notabot

Level 15
Kaspersky System Watcher (Behavior blocker module) is even better.
Kaspersky is probably the best product overall, given default settings. The main reason I'm not considering it is lack of cloud dashboard for remote administration, which Emsisoft does offer.
I had used Kaspersky during the '00s and for a brief period in one of my laptops during '14-'15, it's an excellent product but here I'm really working backwards from a requirements list, and K doesn't tick a major box (cloud dashboard).
 

notabot

Level 15
I think F-Secure DeepGuard is also worth an honorable mention. I like that the company has a white paper that documents how their BB works and it makes a lot of sense. I don’t like that DeepGuard uses the delivery mechanism (download vs external drive vs magically showing up on disk) to influence how aggressively it monitors — I would like to be able to command it to be suspicious of a binary even if it’s just sitting on a local drive.

But yeah overall Emsisoft is my favorite. My main criticism of their BB is that the detection signatures are not specific. DeepGuard gives signature-like names like W32/Behavior.Cryptolocker!DeepGuard that make it super clear which engine flagged it and what it acted like. Emsisoft sometimes just says that it blocked suspicious behavior or “the anti malware network recognized this as DANGEROUS” and that’s great for an average joe, but as a technical user I would like a better explanation.

(BTW, Norton/Symantec is also fairly communicative and feature rich but after seeing many ways where SONAR/BB either reacts late or not at all, I don’t feel confident. New and emerging threats matter the most to me — for signature based detection I have no problem with uploading it to VirusTotal or trusting one of dozens of signature engines that scores 99.xxx% these days)
F-Secure unfortunately doesn't have a cloud console, which while not interesting for all users is a hard requirement as not all family machines are close-by.
 

Slyguy

Level 43
Also I would like to add that I really respect Emsisoft's decentralized development. In an age of govt, criminal, corporate and military espionage it is wise to be how they are to be honest and makes it much less likely they'll suffer something like a backdoor and/or update channel compromise.
 

Huchim

Level 5
Verified
Malware Tester
Interesting topic. I haven't tried Emsisoft since they deprecated the Internet Security version. I have just one question: does the user get Windows Firewall alerts, for example when a VPN starts for the first time? I consider it annoying. Also, do you notice a high price due to your region localization? Here it is more expensive than any other AV (Latin America).
 

notabot

Level 15
Interesting topic. I haven't tried Emsisoft since they deprecated the Internet Security version. I have just one question: does the user get Windows Firewall alerts, for example when a VPN starts for the first time? I consider it annoying. Also, do you notice a high price due to your region localization? Here it is more expensive than any other AV (Latin America).
I'm not sure. With a VPN the user no longer sits behind a NAT, so they need public network settings, not private ones. I don't use a VPN, but if I did, it would be a hard requirement for the firewall to switch to private and ask for new rules.
 

rockstarrocks

Level 19
Verified
Here is what's good about Emsisoft (using it for about 1.5 years):
1. Stays out of my way (pretty lightweight in terms of system responsiveness, app launch and boot times; not in terms of RAM usage, which is not a big issue tbh. Uses about ~300 MB on my system when idle.)
2. Provides one of the best customer support.
3. They are really strict about privacy issues.
4. Less buggy than other AVs (for my system, i.e. your mileage may vary. Especially Bitdefender; it took them more than 1 year to fix the update bug.)
5. No useless features (AKA bloatware like system optimizer, privacy cleaner, etc.)
6. Really straightforward, beautiful UI (subjective), no digging deep in the settings to change something (although they have really dumbed down the advanced settings, but it's OK for the average Joe I guess)
7. Doesn't do MITM web scanning (positive for me, because I have to disable it on every other AV. You can use a browser extension if you really need to do that)
8. Really good against PUPs (Occasionally there are some FPs, but they are pretty obvious, so not a big deal)


Interesting topic. I haven't tried Emsisoft since they deprecated the Internet Security version. I have just one question: does the user get Windows Firewall alerts, for example when a VPN starts for the first time? I consider it annoying. Also, do you notice a high price due to your region localization? Here it is more expensive than any other AV (Latin America).
I haven't seen a single firewall alert from EAM since I started using it.
 

notabot

Level 15
Thanks for the detailed response!
 

DDE_Server

Level 8
I have been using it for almost 2 years and have the same opinion :) :)
 

Cortex

Level 12
Customer support, its simplicity, plus it can be set up quickly, and should you wish to remove it, it has the best AV uninstaller there is. The ethics of the company is a huge plus point for me, and it seems for others too; it's a good choice and probably my favorite AV.
 

Fabian Wosar

From Emsisoft
Verified
Developer
Excessive reply incoming. I would say I am sorry, but I am not really. :p

1) Its BB is praised; however, how does it compare to ASR rules? Is there a complete list of what it blocks? Is there a test suite like MS's test suite for ASR?
There's no public list and it would be difficult to come up with one, as a lot depends. Think of it more as a point system where different actions and attributes of the application increase or lower the rating. There are some more specific rules that target specific exploits or behaviours (like Office applications trying to run script interpreters for example), but they aren't public. We do have plans to give users more insights into how the behaviour blocker came up with its decision, but there are more important things on the list for now.

2) To the best of my understanding, it doesn't look like it supports AMSI, so I wonder how it scores against fileless.
AMSI is fully supported. So is IOfficeAntiVirus.

3) there's little data from testing Labs so it's hard to rank it against other products.
We kind of dropped out of them, mostly because we disagree with a lot of the politics and pricing going on. You can literally buy a Tesla Model 3 for what some of the test labs demand a year (~50k US). A lot of test labs also adhere to AMTSO, which is problematic on a completely different level. Again, lots of politics and general bullshit going on.

4) It's not a full suite, e.g. while it has exploit mitigation, my understanding is that it offers no exploit prevention module similar to MS' Exploit Guard, and while its BB can protect from ransomware, it lacks something like Controlled Folder Access should malware get past the BB.
We don't have either, but you can continue to use both features when using EAM. In general we try not to duplicate features too much.

Cheap and efficient enough for the needs of average joe.
I can assure you BitDefender is not cheap. :p

Thanks for this. Did they score among, e.g., the top 3 in their latest lab score?
We usually list reviews here:

It's mostly AVLab/CheckLab and VB100 at this point.

Does Windows Exploit Guard still work when Emsisoft is installed then?
It does.

Also, Windows Firewall is very good but it lacks a good UI; also, being able to administer it via the Cloud Console for all my machines would have been a 5-star feature in its own right.
Who knows ...

Has quality dropped since the focus moved to the average consumer then? Or does the product remain good?
That probably depends on who you ask. The metric we look at the most is the number of infected customers. We track these numbers both via support requests but also through data that Microsoft makes available to their partners (MSRT but also through other telemetry they collect). Those numbers have been consistently low for us, much lower than the industry standard. I can't really share the exact numbers, due to NDAs, so feel free to dismiss this as marketing if you don't think I am a credible source or spin things a certain way. But you can check out all those malware removal communities (including our own forum) to look for users who had EAM installed at the time of their infection and you won't find many.

I wish they would add something like the "Trusted application module" in Kaspersky, to have the capability to work as a default-deny solution.
@Fabian Wosar, may it be added in the near future??
We are at the moment toying with the idea of allowing users to enable cloud lookups for all applications they run. So before an application is allowed to run, EAM would query our cloud backends to see if we know this file is good, bad, or is currently unknown. It's something a lot of users have requested over the years but we have been hesitant mostly because of privacy concerns. That being said, it would be a natural progression to have an option that allows you to limit the system to only run known good applications.

Also, does Emsisoft install any kernel-level code, or does it leverage Windows APIs 100% and not come with its own kernel module? (I'd view being 100% userspace software as a huge plus.)
Obviously, we have our own drivers. That's just a requirement really because a lot of the interesting APIs to watch file system actions or filter network traffic only exist in kernel mode. We do limit ourselves to official APIs as much as possible, but that is not always possible (especially when it comes to some of the exploit mitigation stuff). We are a lot less hacky than most other products, which is probably the reason why we haven't bricked systems so far after a Windows update made some changes to undocumented kernel structures or threw assumptions about memory layout out the window. The number of undocumented things we use can probably be counted on one hand (mostly in relation to intercepting APCs).

With the focus towards the median user, does it feel like a black box?
Each component is configurable and you can finetune certain aspects. I think most people would probably criticise that how certain decisions came to be isn't always transparent to them. At the moment those insights into decisions are hidden behind labels. For example, the log may say Behaviour.CryptoMalware was the reason a certain file was quarantined by the behaviour blocker, which probably gives you an idea that the BB thinks the application looks like ransomware, but doesn't necessarily explain to you why it thinks that it is.

I take the results of the detection test for reference only. I don't think Emsi cares much about the detection test.
We do care more about prevention tests and real-life infection statistics than we do about simple detection tests, correct. That doesn't mean that we don't care about detection tests at all.

Doesn't sound to me like AMSI support is a core feature :unsure:
Trust me, it is:

[screenshot attachment]


I threw the Get-MpThreatDetection in there just so you can see that it wasn't the Windows Defender AMSI provider who blocked it. ;)

Here are the commands in case you want to try it yourself:
Code:
# Base64 of the EICAR test string, so the plain string never appears in the typed command or in the console history.
[string] $EncodedEicar = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='
# The EICAR string is plain ASCII, so decode it as ASCII; decoding the same bytes as Unicode (UTF-16) would produce garbage rather than the EICAR string.
$EicarCommand = [System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($EncodedEicar))
# Hand the string to the PowerShell interpreter; Invoke-Expression passes it through AMSI before it is parsed or run.
Invoke-Expression $EicarCommand
This is essentially completely harmless code. All it does is put the EICAR test file into a string and tries to execute it. Every AV with AMSI support should block it, provided they detect EICAR. If they don't, PowerShell will throw an error that this isn't valid PowerShell code (which is true). Makes for a low risk test anyone can perform at home.

I want to fallback on AMSI, not disable the interpreters via whitelisting/blacklisting.
AMSI is unfortunately trivial to bypass. Not saying it is bad because of it, just making sure you are aware of its limitations.

So Emsisoft is the only product whose BB is not utterly broken :unsure:
I wouldn't go that far. But we are somewhat decent.

But yeah overall Emsisoft is my favorite. My main criticism of their BB is that the detection signatures are not specific. DeepGuard gives signature-like names like W32/Behavior.Cryptolocker!DeepGuard that make it super clear which engine flagged it and what it acted like.
We have similar labels inside the log file.

Interesting topic. I haven't tried Emsisoft since they deprecated the Internet Security version. I have just one question: does the user get Windows Firewall alerts, for example when a VPN starts for the first time? I consider it annoying. Also, do you notice a high price due to your region localization? Here it is more expensive than any other AV (Latin America).
Price has always been a big contention point, especially in some low income areas. Ultimately it is true that we aren't the cheapest option, but in return you actually get someone to talk to if you ever have any issues.

I haven't seen a single firewall alert from EAM since I started using it.
EAM doesn't issue firewall alerts on its own. It will only alert you if an application that is not trustworthy tries to mess with the Windows Firewall. Other alerts that may be the result of suspicious network activity will be masked as behaviour blocker alerts, as the behaviour blocker is essentially also an application-based firewall that just makes decisions on its own.
 

notabot

Level 15
Thanks for the very detailed response Fabian ! much appreciated !

Does your AMSI module block obfuscated/encrypted/high-entropy scripts? Also, a couple of questions specific to Python AMSI:

1) does your module cover/include python?
2) While other runtimes covered by AMSI have a de facto installation point, as they usually come from Microsoft, Python typically has no default installation point (i.e. Visual Studio and python.org install the Python runtime at different points by default), and there are also venvs, with which we effectively end up with an interpreter per project. Does your AMSI module deal with these Python-specific factors (incl. venvs), or would it only work with the interpreters pointed to by global environment variables?

Also regarding Javascript, would AMSI be turned on if someone has installed node.js runtimes on their machine, or it would only work with the default microsoft interpreter?

I realize AMSI has issues, but it is what it is, whitelisting interpreters is unfortunately not an option so even if flawed I want to be sure it works as well as possible.

Features like: Windows Firewall Config via web dashboard and cloud check before allowing an app to run would be awesome ( provided the cloud checkup can cope well with updates when the hash changes ) -- these are really cool things that would be huge pluses imo. It's really awesome that the web console is out for home users btw

Also, one question about your BB. Let's say, for the sake of argument, that a user visits a webpage using Chrome; the webpage in turn runs an exploit and compromises Chrome. Chrome is now acting maliciously, i.e. trying to launch other already-installed binaries, or it opens a port, or starts a PowerShell process, or uses COM interfaces that Chrome does not normally use, etc. These are not common behaviors for Chrome, but they're not easy to detect unless someone keeps track of the usual (parent process, child process), (process, DLLs commonly loaded), (process, COM interfaces) interactions. Does the BB check for such things, or would the performance hit be too big?
I'm asking because, no matter how hardened, the browser can always be a weak link. If Emsisoft does do these checks, then e.g. I'd be happy to stop using Application Guard for browsing.
 
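The (parent process, child process) bookkeeping the question above describes, written out as an added example. This is not Emsisoft's behaviour blocker and not code from this thread: it is a small baseline check of the kind a detection engineer would run over process-creation telemetry. The baseline table and the four sample events are constructed for illustration (hypothetical paths and command lines), the function and variable names are choices made here, and the live-data path at the end assumes Sysmon with Event ID 1 logging enabled.

```powershell
# Added example (not Emsisoft's behaviour blocker, not code from the thread):
# a parent/child process baseline of the kind described above. The baseline
# table and the sample events are constructed for illustration.

# Parent image -> children observed during a clean learning period
# (hypothetical content; a real one is learned from your own fleet).
$script:Baseline = @{
    'chrome.exe'   = @('chrome.exe')
    'explorer.exe' = @('chrome.exe', 'powershell.exe', 'winword.exe', 'notepad.exe')
    'winword.exe'  = @('splwow64.exe')
    'services.exe' = @('svchost.exe')
}

# Children that deserve a louder reason when they appear under an unexpected parent.
$script:InterpreterChildren = @(
    'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'
)

function Get-ProcessAnomaly {
    # Emits one record per process-creation event whose (parent, child) pair is
    # not in the baseline. Accepts events by parameter or by pipeline.
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$InputEvent)
    process {
        foreach ($e in $InputEvent) {
            $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
            $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
            $known  = $script:Baseline[$parent]
            $reason = $null
            if ($null -eq $known) {
                $reason = 'parent never seen in baseline'
            } elseif ($known -notcontains $child) {
                $reason = if ($script:InterpreterChildren -contains $child) {
                    'unexpected script interpreter / LOLBin child'
                } else {
                    'child not in baseline for this parent'
                }
            }
            if ($reason) {
                [pscustomobject]@{
                    UtcTime     = $e.UtcTime
                    Parent      = $parent
                    Child       = $child
                    CommandLine = $e.CommandLine
                    Reason      = $reason
                }
            }
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Maps live Sysmon Event ID 1 records onto the fields Get-ProcessAnomaly reads.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime = $data.UtcTime; ParentImage = $data.ParentImage
            Image   = $data.Image;   CommandLine = $data.CommandLine
        }
    }
}

# Constructed sample events using Sysmon Event ID 1 field names.
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2019-10-24 10:00:01'; ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; CommandLine = 'chrome.exe --type=renderer' }
    [pscustomobject]@{ UtcTime = '2019-10-24 10:00:05'; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
    [pscustomobject]@{ UtcTime = '2019-10-24 10:00:09'; ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -w hidden -c (payload)' }
    [pscustomobject]@{ UtcTime = '2019-10-24 10:00:12'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c (payload)' }
)

Get-ProcessAnomaly -InputEvent $sampleEvents | Format-Table -AutoSize

# Against live data (needs Sysmon with process-creation logging enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 500 |
#     ConvertFrom-SysmonProcessCreate | Get-ProcessAnomaly
```

On the sample set, the two renderer and explorer launches pass and the two records that come back are chrome.exe spawning powershell.exe and WINWORD.EXE spawning cmd.exe, both with the interpreter/LOLBin reason. The table lookup is cheap, which is the honest answer to the performance question: the cost is not the check, it is collecting the telemetry and learning a baseline that does not drown you in false positives (Explorer legitimately spawns almost everything, so a flat parent-only rule is useless; the pair is what carries the signal).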

Fabian Wosar

From Emsisoft
Verified
Developer
Does your AMSI module block obfurscated/encrypted/high entropy scripts? also a couple of questions specific to Python AMSI
Scripts are generally not high-entropy because they are text. It's difficult to create a high-entropy text file. The entire idea of AMSI in general is, that you don't have to deal with obfuscation or encryption at all, because every function that can evaluate scripts (think eval() in JavaScript/Python or IEX in PowerShell for example) will first pass the string they are about to evaluate/execute to AMSI for scanning.

Your questions kind of suggest that you may not have a clear idea of what AMSI is. AMSI is just a standardised API that any interpreter can use to pass either a memory buffer (think the content of a file, for example) or a string (think a line of script that is about to be interpreted) to an installed AV in a standardised manner. So instead of Python, for example, having to maintain different code to support scanning with Kaspersky, Windows Defender and Emsisoft, they can just use AMSI and whichever AV the user has installed will scan on Python's behalf, provided that the AV actually supports AMSI.

The key point to notice here is, that the interpreter has to use AMSI. So it is irrelevant if we "support Python" for example. Because Python's implementation is responsible to show us the code it is about to execute before it executes it. This also does include things like virtual environments and stuff like that. So whenever you do an "import" in Python, for example, Python would read the file you imported, whether from the global installation location or a virtual environment, and pass that as a string or buffer to AMSI to scan it. Whenever a Python script decrypts a string that contains malicious code for example and passes it into eval() to execute the string as Python code, Python is responsible to hand that string that is about to be eval'd over to AMSI so it can be scanned. That should also explain why blocking encrypted/obfuscated/high-entropy scripts as you called them is unnecessary. Because if the interpreter does things right, they will pass us the decrypted and deobfuscated code eventually, no matter how many layers of encryption and obfuscation have been applied. That is ultimately the true power of AMSI here.

So any question whether we support Python or node.js or any other scripting language with our AMSI module is kind of backwards. If an interpreter supports AMSI, then we support it as well. There is no extra work that an AMSI provider like EAM would have to take in order to support a certain interpreter specifically.

It's really awesome that the web console is out for home users btw
It's a necessity for us really. We are a small company, we don't want to maintain many products in parallel. In addition, pretty much every one of our employees (except maybe some of the marketing people) is also the personal computer technician for their entire extended family and friends, so they know the pain a lot of people who manage like a couple of family PCs feel. Just didn't feel right to us to lock such useful functionality behind a prohibitive paywall or some "minimum licenses required".

These are not common behaviors for Chrome but they're not easy to detect, unless someone keeps track of usual (parent process, child process) , (process, dlls commonly loaded), (process, com interfaces) interactions, does the BB check for suck things or performance hit would be too big?
I'm asking as no matter how hardened, the browser can always be a weak link, if Emsisoft does do these checks, then eg I'd be happy to stop using Application Guard for browsing.
We do detect some anomalies with browsers, but we could probably detect more. The biggest issue is that a lot of these things can't effectively be monitored without injecting code into the browser, which browser vendors do not want you to do (Microsoft blocks it in Edge, Google and Firefox plan to as well). In fact, Chrome will outright tell users to uninstall their AV if they see an AV vendor injecting code into their browser. If the world's number one browser tells their users to uninstall your software and you have a minuscule userbase compared to them, you will have to evaluate whether or not risking your economic livelihood is worth it.
 
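An added example to go with Fabian's two AMSI posts above (the EICAR one-liner and the explanation that the interpreter, not the AV, is the party that must call AMSI). It is not Emsisoft's code and not from the original thread: it plays the interpreter's role itself by P/Invoking amsi.dll (AmsiInitialize, AmsiOpenSession, AmsiScanString) and scans two strings, an obfuscated wrapper as it would sit on disk, and the decoded EICAR string, which is what PowerShell hands to AMSI at the moment IEX runs. The app name AmsiContractDemo, the content names and the reversed-base64 wrapper are illustrative choices made here; it needs Windows with an AMSI-capable product registered, and nothing is executed, only scanned.

```powershell
# Added example, not Emsisoft's code: exercise the AMSI client contract from the
# interpreter's side. The interpreter hands the buffer it is about to evaluate to
# whatever AMSI provider is installed; here we do that call ourselves.

if (-not ('AmsiNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class AmsiNative
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);
    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content, string contentName, IntPtr amsiSession, out int result);
}
'@
}

function Invoke-AmsiScan {
    # One scan per string, exactly what IEX/eval does before interpreting it.
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'demo-script'
    )
    $ctx = [IntPtr]::Zero
    $hr = [AmsiNative]::AmsiInitialize('AmsiContractDemo', [ref]$ctx)   # app name is illustrative
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    $session = [IntPtr]::Zero
    try {
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        $result = 0
        $hr = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, $session, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanString failed: 0x{0:X8}' -f $hr) }
        # AMSI_RESULT: 0 clean, 1 not detected, 0x4000-0x4FFF blocked by admin policy,
        # 0x8000 (32768) and above detected. AmsiResultIsMalware() is result >= 32768.
        [pscustomobject]@{
            ContentName = $ContentName
            Result      = $result
            IsMalware   = ($result -ge 32768)
        }
    }
    finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiNative]::AmsiCloseSession($ctx, $session) }
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# The base64 EICAR blob from the post above, stored reversed so that neither the
# plain test string nor its forward base64 appears in this file (an engine that
# decodes base64 in scanned script text would otherwise flag the demo itself).
$reversedBlob = '=oCSrgEJhUETJZULUNVRU1yUVJVSWlEVOFULEJVQE5UQUNVLSF0QJVEJ9dTKDN0Np4FUoQTNYpFUcRzWQFEQlAVIPVDW'
$encodedEicar = -join $reversedBlob[-1..-($reversedBlob.Length)]
$innerLayer   = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($encodedEicar))

# Outer layer: the obfuscated script as it would sit on disk. Executing it would
# un-reverse, base64-decode and IEX the EICAR string; at that point PowerShell
# would pass the decoded string (the inner layer) to AMSI. Here it is only scanned.
$outerLayer = "IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((-join '$reversedBlob'[-1..-$($reversedBlob.Length)]))))"

Invoke-AmsiScan -Content $outerLayer -ContentName 'outer-wrapper'
Invoke-AmsiScan -Content $innerLayer -ContentName 'inner-decoded'
```

With any registered provider that detects EICAR, inner-decoded comes back with IsMalware True; what outer-wrapper returns depends on how much static unwrapping that engine bothers with, and that is precisely the layer AMSI lets a provider stop caring about, because the interpreter shows it the unwrapped string anyway. Two checks worth keeping from this: each call must return HRESULT 0 before the result means anything, and a result below 32768 from an unregistered or non-participating provider is "not flagged", not "safe". The bypass Fabian mentions is the flip side of the same contract: the scan happens inside the interpreter's process, so code that already runs there can patch the call out.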
We have similar labels inside the log file.
Thank you for these extremely informative posts! Indeed I made a correction post (too late to edit) about this oversight as well -- it wasn't super obvious for me to look at the detection log versus trying to click something on the popup banner.

BTW your cloud console is totally brilliant for home users too. I run some VMs (and also manage my parents' computers) and it goes without saying that just getting email infection alerts is a huge step up, without having to pay for expensive enterprise endpoint protection.

I've had rather positive experiences with Emsisoft's BB. I used to think it's between Emsisoft and KSW for the BB crown but lately F-Secure has caught my eye. I'm a developer but not a malware expert, but just writing random PowerShell scripts and .NET/C++ programs that do pseudo-suspicious things, Emsi and F-Secure DeepGuard were most likely to flag that there's something odd about their behavior.
 

Solarquest

Moderator
Verified
Staff member
Malware Hunter
We are at the moment toying with the idea of allowing users to enable cloud lookups for all applications they run. So before an application is allowed to run, EAM would query our cloud backends to see if we know this file is good, bad, or is currently unknown. It's something a lot of users have requested over the years but we have been hesitant mostly because of privacy concerns. That being said, it would be a natural progression to have an option that allows you to limit the system to only run known good applications.
Great news, looking forward to finally seeing this option!
 

davisd

Level 2
Verified
Still having an active Emsisoft subscription and renewing it every year just for the hope, but not gonna re-use it until they jump off the BitDefender train. Didn't see anything wrong with the Ikarus engine. Now, however good and polished Emsisoft's behaviour blocker is, I find it irrelevant to talk about it when there's the idiot-proof 90% BitDefender engine backing it up. If the BitDefender engine weren't cheap, plenty of new and self-proclaimed "security" companies wouldn't use it as the ONLY way to detect malware; as you inspect them more in depth, you spot that they have no clue about security nor about making something by themselves. AV in Paint + BitDefender engine = make profit.