How to use the new behavior blocker panel to quickly spot potential threats
One of the biggest improvements of Emsisoft Anti-Malware and Emsisoft Internet Security version 10 is the new behavior blocker panel, which gives you full control over your running programs. If your PC seems to run slower or behaves erratically, it’s time to view which and what programs are running on your system and take action accordingly. Here’s how you can do so.
What is the purpose of a behavior blocker?
The best way to understand what a behavior blocker does is to imagine a layer that sits between your operating system and the programs on your computer. This layer checks for certain malicious behavior patterns in the actions of the programs and raises an alert as soon as something suspicious occurs. For example, if a program is not digitally signed, starts without a visible window, creates an auto-run entry in registry or sends data over the internet then chances are high this is a piece of spyware.
No matter how encrypted or complex a malware program is, it can’t hide its behavior. Because there are a limited amount of ways a malware can behave (e.g. a virus will always infect files), the behavior blocker can detect almost any type of malware.
However, many legitimate programs behave quite similar to malware, such as software updaters that may also run in the background and send data over the internet. That’s where the Emsisoft Anti-Malware Network comes in: the behavior blocker uses our public malware database to perform a live cloud verification when it notices a program is exhibiting questionable behavior. If the Emsisoft Anti-Malware Network has a clear indication that a program is good or bad, the alert can be skipped and will automatically be allowed or blocked, drastically reducing the amount of false positives. The Emsisoft Anti-Malware Network knows over 163 million malware threats, and more than 200,000 threats are added daily!
The behavior blocker settings
The behavior blocker panel has several key settings:
Activate or deactivate the behavior blocker
You can activate or reactivate the behavior blocker by checking the “Activate Behavior Blocker” option. We don’t recommended to disable the behavior blocker as this will lower your overall protection against malware. If the need ever arises that you must disable the behavior blocker, simply uncheck this box.
Show or hide fully trusted programs
You can choose your preferred view of running processes by using the “Hide fully trusted applications” option. To view all running processes, uncheck the box and all processes that have good, bad, or unknown reputations will become visible. Checking the box will only show bad or unknown processes and hide the ones that are known to be safe.
View details about active running processes
You can view several details about each actively running program in the revamped behavior blocker panel. The most important columns in the panel to look at are the “Company” column and the “Reputation” column. A company name is marked in green if the file is digitally signed and the certificate is valid. This is important because any file property information can potentially be faked by malware authors. Therefore, if you only see a black color coded “Microsoft Corporation”, that does not guarantee that the file is from Microsoft. You should always pay attention to the reputation rating for each program in the last column (good, bad or unknown) as this is essential in distinguishing the good from the bad.
How to use the process list to spot potential threats
Now that you know where to find the key settings in the panel, you are ready to utilize the process list to find and remove potentially malicious applications running on your PC. If the behavior blocker indicates that a program’s reputation is unknown or bad, you can right-click on the program to perform several actions: create rule, lookup online, end process, quarantine process, open file location, and view file properties.
The quarantine and end process options are only available for new or bad processes in order to prevent you from harming your system by mistakenly performing one of these actions on a harmless or critical windows process. Each action will allow you to learn specific details about the program:
Creating application rules for active running processes is simple: Right click on any individual process and select the “create rule” option from the context menu. You can then configure application rules and set your preferences on how you want the behavior blocker to behave, which is described in more detail in the next paragraph.
Use this feature to check a file in the Emsisoft Anti-Malware Network. After selecting the desired process, you’ll be directed to a page in which you can view several file properties and details about the executable process that you can use to make an informed decision about the safety of a file.
If a process is known to have a bad or unknown reputation, you are presented with options to either quarantine or end the process. If a file is classified as new or unknown, use caution. If a file status is classified as bad, we recommend you remove the file entirely.
You can use the quarantine program option to move an unknown or malicious process or program safely to Emsisoft’s quarantine. Once you move a program or process to quarantine it can no longer be accessed or run because it is placed in an encrypted container that will keep it locked. In the event that you mistakenly quarantine a harmless file, you can restore the file from the quarantine at at any given time.
You can use the end process option to end an unknown or active malicious process. This means that the the threat cannot harm your PC anymore since it is no longer running. The end process option may be a safer alternative than the quarantine option in the event you are unsure if a process is malicious, but still do not trust it or notice that it is potentially exhibiting suspicious behavior.
Open the file location
Navigate to a file location to get insight about where exactly a file is located. For example, if a supposed system process is typically located in the System32 directory but is now present in your Documents folder, it is most likely malware. Experienced users may wish to manually remove threats using this option.
View the file properties
File properties are traits of the file such as the size or type. Viewing file properties is helpful in determining whether a file is malicious because users can view the MD5 hash of any given file which can be compared to the authentic hash that can quickly be found online. The MD5 hash of a file is a sequence of 32 characters which help identify each file uniquely and comes in handy to see if a file as been manipulated or changed. If the hash is different, there is a high probability that the file is malicious. The date a file was first and last seen is a factor to take into consideration because if a file is relatively new and not classified yet, it in theory should not be trusted.
What to do when a malicious process is found
If a process is found to be malicious, it will most likely be blocked in realtime by the Emsisoft behavior blocker. Alternatively, use the process list to quarantine or end the active malicious program. If a program is classified as malicious, it is recommended that you quarantine the threat.
If the program is unknown, ending the process may be a safer option at the time as the program could potentially be harmless. At this point, running a scan with your security product may be a wise choice to ensure that your PC is free of other potential malware infections. Alternatively, feel free to consult with our malware removal experts on our support forum if you are unsure of which action to take.
How to configure application rules
You can configure application rules in order to define your own preferences on how you want the Emsisoft behavior blocker to react to specific programs. If you notice there is already a rule available for that program, then double click on the process to open an “edit rule box” instead of creating a new rule. You can configure application rules under the protection tab or by right-clicking on an individual program in the process list. You have the following options:
All allowed should be used when the application is undoubtedly safe and is a common everyday application with favorable reputation status among many users.
Monitor this application but, allow/block specific activities should be used when a safe or unknown application is not necessarily malicious, but exhibits suspicious behavior at times that triggers the behavior blocker to prompt you frequently.
Always block this application should be used if you are certain a program is behaving in a malicious manner. An example of such a scenario is if an unknown application is attempting to capture your keystrokes or injecting code into another process.
The revamped behavior blocker panel offers new ways to spot potential threats. You can use the new process list to weed out suspected threats and learn several details about which programs are running on your PC. When a malicious process is found, simply use the end or quarantine option to remove the threat from memory. In addition, you can create application rules control the manner in which the behavior blocker handles certain applications and activities. You can use the new panel to your advantage to get the most out of your Emsisoft protection.
Please share your feedback about the new behavior blocker panel, we always like to hear your thoughts!
Have a great (malware-free) day!
Malvertising makes use of the Magnitude exploit kit to deliver ransomware