Prevent malware from entering your PC with Emsisoft Surf Protection

Malicious software needs to have already been downloaded to a PC in order for real-time protection or behavior blockers to detect it. Ideally, it would be preferable if malware never entered your PC at all though. This is precisely what Emsisoft’s Surf Protection is designed for. This article will enlighten you on the details of Emsisoft Anti-Malware’s first layer of protection.

Would you want malware to be present on your PC? Most likely not – but in fact it already is, by the time conventional security software raises an alert. Emsisoft Anti-Malware is different, as Surf Protection warns you the moment you access malicious websites. Connections to a dangerous host are blocked completely so that no data can be exchanged.

A host is defined as a website domain such as or also an IP address that can contain data for several domains. Hackers often use single physical servers with unique IP addresses that dozens of different domains point to. Emsisoft’s Surf Protection even detects many new malware domains reliably and halts all exchange of data – unless you as the user explicitly grant access.

Automatically blocking a host that is considered malicious.

You can click on the green check mark to allow the connection.

A strong point of Surf Protection is that connections are intercepted at the Windows system level. This ensures that Surf Protection works with all browsers, without needing compatibility updates whenever a browser is updated to a new version. In basic terms, connection attempts by any program are checked and if the target domain is verified as suspicious, the attempt is blocked.

How does Emsisoft’s Surf Protection recognize suspicious hosts?

Just like its collection of typical malware signatures, Emsisoft Anti-Malware has a database that contains known malicious hosts. The data is derived both from publicly available lists as well as from specialized companies that Emsisoft has partnered with. To ensure maximum security, it is highly critical that this database remains up to date. To this end, the list is updated hourly, with new threats continually being added.

There are three different categories of suspicious hosts:

  • Malware hosts: Suspected of spreading malicious software such as trojans, adware, rootkits or viruses.
  • Phishing hosts: Hosts that steal passwords and other private data via fake websites.
  • Privacy risks: Hosts that are used for advertising or tracking.

The first two categories are automatically blocked as they are of course generally undesirable. Privacy risks as per default settings, however, are not automatically blocked as this category contains a large amount of “allegedly” legitimate websites. Among these for instance, are Facebook and eBay that track their users via advertising networks or visitor counters.

You can change the default settings to your preferences via Guard –> Surf Protection. After changing the default settings for Privacy risks to “Alert”, you will typically see an alert similar to the one below when trying to access a basically good website such as This can be confusing for less experienced PC users, so we’ll explain the reasons for this in a moment.

Click to enlarge image

Google or Google Analytics are basically not considered dangerous. Google Analytics is a tracking service that evaluates user’s behavior as well as where a website visitor comes from, in order to provide its operator with statistical data. Advertising networks take it one step further by, for example, displaying personalized banners. This is no direct threat either, but it is the user’s prerogative to decide for themself what constitutes an invasion of their privacy. Even when the host classified as a privacy risk is blocked, the originating website that you requested will usually still be loaded. This is due to the fact that most websites utilize third party domains to display their advertisments and provide their tracking functions. Hence only the advertisements and functions related to these third party domains are blocked (this is what is being alerted to in our example image above when accessing

Additional settings for Emsisoft’s Surf Protection

Emsisoft Anti-Malware’s default settings offer maximum security and are simple to use. However, you can adapt the settings at any time to meet your individual needs. For example, you can add your own custom hosts to block or selectively allow hosts that have been blocked by Surf Protection’s built-in list. Are your children hanging out on social networks instead of doing their homework? Or is your partner spending much of your income in online shops? Emsisoft Anti-Malware not only helps in the fight against malware, but can also be used as a tool in managing web browsing.

You can see the list of all blocked hosts by clicking on Guard -> Host Rules. By clicking on the check box “My own”, you will see all customized rules and by clicking on “Built-in list” you will see the ones in Surf Protection’s default list. You can find individual entries by using the “Search” bar.

Click to enlarge image

The hosts file is part of Windows and is located in c:\windows\system32\drivers\. It is used for overriding DNS settings by redirecting certain domains to certain IP addresses in a targeted manner. Various hosts file lists are available to download online and this has been a popular method used by people to build their own form of “surf protection” with tools that come with Windows. Malicious domains are then redirected to the local IP, which neutralizes them.

There are some disadvantages to this approach though. You never know when a connection has been redirected, and a large hosts file in particular can slow down your system’s performance. There are also no automatic updates, so you have to keep your hosts file list up-to-date yourself.

If you wish to use third-party hosts file lists, we recommend you import them directly into Emsisoft Anti-Malware instead using the “Import hosts file” option which allows you to import individual entries as well as larger lists in one go. Unlike using a custom Windows host file, importing a third-party list into Emsisoft Anti-Malware’s Surf Protection, will not slow down your system. Use of third-party lists is purely optional – most entries are already on the built-in list that is updated hourly. Host rules feature the following modes:

  • Don’t block: Allows access to the host without asking
  • Alert: Alerts about access, and lets you decide whether to block or to allow it
  • Block and notify: Blocks the connection automatically and displays a pop-up window to let you know about it
  • Block silently: Blocks the connection, but does not show any notification

We recommend using the default setting “Block and notify” so that you will know immediately when a connection has been blocked. This may keep you from wondering why a certain website has not loaded.

Maximum protection against phishing

More than ever, phishing is becoming one of the main reasons for stolen login details, emptied bank accounts and theft of other private data. The reason is simple: fake e-mails and websites are looking more and more authentic these days, so that even professionals have to examine them very closely to see if they are fake or not. Slightly modified domains or domains bearing special characters may not appear suspicious at first. If the url reads for instance instead of, this likely won’t raise much suspicion amongst typical users. They just enter their login details as usual – and end up becoming the victims of cyber criminals.

Even conventional anti-virus software with specialized anti-phishing components can fail here, as no malware is downloaded, which keeps the fraud from being detected. Emsisoft Anti-Malware with its sophisticated Surf Protection module, detects most phishing sites and blocks any connection attempt to them, thus protecting you against phishing in the best possible way. For more information on how Emsisoft Anti-Malware works, please read our article “How well is your PC protected?”.


Have a nice (malware-free) day!

Your Emsisoft Team