How to use the new behavior blocker panel to quickly spot potential threats

One of the biggest improvements of Emsisoft Anti-Malware and Emsisoft Internet Security version 10 is the new behavior blocker panel, which gives you full control over your running programs. If your PC seems to run slower or behaves erratically, it’s time to view which programs are running on your system and take action accordingly. Here’s how you can do so.

What is the purpose of a behavior blocker?

The best way to understand what a behavior blocker does is to imagine a layer that sits between your operating system and the programs on your computer. This layer checks the actions of the programs for certain malicious behavior patterns and raises an alert as soon as something suspicious occurs. For example, if a program is not digitally signed, starts without a visible window, creates an auto-run entry in the registry or sends data over the internet, then chances are high that this is a piece of spyware.

No matter how encrypted or complex a malware program is, it can’t hide its behavior. Because there are a limited number of ways malware can behave (e.g. a virus will always infect files), the behavior blocker can detect almost any type of malware.


The Emsisoft behavior blocker.

However, many legitimate programs behave quite similarly to malware, such as software updaters that may also run in the background and send data over the internet. That’s where the Emsisoft Anti-Malware Network comes in: the behavior blocker uses our public malware database to perform a live cloud verification when it notices a program exhibiting questionable behavior. If the Emsisoft Anti-Malware Network has a clear indication that a program is good or bad, the alert can be skipped and the program will automatically be allowed or blocked, drastically reducing the number of false positives. The Emsisoft Anti-Malware Network knows over 163 million malware threats, and more than 200,000 threats are added daily!

The behavior blocker settings

The behavior blocker panel has several key settings:

Activate or deactivate the behavior blocker

You can activate or deactivate the behavior blocker by checking the “Activate Behavior Blocker” option. We don’t recommend disabling the behavior blocker, as this will lower your overall protection against malware. If the need ever arises that you must disable the behavior blocker, simply uncheck this box.

Show or hide fully trusted programs

You can choose your preferred view of running processes by using the “Hide fully trusted applications” option. To view all running processes, uncheck the box and all processes that have good, bad, or unknown reputations will become visible. Checking the box will only show bad or unknown processes and hide the ones that are known to be safe.

View details about active running processes

You can view several details about each actively running program in the revamped behavior blocker panel. The most important columns in the panel to look at are the “Company” column and the “Reputation” column. A company name is marked in green if the file is digitally signed and the certificate is valid. This is important because any file property information can potentially be faked by malware authors. Therefore, if you only see a black (not green) “Microsoft Corporation”, that does not guarantee that the file is from Microsoft. You should always pay attention to the reputation rating for each program in the last column (good, bad or unknown), as this is essential in distinguishing the good from the bad.

How to use the process list to spot potential threats

Now that you know where to find the key settings in the panel, you are ready to utilize the process list to find and remove potentially malicious applications running on your PC. If the behavior blocker indicates that a program’s reputation is unknown or bad, you can right-click on the program to perform several actions: create rule, lookup online, end process, quarantine process, open file location, and view file properties.


Right-click on any process to perform various tasks to find out more about it.

The quarantine and end process options are only available for new or bad processes, in order to prevent you from harming your system by mistakenly performing one of these actions on a harmless or critical Windows process. Each action will allow you to learn specific details about the program:

Create rule

Creating application rules for active running processes is simple: right-click on any individual process and select the “create rule” option from the context menu. You can then configure application rules and set your preferences on how you want the behavior blocker to behave, which is described in more detail under “How to configure application rules” below.

Lookup online

Use this feature to check a file in the Emsisoft Anti-Malware Network. After selecting the desired process, you’ll be directed to a page in which you can view several file properties and details about the executable process that you can use to make an informed decision about the safety of a file.


The process list “lookup online” feature using the Emsisoft Anti-Malware Network.

If a process is known to have a bad or unknown reputation, you are presented with options to either quarantine or end the process. If a file is classified as new or unknown, use caution. If a file status is classified as bad, we recommend you remove the file entirely.

Quarantine program

You can use the quarantine program option to move an unknown or malicious process or program safely to Emsisoft’s quarantine. Once you move a program or process to quarantine, it can no longer be accessed or run because it is placed in an encrypted container that keeps it locked. In the event that you mistakenly quarantine a harmless file, you can restore the file from the quarantine at any time.

End process

You can use the end process option to end an unknown or active malicious process. This means that the threat cannot harm your PC anymore, since it is no longer running. The end process option may be a safer alternative to the quarantine option in the event you are unsure whether a process is malicious, but still do not trust it or notice that it is potentially exhibiting suspicious behavior.

Open the file location

Navigate to a file location to get insight about where exactly a file is located. For example, if a supposed system process is typically located in the System32 directory but is now present in your Documents folder, it is most likely malware. Experienced users may wish to manually remove threats using this option.

View the file properties

File properties are traits of the file such as its size or type. Viewing file properties is helpful in determining whether a file is malicious because you can view the MD5 hash of any given file, which can be compared to the authentic hash that can quickly be found online. The MD5 hash of a file is a sequence of 32 characters which helps identify each file uniquely and comes in handy to see if a file has been manipulated or changed. If the hash is different, there is a high probability that the file is malicious. The date a file was first and last seen is also a factor to take into consideration, because if a file is relatively new and not classified yet, in theory it should not be trusted.
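As an added illustration (not part of the original post or of Emsisoft’s software), the script below applies the same manual checks the panel invites you to make: a company name not backed by a valid signature, a non-good reputation, a system binary running from an unexpected folder, and an MD5 that differs from a reference copy. The process entries, the expected directory and the reference hash are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List


@dataclass
class ProcessEntry:
    name: str        # executable name as shown in the process list
    path: str        # full path, as revealed by "open file location"
    company: str     # "Company" column
    signed: bool     # True when the company name is shown in green (valid signature)
    reputation: str  # "Reputation" column: good / bad / unknown
    md5: str         # MD5 hash from "view file properties"


# Constructed reference data (assumption): where a binary is expected to live and the
# MD5 of a known-good copy. In practice the reference hash comes from a trusted source.
EXPECTED_DIR = {"svchost.exe": r"C:\Windows\System32"}
GOOD_CONTENT = b"constructed stand-in for the genuine svchost.exe"
REFERENCE_MD5 = {"svchost.exe": hashlib.md5(GOOD_CONTENT).hexdigest()}


def md5_hex(data: bytes) -> str:
    """32-character hex MD5 digest, as shown in the file properties dialog."""
    return hashlib.md5(data).hexdigest()


def triage(entry: ProcessEntry) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    findings = []
    name = entry.name.lower()
    if entry.reputation == "bad":
        findings.append("reputation bad: quarantine recommended")
    elif entry.reputation != "good":
        findings.append("reputation unknown: use caution, consider ending the process")
    if not entry.signed:
        findings.append(f"company '{entry.company}' is not backed by a valid signature")
    expected = EXPECTED_DIR.get(name)
    actual_dir = PureWindowsPath(entry.path).parent  # Windows paths compare case-insensitively
    if expected and actual_dir != PureWindowsPath(expected):
        findings.append(f"{entry.name} running from {actual_dir}, expected {expected}")
    ref = REFERENCE_MD5.get(name)
    if ref and entry.md5.lower() != ref:
        findings.append("MD5 differs from the reference hash: file may be manipulated")
    return findings


# Constructed sample entries: a genuine system process and a look-alike in a user folder.
GENUINE = ProcessEntry("svchost.exe", r"C:\Windows\System32\svchost.exe",
                       "Microsoft Corporation", True, "good", md5_hex(GOOD_CONTENT))
SUSPECT = ProcessEntry("svchost.exe", r"C:\Users\Alice\Documents\svchost.exe",
                       "Microsoft Corporation", False, "unknown",
                       md5_hex(b"constructed stand-in for a tampered copy"))
```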

What to do when a malicious process is found

If a process is found to be malicious, it will most likely be blocked in real time by the Emsisoft behavior blocker. Alternatively, use the process list to quarantine or end the active malicious program. If a program is classified as malicious, it is recommended that you quarantine the threat.

If the program is unknown, ending the process may be a safer option at the time as the program could potentially be harmless. At this point, running a scan with your security product may be a wise choice to ensure that your PC is free of other potential malware infections. Alternatively, feel free to consult with our malware removal experts on our support forum if you are unsure of which action to take.

How to configure application rules

You can configure application rules in order to define your own preferences on how you want the Emsisoft behavior blocker to react to specific programs. If you notice there is already a rule available for that program, double-click on the process to open an “edit rule” box instead of creating a new rule. You can configure application rules under the protection tab or by right-clicking on an individual program in the process list. You have the following options:


Configure an “all allowed” application rule.

“All allowed” should be used when the application is undoubtedly safe and is a common everyday application with a favorable reputation status among many users.


Configure a “custom monitoring” application rule.

“Monitor this application but allow/block specific activities” should be used when a safe or unknown application is not necessarily malicious, but at times exhibits suspicious behavior that triggers the behavior blocker to prompt you frequently.


Configure an “always block this application” rule.

“Always block this application” should be used if you are certain a program is behaving in a malicious manner. An example of such a scenario is an unknown application attempting to capture your keystrokes or inject code into another process.

Conclusion

The revamped behavior blocker panel offers new ways to spot potential threats. You can use the new process list to weed out suspected threats and learn several details about which programs are running on your PC. When a malicious process is found, simply use the end or quarantine option to remove the threat from memory. In addition, you can create application rules to control the manner in which the behavior blocker handles certain applications and activities. You can use the new panel to your advantage to get the most out of your Emsisoft protection.

Please share your feedback about the new behavior blocker panel; we always like to hear your thoughts!

Have a great (malware-free) day!


  • DJRiful

    Nice guide

  • AdolfV

    A behavior blocker can’t find all threats. There are lots of kinds developed by hackers in suspect countries, and this category of threat can’t be detected, not even with Emsisoft or any other antivirus creator.

    • Christian

      Can you show any proof of that assumption? We would be quite happy to get a malware sample that can’t be detected by our behavior blocker. So far we didn’t see many.

      • AdolfV

        Before professional viruses/malware are released to their targets, the virus writers test them on all general antivirus manufacturers’ software, to ensure these new viruses will stay undiscovered as long as possible. Proof of that I can’t find, because it’s a state secret as part of military, political and economic strategy, but I still remember Win.32. Duqu/Stuxnet. This you already know, Christian. And can you guarantee me I will be 100% secure against state Trojans using Emsisoft? Then I will use Emsisoft IS.

        • Christian

          While malware can be written/modified in a way that signature-based detection fails, it can hardly hide its behavior. That’s where our behavior blocker succeeds. So far we didn’t see many real-world samples that cannot be detected by this technique. We already detected several state trojans years before anyone knew they even existed. We didn’t know that they were state trojans, but we knew that they were trojans. That’s enough to protect from them. Giving a 100% guarantee would be unprofessional, but our historic records give a pretty clean picture on that.

  • Alexander Stiven

    About the Behavior Blocker: where is “Monitored Behavior”?

  • techienumber1

    I used to have trouble blocking all the freeloaders on my network, so all I did was contact my bro, whose account is on the connection, and got him to change the wifi frequency to a different one. Now I have no trouble with freeloaders, because the frequency is one they can’t connect to, as it’s too high for their dongles to connect with.

  • LodeHere

    I have SpyShelter, which utilizes HIPS (just as Online Armor also does.) But SpyShelter is listed as “Bad” under reputation in my Behavior Blocker list, while I don’t know why it has been given the category of being bad. As far as I know it is not bad at all.

    So I have given it “All Allowed”, but EIS is still monitoring it, and I can’t change the reputation nor the monitoring status.

    I consider this a false positive, but luckily I can still utilize the program. So in the end it doesn’t really matter in the practical sense. But it is giving SpyShelter a bad reputation while it deserves better.

  • LodeHere

    PS:
    I just realized EIS would also detect eventual keyloggers with its behaviour monitoring of all processes. So I don’t really need SpyShelter on top of EIS, even though SpyShelter is a good program. I’m going to trust EIS fully and remove SpyShelter.

    • Mariska

      Are you part of our Emsisoft Anti-Malware Network? This is our online database of millions of programs (good and bad), and EIS performs online lookups of suspicious (or good) programs against the database. You can be part of it by adjusting this in the Settings tab of EIS. Either way, it would be great if you can submit the program to our support staff (support@emsisoft.com) so they can take a look and determine whether it was a false positive that needs to be labeled as “good” in our database. To learn more, see: http://blog.emsisoft.com/2015/05/08/is-this-file-safe-re-launch-of-the-emsisoft-anti-malware-network/ Thanks!