Comments on: How it’s done right: Emsisoft’s Behavior Blocker vs. 20 crypto ransomware families

By: Michael Martin

Michael Martin — Wed, 18 May 2016 00:11:00 +0000

The examples given show that the ransomware programs (cryptofortress.exe and ZeroLocker.exe) were trying to run from Sarah’s desktop. In other words, they were already installed there. Should not Emsisoft Anti-malware have prevented that from happening in the first place?

By: dqdb@rtws

dqdb@rtws — Sun, 03 Jan 2016 10:36:00 +0000

In reply to Christian.

Maybe it would be a solution to extend BB to perform some basic format tests for popular file formats on write operations? For example when a process tries to write at position 0 to a JPEG file and written data doesn’t start with SOI, then BB should generate an alert, or PDF files should start with %PDF and end with %%EOF and so on.

I’ve been thinking of this for a while, but I don’t know that this is a viable option or it requires too much CPU and IO resources, and I have little knowledge about FSD filters (and even less free time) for a proof-of-concept implementation.

By: Christian

Christian — Mon, 28 Dec 2015 22:32:00 +0000

In reply to Mitchell Earl.

No, the behavior is always monitored locally, which means if the ransomware is executed on the server it is being detected but if it is executed on a client that just happen to have access to a folder remotely on a server, it isn’t. Therefore you should never rely on server side protection only but also install behavior blocking on all your clients that have access to the server.

Background: If ransomware encrypts files, it means it just edits existing files. A file write operation is not a malicious action though and therefore can’t be used as a trigger to alert. The behavior blocker monitors not just the file write action but also takes into account plenty of meta properties of the actual executable program that does the action, to come up with an alert.

By: Mitchell Earl

Mitchell Earl — Mon, 28 Dec 2015 21:38:00 +0000

Can Emsisoft Anti-Malware for Server prevent an infected workstation from encrypting it’s mapped drives? Since the executable never resides on the server itself, I’m curious if it would detect file level activity and be able to halt it.

By: Preston Mitchell

Preston Mitchell — Sat, 26 Dec 2015 02:45:00 +0000

FREE FULL LICENSE For Emsisoft Anti-Malware (for 203 days)
This is my 5th year of using Emsisoft Internet Security. Today–on Christmas, a virus utterly destroyed Emsisoft, KILLING both Emsisoft Anti-Malware and its Online Armor firewall. Emsisoft was not just crippled but fatally corrupted by the virus. FORTUNATELY, my PC was barely saved by a FREE online scanner called HerdProtect…which quickly quarantined the virus and saved my Windows from being permanently damaged. HOW SAD THAT A FREE SOFTWARE PERFORMED BETTER THAN EMSISOFT. THEN I had to use Revo Uninstaller to uninstall Emsisoft’s CORPSE, because the DEAD Emsisoft was unable to uninstall itself. If anybody wants to use the remainder of my PAID Emsisoft license, which expires in 203 days, here is the license number: BEX-BAK-BEN-682 BUT BE WARNED…USE EMSISOFT AT YOUR OWN RISK…least you spend Christmas repairing your PC after Emsisoft FAILS to PROTECT your PC!

By: David Sucesso

David Sucesso — Fri, 25 Dec 2015 21:25:00 +0000

thats a cool video. thanks