Emsisoft’s dual-engine scanner Behind the scenes

Basic scan methodology for detection of virtual parasites has been around for as long as there have been PCs. But just like the car industry that has been around for more than 100 years, there are always useful new inventions and extensive improvements.

Emsisoft’s scan technology can, of course, get along without ABS or ESP, but there are countless invisible details and innovations that ensure the security of your data. What is most important – apart from efficient protection – is performance: more than 12 million signatures (as of November 2012) need to be handled in an efficient manner without taking their toll on your computer’s performance.

Developers of security software are therefore always facing new challenges, whether it is due to new threat scenarios or the user’s wish for more comfort. Not all scanners are the same – Emsisoft’s scanner has been one of the best for some time. This is reason enough to explain the technology and progressive features in more detail.

Two engines find more than one

Emsisoft relies on hybrid technology. The scanner uses two complete scan components to ensure the best detection possible. Every day, tens of thousands of new malware variants are born. Even though most of them are only slightly modified variants of widespread types, the scanner needs a detection signature for each and every one of them, a kind of fingerprint. The saying “make assurance double sure” applies here. Two scanners detect more than one.

The first engine (E1) is a creation of Emsisoft’s, the second one (E2) has been in use since we released Emsisoft Anti-Malware 7.0 and Emergency Kit 3.0 and comes from BitDefender. BitDefender is known for its very good detection rate as well as displaying few false alerts, which is why we use this third-party engine. As “very good” is just not enough where PC security is concerned, Emsisoft’s own engine takes care of particularly difficult cases as well as excellent cleaning. Our team, consisting of security experts and analysts, provide it with new signatures 24/7. They browse sinister underground forums and countless illegal warez sites in the depths of the World Wide Web in order to find new malware trends and infection waves before they can reach your PC.

Combined together, these two technologies form the Ferrari of malware scanners and are known worldwide for brilliant detection rates.

Two scan units, and still lightning quick

Speaking of Ferrari, anyone who thought that two engines would have to be quite slow and take up a lot of RAM is wrong. There are a number of technical features that lead to quite the opposite. First of all, all double signatures are removed so that there is no redundancy and all malware is detected by one engine only. This will have a positive effect on memory usage and speed.

Furthermore, both engines have been improved at a low level to work together as well as possible, just like the Italian car manufacturer has made an effort to tune all cylinders of their models in order to have the best performance possible. Of course, it takes a lot of developing work due to the high complexity of the software, but both scan engines run faster and more efficiently together than many competitors’ products that only have one single engine. As a matter of fact, it is almost always the hard drive that causes a bottleneck and limits the speed. Only brand-new SSD hard drives are able to read data fast enough that the scan engine will not go idle during the scan.

Emsisoft even goes some steps further in optimizing the speed. Advanced Caching
ensures that the file guard does not scan a file several times when it is accessed again and again. The effect of this is huge as there is a great number of files that Windows reads frequently. For instance, when launching a program, closing it, and loading it again later on. If a file has not been changed in the meantime and has been proven to be “clean” over a longer period of time, new scans are not necessary and simply waste useful system resources. This is what Advanced Caching helps to avoid and thus continuously speeds up your system.

By the way, it is totally up to you how much of your CPU load is used during a scan. Not only professional users appreciate the new performance settings that allow you to choose the number of used CPUs and threads. You can find this setting when choosing the scan mode. Either reach your goal at full throttle in no time at all, choose longer scan run-times with enough resources for other tasks or find a good compromise – everything is possible.


Emsisoft’s scanner will find what stays hidden from Windows

Unfortunately, it is not only the developers of anti-virus software that are crafty engineers and programmers. The malware industry also has some smart guys who try to hide their malicious software as well as possible. Once your OS has been infected, harmful processes and files may remain hidden from scan software. Rootkits in particular are known for this insidious behavior.

But there is no need to worry, as Emsisoft solves this problem with the Direct Disk Access Mode . As the name suggests, the Windows interface used to read files is not used, and data will be read directly from your PC’s hard drive. Emsisoft’s dual-engine scanner therefore gains direct access to relevant hard-drive sectors just like through a tunnel. This helps to discover well-hidden malware.

If you are now asking yourself why Direct Disk Access (DDA) is not generally used, it is because it has the disadvantage of being slower at reading files than using Windows. It scans all security-related parts in a reliable manner, though, such as Windows drivers and boot sectors. Of course, you can also choose to scan your entire hard-drive using DDA. Simply enable the option “Use Direct Disk Access” when doing a custom scan.

Another technical highlight is the “Scan in NTFS Alternate Data Streams” option. These alternate data streams enable Windows to save user data connected to a file without the user seeing this. Few people know about it, but it is sometimes used by malware to hide its main files. So a Malware.exe of about 2 MB can be hidden in a second data stream of a harmless 100 KB .doc file without Windows Explorer being aware of it. We therefore recommend keeping this option enabled.

How often should I scan my PC?

The good news is, if you are using the full version of Emsisoft Anti-Malware, a single complete initial scan will do. This is done after installation and should not be skipped. As long as you do not disable the file guard, every file that is loaded or written will automatically be scanned. It is therefore almost impossible for a malicious file to infiltrate your PC unnoticed.

You also have the option of scheduling scans. You can do this via “Configuration” – “Scheduled Scans”. You can, for instance, scan your PC every Friday afternoon once done with your work – or every 12 hours. There is almost no limit to your wishes, and customized settings for certain paths or file types can easily be done.

Real-time protection also detects newly inserted drives such as USB sticks or external hard drives. As soon as infected data are copied, the file guard will warn you. Manual scanning is therefore not really necessary. Emsisoft aims at enabling you to use your PC without worry and without even noticing you are being protected, unless you are being attacked by malware.

In the event of an infection, malware is removed in a reliable manner

If a virus scanner is working just the way it should and warns you about an infection, you would of course like to get rid of it as soon as possible. Therefore, we built a cleaning feature into Emsisoft’s scan technology. It may seem surprising, but so-called “cleaning” is one of the most complicated features of all. This is because simply removing the detected file is rarely enough these days. Malware “digs” deep into your system and leaves fragments in different locations. Free scanners in particular fail here and are not able to safely remove a detected file.

It may then come as a big surprise when malware inexplicably replicates itself every time it has been removed and remains active as if nothing had happened. What is even worse is that, when not properly removed, your OS may be affected so badly that it will not boot correctly and may require reinstalling. This is often blamed on the malware and not the scanner.

As we do not want this to happen and would rather remove even the most persistent malware, we equipped Emsisoft’s dual-engine scanner with a so-called “traces scan”. This detects all files, folders and registry entries created by malware so they can be removed without leaving any traces. It is often even possible to restore original values from Windows system sectors after an infection. This may help you to avoid reinstalling your OS after being infected by malware.

However, no scanner is able to remove each and every infection – not even Emsisoft’s dual-engine scanner. Active rootkits in particular are difficult to remove automatically as they often leave irreparable damage in the boot sector. In principle, it would be possible to write a cleaning routine for each and every variant but, as there are many new rootkits, manual removal is simply more secure. This will help to avoid a defective OS. Best of all, Emsisoft offers you free help in removing malware. You can reach our security experts via the Support Forum or via e-mail any time you need help.


Have a nice (malware-free) day!

Your Emsisoft Team