What's good about Emsisoft?
<blockquote data-quote="Fabian Wosar" data-source="post: 841362" data-attributes="member: 24327"><p>The scan engine doesn't care about digital signatures at all. Well, technically we use digital signatures to create detections for PUPs a lot because most PUP companies are nice enough to sign all the crap they release using their certificates. The behaviour blocker does consider certificates to some extent and there are multiple levels to it. It also depends on the behaviour that is being observed.</p><p></p><p>In general, certificates build a reputation with us. The more good files we see that are signed using the same certificate, the higher it will rank. If we ever see any malicious or even questionable file (PUP) that is signed with a certain certificate, it will instantly lose all built up reputation. There is also some special treatment for digital signatures that belong to Microsoft (Windows components for example). So it's not a clear cut answer, unfortunately.</p><p></p><p></p><p>This will ultimately just lead to escalation. If we circumvent the security features Microsoft put in place for processes to protect themselves from code injection, which is possible by manipulating undocumented process structures in kernel mode, and that Chrome or Edge, for example, use to prevent AVs from touching their processes, Microsoft will just add coverage for these structures to PatchGuard, release an update and we will bluescreen all systems. So we just don't do it, not even optionally.</p></blockquote><p></p>