Advice Request What's good about Emsisoft?

[ForgottenSeer 823865]

Not saying WD by itself is just a RT scanner with cloud lookup, no BB, no webfilter. It does what it is supposed to do, give free basic decent protection to average joe.

depends what you mean, eg GPO is well documented and has a good UI,

Average Joe don't use Win10 Enterprise, don't even know what is GPO...Average Joe want automated security software doing all by itself and stopping 200% of malware without user input. And if it failed because they happy click, they will blame the AV because "it didn't do what I paid for"

 

[bribon77]

I like Emsisoft, because it is not inflated, and does its job its configuration is more than enough to be protected. starting from the premise that there is no AV 100% and that everyone at some point fail and that we are not all HUB testers. For me it's good

 

[Solarquest]

Emsi is easy to use...setup, choose to enable Pup detection, run update and you're ready to go.
You can configure something but not really much, not deep.
Each module does what it is supposed to do, only BB covers BB, anti-exploit and anti-ransomware under one hood.
I personally liked it more in the past, e.g where BB offered more Infos in its main panel (now you have to select each process and check its property to see/trigger cloud reputation check).
Other options (or even modules) for advanced user would also be welcome but Emsi decided not to offer them to keep all simple for normal user.

 

[show-Zi]

This is my personal impression of emisi.
It's not a big company, so the software design philosophy is clear. I feel that the UI is lacking, but I think it is correct when considering general users as the target of the market.
The reliability of the support is also wonderful. They responded to my boring question after a few hours. In the case of a big company, there are cases where support is not contacted or left unattended.
I take the results of the detection test for reference only. I don't think emisi cares much about the detection test.

The only problem is that emisi's agents in Japan have not updated their HP for years.

 

[Digmor Crusher]

Probably the best customer service and respect for customers privacy in the business, and a darn good AV too.

 

[AlexCa]

For whatever is worth (i'm no expert in av's or av testing whatsoever), some months ago I was considering to subscribe to an AV, and did a test: wrote a simple program that would delete everything in the Desktop and Documents folder as soon as it was executed, without any warning or consent (something that i definitely wouldn't want to happen in my computer). Then I put some folders and files in the Documents and Desktop folders, and proceeded to execute the program. Tested with several AV's, and Emsisoft was the only one that, even though not totally, blocked it. The behavior blocker kicked in, and stopped it. Some files were still deleted, but still most were preserved. I was honestly very surprised that Emsisoft was the only one that stopped that action. I've tested this in a VM, by manually putting the program in the desktop and running it. Maybe in other scenarios (like if the file was downloaded from a website) the other AV's I've tried would block it too. Like I said, I'm no expert in AV testing and did this by curiosity while considering to buy an AV.

 

[notabot]

Out of the box, WD is garbage unless you know what you're doing. Out of the box Emsisoft is amazing. Each to their own though.

~LDogg

Out of the box, I'd ship it as is with BAFS

For whatever is worth (i'm no expert in av's or av testing whatsoever), some months ago I was considering to subscribe to an AV, and did a test: wrote a simple program that would delete everything in the Desktop and Documents folder as soon as it was executed, without any warning or consent (something that i definitely wouldn't want to happen in my computer). Then I put some folders and files in the Documents and Desktop folders, and proceeded to execute the program. Tested with several AV's, and Emsisoft was the only one that, even though not totally, blocked it. The behavior blocker kicked in, and stopped it. Some files were still deleted, but still most were preserved. I was honestly very surprised that Emsisoft was the only one that stopped that action. I've tested this in a VM, by manually putting the program in the desktop and running it. Maybe in other scenarios (like if the file was downloaded from a website) the other AV's I've tried would block it too. Like I said, I'm no expert in AV testing and did this by curiosity while considering to buy an AV.

Thanks for sharing this, it looks like Emsisoft's BB is working well!

 

[notabot]

regarding AMSI, at

Emsisoft Help

support.emsisoft.com

I see ,

we may make use of some AMSI features, however keep in mind that EAM needs to run on Windows 7 and Windows Server 2008 R2 as well, so there's not much point in implementing a bunch of features that only work on Windows 10. Most of what our protection does is done through API's that work on every version of Windows we officially support, that way the level of protection doesn't change based on the Operating System's features.

Doesn't sound to me like AMSI support is a core feature

 

[ForgottenSeer 823865]

Anyway, few uses AMSI, and if you worry about powershell, you have severals tools to block its scripts like SysHardener.

 

[notabot]

Anyway, few uses AMSI, and if you worry about powershell, you have severals tools to block its scripts like SysHardener.

I don't want to block the interpreters, I want them "covered" by an AV, hence my persistence on AVs having a good AMSI module.

 

[ForgottenSeer 823865]

I don't want to block the interpreters, I want them "covered" by an AV, hence my persistence on AVs having a good AMSI module.

In case of fileless malware, if you mind them, an AV with AMSI won't do much, the malware embarking its own interpreter and running it in memory. bye bye AVs.

 

[notabot]

In case of fileless malware, if you mind them, an AV with AMSI won't do much, the malware embarking its own interpreter and running it in memory. bye bye AVs.

That is clear, but if the malware has its own interpreter, which is injects into an existing exploited whitelisted app, whitelisting can't do much either,. Given that this is a risk that can't be mitigated in a satisfactory manner at this point, for the cases where the malware does use installed interpreters, I want to fallback on AMSI, not disable the interpreters via whitelisting/blacklisting.

 

[MacDefender]

For whatever is worth (i'm no expert in av's or av testing whatsoever), some months ago I was considering to subscribe to an AV, and did a test: wrote a simple program that would delete everything in the Desktop and Documents folder as soon as it was executed, without any warning or consent (something that i definitely wouldn't want to happen in my computer). Then I put some folders and files in the Documents and Desktop folders, and proceeded to execute the program. Tested with several AV's, and Emsisoft was the only one that, even though not totally, blocked it. The behavior blocker kicked in, and stopped it. Some files were still deleted, but still most were preserved. I was honestly very surprised that Emsisoft was the only one that stopped that action. I've tested this in a VM, by manually putting the program in the desktop and running it. Maybe in other scenarios (like if the file was downloaded from a website) the other AV's I've tried would block it too. Like I said, I'm no expert in AV testing and did this by curiosity while considering to buy an AV.

Just for fun I repeated that test today. Used Visual Studio to make two C# applications:

(1) Simulated ransomware: creates a simple password protected zip file of Desktop and My Documents then goes and deletes files one by one.
(2) Simulated generic malware: upon running downloads a second binary from my web server and executes that. The second binary copies itself to another location and then tries to register that as a startup item.

I had Symantec Endpoint Protection, F-Secure SAFE, and Emsisoft virtual machines around for testing.

All 3 flagged the second one — F-Secure and Emsisoft caught it as it attempted to download and execute the second payload. SEP flagged it after it attempted to register as a startup item.

The simulated ransomware test was super interesting. F-Secure flagged it as a DeepGuard detected cryptoransomware, and pointed out specifically it was because it was manipulating files in a protected folder. Emsisoft also flagged it as suspicious behavior (nothing specific) and started a 10 second countdown before deleting it. SEP was totally silent as was the default settings for Windows Defender.... that was kind of shocking to me since SONAR is regarded as a great behavior blocker. I even tried adjusting as many of the SONAR and heuristics/Bloodhound settings as I could find, no change.

I’m also not a malware tester, I am an application developer by day. But for me this definitely influences my decision — especially since the first test actually resulted in losing all my simulated files with Windows Defender and SEP.

Just as a disclaimer, I didn’t spend much time trying more creative ways of encrypting user data. Most real ransomware use more clever tactics than the first StackOverflow result for zipping up files in a directory....

I am also a bit disappointed in static heuristic analysis by all of these programs. Looking at the disassembly it is fairly obvious what it is doing — less than half a page of IL assembly and references to password protected encryption, getting My Documents location, looping through files.

 

[ForgottenSeer 823865]

That is clear, but if the malware has its own interpreter, which is injects into an existing exploited whitelisted app, whitelisting can't do much either,.

Solutions that protect the memory (basically Anti-exploits) or prevent an app to modify the memory space of another are still relevant.

 

[notabot]

Solutions that protect the memory (basically Anti-exploits) or prevent an app to modify the memory space of another are still relevant.

They're not bulletproof, in another thread an AV dev explained to me why even stopping stack based exploit is not easy - I had thought otherwise due to the clear semantics but turns out even that is not as simple.

I'm not arguing if whitelisting is more secure btw, it clearly is more secure but I want to rely on AMSI, not whitelisting for fileless.

 

[notabot]

Just for fun I repeated that test today. Used Visual Studio to make two C# applications:

(1) Simulated ransomware: creates a simple password protected zip file of Desktop and My Documents then goes and deletes files one by one.
(2) Simulated generic malware: upon running downloads a second binary from my web server and executes that. The second binary copies itself to another location and then tries to register that as a startup item.

I had Symantec Endpoint Protection, F-Secure SAFE, and Emsisoft virtual machines around for testing.

All 3 flagged the second one — F-Secure and Emsisoft caught it as it attempted to download and execute the second payload. SEP flagged it after it attempted to register as a startup item.

The simulated ransomware test was super interesting. F-Secure flagged it as a DeepGuard detected cryptoransomware, and pointed out specifically it was because it was manipulating files in a protected folder. Emsisoft also flagged it as suspicious behavior (nothing specific) and started a 10 second countdown before deleting it. SEP was totally silent as was the default settings for Windows Defender.... that was kind of shocking to me since SONAR is regarded as a great behavior blocker. I even tried adjusting as many of the SONAR and heuristics/Bloodhound settings as I could find, no change.

I’m also not a malware tester, I am an application developer by day. But for me this definitely influences my decision — especially since the first test actually resulted in losing all my simulated files with Windows Defender and SEP.

Just as a disclaimer, I didn’t spend much time trying more creative ways of encrypting user data. Most real ransomware use more clever tactics than the first StackOverflow result for zipping up files in a directory....

I am also a bit disappointed in static heuristic analysis by all of these programs. Looking at the disassembly it is fairly obvious what it is doing — less than half a page of IL assembly and references to password protected encryption, getting My Documents location, looping through files.

This is actually quite useful & thanks for this ! I'm sure as well there are more advanced techniques but if other BBs don't catch these simple exercises, I'll lose confidence in them.
It's a shame there's standardised test suite to run against BBs - Your exercise shows most would fail even the first things one would test for.

So Emsisoft is the only product whose BB is not utterly broken

 

[ForgottenSeer 823865]

So Emsisoft is the only product whose BB is not utterly broken

Well-known fact, especially when you know its lead dev skills.

I miss my old Combo: Emsisoft AM + Emsisoft Online Armor.

 

[jasonX]

Well-known fact, especially when you know its lead dev skills.

I miss my old Combo: Emsisoft AM + Emsisoft Online Armor.

Now that is a great combo there! I remember it and I loved it too! Too bad OA wet pfft...

 

[MacDefender]

This is actually quite useful & thanks for this ! I'm sure as well there are more advanced techniques but if other BBs don't catch these simple exercises, I'll lose confidence in them.
It's a shame there's standardised test suite to run against BBs - Your exercise shows most would fail even the first things one would test for.

So Emsisoft is the only product whose BB is not utterly broken

I think F-Secure DeepGuard is also worth an honorable mention. I like that the company has a white paper that documents how their BB works and it makes a lot of sense. I don’t like that DeepGuard uses the delivery mechanism (download vs external drive vs magically showing up on disk) to influence how aggressively it monitors — I would like to be able to command it to be suspicious of a binary even if it’s just sitting on a local drive.

But yeah overall Emsisoft is my favorite. My main criticism of their BB is that the detection signatures are not specific. DeepGuard gives signature-like names like W32/Behavior.Cryptolocker!DeepGuard that make it super clear which engine flagged it and what it acted like. Emsisoft sometimes just says that it blocked suspicious behavior or “the anti malware network recognized this as DANGEROUS” and that’s great for an average joe, but as a technical user I would like a better explanation.

(BTW, Norton/Symantec is also fairly communicative and feature rich but after seeing many ways where SONAR/BB either reacts late or not at all, I don’t feel confident. New and emerging threats matter the most to me — for signature based detection I have no problem with uploading it to VirusTotal or trusting one of dozens of signature engines that scores 99.xxx% these days)

 

[Nightwalker]

This is actually quite useful & thanks for this ! I'm sure as well there are more advanced techniques but if other BBs don't catch these simple exercises, I'll lose confidence in them.
It's a shame there's standardised test suite to run against BBs - Your exercise shows most would fail even the first things one would test for.

So Emsisoft is the only product whose BB is not utterly broken

Kaspersky System Watcher (Behavior blocker module) is even better.