An in-depth look at the Emsisoft scanner technology

  • July 16, 2015
  • 13 min read

A good antivirus product can seem like modern day magic. It lurks quietly in the background and, through some sort of technical sorcery, is able to keep your data safe and neutralize digital threats as you wander the web.

While you’re probably familiar with how to use the Emsisoft Anti-Malware scanner thanks to our video tutorials, exactly how the technology works may be a bit more of a mystery.

Well, look behind the scenes and you’ll find a dedicated team of developers working hard to ensure everything runs smoothly. Let’s pop the hood and dive into the underlying technology that drives all Emsisoft products.

  1. Two scan engines are better than one
  2. Available scan methods
  3. Advanced scanner features
  4. Productivity features
  5. Cleaning infections

1. Two scan engines are better than one

Part of what gives our scanner its advanced detection power is its dual engine system. It combines Emsisoft’s proprietary scanner with a Bitdefender scanner, and this two-pronged approach to detection minimizes the chances of malware slipping past your system’s defenses. This powerful pairing of antivirus technology allows us to keep ahead of the curve and makes Emsisoft Anti-Malware incredibly effective at combating all types of malware, including trojans, worms, keyloggers, ransomware and more.

Advanced signature-based detection

The engine we have built complements the second Bitdefender engine, and they are combined seamlessly to maximize efficiency.

One of the ways we detect unwanted programs is through signature-based detection. What this means is that we search programs for their unique signatures, which are like fingerprints, and scan your computer for these threats.

Here at Emsisoft, most of our lab time is spent creating detection signatures for PUPs (potentially unwanted programs) and on custom malware removal code for specific infections. We ran some numbers a while ago and discovered that more than 74% of the total detected PUPs are detected by our in-house built scan engine component.

Maximizing performance with a dual engine scanner

Having two engines means we are better equipped to provide new signatures for threats as quickly as possible — so quickly, that often times both vendors have signatures made for the same threat within the hour!

These engines are built to complement each other, so you don’t have to worry about redundant functionality. The files on your hard disk are only read once and then scanned by both engines. This ensures that there is no significant scan time loss, even though we use two engines. It’s no coincidence that our dual engine scanner works faster than many big brands that use a single engine!

So how does this information translate to your own practical use?

Simple: all detections with an (A) postfix are from our own engine and those with a (B) postfix are from Bitdefender.

In a nutshell: We believe two engines are better than one, and we use our own technology to detect threats to your computer that might otherwise be missed. But we won’t compromise efficiency in this process — Emsisoft works to keep your memory clean and uncluttered, and to detect threats at optimal speeds. To see some numbers about the real power of the second scan engine in our products, please see this article.
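The read-once, scan-twice idea above, as an added example that is not Emsisoft’s code: the file bytes are read from disk a single time and the same buffer is handed to both engines, and each detection carries the (A) or (B) postfix the post describes. The engines, their signatures and the sample file are constructed for the demonstration.

```python
"""Added example (not Emsisoft code): read a file once, scan it with two engines."""
from __future__ import annotations
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # detection name as the engine reports it
    pattern: bytes  # constructed byte sequence that must appear in the buffer


class Engine:
    """One signature engine. It only ever sees an in-memory buffer, never the disk."""

    def __init__(self, postfix: str, signatures: list[Signature]) -> None:
        self.postfix = postfix
        self.signatures = signatures

    def scan(self, data: bytes) -> list[str]:
        return [f"{s.name} ({self.postfix})" for s in self.signatures if s.pattern in data]


class DualEngineScanner:
    def __init__(self, engine_a: Engine, engine_b: Engine) -> None:
        self.engines = (engine_a, engine_b)
        self.disk_reads = 0  # counts reads so the read-once property can be checked

    def scan_file(self, path: str) -> list[str]:
        with open(path, "rb") as fh:  # the single read, shared by both engines
            data = fh.read()
        self.disk_reads += 1
        findings: list[str] = []
        for engine in self.engines:
            findings.extend(engine.scan(data))
        return findings


def build_scanner() -> DualEngineScanner:
    """Constructed toy engines; the patterns are not real malware signatures."""
    engine_a = Engine("A", [Signature("PUP.Sample.Toolbar", b"INSTALL_TOOLBAR"),
                            Signature("Trojan.Sample", b"EVIL_MARKER")])
    engine_b = Engine("B", [Signature("Gen:Sample.Trojan", b"EVIL_MARKER")])
    return DualEngineScanner(engine_a, engine_b)


def demo() -> tuple[list[str], int]:
    """Scan a constructed sample file; returns (findings, number of disk reads)."""
    scanner = build_scanner()
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"header EVIL_MARKER payload INSTALL_TOOLBAR trailer")
        findings = scanner.scan_file(path)
    finally:
        os.remove(path)
    return findings, scanner.disk_reads
```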

2. Available scan methods

Here is a quick rundown of the scan methods available in Emsisoft Anti-Malware and Emsisoft Emergency Kit:


Quick Scan

Quick Scan quickly gives you an overview of any active infections on your computer. It does so by scanning through all running programs and their modules. Quick Scan also completes something called a “trace scan.” Traces are known file and registry paths of malware infections. In simpler terms, it’s an antivirus scan that looks for a trace left behind by malware in order to locate it.

Additionally, Quick Scan checks installed drivers for active rootkits. A rootkit is a type of malicious software that hides certain files or registry keys from normal methods of detection so that it continues to have access to your computer. More on rootkits later!

We recommend a Quick Scan for automated/scheduled scans after boot or on user logons. It generally takes about thirty seconds to complete, so you don’t have to worry about it interrupting your day!

Malware Scan

The Malware Scan is similar to the Quick Scan, but it scans files in all folders that are known to host active malware infections. Our scanner identifies about a hundred common areas where malware likes to strike. One advantage here is that malware is really predictable in where it chooses to install — but don’t think the Emsisoft team is complacent! Our analysis team is constantly moving forward to detect new common areas, and they’re able to update software within minutes to keep your Emsisoft applications up to date.

We recommend a Malware Scan as the default scan when you suspect an active infection on your system. The malware scan does not detect inactive malware files, but luckily inactive files are non-active threats. These files can simply be deleted with the stroke of a key.

Custom Scan

By default, Custom Scan performs a complete, full scan. Use this option if you want to do a very thorough malware search and scan all files on all drives of your computer. The Custom Scan takes a significant amount of time to complete, and it isn’t recommended for frequent or daily use. It’s the kind of scan you should run a few times a year to be absolutely sure nothing is hiding around on your computer.

3. Advanced scanner features

One of the great features of a custom scan is that you can control your scanning settings. If you look at the custom scan settings dialog you’ll see all of your options. Some of them are enabled by default and others aren’t. Knowledge is the key to knowing what you need and what you don’t, but we have the best options selected for the everyday user. We’ll detail the options below so that you can familiarize yourself with what may or may not be appropriate for your scanning needs.


Scan for active rootkits

A normal file scan uses Windows APIs (Application Programming Interfaces) to read files. Essentially a set of routines and protocols, an API is the foundation for building software applications.

While Windows APIs may help speed and performance in some scenarios, they’re also often vulnerable to manipulation by rootkits.

What are rootkits?

Rootkits are like soldiers in camouflage. They blend into systems through a number of different means, and a very common way to do this is by modifying lists and tables that tell a system where to find code (this is called “hooking”).

When antivirus software accesses this list of available files, the rootkit is able to manipulate the list to prevent a file (i.e. the malware) from being detected. Once a file has been made invisible like this, it’s difficult for your malware scanner to detect it.

To find hidden rootkits, our scanner uses its own NTFS file system parser code. This code doesn’t rely on the common Windows APIs, which gives us an advantage over stealthy rootkits.

If the rootkit has camouflage, the Emsisoft scanner has thermal vision!

Cleaning rootkits

Cleaning rootkits properly is very tricky. Sometimes rootkits can even hide within certain regions of your computer’s hard disk, like the boot sector. Simply deleting these malicious files often results in an unbootable computer.

Our specialists help many victims of careless cleaning attempts by other anti-malware products, so we know firsthand how important it is to use a trustworthy source.

Rootkits generally require manual cleaning. Our scanner will tell you to consult our malware removal experts to clean rootkits. They will analyze and identify the type of rootkit affecting your system, and provide you with detailed, step by step instructions to remove it without risking the stability of your computer system.

You might wonder why all of the scans don’t rely on our own scanner. This is because reading directly from the file system (direct disk access) is generally very challenging and typically much slower than using Windows APIs. If it were different, rest assured, we would use our own NTFS file system parser code for all scans.

Scan memory for active Malware

Rather than focusing on scanning files on the hard disks, the memory scan enumerates all active programs – including all their loaded DLLs and other components – and scans them first. The scan typically completes within fractions of a second.

Scan for Malware Traces

As the name implies, a trace scan is a scan that looks for traces that malware has left behind. There are three main types:

  1. File traces: These are known paths of executable files on the hard disk that are used exclusively by malware. They exist alone on the hard drive, independent of any other program’s folders.

     Example: C:\windows\explore.exe (easily confused with the legitimate explorer.exe)

  2. Folder traces: These are similar to file traces, but exist inside the folders of other common applications, like a Google Chrome settings folder.

     Example: c:\program files (x86)\PUP Folder\

  3. Registry traces: These are entries in the system registry database that indicate a malware infection. A registry trace points to an infection inside the actual settings of the computer. These are the most dangerous traces, and the related virus may significantly slow down the speed of your computer.

     Example: HKLM\Software\Windows\CurrentVersion\Run

It’s important to note that if a malware trace is detected, it doesn’t necessarily mean that there is an active infection. It may well be leftovers from a previous, incomplete cleaning attempt. Trace infections are an indication that you need to investigate further.

When there is an active infection, traces are typically found next to file findings. You can clean them at any time.
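A toy trace scan covering the three trace types above, added here as an example that is not Emsisoft’s code. It applies the post’s point that a trace alone is an indication rather than proof: a file trace counts as active only when that image is also running, and a registry autorun trace counts as active only when the file it points to still exists. The trace list (modelled on the post’s example locations) and the system snapshot are constructed for the demonstration.

```python
"""Added example (not Emsisoft code): trace scan over a constructed system snapshot."""
from __future__ import annotations
from dataclasses import dataclass, field


def norm(path: str) -> str:
    """Case-insensitive comparison key for Windows file and registry paths."""
    return path.lower().rstrip("\\")


@dataclass(frozen=True)
class Trace:
    kind: str       # "file", "folder" or "registry"
    location: str   # file/folder path, or registry "key\value name"
    name: str       # detection name to report


@dataclass
class Snapshot:
    files: set[str]
    folders: set[str]
    registry: dict[str, str] = field(default_factory=dict)  # "key\value" -> data
    running: set[str] = field(default_factory=set)          # image paths of processes


def scan_traces(traces: list[Trace], snap: Snapshot) -> list[tuple[str, str]]:
    """Return (detection name, status) for every trace present in the snapshot."""
    files = {norm(p) for p in snap.files}
    folders = {norm(p) for p in snap.folders}
    running = {norm(p) for p in snap.running}
    registry = {norm(k): v for k, v in snap.registry.items()}
    out: list[tuple[str, str]] = []
    for t in traces:
        loc = norm(t.location)
        if t.kind == "file" and loc in files:
            out.append((t.name, "active" if loc in running else "leftover"))
        elif t.kind == "folder" and loc in folders:
            out.append((t.name, "indication"))
        elif t.kind == "registry" and loc in registry:
            target = norm(registry[loc].strip('"'))  # autorun data is the image path
            out.append((t.name, "active" if target in files else "leftover"))
    return out


# Constructed traces modelled on the post's examples; value names are samples.
KNOWN_TRACES = [
    Trace("file", r"C:\windows\explore.exe", "Trojan.Sample.FileTrace"),
    Trace("folder", r"C:\program files (x86)\PUP Folder", "PUP.Sample.FolderTrace"),
    Trace("registry", r"HKLM\Software\Windows\CurrentVersion\Run\SampleUpdater", "PUP.Sample.RegTrace"),
]


def demo() -> list[tuple[str, str]]:
    # Constructed snapshot: explore.exe exists but is not running (leftover), the
    # Run value points to a file that still exists (active), the PUP folder is gone.
    snap = Snapshot(
        files={r"C:\Windows\explore.exe", r"C:\Users\Sample\AppData\updater.exe"},
        folders={r"C:\Program Files (x86)"},
        registry={r"HKLM\Software\Windows\CurrentVersion\Run\SampleUpdater":
                  r'"C:\Users\Sample\AppData\updater.exe"'},
        running={r"C:\Windows\explorer.exe"},
    )
    return scan_traces(KNOWN_TRACES, snap)
```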

Detect Potentially Unwanted Programs (PUPs)

For legal reasons, we can’t call all unwanted programs “malware” in our user interfaces. The term PUP, which stands for Potentially Unwanted Program, was coined by the antivirus industry several years back. Generally, PUPs exist to get their creators some extra cash by displaying ads, changing your default search engine provider, or collecting private data to sell to advertisers.

Scan in compressed archives

Compressed archives are files that contain a number of other files and shrink their size. Some common examples are ZIP, RAR, or 7Z, but there are hundreds of other less known compressed archives. Even an EXE program may actually be a self-extracting archive, meaning it contains other files (generally this is for more efficient data transferring).

A malware file can’t directly start from within a compressed archive – it needs to be unpacked first. Because of this, archives aren’t typically considered dangerous on their own. As a result, many scanners exclude archives from scanning or limit archive scanning to files of a certain size.

Unpacking archives is incredibly time consuming and takes up a lot of system resources. You may disable the archive scan feature if you already understand what’s happening within your own archives and are confident that there isn’t a possibility of infection.

Scan in email data files

Local email client programs typically save all emails in one large database file. If this scanner option is enabled, Emsisoft Anti-Malware will try to extract all individual files from email attachments and scan them for infections. Supported email clients include Outlook, Thunderbird, The Bat! and more.

Scan in NTFS alternate data streams

In 1993, with the introduction of NTFS (New Technology File System) as the default file system of Windows NT (predecessor of 2000, XP, 7, 8, 10, etc.), a new feature called Alternate Data Streams was introduced. Files were now able to store metadata in hidden layers.

Unfortunately, these streams can also be used to store other types of harmful data, such as complete malware programs — and all within a 0 byte text file.

Fast forward to today, and a harmless looking file extension may contain dangerous code that can be started automatically via autorun registry keys.

When the NTFS Alternate Data Streams scan option is enabled, the scanner searches all data layers for hidden threats.

File extension filter

With the file extension filter you can limit the number of scanned files based on their file type. Many file types cannot be used to host dangerous code, so many people might initially think it’s a waste of time to scan certain files.

For example, all executable Windows files start with the byte sequence “MZ” which tells the operating system that the file can be run by the computer. Checking these byte sequences (or “magic bytes”) is a reliable method, and almost as fast as simply checking the file extension itself.

But it’s important to note: there’s a very good reason why this feature is actually disabled in the default settings. This is because the scanner doesn’t just look at the type of file extension by name, but looks for specific file type markers inside of the file. File extensions can be easily changed to fool a scanner, but the content can’t.
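The content-based typing described above, as an added example that is not Emsisoft’s code: a file is classified by the markers inside it (the “MZ” stub plus the “PE\0\0” signature at the offset stored in the DOS header, or the leading bytes of a few archive formats), and a mismatch with the extension is reported rather than trusted. The PE buffer and the other samples are constructed in memory for the demonstration.

```python
"""Added example (not Emsisoft code): type a file by its content, not its extension."""
from __future__ import annotations
import struct

# Leading bytes of common archive formats (RAR4 and RAR5 share this prefix).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
EXECUTABLE_TYPES = {"pe", "mz-stub"}
ARCHIVE_TYPES = set(ARCHIVE_MAGIC.values())
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "sys", "com"}


def sniff(data: bytes) -> str:
    """Return a content-derived type name, or "unknown"."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-stub"  # MZ header without a PE signature (DOS program or truncated)
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def should_scan(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide from content whether to scan, and note an extension that lies about it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind not in EXECUTABLE_TYPES and kind not in ARCHIVE_TYPES:
        return False, f"no executable or archive marker (looks like {kind})"
    reason = "executable or archive content"
    mismatch = (kind in EXECUTABLE_TYPES and ext not in EXECUTABLE_EXTENSIONS) or \
               (kind in ARCHIVE_TYPES and ext != kind)
    if mismatch:
        reason += f"; extension .{ext} does not match {kind} content"
    return True, reason


def make_pe_sample() -> bytes:
    """Constructed minimal PE-like buffer: MZ stub, e_lfanew = 0x40, PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20
```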

Direct disk access mode

As mentioned above, the scanner is able to search files that are hidden by active rootkits by utilizing our own NTFS file system parser instead of Windows APIs. Direct disk access mode allows the Emsisoft scanner to bypass security checks and go directly to a file location to find protected malware.

The downside of this method is how immensely time consuming it can be. Therefore it should only be used for specific folders that may contain rootkits. There is not much to gain by using this feature to scan your whole disk, which is why this option is disabled by default. Rootkit scan always uses the direct disk access mode feature, so rest assured that it’s automatically set to be utilized when necessary.

Scanner settings


When viewing the Scan area of the software, you’ll see a section called “Scanner settings”. If you click on it, you’ll find global advanced scanner settings:

Detect Potentially Unwanted Programs (PUPs)

This option defines whether PUP detection should be included in all scans or not.

Performance impact

Here you can decide whether you want the Emsisoft scanner to use all your available hardware resources to make scans as fast as possible, or reduce the available resources for threat scans in order to keep all your main programs working as fluidly as possible.

On scan completion

Define the defaults for what should happen when a scan has finished without you attending the action. The available options are self-explanatory:

4. Productivity features

Context menu scan in Explorer (Not available in Emsisoft Emergency Kit)

The web is teeming with malware just waiting to get inside your system. But a context menu scan can act as a great preventative method to contracting viruses in the first place.

Emsisoft Anti-Malware comes with a useful Windows Explorer integration that can save you a lot of time if you’re performing frequent scans. Just right-click on any file or folder in Explorer and select the option “Scan with Emsisoft Anti-Malware” in the context menu to start your custom scan.

Commandline Scanner

A commandline scanner is best suited to professionals who don’t need a graphical user interface to perform their scans. If you’re unsure of what this means, don’t worry! This isn’t a program that you’ll need.

The Emsisoft Commandline Scanner is a complete commandline interface that includes all features of the Windows-based scanner. It’s primarily used for automated scans initiated by other programs or scripts which require a return value for further processing. Learn more about the available parameters of the command line scanner here.

5. Cleaning infections

Detecting an active threat is just one part of the journey to a clean computer. Cleaning is actually a more difficult process than finding PUPs, because malware works hard to avoid being removed. Here are a couple of cleaning prevention mechanisms that malware uses to lodge itself in your computer:

Lock the file

Some malware is able to lock a file. If a file is locked, it can’t be deleted. A lock is typically held by ensuring the program is always running.

Watchdogs

This is an infection method in which malware comes in a pair of programs. If you kill one program, the other will notice and restart immediately. If you kill the second, the first one restarts, and so on.

Hiding

As mentioned above, rootkits manipulate system APIs to remain hidden. If a file can’t be seen it can’t be removed.

Autorun as system component

Some threats load themselves into programs that your operating system automatically runs (autoruns) when you start your computer. If you try to kill them, you’ll get the dreaded blue screen, and everything will stall. If you remove the autorun entry, the malware recovers instantly.

How Emsisoft cleans infections

To cope with these malware tricks, we have developed our own sophisticated cleaning engine. It cleans about 100 locations in the registry and file system that can be abused to automatically load malware on system startup.

If a file is locked, our cleaning engine schedules its removal for the next system boot up, using a method that prevents the malware from re-locking the file. Additionally, our engine restores default values of a number of autorun locations that would render the system unusable if you were to just delete the malware entries. During removal, a quarantine copy of each threat is saved for later analysis or restoration (unless you select the “delete” option instead of “quarantine”).

So what does it mean when a file is in “quarantine”? It means that a file is wrapped in an encrypted, secure container file where it cannot do harm to other files and applications on your system. We always recommend using the quarantine feature because there is a small chance that the file that was detected is harmless (a false positive), or that the file might be necessary for further investigation or forensics. You may delete quarantine files after a couple of weeks if it turns out that the file is in fact harmless.

Scanning and cleaning files on network shares

While it is possible to scan files on network shares that are located on other machines, we don’t recommend that at all. It might save you a bit of time, but please be aware that scanning remote files has some serious limitations by design:

Always scan and clean locally. If you don’t want to install our software for a one-off job, go for the Emsisoft Emergency Kit scanner, which is fully portable and doesn’t require any installation.

Whether you’re an antivirus expert or a casual internet browser, we hope this information will help you understand exactly how Emsisoft’s top of the line technology is working to protect your computer from malware.

Have a great, malware-free day!

Emsi

Emsisoft founder and managing director. In 1998 when I was 16, a so called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story
