Advice Request I am head of research at Emsisoft. Ask me anything! :)

[Andy Ful]

EAM actually already does that. It doesn't matter for EAM whether you copy the interpreter or not. Some malware was using that for rundll32.exe as a bypass for some AV in the past and we decided to handle this type of behaviour for all "host processes" as we call them internally. You can obviously still copy the file and break the signature so EAM no longer detects it, but by doing so you also cause EAM to no longer trust it.

Other than that messing with INF is a very, very bad idea. Every single hardware driver (including Windows Update) relies on it. In most cases, they will probably invoke the Setup API directly, but you never know. At the very least INF files don't get executed automatically on double click.

We can skip the INF files, because they can be run by the user only with a right-click Explorer context menu or by a command line, so they are not as dangerous as other scripts.
I am not sure if my arguments have convinced you, but thanks for the interesting discussion and answering my questions.

 

[Fabian Wosar]

I am not sure if my arguments have convinced you, but thanks for the interesting discussion and answering my questions.

Not really, for two reasons:

I know our users. They would be wholly overwhelmed by such a feature. We had similarly advanced features in the past, usually disabled by default and Online Armor was pretty much all about putting the users in control. So I know first hand how these turned out as I was closely involved with customer support at the time.
The other way bigger issue is that we don't have a dedicated enterprise version. Meaning: The same version is used both by home as well as by business users. Given the prevalence of scripting in enterprise environments that is a disaster waiting to happen.

In general, I agree that given the right user and circumstances, like one knowledgable person and one lesser knowledgable one sharing the same system, such a feature can make sense. That's why OSArmor exists in the first place after all. However, I would also argue that someone who is capable of using OSArmor to its fullest potential also probably wouldn't need it for themselves.

 

[sepik]

Hi Fabian Wosar,
I'm not tech-savvy, but i do like to ask about EAM self protection mechanics. Does it start in "early boot stage"? Ring 0 or what is the term for that?
If i'm right, AV is useless if malware can disable it during early boot stage?
For example, i'm using third party firewall, which starts way before windows own firewall. So basically malware that starts before windows own firewall can make an outbound connection?

Kindest regards,
-sepik from Finland

 

[Andy Ful]

Not really, for two reasons:

I know our users. They would be wholly overwhelmed by such a feature. We had similarly advanced features in the past, usually disabled by default and Online Armor was pretty much all about putting the users in control. So I know first hand how these turned out as I was closely involved with customer support at the time.
The other way bigger issue is that we don't have a dedicated enterprise version. Meaning: The same version is used both by home as well as by business users. Given the prevalence of scripting in enterprise environments that is a disaster waiting to happen.

In general, I agree that given the right user and circumstances, like one knowledgable person and one lesser knowledgable one sharing the same system, such a feature can make sense. That's why OSArmor exists in the first place after all. However, I would also argue that someone who is capable of using OSArmor to its fullest potential also probably wouldn't need it for themselves.

Well said.
Please forgive me for putting here the off-topic note.
I understand the pressure of the AV market, but I am a patient guy. I wish that the times will come when it will be profitable to make a true "Home user AV", without looking at enterprises. There are maybe some signs of such a switch on the OS market, due to Chromebooks. This probably will force MS to create the true "Home user OS" (not bloated with enterprise dangerous features).
If an AV (OS) will be created from scratch to suit the home users' needs, then it will be also much safer for them. No need to fight the enterprise ghosts.

 

[oldschool]

However, I would also argue that someone who is capable of using OSArmor to its fullest potential also probably wouldn't need it for themselves.

This appears ironic, but is likely true. The irony leads one back to the subject of "security fatigue" plaguing average users. Thus, the wisdom in @Andy Ful 's wish for an OS strictly for the average home user. We can dream ... !

 

[Andy Ful]

This appears ironic, but is likely true. The irony leads one back to the subject of "security fatigue" plaguing average users. Thus, the wisdom in @Andy Ful 's wish for an OS strictly for the average home user. We can dream ... !

The more people will dream, the better will be results.
I wish the Emsisoft team to make money on such dreams.

 

[Burrito]

Emsisoft Internet Security – Test und Erfahrungen (03/2019) (translated.... so English is a little off..)

Fabian,

As reflected with your presence on the board, the experience of subscribers as reflected in comments here at MT, and this nice review (above) -- Emsisoft has exemplary customer service.

Assuming Emsisoft continues to grow and prosper, will it make it more difficult to deliver the same level of customer service?

 

[Fabian Wosar]

I'm not tech-savvy, but i do like to ask about EAM self protection mechanics. Does it start in "early boot stage"? Ring 0 or what is the term for that?

Yes, we protect our processes using a kernel mode driver.

If i'm right, AV is useless if malware can disable it during early boot stage?

It's protected during the boot process as well. We are also currently looking into adopting protected processes. On Windows 10 at least. They will become a requirement soonish.

If an AV (OS) will be created from scratch to suit the home users' needs, then it will be also much safer for them. No need to fight the enterprise ghosts.

I think it would be a lot more interesting for both home users as well as enterprise users if we would extend the control over scripts. I mean, blocking all the macros in Office is one thing, but it would be nicer to have the ability to block only the dangerous stuff, wouldn't it?

Assuming Emsisoft continues to grow and prosper, will it make it more difficult to deliver the same level of customer service?

Providing quality customer service is a daily challenge. We expanded the team multiple times over the past years and compared to a lot of other companies, we spend quite a bit of our revenue on customer support. I don't see that changing and David, who is responsible for all customer support at Emsisoft, and his entire team are doing a wonderful job.

 

[Andy Ful]

...
I think it would be a lot more interesting for both home users as well as enterprise users if we would extend the control over scripts. I mean, blocking all the macros in Office is one thing, but it would be nicer to have the ability to block only the dangerous stuff, wouldn't it?
...

Yes, It would be interesting for me too, but hardly for the home users.
This would be like trying to convince Inuits from Alaska that:

1. They need a piece of the jungle.
2. It is interesting to investigate the malaria disease.

I think that Microsoft could do it. The Windows world is very strange.
:notworthy:

Edit.
Thist post is still funny when "a peace of the jungle" is replaced by "a piece of the jungle" which should be probably replaced by "a small part of the jungle".

 

[sepik]

Fabian "Fab"(Fabulous) Wosar,
Because of you, just bought a EAM, not for me, but for my mum
Im Gdata man, just because no national backdoor(s), no privacy problems.
-sepik

 

[vaccineboy]

Hi @Fabian Wosar , just curious:

• Do you share your own signatures with BitDefender?
• Of the whole EAM, roughly how many % is your own sig?
• What is the difference between other components of EAM and BD? (of course I'm asking about the similar components of the two, like behavior blocker, and not about components that one has and the other doesn't)
• In your experience, recently, what is most effective component of EAM (sig or BB or other)?

Thanks.

EDIT: Thank you all the experts for the wonderful discussion in this thread. I'd like to ask (pls tell me if I'm off topic):
As my family use Windows 7 for purely office works (MS office, with my wife being an accountant so she needs some excel addons, and PDF editor), if I disable all script stuffs in SysHardener, will it affect our work (my concern really is only my wife)?

 

[Aleeyen]

I think the name EAM should be changed, many users get confused and think that it is just a companion AV. They actually compare it with ZAM, MBAM.
I have seen in many forums people asking which one of the three is better i.e. EAM, ZAM and MBAM, they want to keep it alongside some other AV.

 

[Azure]

I think the name EAM should be changed, many users get confused and think that it is just a companion AV. They actually compare it with ZAM, MBAM.
I have seen in many forums people asking which one of the three is better i.e. EAM, ZAM and MBAM, they want to keep it alongside some other AV.

Emsisoft - Anti-Malware: Lightweight Malware Protection for the Home

Emsisoft Anti-Malware for best real-time protection against ransomware and other malware with dual scanner, behaviour blocker and more advanced features.

www.emsisoft.com

"You might ask...
- Why is it called "Anti-Malware" and not "Antivirus"?
Our lab has determined that classic viruses only make up less than 0.5% of total threats (in 2016). Using "Antivirus" would therefore be wrong by definition. We're perfectionists so we have elected to use the broader term "Malware" as it stands for all kinds of online threats."

 

[Fabian Wosar]

Yes, It would be interesting for me too, but hardly for the home users.

It would be a decent compromise between "block all scripts" and "allow all scripts". Essentially: "Block potentially dangerous scripts." The reality is, that pretty much all malicious scripts use the same couple of COM components and it would be relatively easy to recognise whether a script is trying to use them. Even just blocking certain script functions are an option.

Do you share your own signatures with BitDefender?

We don't.

Of the whole EAM, roughly how many % is your own sig?

It's an unfair comparison. We don't create signatures for things detected by BD already. So obviously BD will have way more signatures than we do. At the moment EAM has 12801426 signatures overall. 74897 of which belong to EAM.

What is the difference between other components of EAM and BD? (of course I'm asking about the similar components of the two, like behavior blocker, and not about components that one has and the other doesn't)

We only use the BD scan engine and even there we use different settings. So Yeah, pretty much all of them are different.

In your experience, recently, what is most effective component of EAM (sig or BB or other)?

Probably signatures, due to the massive prevalence of PUPs. About 80% of all detections are PUP related. Of those, more than 75% are issued by our scan engine compared to Bitdefender. Even if we look at all detections overall categories combined, our own scan engine and signatures are responsible for more than 60% of all detections compared to a little bit under 40% who are triggered by Bitdefender.

As my family use Windows 7 for purely office works (MS office, with my wife being an accountant so she needs some excel addons, and PDF editor), if I disable all script stuffs in SysHardener, will it affect our work (my concern really is only my wife)?

Should probably be okay. Fully disabling macros in Office may cause a lot of issues with various templates though.

I have seen in many forums people asking which one of the three is better i.e. EAM, ZAM and MBAM, they want to keep it alongside some other AV.

That distinction never made sense to me. Outside of Africa and some poor Asian regions, viruses are dead. Like literally. Every single "AV" out there is an "anti-malware". The distinction is pure marketing effort and usually used as an excuse not to perform as good as "AVs" do. Viruses are such a small issue in almost all countries, that you will be hard pressed to see the tiniest blip they represent on a pie chart. We are talking less than 0.1% here.

 

[Andy Ful]

It would be a decent compromise between "block all scripts" and "allow all scripts". Essentially: "Block potentially dangerous scripts." The reality is, that pretty much all malicious scripts use the same couple of COM components and it would be relatively easy to recognise whether a script is trying to use them. Even just blocking certain script functions are an option.
...

After some years of fighting the malicious scripts, the average AV detection is still very poor. I am afraid that such a compromise is harder than it seems. Microsoft is trying to find the way out via Constrained Language Mode for PowerShell, WD ASR rules, AMSI, etc. Some other vendors implemented modules which can restrict script Interpreters (Kaspersky Application Control, Eset HIPS, etc.). These are pretty good compromises. If you are planning to add something like that to EAM, then I keep my fingers crossed and wish you success.
I would still insist that avoiding malaria disease is much better than healing it with good medicine. But, I know that the world cannot be perfect.

 

[Local Host]

After some years of fighting the malicious scripts, the average AV detection is still very poor. I am afraid that such a compromise is harder than it seems. Microsoft is trying to find the way out via Constrained Language Mode for PowerShell, WD ASR rules, AMSI, etc. Some other vendors implemented modules which can restrict script Interpreters (Kaspersky Application Control, Eset HIPS, etc.). These are pretty good compromises. If you are planning to add something like that to EAM, then I keep my fingers crossed and wish you success.
I would still insist that avoiding malaria disease is much better than healing it with good medicine. But, I know that the world cannot be perfect.

Same applies to trying to cure malaria in Iceland (nothing there to cure), there's no need to sacrifice usability in Home Systems when the specific Malware you fear won't reach our system in the first place.

It could however reach happy clickers systems, but then, there's nothing stopping them from running the script anyway by allowing it or even disabling the Anti-Malware as already said by Fabian.

So either way, such system is useless in the bottom line. Not to mention even if the script is ran, the Anti-Malware can easily stop and quarantine the payload, we talking Home Systems not Enterprise after all.

 

[Andy Ful]

...
It could however reach happy clickers systems, but then, there's nothing stopping them from running the script anyway by allowing it or even disabling the Anti-Malware as already said by Fabian.

It is good to read all the posts in the discussion. Both Fabian Wosar and I agree from the beginning that if the user is motivated to run something, then he/she will do it anyway. Furthermore, we both agreed in what circumstances the option to block scripts would make sense.

So either way, such system is useless in the bottom line. Not to mention even if the script is ran, the Anti-Malware can easily stop and quarantine the payload, we talking Home Systems not Enterprise after all.

That is simply not true. Please, read carefully the posts (mine and Fabian Wosar).
You are right that cautious user has only little chances to be infected. You are also right that enterprises have more chances to be infected via scripts, than home users. You are wrong when saying that malicious scripts are not a problem for home users.
If you are not convinced then open a new thread or PM me, and we can discuss this topic, without bloating the Emsisoft thread.

 

[shmu26]

Yes, It would be interesting for me too, but hardly for the home users.
This would be like trying to convince Inuits from Alaska that:

1. They need a peace of the jungle.
2. It is interesting to investigate the malaria disease.

I think that Microsoft could do it. The Windows world is very strange.
:notworthy:

LOL
Andy and the fabulous Fabian are the runaway winners of the humor prize.

 

[Andy Ful]

LOL
Andy and the fabulous Fabian are the runaway winners of the humor prize.

Yeah, the post can be funny, when one use the words "peace of the jungle".
Anyway, I like the idea of compromise between "block all scripts" and "allow all scripts".

 

[SumTingWong]

Which coding language is the hardest? C, C++, Javascript, Python?