(Emsisoft) New in 2019.8: One-click network lockdown

[DDE_Server]

In this month’s software update we’ve made some improvements to the main screen of Emsisoft Anti-Malware and added a number of handy tools for your added security.

New network lockdown feature

This new feature allows you to instantly take your devices offline by clicking the on/off switch. Use it in an emergency situation if you suspect that a malware infection has taken place, or simply block hidden programs from accessing the Internet without your consent (e.g. if you’re on a metered connection).

Note that Emsisoft protection updates will still be let through and the connection to Emsisoft Cloud Console will remain intact to allow your admins to investigate the issue. Network lockdown can also be enabled remotely from the Cloud Console, either for single devices or all devices of a particular group.

New firewall status display

The overview screen now shows your current firewall status, be it the Windows built-in firewall or a third-party product. The status display also allows you to turn your firewall on or off with just a click.


New Network Lockdown and Firewall status display

Quick access via systray context menu
All 2019.8 improvements in a nutshell
Emsisoft Anti-Malware

• New network lockdown feature.
• New firewall status display.
• New display of workspace connection on overview screen.
• Improved traffic relay feature.
• Improved logs.
• Several minor tweaks and fixes.

MyEmsisoft/Cloud Console

• New network lockdown feature for single devices and groups of devices.
• New license re-assign and merge feature to move personal licenses to workspaces.
• Improved workspaces list dashboard for managed service providers: Search box, expanded device list, reports drill down, etc.
• Improved single workspace dashboard for admins.
• Improved login security and additional system hardening.
• Improved exclusions, now supporting quick import of lists of paths.
• Improved user interface in many sections.
• Several minor tweaks and fixes.

 

[ZeroDayDefender]

I wish they would bring the firewall back or implement a default deny such as what secureaplus has or even a sandbox like Comodo firewall

 

[plat]

I found this interesting even though it's like five years ago:

Emsisoft Help

support.emsisoft.com

The head developer has stated that the Behavior Blocker worked better without the proprietary firewall.

Source

In a search, Emsisoft reps have stated sandboxing is not a consideration as the focus is on the Behavior Blocker technology and monitoring activity via whatever firewall is running on your system.

That network lockdown feature looks great for enterprise in a ransomware or worm scenario. Any way to test this in a comparative study for endpoints or is it too user-defined? Emsi doesn't participate in much comparative studies nowadays. Would be interesting nonetheless. :emoji_ok_hand:

Edited to add "worm"

 

[Azure]

I wish they would bring the firewall back or implement a default deny such as what secureaplus has or even a sandbox like Comodo firewall

Doubt that it ever be implemented. Fabian did talk a little of his opinion of default deny.

Advice Request - I am head of research at Emsisoft. Ask me anything! :)

Why would I want to work for a company that doesn't allow its employees to create useful tools for malware victims outside of their normal workplace? ;) Were you ever approached by other Anti-Virus companies for hiring?

malwaretips.com

 

[plat]

Any way to test this in a comparative study for endpoints or is it too user-defined?

Ask and ye shall receive, lol! Here is a new AV comparative, and the latest results are within. Emsisoft for enterprise is among the test subjects. Interesting! Not sure if the very latest features above are included, though.

AVLab Cybersecurity Foundation

AVLab Cybersecurity Foundation was founded in 2012. Visit our Advanced In The Wild Malware Test to learn how we test modern antivirus technology.

checklab.pl

Source

 

[show-Zi]

Network lockdown may be an interesting feature depending on future developments. For example, isn't it technically possible to detect a suspicious communication and automatically disconnect it?

 

[ZeroDayDefender]

Network lockdown may be an interesting feature depending on future developments. For example, isn't it technically possible to detect a suspicious communication and automatically disconnect it?

I believe the web shield already does that

 

[show-Zi]

I believe the web shield already does that

Please tell me if I misinterpret.:emoji_pray:
I thought web shield was a feature that didn't connect to suspicious destinations. Is the behavior of trying to connect to the web from a strange port also monitored?

 

[ZeroDayDefender]

Please tell me if I misinterpret.:emoji_pray:
I thought web shield was a feature that didn't connect to suspicious destinations. Is the behavior of trying to connect to the web from a strange port also monitored?

I think it will block malicious connections from applications

 

[ForgottenSeer 58943]

Network lockdown may be an interesting feature depending on future developments. For example, isn't it technically possible to detect a suspicious communication and automatically disconnect it?

It's really a useless feature right now. By the time any user shuts anything down the damage is probably already done. Routers like Gryphon can instantly block the internet from any infected/suspicious device/IoT on a network, which is superior to this. I suppose other routers also do it. This actually looks like Emsisoft is pushing toward something like WhitelistCloud from VoodooShield, as it does this, but is automated on unclassified/unknown file activity.

There is a good bit of security to be gained by having a method to slice off the internet. Whether that method is a hardware or software switch, generally speaking, your NIC should be severed from the LAN/WAN unless explicitly needed. I used to work at a location I won't mention. We had dead-man-switches on every system. If you didn't push a button every 30 minutes your system was totally disconnected and isolated from the LAN/WAN.

Right now I use a software method to sever the lan/wan from connectivity when the systems are sleeping/locked/shutoff/hibernating.

User Log In

Wireless AutoSwitch will automatically disable all wireless cards when on a LAN / wired connection in Windows. Try it free for 30 days!

www.wirelessautoswitch.com

You can edit the text file config for Wireless-AutoOff and add your wired NIC into it to control them. That way, until I click the icon on the desktop there won't be any active internet connection. If I walk away and the system locks, the internet connection will drop with it.

It's good that Emsisoft added this, but it would be improved with the following features;

1) Option to completely block all application/os traffic if the system is locked. After X amount of time of inactivity, etc.
2) Auto-Block of unclassified, unknown, potentially harmful applications until released/quantified.

 

[Pkjfkknm]

This actually looks like Emsisoft is pushing toward something like WhitelistCloud from VoodooShield, as it does this, but is automated on unclassified/unknown file activity.

Emsisoft BB perform file rep query since Mamutu
since over decade ago
use own cloud databases

 

[Pkjfkknm]

2) Auto-Block of unclassified, unknown, potentially harmful applications until released/quantified.

emsisoft do this already
others do it too
can set any firewall to autoblock unknown process
all can do it even windows firewall
automated

"In addition, whenever the Behavior Blocker sees any application it doesn’t know to be trustworthy attempting to create new firewall rules or change the firewall status, it will attempt to auto-resolve the situation by blocking the attempt:

If you have auto-resolve disabled, it will simply ask.

In version 2017.8, we extended our Behavior Blocker technology to protect the exposed Windows Firewall functions from malicious usage. This gives you control over which of your applications are allowed to create Windows Firewall rules for you and which aren’t. This is what we refer to as “Windows Firewall Fortification”.

This is where the intelligent outbound firewall that is part of our Behavior Blocker comes in, which will prevent malicious applications from communicating with the internet automatically while not getting in the way of benign applications. "

[

 

[ichito]

In/out traffic can be disabled...but Emsi servers are still connected in both ways? So...what actually is disabled in such case...and what is still enabled?
BTW...it's a bit weird "invention" because a lot of old firewall aps in the past offered it normally...OA also.

 

[bribon77]

I do not see the grace, to this application. Although it may be important, but if I want to disable everything I can do it without a program.

 

[DDE_Server]

I do not see the grace, to this application. Although it may be important, but if I want to disable everything I can do it without a program.

i agree with you if i want to disable the internet connection i may press on wifi button or unplug the ethernet cable and it all done

 

[Azure]

i agree with you if i want to disable the internet connection i may press on wifi button or unplug the ethernet cable and it all done

Can you guys still do that while at the same time allow Emsisoft to receive updates?

 

[DDE_Server]

Can you guys still do that while at the same time allow Emsisoft to receive updates?

i didnot try it yet i will try and till you

 

[show-Zi]

I thinking 'users who can decide to push the network lockdown switch have the knowledge to do it in other ways'.
Emisi tends to rely on users to make decisions in ambiguous situations, but I think there are situations where forced intervention is required.

 

[ForgottenSeer 58943]

i agree with you if i want to disable the internet connection i may press on wifi button or unplug the ethernet cable and it all done

 

[show-Zi]

Bad example

This should not be done