Advice Request I am head of research at Emsisoft. Ask me anything! :)

[Fabian Wosar]

Hello everyone,

As mentioned in the current EAM release thread, I talked to @Jack and he allowed me to create an AMA thread for you to ask whatever you want really. If you ever wanted to see some internal tools, had some questions about malware research or Emsisoft products like the upcoming Emsisoft Cloud Console, are curious about crazy stories that I experienced during my work, or just want to know what my favourite type of pizza is: Feel free to ask away.

I will try to do my best to reply to as many questions in the next 24 hours as possible. Nothing is off limit with three exceptions:

• No questions about my whereabouts. I recently moved from Germany to the UK because of some real-life threats made against me by some less-than-pleasant people. It's actually one of the reasons I stopped releasing decrypters myself, although that is about to start up again.
• No questions about competing products. So no "What do you think of Malwarebytes/Kaspersky/Zemana/ESET/whatever?". It's just not my place to talk about these. Questions about types of products are completely fine though. Like for example "What's your take on NextGen AVs?".
• Some stuff may be covered by NDAs. Especially when it comes to things like testing companies like AV-Test or AV-Comparatives. So while I would love to tell you how much money you have to pay to participate in these test series, because I feel it is an important bit of information that consumers should know about, I, unfortunately, can't.

So, please ask away.

 

[Imranmt]

Can you stop trojan virus in real time to save my windows from getting infected?

 

[Vasudev]

Will EEK engine be updated to latest EAM engine with AI/adavnced analytics to stop current malware in the system from destroying/locking out the user?

 

[plat]

I have put on my reporter hat and the mike is live, Herr Wosar.

I've always admired your affinity for creating decryption tools, including that for the dreaded "Fabiansomware." How did you feel after that one was brought to your attention? Some people claim ransomware is not as much of a threat anymore in the Windows 10 environment. What is the biggest ransomware threat you are finding in the wild these days?

 

[Fabian Wosar]

Can you stop trojan virus in real time to save my windows from getting infected?

Probably depends on the malware. In general, malware detection belongs to a class of problem in computer science called the Halting Problem. The Halting Problem is provably undecidable. That means you can't decide with absolute certainty whether or not any given file is malware or not. Or to put it in more simple terms: No protection is 100% .

Will EEK engine be updated to latest EAM engine with AI/adavnced analytics to stop current malware in the system from destroying/locking out the user?

EEK and EAM both use the same version of the scan engine. The version number may be slightly different, but the features and functionality is always the same between them. The reason for the different version numbers is simple:

All the core components of EAM (behaviour blocker, file guard, surf protection, scan engine, etc.) are internally grouped together as a single component called the Emsisoft Protection Platform (EPP). That means that if we make changes to the behaviour blocker, for example, the version numbers of all these components is being bumped up to signify that they all belong together. So the scan engine version number may increase, even though nothing in the scan engine has changed.

For EAM we like to keep all the EPP components in sync when it comes to versions. So even though nothing has changed inside the scan engine with the exception of the version number, we still release the new executable. For EEK, which doesn't use all the parts of EPP, that's not always necessary. So that is why the version number may be different, but it is still the same scan engine.

 

[Deletedmessiah]

Outside of ransomware, what type of malware do you find to be most serious for home users nowadays?
Which countries has the highest number of Emsisoft users currently?

Also what is your favorite programming language?

 

[RoboMan]

What is your vision about the future of IoT in relation with cyberthreats? Do you think it will (or already is) pose a threat to enterprises and home users? Are you planning to do anything about it from Emsisoft? Oh and what's best penguins or polar bears?

 

[Fabian Wosar]

I've always admired your affinity for creating decryption tools, including that for the dreaded "Fabiansomware." How did you feel after that one was brought to your attention?

Insults and bad guys losing their sh*t over your work is the highest form of flattery in my opinion. Means you hit them where it hurt.

Some people claim ransomware is not as much of a threat anymore in the Windows 10 environment. What is the biggest ransomware threat you are finding in the wild these days?

It depends a little bit. Gandcrab is very active, same as STOP at the moment. Interestingly enough, one ransomware family that has been quite active for almost 7 years now is a ransomware family called Xorist. It's essentially a ransomware construction kit, that can be used by anyone to click together your own ransomware. It's floating around in a lot of hacking communities, so the entrance barrier is super low and there are a lot of opportunists out there who just give it a go.

 

[Lord Ami]

Few questions on top of my head right now

1. How difficult is it to set up honeypots these days? What I mean is:
A) Do malware authors make it more difficult as it used to be;
B) Are they as beneficial for creating protection/signatures compared to few years ago?

2. What do you see as the most difficult attack vector to cover these days? Scripts, macro exploits...?

 

[ng4ever]

Can you tell me why when I get the huge file size (full installer) of Emsisoft Anti-Malware EmsisoftAntiMalwareSetup64.msi it won't let me enter my license key ? When I try to click on this screen it won't let me enter it. I keep trying too.

Though when I use EmsisoftAntiMalwareWebSetup.exe file it works fine.

 

[Fabian Wosar]

Outside of ransomware, what type of malware do you find to be most serious for home users nowadays?

Definitely the bots. Trickbot and Emotet are going rampart. They are often the source of secondary infections as well. Other than that, home users are plagued with PUPs. If you ever had to fix the system of one of your family members, you know what I am talking about.

Which countries has the highest number of Emsisoft users currently?

The US.

Also what is your favorite programming language?

I am a C++ person. Although Python has some great uses as well. I hate everything related to Java and PHP.

What is your vision about the future of IoT in relation with cyberthreats?

IoT is difficult and I do not think there is ultimately a technical solution there. The biggest issue you are facing is planned obsolescence and the fact that vendors aren't liable for the security of their products. So it will probably continue to be a plague until the legislatures intervene and change both of these. For example, force vendors to provide security patches for their IoT devices for 3 years after the last production run.

Do you think it will (or already is) pose a threat to enterprises and home users?

Absolutely. It will get a lot worse when IPv6 becomes more readily available since it will potentially expose every single device directly to the internet instead of them hiding behind routers/NATs.

Are you planning to do anything about it from Emsisoft?

It's certainly on the list of things we keep a close eye on, but nothing that would be worth talking about at this point.

Oh and what's best penguins or polar bears?

The cute baby ones. For penguins: Definitely Gentoos. Accidentally also my Linux distribution of choice with Arch and Ubuntu as a close second and third.

 

[omidomi]

Hi
Emsisoft VPN ,dose it underway?
Whats your idea about changing one of the Emsisoft Engines from ehem engine to german one?
Can I ask how many users dose Emsisoft has?

 

[Fabian Wosar]

1. How difficult is it to set up honeypots these days? What I mean is:
A) Do malware authors make it more difficult as it used to be;

Not really. They continue to use the same tricks pretty much. It's rare that you see something truly new.

B) Are they as beneficial for creating protection/signatures compared to few years ago?

Definitely. Especially for ransomware. In a lot of cases, ransomware is being installed manually by people hacking the system via weak passwords and RDP. They know that we need the ransomware executable in order to do a proper analysis. So they take great caution to make sure we can't find them and securely delete them once they are done. Honeypots help a lot in those cases.

2. What do you see as the most difficult attack vector to cover these days? Scripts, macro exploits...?

Powershell. I have no idea what Microsoft was thinking when they unleashed that beast onto everyone's systems.

Can you tell me why when I get the huge file size (full installer) of Emsisoft Anti-Malware EmsisoftAntiMalwareSetup64.msi it won't let me enter my license key ? When I try to click on this screen it won't let me enter it. I keep trying too.

That looks really odd to me. I checked the bug tracker and there is nothing like that recorded. May I ask you to contact our support please so they can take the proper details and have our QA people look into it? You can email them at support@emsisoft.com.

 

[Fabian Wosar]

Emsisoft VPN ,dose it underway?

Not at the moment.

Whats your idea about changing one of the Emsisoft Engines from ehem engine to german one?

We actually wanted to use Avira first, but they didn't want to partner with us. That was a long time ago though. We haven't contacted or considered them again since then. It appears they greatly upped their OEM efforts, so I guess never say never. But there are no concrete plans at the moment.

Can I ask how many users dose Emsisoft has?

Eight figures. That's as concrete as I can get.

 

[Marko :)]

Do you have in plans to release a free, basic version of EAM (with real-time protection) just like Kaspersky did?

 

[SHvFl]

@Fabian Wosar
I assume you have some in house statistic on how your software performs against all type of malware. Based on those does it show you are doing better or worse than last year?
The reason I am asking is that my personal opinions is that detection got lower because bitdefender got worse and also eam bb seems weaker in my eyes. Maybe I am wrong though as i don't test thousand and thousand of malware so I would like to hear your opinion.

 

[Fabian Wosar]

Do you have in plans to release a free, basic version of EAM just like Kaspersky did?

We may. The problem is, that ultimately with these free AVs you as a user pay with your data. That's generally speaking something we don't feel very comfortable with. Especially given that not a lot of people are even aware of it.

Recently I was kind of surprised to see that an otherwise super privacy conscious user had Traffic Light installed for example. It doesn't seem to be common knowledge that Traffic Light and a bunch of other browser extensions (Comodo Online Security Pro, Norton Safe Web, Avira Browser Safety, Avast Online Security being the biggest ones) like it will literally send every single URL you visit in clear text off to the vendor's server. The privacy policies aren't always clear and kinda sketchy at times. I am sure that some people don't mind. But I am also sure that a lot of people do mind, but simply don't know.

 

[Fabian Wosar]

I assume you have some in house statistic on how your software performs against all type of malware. Based on those does it show you are doing better or worse than last year?

We are doing better overall. That being said, we are still not where we would like to be, which is 100% detection, 100% of the time at 0% false positives with no user intervention at all.

There are a bunch of new changes coming this year and some interesting new opportunities that are enabled by the new cloud console. Luckily you won't have to wait until an arbitrary release for those because the moment we think they are ready, you will get your hands on them due to our rolling release cycle.

I can show you a little bit of the cloud stuff if you want me to.

 

[SHvFl]

We are doing better overall. That being said, we are still not where we would like to be. There are a bunch of new changes coming this year and some interesting new opportunities that are enabled by the new cloud console. Luckily you won't have to wait until an arbitrary release for those because the moment we think they are ready, you will get your hands on them due to our rolling release cycle.

I can show you a little bit of the cloud stuff if you want me to.

If you can sure, that would be great, but if not no worries. I have the patience of a saint.
Good luck with your next major release.

 

[Paul Lee]

Life or death scenario: Gun to your head, you're in a hostage situation. They ask you to eat a slice of pineapple pizza. Eat it and you live, don't eat it and you die. Which one do you pick?