Thursday, January 24, 2013

[Review] Emsisoft Anti-Malware 7 (paid version)



Pros

- Can be used as the main antivirus or as a companion AV alongside another one.
- Very high detection rate due to 2 engines: Bitdefender & Emsisoft
- Light on the system during normal use
- Powerful Behavior Blocker
- Hosts Blocker
- Easy to use
- Almost max settings out of the box
- Very good support team


Cons

- Paid
- Can be heavy on resource usage on some systems during boot, scans & updates
- Surf Protection may produce many false positives, especially for less-known sites

Emsisoft Anti-Malware

Emsisoft Anti-Malware (aka EAM) is one of the best antivirus products available on the market. It has 2 versions:

1- The free version: used just as an "on-demand" scanner; you will have access only to the antivirus engines and updates.

2- The paid version: the full version with Behavior Blocker and Surf Protection. I will describe it now.

Here are the top results of EAM for 2012 in the MRG Flash Tests

Let's go for a tour now!

0- Security Status

The Emsisoft Anti-Malware start screen, called "Security Status", shows an overview of all program and configuration options. From here you have access to all functions of EAM, to some information about its current version and signature database, and to some links to Emsisoft.

The security status window is divided into three sections.

The first part is the menu on the left, containing "Scan PC", "Quarantine", "Logs", "Guard" and "Configuration", and it provides easy access to all relevant program options and configuration dialogs.

The middle area provides a status overview of the major program components such as the Guard, Scanner and Update settings. Each component of Emsisoft Anti-Malware has a separate entry and can be directly toggled on or off using the mouse. "Settings" takes you to the corresponding configuration dialog for the respective component. "Emsisoft News" shows the latest Emsisoft headlines and keeps you up to date on the latest news.

The third and last area on the right provides you with access to the main Emsisoft Anti-Malware resources, including the Emsisoft homepage, contact details for Emsisoft, Support forum and Security articles, and also allows you to send suspicious files to Emsisoft's experts for analysis. The lower part of this area shows the exact version number of Emsisoft Anti-Malware, the number of signatures used for scanning and the number of days remaining before your license expires.

1- File Guard

Like some other antiviruses (G Data, Coranti, Roboscan, etc.), EAM is composed of 2 engines: the Emsisoft engine and the Bitdefender engine. The combination of both makes EAM a potent AV with a high detection rate; EAM is one of the few AVs that passed almost all detection tests in various virus test labs (MRG, for example). Because of that, EAM may be a bit heavy on resources on some computers, especially during a database update or a scan (~180 MB).

a- Application rules

This is where you set the rules for the various programs running on your system.

"Application Rules" lists all application rules that have been defined, with filename and mode. The filename field shows the file path of the program for which the rule was created. The mode field shows whether the program is blocked (Blocked), excluded from monitoring (Excluded) or monitored (Monitored). "Monitored" means that particular behavior is allowed but the program will still be monitored by Emsisoft Anti-Malware for other suspicious behavior.

Rules can be added, edited and deleted.

b- File Guard

Here are the settings for the real-time module.
An interesting feature is that EAM allows you to choose between performance and protection. You have 3 choices (scan before execution, additionally scan when created or modified, and additionally scan when read).
Setting EAM to "Scan only programs before they are executed" reduces resource usage the most while still offering decent protection.

Scan only programs before they are executed - This setting configures executable files to be scanned immediately before they run. This setting has the least effect on the performance of your system while still providing sufficient protection.

Additionally scan all files when they are created or modified - This setting configures all files to be scanned when they are created or written to. For example, this occurs when a file is downloaded or copied onto your computer from a USB stick.

Additionally scan all files when they are read - This setting causes all files to be scanned before every read operation, so that simply selecting a file is sufficient to cause it to be scanned. This setting has the greatest effect on your system performance and should only be used on high end systems.

The File Guard not only scans files before they are executed, but depending on the chosen settings, also before all other file actions such as moving or downloading from the Internet.

- Detect Riskware - When this check box is selected the File Guard also raises an alert for so-called Riskware. Riskware is usually defined as benign software that can be used for malicious purposes by Malware authors. In the case of a Riskware alert you should always check whether you installed the program intentionally or not.

What is Riskware?

c- Scan

EAM offers several kinds of scans:

- Quick Scan - Scans all active programs and Spyware Traces.
- Smart Scan - Good, fast result, but only important folders will be scanned.
- Deep Scan - Slowest scan, all files on all hard disks will be scanned deeply.
- Custom Scan - All scanner settings can be manually set and stored for later use.

EAM scan performance can be adjusted to your needs:

Use the following processors for scans - Advanced users may wish to limit scans to using only a certain number of processors if they require individual processors to be reserved for other tasks. By default all processors are used.

Number of threads - Specifies the number of worker threads active during a scan. The default is the number of processors being used for scanning plus one for reading the data.

Scan thread priority - Advises Windows to give the scanning threads the specified priority over other running processes. Priority can be set to a minimum to avoid negatively affecting the performance of other active tasks, e.g. when running lengthy background scans.

Use advanced data caching - Allows intelligent self-optimization of scans on a continual basis by avoiding the need to re-examine known safe files if their contents remained unchanged.
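
How a cache of this kind can work, as an added example (not Emsisoft's code and not part of the original review): clean verdicts are keyed by content hash, so a file is skipped only while its bytes stay the same. `ScanCache`, `toy_engine` and the signature-version part of the key are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

class ScanCache:
    """Caches clean verdicts keyed by (content hash, signature version)."""
    def __init__(self, scan_fn, signature_version):
        self.scan_fn = scan_fn              # hypothetical engine callback
        self.signature_version = signature_version
        self.clean = set()
        self.engine_calls = 0

    def is_clean(self, path):
        key = (sha256_of(path), self.signature_version)
        if key in self.clean:
            return True                     # same bytes, same signatures: skip
        self.engine_calls += 1
        verdict = self.scan_fn(path)
        if verdict:
            self.clean.add(key)             # never cache a detection as safe
        return verdict

def toy_engine(path):
    """Constructed stand-in for a real engine: flags one marker string."""
    with open(path, "rb") as handle:
        return b"CONSTRUCTED-BAD-MARKER" not in handle.read()

def write(path, data):
    with open(path, "wb") as handle:
        handle.write(data)

def demo():
    """Scan, rescan unchanged, tamper, restore, then update signatures."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        cache = ScanCache(toy_engine, signature_version=1)
        write(path, b"harmless bytes")
        verdicts = [cache.is_clean(path), cache.is_clean(path)]   # miss, hit
        write(path, b"harmless bytes CONSTRUCTED-BAD-MARKER")
        verdicts.append(cache.is_clean(path))    # content changed: rescanned
        write(path, b"harmless bytes")
        verdicts.append(cache.is_clean(path))    # original bytes: cache hit
        cache.signature_version = 2
        verdicts.append(cache.is_clean(path))    # new signatures: rescanned
        return verdicts, cache.engine_calls
```

Keying on the file's name or timestamp alone would let a modified file inherit an old "safe" verdict, which is why the key here is the content hash.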

2- Behavior Blocker

EAM incorporates what I consider the best Behavior Blocker on the market, named Mamutu (also made by Emsisoft); my comrade Biozfear made a very good review of it here

a- Behavior Blocker

The "Behavior Blocker" tab allows you to define the types of behavior that should be monitored system-wide by Emsisoft Anti-Malware.

b- Alert Setting

Here you have various options concerning the Behavior Blocker's "behavior" :p (OK, easy joke). This is also where you can see the "Cloud" feature of EAM.

Emsisoft Anti-Malware reports the behavior of programs that are sometimes clearly dangerous but sometimes also only possibly dangerous. With some benign programs a clear decision between benign and malicious behavior is not technically possible. Emsisoft Anti-Malware always reports this type of suspicious behavior unless you activate alert reduction to reduce the number of false alerts relating to benign programs.

The most important are:

- Activate intelligent alert reduction - Emsisoft Anti-Malware performs a technical analysis of the program file of a suspicious program to identify whether it is benign or not. Good examples of false alerts are Explorer.exe (Windows Explorer), Internet Explorer or Firefox. When starting, all these programs exhibit behavior that is also used by Malware. For example, changing the browser settings or generating network traffic without a visible user interface. If intelligent alert reduction is not activated, then warning alerts are generated each time these programs start. With intelligent alert reduction activated, Emsisoft Anti-Malware recognizes that these are legitimate programs and doesn't generate warning alerts. The intelligent alert reduction is deactivated by default because in rare situations it is possible that it could allow a dangerous program to become active.

- Community-based alert reduction - Emsisoft Anti-Malware relies on the intelligence of the masses. When this option is activated, an online query is sent to the Anti-Malware Network and the decisions of all Emsisoft Anti-Malware users on what to do with a reported program (allow, block, quarantine, exclude from monitoring) are displayed as a colored graphic. Emsisoft Anti-Malware uses this to provide a recommendation of how to proceed with the reported program.

- Activate paranoid mode - Alerts for additional possibly malicious activity by applications with a suspicious or Malware-like file layout. This option is deactivated by default because it can produce many false alerts and is only recommended for advanced users.

Here is an interesting article concerning the EAM Behavior Blocker

3- Surf Protection

a- Surf Protection

This component protects you from dangerous websites and links; an unaware user will be unable to access some kinds of dangerous websites (depending on the settings).

b- Host Rules

EAM has a Host Rules component containing blacklisted domains. You can manually add your own list to increase its effectiveness; I personally add the MVPS Host List.

The "Host Rules" module lists all rules created for blocked and allowed hosts with "Hostname" and "Mode". The rules can be individually added, edited or removed.
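
Before adding a third-party list to Host Rules it is worth checking what it contains. The following added example (not part of the original review and not Emsisoft code) assumes the list is in standard hosts-file format, an address followed by one or more hostnames; the sample lines are constructed and `extract_block_hosts` is a hypothetical helper.

```python
import re

SINKHOLES = {"0.0.0.0", "127.0.0.1"}        # addresses that mean "block"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input, not taken from any real list.
SAMPLE = """\
# constructed sample in hosts-file format
127.0.0.1    localhost
0.0.0.0      ads.example.com        # inline comment
0.0.0.0      ADS.example.com
127.0.0.1    tracker.example.net cdn.example.net
203.0.113.7  login.example.org
0.0.0.0      bad_host!.example
"""

def valid_hostname(name):
    """Dotted name made of letter/digit/hyphen labels, within DNS limits."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) > 1
            and all(LABEL.match(label) for label in labels))

def extract_block_hosts(text):
    """Return (hosts, rejected); rejected holds (line_number, reason)."""
    hosts, rejected, seen = [], [], set()
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue                          # blank line or comment only
        if fields[0] not in SINKHOLES:
            # A real address would redirect the name instead of blocking it.
            rejected.append((number, "not a sinkhole address"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue                      # loopback entries are not rules
            if not valid_hostname(name):
                rejected.append((number, "invalid hostname"))
            elif name not in seen:
                seen.add(name)
                hosts.append(name)
    return hosts, rejected
```

The `rejected` list is the part to read by hand: an entry that maps a hostname to a routable address is a redirect, not a block, and does not belong in a blocklist.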

4- Configuration

Here are the various options available; the most notable are:

- Activate email scanning - Allows email scanning to be integrated into Microsoft Outlook 2003, 2007, and 2010. For advanced email scanning settings, please open your email client and open the Anti-Malware settings in the newly appeared toolbar/ribbon.

- Activate memory usage optimization - When enabled, this option reduces the amount of RAM being used by swapping out non-active data (such as signatures) to the pagefile. On older PCs this may result in system slowdowns. If you have sufficient RAM, you may wish to disable this feature to ensure maximum speed.

5- Hijack Free

It is a process/services/autoruns/ports monitor that allows a user to check what is happening on their system and to terminate or delete illegitimate processes and files.

Final Note

Needless to say, EAM is my favorite antivirus. I have used it for a very long time and it has never failed me yet; its user-friendliness and great protection have made it a masterpiece in my security configuration.

I rate it 5/5.

EAM is also part of Emsisoft Internet Security Pack (Emsisoft Anti-Malware + Online Armor Premium).

1 comment:

  1. Hello Umbra,
    Love your reviews and posts on malwaretips. At this moment I am checking out Emsisoft Internet Security Pack. It runs very smoothly on my notebook (Windows 7) and I love the support from Emsisoft.

    Just wondering if I need to configure something in Online Armor, or is automatic mode after learning mode enough?
    I did an only firewall check and not all ports were stealth and the online program advised me to adjust the firewall.

    Thanks for your input.