Advice Request I am head of research at Emsisoft. Ask me anything! :)

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

Aleeyen

Level 22
Verified
Top Poster
Well-known
Nov 19, 2012
1,121
The most important and difficult question of all.
If you find it too difficult to answer you can take your time and answer it later. But you have to answer it, yes its really too much important.
And I warn you, you need to think a lot and provide the answer by any means. The question is when are you going to conduct a giveaway here at MT?
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Hello Fabian,
1. Do you guys plan to further improve update process of EAM? In the past a little freeze was more noticeable when EAM tries to update, I see that was improved, although still you can notice a freeze up of the program you currently use (Chrome, Media Player while watching a movie). It lasts for maybe a second or two, but still...
I have mediocre computer but I've also noticed this on my friend's PC with Ryzen 7, NVMe SSD and a bunch of RAM.

2. Does EAM always use the most recent/actual Bitdefender engine and how much performance improvement we can theoretically see if Bitdefender's engine is removed from EAM?

3. If we allow the suspicious behavior of a certain file (allow always, not allow once), will EAM notify the user if the same or similar behavior happens again but the file has changed in the meantime?
I am asking about the JDownloader actually, as I cannot modify its updater file (.jar) as I'm not that good in Java, enough not to break the updater's main functionality...
Asking this as I am a little skeptic about all programs that use jar files or use any kind of Java development kits in order to operate.

Thanks
 

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,041
I got two more for you, Fabian :)

1. What percentage of your time goes "waste" trying to implement/come up with systems that in the end are not so good and you'll have to quit on them?
Like you work really hard in this BB logic, consuming 2-3 days, but in the end you see it has X limitations and you just have to give up?

2. Is malware analyst's (or engineer's) work more like always experimenting or more like implementing known solutions? For example: BB for Ransomware. Do you have to start from scratch with new family, or you can use previous solutions, just fine-tuning them?
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
If you can sure, that would be great, but if not no worries. I have the patience of a saint.
Good luck with your next major release.
We no longer have major releases, to be honest. There are monthly releases. Some of them can change more than others though. :)

But yes. A lot of people noticed how the user interface in EAM changed a lot. Some people felt it was a little bit weird and didn't like it. Especially since people were wondering why we changed it in the first place and why the layout resembled that of a web page so much. The answer is quite simple: Because it is also a webpage.

Before I show you some screenshots: Keep in mind this is all still work in progress. Things may change. It may not look exactly like that. You know, the usual spiel. All these features will also be available to all users. Whether you have a single license just for yourself, manage the systems for your whole extended family, or are responsible for a company network. Doesn't matter. If you want, you can use it. No extra costs. That being said, you aren't forced to use it. We have no intentions to discontinue to the local user interface anytime soon.

But let's get to the good stuff. Over the past couple of months, we introduced a new customer portal called MyEmsisoft. In the past, all you could do there was essentially manage your licenses. But that is going to change once we introduce the new workplace feature:

210156


Think of workplaces as a group of computers. That can be your home or your company. Essentially when you buy a 3 PC license from us for example, you automatically get a workplace that you can assign 3 PCs to. Workspaces allow you to check and completely control any aspect of EAM in realtime from wherever you want.

This is my little test workspace for example:

210157


You can either join a workplace using an already installed EAM installation or you can generate a dedicated installer for it using the interface:

210158


You can create groups and settings templates for each group and use those to apply settings to the different systems. You can also lock down installations or make decisions online on the user's behalf. So instead of your mum calling you up asking for help, you can just help her right away from your phone. No remote admin or unclear descriptions necessary. Everything is syncing in real-time. Let's check out the details of one of the systems for example:

210159


Looks pretty much like the EAM GUI, doesn't it? You can make all the same changes as you can locally. You can adjust all the settings:

210160


You can turn protection modules on or off:

210161


Make changes to block lists for example:

210162


Plan new scheduled scans:

210163


Of course, you can check out the logs just as well:

210164


You are also able to do scans and manage the quarantine, although that's not in the current stable version at the moment so I can't show you screenshots of it just yet. The important thing though is, that EAM will have a permanent connection to the cloud in the future to exchange data in real-time. It will be perfectly capable of working without it (if you don't have Internet for example), but if you can use it, it allows for a number of interesting possibilities. The most obvious one is updates. Instead of polling for new updates once an hour, which potentially means you may not have the latest detection updates for up to 59 minutes, we can push new detections in real-time to your system. We can also query your system for more information, if the detection algorithms deployed in the cloud may think it would be beneficial. So instead of having a one-way communication between EAM and our backend servers, the backend servers can initiate communication and talk to your installation if required.

Keep in mind that is just the first step of the rollout. We will work to extend it over time. This includes things like reporting and statistics, but we will also use the ability to talk to clients to improve overall detection for example.

As always, we have the privacy of our users in mind. So all of this is done while ensuring your data stays private. For example, we don't upload any of your files to the cloud in the background unless you initiate it by pressing a submit button for example.

Overall, we are pretty excited about it.

Life or death scenario: Gun to your head, you're in a hostage situation. They ask you to eat a slice of pineapple pizza. Eat it and you live, don't eat it and you die. Which one do you pick? :giggle:
Honestly, I never had pineapple on a pizza. I was told it is actually pretty good. Just a couple of days ago, when ordering some food, I was toying with the idea of getting like a small Pizza Hawaii just to try it. But I chickened out. What do you think, should I give it a try? I am sick at the moment so I don't really feel like cooking anyway. :p
 

Paul Lee

Level 10
Verified
Well-known
Oct 14, 2014
497
We no longer have major releases, to be honest. There are monthly releases. Some of them can change more than others though. :)

But yes. A lot of people noticed how the user interface in EAM changed a lot. Some people felt it was a little bit weird and didn't like it. Especially since people were wondering why we changed it in the first place and why the layout resembled that of a web page so much. The answer is quite simple: Because it is also a webpage.

Before I show you some screenshots: Keep in mind this is all still work in progress. Things may change. It may not look exactly like that. You know, the usual spiel. All these features will also be available to all users. Whether you have a single license just for yourself, manage the systems for your whole extended family, or are responsible for a company network. Doesn't matter. If you want, you can use it. No extra costs. That being said, you aren't forced to use it. We have no intentions to discontinue to the local user interface anytime soon.

But let's get to the good stuff. Over the past couple of months, we introduced a new customer portal called MyEmsisoft. In the past, all you could do there was essentially manage your licenses. But that is going to change once we introduce the new workplace feature:

View attachment 210156

Think of workplaces as a group of computers. That can be your home or your company. Essentially when you buy a 3 PC license from us for example, you automatically get a workplace that you can assign 3 PCs to. Workspaces allow you to check and completely control any aspect of EAM in realtime from wherever you want.

This is my little test workspace for example:

View attachment 210157

You can either join a workplace using an already installed EAM installation or you can generate a dedicated installer for it using the interface:

View attachment 210158

You can create groups and settings templates for each group and use those to apply settings to the different systems. You can also lock down installations or make decisions online on the user's behalf. So instead of your mum calling you up asking for help, you can just help her right away from your phone. No remote admin or unclear descriptions necessary. Everything is syncing in real-time. Let's check out the details of one of the systems for example:

View attachment 210159

Looks pretty much like the EAM GUI, doesn't it? You can make all the same changes as you can locally. You can adjust all the settings:

View attachment 210160

You can turn protection modules on or off:

View attachment 210161

Make changes to block lists for example:

View attachment 210162

Plan new scheduled scans:

View attachment 210163

Of course, you can check out the logs just as well:

View attachment 210164

You are also able to do scans and manage the quarantine, although that's not in the current stable version at the moment so I can't show you screenshots of it just yet. The important thing though is, that EAM will have a permanent connection to the cloud in the future to exchange data in real-time. It will be perfectly capable of working without it (if you don't have Internet for example), but if you can use it, it allows for a number of interesting possibilities. The most obvious one is updates. Instead of polling for new updates once an hour, which potentially means you may not have the latest detection updates for up to 59 minutes, we can push new detections in real-time to your system. We can also query your system for more information, if the detection algorithms deployed in the cloud may think it would be beneficial. So instead of having a one-way communication between EAM and our backend servers, the backend servers can initiate communication and talk to your installation if required.

Keep in mind that is just the first step of the rollout. We will work to extend it over time. This includes things like reporting and statistics, but we will also use the ability to talk to clients to improve overall detection for example.

As always, we have the privacy of our users in mind. So all of this is done while ensuring your data stays private. For example, we don't upload any of your files to the cloud in the background unless you initiate it by pressing a submit button for example.

Overall, we are pretty excited about it.


Honestly, I never had pineapple on a pizza. I was told it is actually pretty good. Just a couple of days ago, when ordering some food, I was toying with the idea of getting like a small Pizza Hawaii just to try it. But I chickened out. What do you think, should I give it a try? I am sick at the moment so I don't really feel like cooking anyway. :p
Honestly, I've never understood the hatred for pineapples on pizza. I've personally never had it, but seeing as though I eat pretty much anything, I don't see why I wouldn't like it. Especially if it's pizza! :giggle:
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
The question is when are you going to conduct a giveaway here at MT?
I will ask marketing. :)

Has Emsisoft participated recently in any AV testing, official or otherwise, and if so, can you link us to results?
I think there is an AVLab.pl test being released soonish if it hasn't already. In general, testing is incredibly expensive (buying a pimped out Tesla 3 expensive) so we tend not to do it unless we actually have a good reason for it.

1. Do you guys plan to further improve update process of EAM? In the past a little freeze was more noticeable when EAM tries to update, I see that was improved, although still you can notice a freeze up of the program you currently use (Chrome, Media Player while watching a movie). It lasts for maybe a second or two, but still...
I have mediocre computer but I've also noticed this on my friend's PC with Ryzen 7, NVMe SSD and a bunch of RAM.
Yes, we will. :)

2. Does EAM always use the most recent/actual Bitdefender engine and how much performance improvement we can theoretically see if Bitdefender's engine is removed from EAM?
Scan times would be cut on average by 60 - 70%. And yes, we always use the most recent Bitdefender engine. We don't use the same settings as them though. For example: Bitdefender, like many other AVs as well, has invisible signatures. Think of it as a form of QA. If they are unsure on whether or not a new signature may cause false positives, they release it marked as invisible first. The scan engine then sends back information about all detections triggered by that signature. The server may tell the engine either to upload the file for further analysis, tell the engine to show the detection to the user or tell the engine to not show it. We have this stuff completely disabled as especially the upload stuff we don't feel particularly comfortable with. However, it also means we will have slightly worse detection rates from the Bitdefender engine as any product that has these features enabled.

3. If we allow the suspicious behavior of a certain file (allow always, not allow once), will EAM notify the user if the same or similar behavior happens again but the file has changed in the meantime?
I am asking about the JDownloader actually, as I cannot modify its updater file (.jar) as I'm not that good in Java, enough not to break the updater's main functionality...
Asking this as I am a little sceptic about all programs that use jar files or use any kind of Java development kits in order to operate.
Yes, it does. Essentially rules are bound to the exact version of the file that triggered them. If a single bit is changed, EAM will tell you about it when either previously allowed or completely new suspicious behaviours show up.

1. What percentage of your time goes "waste" trying to implement/come up with systems that in the end are not so good and you'll have to quit on them?
Like you work really hard in this BB logic, consuming 2-3 days, but in the end you see it has X limitations and you just have to give up?
Time is rarely wasted because at the very least you gained some experience and often found new angles of how to approach future problems. But yeah, it often happens that you start working on it and during the process, it turns out it doesn't work as you expected. I would say about 10 - 15% falls into that category. However, as mentioned before, I wouldn't call that time wasted.

2. Is malware analyst's (or engineer's) work more like always experimenting or more like implementing known solutions? For example: BB for Ransomware. Do you have to start from scratch with new family, or you can use previous solutions, just fine-tuning them?
It depends. If something uses something completely new, never to be seen before, then we may have to start from scratch. That is incredibly rare though. In most other cases, we will most likely just tune existing rules and routines to cover the new variants as well. The majority of the time our lab people spend tracking down new families and making sure they properly covered by adjusting existing detections or writing new ones.

There is also this wrong notion people have about signatures. Like they think it's a hash or just a pattern or string that you look for. That notion is completely wrong for almost every single AV out there. Sure, signatures can be hashes or patterns for example, but those are incredibly inefficient signatures as they either require you to read large portions (or even the entire!) file or they are trivial to circumvent. For the past two decades or so, signatures are more like little programs or functions that are being called based on filter criteria.

If you are curious, I can show a couple of screenshots of the tools we use to create our signatures for out scan engine for example and what signatures look like for a lot of other scan engines as well.
 

Marko :)

Level 24
Verified
Top Poster
Well-known
Aug 12, 2015
1,315
We may. The problem is, that ultimately with these free AVs you as a user pay with your data. That's generally speaking something we don't feel very comfortable with. Especially given that not a lot of people are even aware of it.

Recently I was kind of surprised to see that an otherwise super privacy conscious user had Traffic Light installed for example. It doesn't seem to be common knowledge that Traffic Light and a bunch of other browser extensions (Comodo Online Security Pro, Norton Safe Web, Avira Browser Safety, Avast Online Security being the biggest ones) like it will literally send every single URL you visit in clear text off to the vendor's server. The privacy policies aren't always clear and kinda sketchy at times. I am sure that some people don't mind. But I am also sure that a lot of people do mind, but simply don't know.
I am aware of that. But, could the free AV be paid off with some kind of (user and privacy friendly) ads inside the program and partnerships with other security related companies?

When I said "ads", I didn't think on those annoying banners or popups showing constantly, but rather nice, useful ads that don't follow you around. And when I said "partnerships", I specifically meant on something like offering products like LastPass that are actually useful and can help users, instead of web browsers and toolbars.
 

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,041
If you are curious, I can show a couple of screenshots of the tools we use to create our signatures for out scan engine for example and what signatures look like for a lot of other scan engines as well.
No need to ask twice :p

Talking about upcoming console - will it have 2FA? I believe it is a must for every such feature that controls computer's security.
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
No questions about my whereabouts. I recently moved from Germany to the UK because of some real-life threats made against me by some less-than-pleasant people. It's actually one of the reasons I stopped releasing decrypters myself, although that is about to start up again.
This sounds horrible, hope things goes much better in the UK. I have really nothing to ask, but im very happy to see youre hosting such a Q & A here on MT(y) EEK & new extension are products im using, really looking forward other softwares aswell, thanks.
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
I am aware of that. But, could the free AV be paid off with some kind of (user and privacy friendly) ads inside the program and partnerships with other security related companies?
There's no such thing as a privacy-friendly ad in my opinion. Being privacy-friendly (or even user-friendly) is not in the interest of any advertiser. They want to "hack" your brain to influence your decisions.

We often do offer bundles. We had one with RoboForm recently I think. These types of bundles are usually two-sided. Meaning, when you buy EAM, you get RoboForm for free. But it also means, that if you buy RoboForm, you get EAM for free. So that's probably the closest you can get to your suggestion. Plus it doesn't involve banners. ;)
 

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
I think this is a great idea to start with: For the first time in my life I'm lost for words & can't think of a question. However the last licence I bought as I remember was in conjunction with the German company 'Softmaker' & I got a 3 user licence. Actually a couple of friends/relatives bought separate licences from you because they saw I was using it (Emsisoft) on all PC's & for reasons unclear they trust my judgement :eek: - Do you have any plans to do such things in the future?
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
Honestly, I've never understood the hatred for pineapples on pizza. I've personally never had it, but seeing as though I eat pretty much anything, I don't see why I wouldn't like it. Especially if it's pizza! :giggle:
Hawaiian Pizza for dinner it is then. I will report back. ;)

Talking about upcoming console - will it have 2FA? I believe it is a must for every such feature that controls computer's security.
Yes. We are not entirely sure which method to support yet though.

Does using the most recent engine mean using the most recent sigs? (Aside from the invisible sigs, which you already mentioned,)
In general, yes. There can always be syncing delays though. But those are on average less than 1 minute in our case.
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
Do you have any plans to do such things in the future?
We do have offers up the majority of the time. In fact, if you would like us to offer a bundle with a particular software you like very much, let me know and I will tell marketing to seek them out and with a bit of luck they may show up as a bundle offer in the future. :)
 

Fabian Wosar

From Emsisoft
Thread author
Verified
Developer
Well-known
Jun 29, 2014
260
What are the main languages EAM is written in?
It's a mix of Delphi (most of the UI and "business stuff"), C++ (most of the core detection components), C (drivers and parts of the behaviour blocker), assembly (some parts of the behaviour blocker). Server-backend uses C# and Python. There's also some PHP somewhere, but that one system is about to be replaced - thankfully. We also have and use our own domain-specific programming language for our signatures by the way.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
We no longer have major releases, to be honest. There are monthly releases. Some of them can change more than others though. :)

But yes. A lot of people noticed how the user interface in EAM changed a lot. Some people felt it was a little bit weird and didn't like it. Especially since people were wondering why we changed it in the first place and why the layout resembled that of a web page so much. The answer is quite simple: Because it is also a webpage.

Before I show you some screenshots: Keep in mind this is all still work in progress. Things may change. It may not look exactly like that. You know, the usual spiel. All these features will also be available to all users. Whether you have a single license just for yourself, manage the systems for your whole extended family, or are responsible for a company network. Doesn't matter. If you want, you can use it. No extra costs. That being said, you aren't forced to use it. We have no intentions to discontinue to the local user interface anytime soon.

But let's get to the good stuff. Over the past couple of months, we introduced a new customer portal called MyEmsisoft. In the past, all you could do there was essentially manage your licenses. But that is going to change once we introduce the new workplace feature:

View attachment 210156

Think of workplaces as a group of computers. That can be your home or your company. Essentially when you buy a 3 PC license from us for example, you automatically get a workplace that you can assign 3 PCs to. Workspaces allow you to check and completely control any aspect of EAM in realtime from wherever you want.

This is my little test workspace for example:

View attachment 210157

You can either join a workplace using an already installed EAM installation or you can generate a dedicated installer for it using the interface:

View attachment 210158

You can create groups and settings templates for each group and use those to apply settings to the different systems. You can also lock down installations or make decisions online on the user's behalf. So instead of your mum calling you up asking for help, you can just help her right away from your phone. No remote admin or unclear descriptions necessary. Everything is syncing in real-time. Let's check out the details of one of the systems for example:

View attachment 210159

Looks pretty much like the EAM GUI, doesn't it? You can make all the same changes as you can locally. You can adjust all the settings:

View attachment 210160

You can turn protection modules on or off:

View attachment 210161

Make changes to block lists for example:

View attachment 210162

Plan new scheduled scans:

View attachment 210163

Of course, you can check out the logs just as well:

View attachment 210164

You are also able to do scans and manage the quarantine, although that's not in the current stable version at the moment so I can't show you screenshots of it just yet. The important thing though is, that EAM will have a permanent connection to the cloud in the future to exchange data in real-time. It will be perfectly capable of working without it (if you don't have Internet for example), but if you can use it, it allows for a number of interesting possibilities. The most obvious one is updates. Instead of polling for new updates once an hour, which potentially means you may not have the latest detection updates for up to 59 minutes, we can push new detections in real-time to your system. We can also query your system for more information, if the detection algorithms deployed in the cloud may think it would be beneficial. So instead of having a one-way communication between EAM and our backend servers, the backend servers can initiate communication and talk to your installation if required.

Keep in mind that is just the first step of the rollout. We will work to extend it over time. This includes things like reporting and statistics, but we will also use the ability to talk to clients to improve overall detection for example.

As always, we have the privacy of our users in mind. So all of this is done while ensuring your data stays private. For example, we don't upload any of your files to the cloud in the background unless you initiate it by pressing a submit button for example.

Overall, we are pretty excited about it.
This is interesting but do you plan on securing the emsisoft account more with 2 step authentication now that you can control so many crucial stuff from there? Some other big players a while back when I tested didn't and it was hilarious as they even allow a wipe drive feature. JOY!
If you already did it sorry as I am not an eam user for a few months now (checked now but can't see 2-step) but if the new big stuff is interesting I might switch back to it.
I know if I don't use an emsisoft account and use google I could get 2-step but I am not a fan of interconnecting services.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top