Serious Discussion Windows and Office Genuine ISO Verifier detected by Emsisoft BB

Divine_Barakah

I have been using Windows and Office Genuine ISO Verifier tool for ages. I have kept a backup copy of this tool on my flash drive. When I ran the tool now, it notified of a new version and I approved the update. When I ran the updated version, Emsisoft quarantined it as shown in the attached warning.


So the version v.11.11.33.22. (15/11/2022) was not detected by Emsisoft, but the new version v.11.19.45.24. (16/07/2024) was. I have submitted the tool to be reviewed by Emsisoft, but any ideas about what triggered the detection?

Edit: I did not download the new version from the aforementioned link. The tool (old version) notified of the update and it downloaded the new update in the downloads folder.


Thank you in advance

Screenshot 2024-08-20 190035.png
 

Bot

AI-powered Bot
It's possible that the new version of the tool contains code or behavior that Emsisoft identifies as potentially harmful, hence the quarantine. It could also be a false positive. Emsisoft's review should clarify this. In the meantime, avoid using the tool until the issue is resolved.
 

Divine_Barakah

I have submitted the tool to VT, and the verdict came out clean except for one vendor that I have never heard of before.
 

Mahesh Sudula

These tools check the DLLs of Windows files. As such, accessing such critical files, injecting code or starting a driver to check them triggers it. HIPS-inherited behavior blockers behave this way. Emsisoft BB is a sort of HIPS; previously it was Mamutu (I think).

This BB triggers a lot of user prompts/FPs day to day. Known issue with Emsisoft. As long as you are connected to the internet, the decision should be automatic; otherwise it is a headache.
 

Divine_Barakah

These tools check the DLLs of Windows files. As such, accessing such critical files, injecting code or starting a driver to check them triggers it. HIPS-inherited behavior blockers behave this way. Emsisoft BB is a sort of HIPS; previously it was Mamutu (I think).

This BB triggers a lot of user prompts/FPs day to day. Known issue with Emsisoft. As long as you are connected to the internet, the decision should be automatic; otherwise it is a headache.

It seems you are talking about another tool? This tool checks the ISO's hash and compares it to a list of stored hashes of Windows and Office ISO images.
 

Mahesh Sudula

We need to see the logs on why the BB triggered. That should show the list of actions executed by this app. Emsisoft support should also help you with this.
Verifying a genuine Windows ISO is more than just a hash check. I used MS tools previously. They also inject a driver in the background.
Mature BBs cleverly allow such actions, because they look at the whole picture, not just a specific action or two. HIPS, as usual, knock for everything: COMODO.
 

Divine_Barakah

We need to see the logs on why the BB triggered. That should show the list of actions executed by this app. Emsisoft support should also help you with this.
Verifying a genuine Windows ISO is more than just a hash check. I used MS tools previously. They also inject a driver in the background.
Mature BBs cleverly allow such actions, because they look at the whole picture, not just a specific action or two. HIPS, as usual, knock for everything: COMODO.

Unfortunately, there is nothing in the logs except for "suspicious behaviour detected". As for the tool, you select the ISO file whose authenticity you need to check, and the tool calculates its hash and compares it with a list of hashes.

Screenshot 2024-08-20 192325.png
 
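As an added example (not the tool's or the thread's own code) of the hash-against-catalog check Divine_Barakah describes: the file names, labels and image bytes are constructed, and the catalog is built from a trusted reference image rather than a shipped list.

```python
# Added example, not the Genuine ISO Verifier's own code: hash an image in
# chunks and look it up in a catalog of known-good digests, which is what the
# thread says the tool does. Sample bytes and labels below are constructed.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images

def file_digests(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: uppercase hex digest} for the file at path."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}

def build_catalog(reference_images):
    """Catalog {algorithm: {digest: label}} from trusted images {label: path}."""
    catalog = {}
    for label, path in reference_images.items():
        for name, digest in file_digests(path).items():
            catalog.setdefault(name, {})[digest] = label
    return catalog

def verify_iso(path, catalog):
    """("GENUINE", algorithm, label) on a catalog hit, else ("UNKNOWN", None, None)."""
    for name, digest in file_digests(path).items():
        label = catalog.get(name, {}).get(digest)
        if label is not None:
            return ("GENUINE", name, label)
    return ("UNKNOWN", None, None)

def demo():
    """Constructed run: a 'genuine' image and a copy differing in exactly one bit."""
    tmpdir = tempfile.mkdtemp()
    genuine, tampered = (os.path.join(tmpdir, n) for n in ("genuine.iso", "tampered.iso"))
    payload = bytes(range(256)) * 4096  # 1 MiB of constructed data, not a real ISO
    with open(genuine, "wb") as fh:
        fh.write(payload)
    with open(tampered, "wb") as fh:
        fh.write(payload[:-1] + bytes([payload[-1] ^ 0x01]))  # flip the last bit
    catalog = build_catalog({"constructed Windows image": genuine})
    return verify_iso(genuine, catalog), verify_iso(tampered, catalog)

if __name__ == "__main__":
    print(demo())
```

A single flipped bit anywhere in the image turns the verdict to UNKNOWN, so the check is only as trustworthy as the source of the catalog itself.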

simmerskool

Let's see what Emsisoft support responds. They should let you know what made the BB trigger.

@Divine_Barakah yes, I would like to know how Emsi support replies. I just started using EAM (again), this time Business, and my limited contact with support has been fast & good, and I'm not getting false+ so far, but my computer habits are tamer than they were once upon a time. I increased the File Guard from default to thorough; downloads are perhaps a tad slower, but it's too early for me to tell the overall impact.
 

Divine_Barakah

my limited contact with support has been fast & good, and I'm not getting false+

I have contacted Emsisoft support many times and they proved fast and helpful. Honestly, support is one of the main reasons I am using Emsisoft. Regarding the FPs, the Anti-Malware network is doing a great job to minimise FPs.

I increased the File Guard from default to thorough; downloads are perhaps a tad slower, but it's too early for me to tell the overall impact.

Why did you choose that? I believe it is unnecessary and will cause a system slowdown.
 

simmerskool

I have contacted Emsisoft support many times and they proved fast and helpful. Honestly, support is one of the main reasons I am using Emsisoft. Regarding the FPs, the Anti-Malware network is doing a great job to minimise FPs.

Why did you choose that? I believe it is unnecessary and will cause a system slowdown.

I was a long-time user of EAM but not recently, until this past week. Good experience so far. So far the slowdown, if any, from "thorough" is minimal. So far I have not "researched" what thorough is doing compared to default, but it might be scanning files as they are being downloaded -- more than just a hash? Not sure, but I am finding the time to see what I can find. I like the idea of early prevention. Not slow here, so no reason to go back to default, at least not yet.
 

Divine_Barakah

I was a long-time user of EAM but not recently, until this past week. Good experience so far. So far the slowdown, if any, from "thorough" is minimal. So far I have not "researched" what thorough is doing compared to default, but it might be scanning files as they are being downloaded -- more than just a hash? Not sure, but I am finding the time to see what I can find. I like the idea of early prevention. Not slow here, so no reason to go back to default, at least not yet.

Well, you can always right-click scan downloads. Moreover, when you launch the specific file, Emsisoft will scan it, and you also have the BB. So I see no point in using Thorough or Paranoid. But since it is working fine for you with no slowdowns, then why not.
 

Divine_Barakah

Just received a reply to the FP report

Hello,

Many thanks for reporting this issue. I have checked and fixed the detection. The file should no longer be blocked after the next online update.


Best regards,

Lab Team
I will ask support about what triggered the detection.
 

Divine_Barakah

After updating Emsisoft signatures, I received this notification. I really like this feature "rescan quarantine after signature updates".

It seems that Emsisoft labs just whitelist hashes of reported files (SHA1: 4EC6A4DEDA1FF67207AFF94681245B0EC109E23F). This was the header of the result email.


Screenshot 2024-08-20 223045.png
 

Oldie1950

I was a long-time user of EAM but not recently, until this past week. Good experience so far. So far the slowdown, if any, from "thorough" is minimal. So far I have not "researched" what thorough is doing compared to default, but it might be scanning files as they are being downloaded -- more than just a hash? Not sure, but I am finding the time to see what I can find. I like the idea of early prevention. Not slow here, so no reason to go back to default, at least not yet.

Translation of the German help text:

The following options are available in File Guard:

Scan Depth - Use the slider to set the File Guard's scan depth between best performance and best protection as follows:

Standard - Scans programs when they are started. This option has the least impact on system performance while still preventing malware from running. However, inactive malware may go undetected until a manual scan is performed. This option is the recommended setting.

Thorough - Every file is scanned when it is created or modified, such as when it is downloaded to your computer or copied from another computer via a USB stick. This makes it easier to find inactive malware. However, since files only become a threat when they are run, the standard setting will still protect you. However, if you are not experiencing performance issues, this option is also useful.

Paranoid - This will ultimately scan all files accessed by any program. Simply selecting the file is enough. However, since a typical computer typically reads thousands of files in the background every minute, this option will inevitably slow down your computer's performance. Although we cannot recommend this option, we still want to keep it for those users who want to be sure that everything is detected immediately without delay. For example, it may be useful to temporarily enable this option if Emsisoft Anti-Malware is installed on an already infected computer that needs to be cleaned.
 

Divine_Barakah

Received a reply for my question about what triggered the detection

In this case the file's behavior is considered suspicious because it doesn't have a digital signature. This means Emsisoft can't determine its owner, which, in combination with certain changes the file makes, leads to a detection.
 

simmerskool

Translation of the German help text:

The following options are available in File Guard:

Scan Depth - Use the slider to set the File Guard's scan depth between best performance and best protection as follows:

Standard - Scans programs when they are started. This option has the least impact on system performance while still preventing malware from running. However, inactive malware may go undetected until a manual scan is performed. This option is the recommended setting.

Thorough - Every file is scanned when it is created or modified, such as when it is downloaded to your computer or copied from another computer via a USB stick. This makes it easier to find inactive malware. However, since files only become a threat when they are run, the standard setting will still protect you. However, if you are not experiencing performance issues, this option is also useful.

Paranoid - This will ultimately scan all files accessed by any program. Simply selecting the file is enough. However, since a typical computer typically reads thousands of files in the background every minute, this option will inevitably slow down your computer's performance. Although we cannot recommend this option, we still want to keep it for those users who want to be sure that everything is detected immediately without delay. For example, it may be useful to temporarily enable this option if Emsisoft Anti-Malware is installed on an already infected computer that needs to be cleaned.

Not sure there's a scan depth "slider" in the current version of EAM/Business. I did (do) see 3 options (select 1): Default (recommended), Thorough or Paranoid. I did tweak File Guard to Thorough. Yesterday, I input a few malware URLs that @Shadowra used in the Heimdal video (I was running Emsi VM with the browser in Sandboxie-Plus), and 1 bad file started to download and was almost immediately blocked by Emsisoft & quarantined. I think or understand that if Emsi was set to Default the file would have downloaded and then sat in the download folder if and until it was executed or manually scanned, but I prefer proactive prevention, so I was happy to see the download auto-quarantined. And again, my Emsi is not noticeably slowed down and seems rock solid stable. I am used to running Harmony, which is heavier and a little slower. I'm guessing overall Harmony is more secure, but I'm enjoying running Emsi VM (VMware is the best decision I've made). Maybe some misunderstanding re the term "slider" -- in any event, thanks for that input.
 

Oldie1950

Not sure there's a scan depth "slider" in the current version of EAM/Business. I did (do) see 3 options (select 1): Default (recommended), Thorough or Paranoid. I did tweak File Guard to Thorough. Yesterday, I input a few malware URLs that @Shadowra used in the Heimdal video (I was running Emsi VM with the browser in Sandboxie-Plus), and 1 bad file started to download and was almost immediately blocked by Emsisoft & quarantined. I think or understand that if Emsi was set to Default the file would have downloaded and then sat in the download folder if and until it was executed or manually scanned, but I prefer proactive prevention, so I was happy to see the download auto-quarantined. And again, my Emsi is not noticeably slowed down and seems rock solid stable. I am used to running Harmony, which is heavier and a little slower. I'm guessing overall Harmony is more secure, but I'm enjoying running Emsi VM (VMware is the best decision I've made). Maybe some misunderstanding re the term "slider" -- in any event, thanks for that input.

I also use the Thorough setting. I haven't noticed any slowdown with this option. The name Slider no longer corresponds to the current GUI. The help text probably needs to be updated.
 

Divine_Barakah

After playing with the online console, I found where the details about incidents are.

So what triggered the BB alert was the fact that the tool is not digitally signed.

So basically everything that is not digitally signed (and not whitelisted by Emsisoft Antimalware Network) is going to trigger the BB?

Screenshot_20240823_055235_com.vivaldi.browser.jpg
 
