App Review Emsisoft Internet Security - Behavior Blocker Only - ransomware test


Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Is that with the same samples?
yes, exact same samples. I'm too lazy to find new ones. There were 3-5 new samples, if I'm not mistaken, but those were blocked too

This is just like SecurityFirst. Are you even using the same music as him?
yes, because those are free soundtracks. NoCopyrightSounds
I don't wanna be blocked, so I have to use these. There are a lot and I will replace them with new ones later :)
 

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
I just skipped over your video:

In general, we don't care about certain file types, like .exe files or .lnk files, and malware may be able to encrypt them without us intervening. This is mostly a mitigation for false positives. The other two document files that were encrypted are encrypted copies. It's easiest to spot in the ".oops" case: you can clearly see both files coexisting there. The ransomware samples probably triggered the detection when they attempted to overwrite and get rid of the originals. Since we don't perform a rollback per se, encrypted copies will be left behind. Same with ransom notes, really.

The lock screens are annoying and we really should display the warning windows on top of them. Will see what we can do about that.
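Fabian's explanation above has two practical consequences for anyone cleaning up after a test like this: encrypted copies (and ransom notes) stay on disk even though the originals survived, and .exe/.lnk files are deliberately outside the blocker's protection, so they need to be checked by other means. The following is an added Python example written for this thread, not Emsisoft code and not part of the original posts. The ".oops" suffix is the one seen in the video; the sample files, the extension lists and the temporary directory are constructed assumptions.

```python
"""Post-incident sweep after a behaviour blocker stops ransomware mid-run.

Two checks:
  1. classify_copies(): find "<name>.<known ext>.<unknown ext>" files, i.e. the
     encrypted copies a stopped sample leaves behind, and tell apart the ones
     whose original is still intact from the ones whose original is gone.
  2. baseline_unguarded() / changed_unguarded(): hash the file types the
     blocker does not guard (.exe, .lnk) so that a later comparison reveals
     whether they were touched.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: extensions we consider legitimate document/program types.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".exe", ".lnk"}
# File types the blocker deliberately leaves alone (from Fabian's post).
UNGUARDED = {".exe", ".lnk"}


def classify_copies(root):
    """Return (leftover_copies, lost_originals) as sorted lists of Paths.

    leftover_copies: encrypted copy whose original still exists (no data loss).
    lost_originals:  encrypted copy whose original is gone (original was
                     overwritten or deleted before the block kicked in).
    """
    leftover, lost = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffixes = path.suffixes
        if len(suffixes) < 2:
            continue
        last, inner = suffixes[-1].lower(), suffixes[-2].lower()
        # Only "<known ext>.<unknown ext>" is a candidate; "backup.tar.gz" is not.
        if last in KNOWN_EXTENSIONS or inner not in KNOWN_EXTENSIONS:
            continue
        original = path.with_suffix("")  # strips only the trailing ".oops"-style suffix
        (leftover if original.exists() else lost).append(path)
    return sorted(leftover), sorted(lost)


def baseline_unguarded(root):
    """SHA-256 of every unguarded file, keyed by path relative to root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in UNGUARDED
    }


def changed_unguarded(baseline, root):
    """Names from the baseline whose content differs now or which disappeared."""
    now = baseline_unguarded(root)
    return sorted(name for name, digest in baseline.items() if now.get(name) != digest)


def build_sample_tree():
    """Constructed sample tree mimicking the state after the test in the video."""
    root = Path(tempfile.mkdtemp(prefix="bb-sweep-"))
    (root / "report.docx").write_bytes(b"intact document")          # original survived
    (root / "report.docx.oops").write_bytes(b"\x9a\x11\x42\x00junk")  # constructed ciphertext
    (root / "photo.jpg.oops").write_bytes(b"\x01\x02\x03")           # original is gone
    (root / "backup.tar.gz").write_bytes(b"not ransomware output")    # benign double extension
    (root / "notes.txt").write_bytes(b"plain")
    (root / "tool.exe").write_bytes(b"MZ fake program")               # unguarded type
    (root / "shortcut.lnk").write_bytes(b"L\x00\x00\x00")             # unguarded type
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    leftover, lost = classify_copies(root)
    print("encrypted copies with intact original:", [p.name for p in leftover])
    print("encrypted copies with lost original:  ", [p.name for p in lost])
    before = baseline_unguarded(root)
    (root / "tool.exe").write_bytes(b"overwritten by a sample")
    print("unguarded files that changed:         ", changed_unguarded(before, root))
```

Run the sweep before and after a test so that the .exe/.lnk hashes can be compared; the leftover copies with an intact original are the ones that can simply be deleted, while the "lost" list is the real damage.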
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Thanks for another great review Mr. Rainsomware ;). I love them :)
thank you :D I love this name

I just skipped over your video:

In general, we don't care about certain file types, like .exe files or .lnk files, and malware may be able to encrypt them without us intervening. This is mostly a mitigation for false positives. The other two document files that were encrypted are encrypted copies. It's easiest to spot in the ".oops" case: you can clearly see both files coexisting there. The ransomware samples probably triggered the detection when they attempted to overwrite and get rid of the originals. Since we don't perform a rollback per se, encrypted copies will be left behind. Same with ransom notes, really.

The lock screens are annoying and we really should display the warning windows on top of them. Will see what we can do about that.
thank you. Hope you can improve the product
I was trying to do it quickly so I missed that. When I watched the video again, I saw a file that was not encrypted.

Overall, extremely impressive result for Emsisoft's BB. Congrats
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
I just skipped over your video:

In general, we don't care about certain file types, like .exe files or .lnk files, and malware may be able to encrypt them without us intervening. This is mostly a mitigation for false positives. The other two document files that were encrypted are encrypted copies. It's easiest to spot in the ".oops" case: you can clearly see both files coexisting there. The ransomware samples probably triggered the detection when they attempted to overwrite and get rid of the originals. Since we don't perform a rollback per se, encrypted copies will be left behind. Same with ransom notes, really.

The lock screens are annoying and we really should display the warning windows on top of them. Will see what we can do about that.
When the developer responds like this you know you've selected the right product. I could be wrong but I'd be surprised if Kaspersky would do the same.
 

insanity

Level 5
Verified
Oct 9, 2016
216
Emsisoft performed really well. But I just wonder: when the EIS warning window pops up, is the malware already blocked? Or is it user dependent, so that you have to quarantine or delete the threat to stop it from running?
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Emsisoft performed really well. But I just wonder: when the EIS warning window pops up, is the malware already blocked? Or is it user dependent, so that you have to quarantine or delete the threat to stop it from running?
I think it's user dependent. I didn't see the text "Suspended" next to the malware process when the popup showed up, and a few of them caused some damage before I clicked quarantine
not sure but this is what I observed
 

insanity

Level 5
Verified
Oct 9, 2016
216
I think it's user dependent. I didn't see the text "Suspended" next to the malware process when the popup showed up, and a few of them caused some damage before I clicked quarantine
not sure but this is what I observed

Honestly I don't like this. If the user takes a little bit longer to respond to the warning (e.g. examining the threat, making a decision or simply distracted), all their files could be lost in the meantime. Personally, I believe an AV solution should always block (auto-decide) by default first. User-dependent choice is for advanced users in certain contexts.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
@Evjl's Rain Great test! Thank you.
One question. One of the alerts states that the program is downloading data in an invisible way. Is this the BB too and not the firewall?
that was BB. Firewall was disabled
Probably those malware samples were using wscript.exe to download, or downloaded silently to a suspicious location
I just guess, I don't really know
Fabian can answer this more clearly
 
Wave

Honestly I don't like this. If the user takes a little bit longer to respond to the warning (eg. examining the threat, making a decision or simply distracted), all their files could be lost in the meantime.
This isn't the case at all! When Emsisoft Anti-Malware displays the alert for the user to respond to, the process being alerted about for the behavior which triggered the alert becomes suspended. This means that all the threads within the target process become suspended, which essentially means they are "frozen"; since all the threads are "suspended", it means they cannot execute any code until they are once again resumed.

A process is pretty much a container, the actual container (the process) doesn't execute the code for the program, but the threads within the process are responsible for executing the program's code... The same way that the heart is responsible for pumping the blood around our body but the body itself is a container for our internal organs, or how our brain allows us to function by sending signals to our muscles but the head is the protector for the brain. ;)

Therefore, when Emsisoft Anti-Malware alerts are triggered, you can take all the time in the world to read the alert properly to understand what's going on and then respond to it. :)

Edit: This should be the case at least, just read what @Evjl's Rain said above... Hmm.... I'll do some testing to double check if they changed anything since I last tested? :(
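Wave's description of a suspended process (every thread frozen, so no code runs until the process is resumed) can be shown directly. The following is an added Python example for this thread, not Emsisoft code and not from any post above; it uses SIGSTOP/SIGCONT, the POSIX equivalent of the thread suspension a Windows behaviour blocker performs, so it runs on Linux or macOS rather than Windows. The counter-writing worker process is constructed and stands in for the process the alert would be about.

```python
"""Show that a suspended process makes no progress until it is resumed.

A constructed worker process increments a counter in a file as fast as it
can. We freeze it with SIGSTOP (all threads stop executing), read the counter
twice while it is frozen, then resume it with SIGCONT and confirm it moves on.
POSIX only: Windows has no SIGSTOP; a blocker there suspends each thread.
"""
import os
import signal
import subprocess
import sys
import tempfile
import time

# Constructed stand-in for the process the blocker alerts about.
WORKER_SOURCE = """
import sys, time
path = sys.argv[1]
n = 0
while True:
    n += 1
    with open(path, 'w') as f:
        f.write(str(n))
    time.sleep(0.005)
"""


def read_counter(path):
    """Current counter value; 0 if the file is missing or caught mid-write."""
    try:
        with open(path) as f:
            text = f.read()
        return int(text) if text else 0
    except (FileNotFoundError, ValueError):
        return 0


def wait_for_progress(path, last, timeout=3.0):
    """Poll until the counter exceeds `last` or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        current = read_counter(path)
        if current > last:
            return current
        time.sleep(0.01)
    return read_counter(path)


def run_suspend_demo(freeze_seconds=0.5):
    """Freeze the worker, observe it, resume it; return the observed counters."""
    workdir = tempfile.mkdtemp(prefix="suspend-demo-")
    counter = os.path.join(workdir, "counter.txt")
    worker = subprocess.Popen([sys.executable, "-c", WORKER_SOURCE, counter])
    try:
        running = wait_for_progress(counter, 0)       # worker is making progress
        os.kill(worker.pid, signal.SIGSTOP)            # freeze every thread in it
        time.sleep(0.05)                               # let the stop take effect
        frozen_start = read_counter(counter)
        time.sleep(freeze_seconds)                     # "take all the time in the world"
        frozen_end = read_counter(counter)             # unchanged while frozen
        os.kill(worker.pid, signal.SIGCONT)            # resume (the "Allow" outcome)
        resumed = wait_for_progress(counter, frozen_end)
    finally:
        worker.kill()                                  # the "Quarantine/Block" outcome
        worker.wait()
    return {
        "running": running,
        "frozen_start": frozen_start,
        "frozen_end": frozen_end,
        "resumed": resumed,
    }


if __name__ == "__main__":
    result = run_suspend_demo()
    print(result)
    frozen = result["frozen_start"] == result["frozen_end"]
    print("no progress while suspended:", frozen)
    print("progress after resume:", result["resumed"] > result["frozen_end"])
```

The two counter reads taken while the worker is stopped are equal, which is the property Wave relies on: a user can leave the alert open indefinitely and the suspended sample cannot touch another file. If the "Suspended" marker is missing from the alert, as Evjl's Rain observed, that guarantee does not hold and the damage window is the user's reaction time.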
 
