatures, automatically and quickly.
The people demonstrating the software (forgot the software name!!) claimed it used mathematical equations to figure out whether malware was good or bad before it ran. I'm not sure whether they were being broad or what, but it did very well.
I'm writing this because I believe a similar technology could potentially be in Emsisoft. If it is this is a huge feat and definitely should be considered a great security product.
I also understand there is probably some emulation, access restrictions and behaviour analysis at play which should be expected from a good behaviour blocker.
The only thing I could see making this better would be a sandboxing feature wiping any previously executed changes to files, registry and settings during the malware execution. And also allowing a safe environment separated from all the other programs running in the system, limiting possible damage.
The fact it was blocked so quickly is either a plane and simply default policy in the settings of the application, I've never used Emsisoft myself so I; unfortunately don't know where that would be.
There was an enterprise antivirus displayed at RSA Conference a year or two ago that was very good! Demonstrated a targetted attack by a hacking group on a network and it blocked every malicious file...
Without any signatures, automatically and quickly.
The people demonstrating the software (forgot the software name!!) claimed it used mathematical equations to figure out whether malware was good or bad before it ran. I'm not sure whether they were being broad or what, but it did very well.
I'm writing this because I believe a similar technology could potentially be in Emsisoft. If it is this is a huge feat and definitely should be considered a great security product.
I also understand there is probably some emulation, access restrictions and behaviour analysis at play which should be expected from a good behaviour blocker.
The only thing I could see making this better would be a sandboxing feature wiping any previously executed changes to files, registry and settings during the malware execution. And also allowing a safe environment separated from all the other programs running in the system, limiting possible damage.
- Jul 22, 2014
- 2,525
Fabian,
Thanks for stepping in.
I used files but ment processes, thanks for highlighting it.
Thanks from all users for providing decryption program for randamant ramsom, on top for free!!
I have a doubt about Emsi's modus operandi...
If a process is started it is checked by file guard ( Bit and Emsi signatures and heur engine); if BB doesn't alert, process is still monitored by BB but can do his "work"; if not, AMN is checked.
If a match is found an automated decision it's applied, if not a BB alert window with options is shown, correct?
What happens with the process/ file that originated it if a match on AMN is not found?
Will this automatically and always be uploaded for further analysis or when does this happen?
When it is quarantined and user decides to upload it?
Thank you
Btw..Merry Christmas! !!
Similar threads
