How to use Web Protection to prevent malware entering your PC

  • February 18, 2013
  • 6 min read

Note: This post has been updated to reflect the new name of Surf Protection. Goodbye ‘Surf Protection,’ welcome ‘Web Protection!’

Would you rather your home security system removed an intruder after they entered your home or stopped them before they could even open the front gate?

The latter is obviously preferable. Emsisoft’s Web Protection component is built with this basic premise in mind.

Real-time protection components are only able to detect malicious software after your system has been hit with a dangerous file. Ideally, your antivirus software should be able to intercept malware before it touches your PC. This is precisely what Emsisoft’s Web Protection is designed for.

What does Web Protection (formerly Surf Protection) actually do?

Web Protection keeps watch as you browse the web and warns you when you try to access a malicious website. By blocking your connection to dangerous hosts, Web Protection prevents data from being exchanged and minimizes the risk of malware infecting your machine.

A host can be defined as a website domain such as or an IP address that might contain data for several domains. Hackers often use single physical servers with unique IP addresses that dozens of different domains point to. Emsisoft’s Web Protection is able to detect new malware domains reliably and halts all exchange of data – unless you as the user explicitly grant access.

Emsisoft Web Protection Notification

One of the key benefits of Web Protection is that it intercepts connections at the Windows system level. This ensures that Web Protection works with all browsers, and doesn’t require compatibility updates whenever a new version of your browser or browser plugin is released.

How does Emsisoft’s Web Protection recognize suspicious hosts?

In addition to a massive collection of conventional malware signatures, Emsisoft Anti-Malware also has a huge database of known malicious hosts. The data is gathered from publicly available lists, intel from specialized companies that Emsisoft has partnered with, and verified user submissions. To keep the database up to date and provide maximum security against the latest malicious websites, new threats are continually added and the list is updated every 15 minutes.

There are four categories of suspicious hosts:

Malware, phishing and PUP hosts are automatically blocked as they are generally undesirable. Hosts that fall under the “privacy risks” category are not automatically blocked as this group includes a large number of websites that claim to be legitimate. Among these, for instance, are all sorts of advertising networks that track their users across the Internet to create web browsing profiles.

You can change the default settings via Protection menu > Web Protection and selecting an option from the Privacy risks dropdown menu.

After changing the default settings for Privacy risks to “Alert”, you will typically see an alert similar to the one below when trying to access a benign website such as This can be confusing for less experienced PC users, so we’ll explain the reasons for this in a moment.

Emsisoft Web Protection alert.

Google Analytics is a tracking service that evaluates a user’s behavior in order to provide its operator with statistical data. Advertising networks take it one step further by, for example, displaying personalized banners. While this is considered dangerous per se, it is nevertheless the user’s prerogative to decide for themselves what constitutes an invasion of their privacy.

In the event that Web Protection blocks a host that is classified as a privacy risk, the originally requested website will probably still load. This is due to the fact that most websites utilize third-party domains to display their advertisements and provide their tracking functions. As a result, only the advertisements and functions related to these third-party domains are blocked (this is the cause of the alert in our example image above when accessing

How to configure Web Protection

Emsisoft Anti-Malware’s default settings offer maximum security and are simple to use. However, you can change the settings at any time to meet your individual needs.

Emsisoft Web Protection panel.

1. How to view user-added blocked hosts

Protection menu > Web Protection 

You can see all user-added blocked hosts by clicking Protection menu -> Web Protection. You can also find individual entries by using the Search bar. Please note that only user-added added entries are shown.

2. How to check if a host is on your custom list

Protection menu > Web Protection > Search for host

If you want to confirm that a certain host is blocked, you can do so by using the Search function.

3. How to import hosts file

Protection menu > Web Protection > Import hosts file > select hosts file > select Implemented action > OK

The hosts file is part of Windows and is located in c:\windows\system32\drivers\. It is used for overriding DNS settings by redirecting certain domains to certain IP addresses in a targeted manner. Various hosts file lists are available to download online and this has been a popular method used by people to build their own form of “web protection” with tools that come with Windows. Malicious domains are then redirected to the local IP, which neutralizes them.

There are some disadvantages to this approach, though. You never know when a connection has been redirected, and a large hosts file can slow down your system’s performance. There are also no automatic updates, so you have to keep your hosts file list up-to-date yourself.

If you wish to use third-party hosts file lists, we recommend you import them directly into Emsisoft Anti-Malware instead, by using the “Import hosts file” option which allows you to import individual entries as well as larger lists in one go. Unlike using a custom Windows host file, importing a third-party list into Emsisoft Anti-Malware’s Web Protection, will not slow down your system. Use of third-party lists is purely optional – most entries are already on the built-in list that is updated every 15 minutes.

4. How to change block and notification rules

Protection menu > Web Protection > select option from hosts dropdown menus

Host rules feature the following modes:

We recommend using the default setting “Block and notify” so that you will know immediately when a connection has been blocked. This may keep you from wondering why a certain website has not loaded.

5. How to clear all custom hosts

Settings menu > General > Factory defaults > check “Host rules” only > OK

The fastest way to clear the entire list of custom hosts is to use the “Restore to factory defaults” function and ensure that “Host rules” is the only category that is checked.

Maximum protection against phishing

Phishing remains one of the most popular attack vectors among cybercriminals due to the fact that it’s far easier to fool humans than machines. In many cases, phishing websites and emails look indistinguishable from the real thing, save for a slightly modified domain name. When you unwittingly enter your username and password into these sites, you’re inadvertently sending your login credentials straight into the hands of the bad guys.

Emsisoft Anti-Malware with its sophisticated Web Protection module is specifically designed to detect most phishing sites and block any connection attempt to them, thereby protecting you against phishing in the best possible way.

Have a nice (malware-free) day!

Your Emsisoft Team

Protect your device with Emsisoft Anti-Malware.

Did your antivirus let you down? We won’t. Download your free trial of Emsisoft Anti-Malware and see for yourself. Start free trial



Emsisoft founder and managing director. In 1998 when I was 16, a so called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story

What to read next

Reader Comments