Overview:
There are times you want to block certain web sites for devices that are either your own or that you are managing.
Emsisoft Web Protection is part of the full Emsisoft program and also has the option to filter for contents and to create more custom rules compared to the Browser Security extension.

How to add a new host rule:
Open Protection Policies in your Workspace, choose the desired Policy Group (We suggest to make generic changes on the Group Level) and scroll to: Custom Host Rules under: Content Filtering

Open it and click on: Add

Then you can specify if you want to use a simple text based matching on the host name/IP, or a more complex Regular Expression based matching pattern. See: What is a RegEx?

How to change custom host rules:
Double-click a rule or select a rule and click: Edit rule to open the edit window. Host rules feature the following actions:

• Don’t block: Allows access to the host without asking.
• Alert: Alerts about access, and lets you decide whether to block or to allow it.
• Block and notify: Blocks the connection automatically and displays a notification pop-up window to let you know about it.
• Block silently: Blocks the connection but does not show any notification.

We recommend using the default setting “Block and notify” so that you will know immediately when a connection has been blocked. This may keep you from wondering why a certain website has not loaded.

How to import a third party hosts file
The hosts file is part of Windows and is located in c:\windows\system32\drivers\
It is used for overriding DNS settings by redirecting certain domains to certain IP addresses in a targeted manner. Various hosts file lists are available to download online and this has been a popular method used by people to build their own form of “web protection” with tools that come with Windows.
Malicious domains are then redirected to the local IP 127.0.0.1 or the invalid endpoint 0.0.0.0, which both neutralize them.

There are some disadvantages to this approach, though. You never know when a connection has been redirected, and a large hosts file can slow down your system’s performance. There are also no automatic updates, so you have to keep your hosts file list up-to-date yourself.

If you wish to use third-party hosts file lists, we recommend you import them directly into the local Emsisoft Anti-Malware program instead, by using the “Import hosts file” option which allows you to import individual entries as well as larger lists in one go.

Open the local Emsisoft program and click on: Web Protection

Then open: Import hosts file

Click on the 3 dots:

And search and select the location and the hosts file you want to import:

Unlike using a custom Windows host file, importing a third-party list into Emsisoft Anti-Malware’s Web Protection, will not slow down your system. Use of third-party lists is purely optional – most entries are already on the built-in list that is frequently updated.

The post How can I block a website or exclude it from being blocked? appeared first on Emsisoft Help.

Overview:
PUPs (Potentially Unwanted Programs) for example are flagged by our FileGuard protection during a scan. Some of these apps are harmless and therefor first need to be submitted to our lab, the same way like an app flagged by our Behaviour Blocker.
See instructions here. 
Then they have to be added to the Scanning Exclusions, otherwise it will be flagged again each time it is updated without the necessary certificate.
It can also be a known False Positive that is flagged. In order to have immediate access to that .exe, one should still submit it to our lab, but can afterwards restore it immediately and then add it to Scanning Exclusions and also to Monitoring Exclusions.

How to add a file to Scanning Exclusions:
Open the Workspace, click on: Protection Policies and choose the desired Policy Group. Then scroll down on the right till: Exclusions. Under: Exclude from scanning, click on: Add file or Add folder and and add the wanted exclusion/s.

This list also displays the path of any files or folders that have been excluded from signature based detection by the Scanner and the FG.

An exclusion can be easily removed at any time by clicking the Trash can icon.

The post Why did Emsisoft Scanner flag a safe file as malicious? appeared first on Emsisoft Help.

Overview:
An Admin needs to be able to track the changes that were done to a Policy Group and also on a device, especially if the client PC has permissions to make changes locally.

How to identify changes:
In the Workspace, you might have noticed the: Edits counter, per device. This counter indicates the number of changes related to the parent policy and ideally should be zero.

Note that settings should always be managed either at the root level or the group level, and not on a device level. If you make a setting change on the lowest level (which is device level), it breaks the inheritance from parent group(s).

Setting changes on the device level (on the local machine itself or in the Workspace) overrule Protection Policy settings, which are displayed as a blue circular arrow icon in the Protection Policies.
If you later make a change in the parent policy or root policy, this change will not be inherited by the device, unless you click the revert to parent policy (blue circular arrow) button.

When you click that revert arrow, it will reset the device polices to the parent group.

The post How can I track changes that were made to Protection Policies? appeared first on Emsisoft Help.

Common queries and when to use them

A common query is a predefined set of instructions or criteria used to search and analyze data in a system, helping identify specific information or patterns from a dataset or database. It can vary based on the specific goals of the analysis, such as filtering data, checking system information, or simply extracting meaningful insights from the dataset.

The choice of common queries will depend on the specific analytical objectives, the characteristics of the dataset, and the insights you are seeking to gain from the data. Understanding the nature of your data and the questions you want to answer will guide the selection of appropriate queries for your analysis.

Running Queries on-demand and asynchronous

Live query:
Live queries – or on-demand queries – are suitable when immediate, up-to-the-moment data is crucial, and suitable for tasks that are quick to execute and return results.
Running a query on-demand enables real-time result viewing within your dashboard. This flexible query tool allows us to examine all selected devices and promptly display the results right below.

Asynchronous queries and reports:
When running asynchronous queries, they operate independently of the main program flow, and their execution does not depend on the immediate completion of other tasks. It allows Admins to check reports later while editing different reports in real-time.
Asynchronous queries are beneficial for tasks that take longer to execute, common in scenarios where the user experience is not compromised by waiting for the result. Ideal when dealing with tasks that can be performed concurrently or when non-blocking behavior is crucial.

The Snapshots represent a complete copy of a report instead of displaying it in the live results view. It can be seen on the Reports panel.

Please note that certain queries might take a while to return results. Admins have the option to click a Cancel Query button to stop execution.

Create a new report and start analyzing using common queries

1. At your Emsisoft Management Console, select an existing Workspace, click on Threat Hunting and Create new report.
   
2. Click on the Edit Report button to handle your Queries settings and initiate report runs.
   
3. Create an automated security system by scheduling your reports daily, weekly, or monthly.
   
4. Explore and select from the list of pre-defined common queries for a more effective approach to threat hunting.
   
5. Choose either to show the full dataset or just the changes from previous runs on your dashboard. This feature enhances efficient alerting for potentially malicious system modifications. This setting can be modified in View mode to see other results if needed.
   
   Opting for Highlight changes brings a user-friendly touch to your data analysis. Here, GREEN steers you toward modified or added data, while RED signals the removal of previously existing data from the device. This color-coded system simplifies the process of quickly spotting and understanding alterations.
   

Threat Hunting within the Incidents Panel

The Alert Changes checkbox specifies whether any detected changes in query results from the previous run, and it shall trigger an event in the incidents list, email notifications, and integrations.

Whenever a modification in a hostfile is identified, the alteration will be emphasized in the reports dashboard, and an event will be triggered in the Incidents panel overview.

Simply click on the detection from the Incidents panel, and a Snapshot will open in the Only Changes mode, providing a complete copy of the report.

Handling unexpected errors

While executing queries on a set of devices, if one of the devices encounters an issue and doesn’t respond, the system will promptly generate a notification on the dashboard stating View 1 error.
This button will specifically identify the problematic device and provide details about the query that was in progress at the time of the occurrence.

Here is the example of what happens once clicked:

If some devices are offline while creating asynchronous or scheduled snapshots, we’ll wait for one hour just in case these devices come online again. This ensures they can be included in the report.

Behind the Query execution logic

Imagine your database as a giant library, and your query is like asking the librarian to find specific books. The database engine, acting as the librarian, follows these steps:

1. Understanding the Query: The librarian first understands your question (query) to figure out which books (data) you’re looking for.
2. Query Parsing: Next, the librarian breaks down your question into smaller parts, like identifying keywords and conditions in your query.
3. Query Optimization: Just as the librarian might choose the best route to collect books efficiently, the database engine optimizes the query execution plan to fetch data most effectively.
4. Data Retrieval: Now, the librarian goes through the shelves, fetching the books (data) that match your criteria.
5. Result Presentation: Finally, the librarian hands you the books, neatly organized according to your query. Similarly, the database engine presents the queried data in a readable format.

Understanding the logic behind query execution helps ensure a speedy and accurate retrieval of information from the database.

Need help or have questions?
Our customer support team is always here to help. If you have any questions about these changes or need assistance with managing your licenses, please don’t hesitate to contact us.

The post Threat Hunting guide appeared first on Emsisoft Help.

We have updated our licensing model and the way it assigns devices to the available seats. This means that you no longer have to worry about exceeding the seat limit. For your convenience we have simplified things and you can now count on a solid seat allocation model where each device is assigned to a unique seat within your license plan.

This method allows an easier management of your devices and provides a clear view on the seat availability. Thanks to this method we will also notify you if there are too many devices used compared to the available seats.
If you find yourself with more devices than seats, there are two alternatives that you can choose from: free up a seat or upgrade your license.

Free up seats by removing unused devices.

1. Sign into http://my.emsisoft.com , choose your Workspace and find the device that is no longer in use. You can use the column: ‘Last Updated’ to easily spot the unused devices.
2. On the right side of the device listed, click on the icon with the three vertical dots and choose: ‘Remove protection’. Note that it might be shown as: ‘Clear seat’ instead.

For larger MSPs or resellers, we recommend using the: ‘Bulk action’ if necessary.

1. In the Workspace page, click: ‘All devices’, sort by: ‘Last update’ column, click the menu: ‘Bulk action’, select ‘Bulk action’: ‘Remove protection’.
2. Select the devices with the oldest update, and click the button: ‘Apply’. This will remove all old devices from all Workspaces at the same time.

Upgrade your license to protect more devices.

1. At your MyEmsisoft portal on https://my.emsisoft.com , click on your Workspace and then on ‘Settings’. From there you can choose the new total amount of seats for the plan of your choice.
2. You can then click on: ‘Upgrade now’ to be forwarded to a shopping cart and access it’s final price.

Clear and Informative Error Messages.

If your Workspace has no available seats, Emsisoft will display a clear and informative error message, guiding you on the next steps to take. This ensures that you are always in the loop and can take the necessary actions to manage your licenses effectively.

Need help or have questions?

Our customer support team is always here to help. If you have any questions about these changes or need assistance with managing your licenses, please don’t hesitate to contact us.

The post Introducing Enhanced License Management appeared first on Emsisoft Help.

Overview:
Sometimes, applications as games, small customized apps or even business software are erroneously flagged as dangerous, even though they are safe to use. This may happen when an application is not digitally signed.
In a perfect world, all legitimate software would be digitally signed. Code signing is the process of digitally signing executables and scripts to confirm the software author and to guarantee that the code has not been altered or corrupted from the moment of his publication.
Malware is known for not being digitally signed. For this reason, unsigned apps will be flagged by your Anti-Malware as a precaution, giving you the choice to allow them into your system or block them.

How do deal with quarantined program:
If a program is flagged as dangerous and you are not sure if it is safe to use or not, it is best to leave it in the Quarantine.
Emsisoft gives you the possibility to share the info of this software to our lab for analysis directly, comfortably from the Quarantine panel. Here’s how:

1. Open the local Emsisoft app on the computer.
2. Click on: Quarantine in the blue tab: Scan & Clean
3. Highlight the file
4. Then click on: False Detection. Please include your accurate email address so we can reply. Please make sure to also fill out the info about the alert and the program.
5. Then please click the: Send button

Once our lab receives the files information, we can analyze how safe that software is.
If it is safe, we will then whitelist it if it is legitimate and allow it through the anti-malware. Will reply to you, so that you can then restore the file by clicking on the file in the Quarantine and by clicking: Restore.

You can also submit the file causing the detection via email to our lab: fp@emsisoft.com so we can analyze and correct the suspected false detection.
If the file is too large to send, please upload it to Virustotal and send us the web address of the scan result via email to submit@emsisoft.com or send us the file via wetransfer.com to submit@emsisoft.com

Files that were tested by us and are not digitally signed need to be added to Monitoring Exclusions, otherwise it will be flagged again each time it is updated without the necessary certificate.
If you are CERTAIN that the program is OK, you can add it directly to the Monitoring Exclusions.

The post False positives: Why did Emsisoft quarantine a safe program? appeared first on Emsisoft Help.

At Emsisoft, we understand how frustrating technical problems can be. This is the reason you always have a real person to chat with you, and your email messages are addressed within a couple of hours, if not instantly.
Our dedicated support team is here to provide swift and effective solutions to all your concerns, whether they are technical, billing, or administrative in nature. With their expertise and your cooperation, you can expect a speedy and efficient resolution to any issue.

While nearly all reported issues can be resolved through our self-help pages, this blog article outlines the steps you can take to expedite the resolution process when reaching out to our Support Team.

Channels

You can contact us through our Help Pages, where you can use the Mail or Chat button, both options are accessible from the bottom left corner of the interface of our installed software, as well.
Alternatively, you can send us an email to support@emsisoft.com or initiate a chat by clicking on the chat bubble in the corner of any of our webpages.
For more complex issues, we encourage you to use email, which allows for detailed descriptions of steps taken, screenshots, and logs.
For quick questions, the chat channel is your best option, but please keep in mind that we need to verify your identity, which can be done by providing us the relevant order number or license key.

Regardless of the channel, please explicitly state that we have permission to access your workspace. Granting us access to view your workspace information is essential in replicating and resolving issues.

Here’s a summary of the crucial details you should include in your communications with us:

Provide a Clear and Detailed Description

When creating a support ticket, your description of the issue is vital. Emsisoft’s dedicated support team relies on specificity. Please include:

• The nature of the problem or request.
• When the issue first occurred.
• Any error messages or codes encountered.
• Recent changes to your system or software.

Clear and concise descriptions help our team to quickly understand the problem, avoiding unnecessary delays due to vague descriptions.

Include Relevant System Information

Emsisoft’s experts need information about your hardware, software, and environment for effective diagnosis and resolution. Please provide:

• Name of your workspace and computer.
• Permission to log into your Workspace to check Settings and Logs
• Device type (e.g., laptop, desktop, smartphone) and Operating System version.
• Recent updates or changes made to your system.

This information helps Emsisoft’s support agents narrow down potential causes and provide solutions specific to your setup.

Attach Relevant Screenshots or Logs

Visual aids, logs and description of recent events can be very helpful in diagnosing issues, for instance:

• If your issue involves error messages, software glitches, or any visual anomalies, please take screenshots and attach them to your support ticket.
• More rarely we will ask you to collect logs locally, on your device. Here you can find the step-by-step instructions on how to collect debug logs and FRST Logs.

Mention Any Troubleshooting Steps Taken

If you’ve already attempted to address the issue on your own, Emsisoft’s support team encourages you to share what you’ve tried. For this reason, please include details about any troubleshooting steps, fixes, or workarounds you’ve attempted.

Conclusion

Our dedication to your satisfaction, together with your cooperation in providing punctual information, guarantees that your technical issues are addressed promptly, effectively, and effortlessly. Our excellent Support Team is always available to help you, rest assured that you are in good hands.
Please do not hesitate to visit our help pages and reach out to us whenever you need.

The post How to resolve your technical issues quickly appeared first on Emsisoft Help.

The Rollback feature in Emsisoft Enterprise Security constitutes a robust functionality designed to safeguard the security and data integrity of your systems. It provides a dependable mechanism for reverting damage to previous states, thus mitigating potential damage from malicious activities such as from ransomware.
In simpler words, if a malware ever modifies a file, you can revert that file to one of its previous, unaffected versions.

How to enable the Rollback feature

Activating the Rollback feature is an effortless task within the Emsisoft Management Console in my.emsisoft.com. Just turn ON the EDR and Rollback at “Protection Policy”. Upon activation, the functionality empowers users to effortlessly restore files to their prior states.

Backup

The heart of the Rollback feature revolves around the Emsisoft-Backup folder. This repository serves as a secure vault for housing backup copies of your files. Whenever an incident is identified, the Emsisoft Protection captures this event and generates a backup copy of the affected file. It is important to note that only modifications from untrusted processes are backed up for their reversal. 

Rollback Disk Quota

The optimal functioning of the Rollback feature hinges on effective disk quota management. Rollback disk quota defines the maximum disk space allocated for housing backup copies, ensuring that these copies do not consume your system’s storage unnecessarily. You can allocate between 5% and 50% of your disk space and it is set at 30% by default.

Retention Time

A crucial user-defined parameter, retention time dictates the duration for which backup files remain stored in the Emsisoft-Backup folder. Upon exceeding the specified retention period, backup files that outlast this timeframe are automatically deleted. This feature serves to maintain a streamlined and uncluttered backup repository. You can choose between 12 and 72 hours of retention time and it is set to 48 hours by default.

Incident Trigger and Remediation

When an incident is generated and a backup file corresponding to this incident is present (not removed by disk quota or retention time constraints), the rollback option becomes available.

Upon selecting “Remediate Threat” in the incident section, a retention menu emerges, allowing users to specify which files should be restored, akin to retrieving data from a backup. This process is then initiated, with its subsequent status accessible in the Remediation History.

Requirements

The Rollback feature in Emsisoft Protection is a powerful tool for safeguarding your system’s integrity, it’s important to be aware of the technical requirements that influence its operation. Here a summary of what you have to take in consideration:

Backup File Location and Drive Association

If a program initiates changes on a specific drive, such as altering files on Local Disk “D:” while being located on Local Disk “C:”, the generated backup will be stored in the Emsisoft-Backup folder on the drive from which the program originated – in this case, Local Disk “C:”. This mechanism ensures that the backup file’s location aligns with the drive containing the program responsible for the process.

Minimum Disk Space Requirement

To accommodate the storage of backup files, a minimum of 6GB of free space on the relevant drive is required. This ensures that ample space is available for retaining backup copies without impinging on system performance or operation.
The backups will not be created if the available space in the disk is less than the minimum required, no matter what disk allocation you have set.

Supported Drive Format and external Drives

The Rollback functionality is streamlined to the internal structure of your system, ensuring optimal reliability and performance. It is designed to operate within the confines of your system’s internal NFTS drives and is not supported on external drives. This includes external storage devices such as flash drives.

Frequently Asked Questions (FAQs)

1. How should I balance the parameters available regarding disk allocation? By default, the Rollback feature is set to 30% of the disk space and a time retention of 48 hours, which is ideal for the majority of users. We recommend adjusting these parameters only if you’re an advanced user with specific scenarios requiring extended retention time or larger disk quotas for storing backups.
2. Is there specific malware for which rollback would kick in? Rollback is designed to address a broad spectrum of malware attacks causing system changes. It activates based on threat behaviors, not specific malware types.
3. Is there a limit to the number of rollback backups that can be stored on a drive? There’s no fixed limit. The number of stored backups is determined by disk quota settings and available space.
4. Can the Rollback feature revert changes made to system settings and configurations? Yes, Rollback can revert various changes in system settings and configurations caused by malware attacks.
5. Is it possible to manually trigger a rollback for a specific incident? Yes, incident-specific rollback can be initiated via the “Remediate Threat” process for each mapped incident. The creation of backups instead is automatic and cannot be manually executed for specific files, folders, or processes.
6. Can rollback backups be accessed or restored individually? Rollback restores all changes associated with a specific incident, rather than offering individual file restoration.
7. Does the Rollback feature affects the system’s boot-up time or the computer’s overall performance? The Rollback feature doesn’t significantly impact the system’s boot-up time or overall performance.
8. What happens if the disk quota is filled up due to excessive backup files? When the disk quota is exceeded, older backups are automatically deleted to create space for new ones.
9. Can I exclude specific files or folders from being backed up by the Rollback feature The Rollback feature is designed to capture system-wide changes. For this reason there are no file or folder exclusions.
10. How does the Rollback feature interact with different types of file encryption and compression methods? Rollback focuses on reversing changes, regardless of the encryption or compression methods employed.

The post Emsisoft Rollback Feature appeared first on Emsisoft Help.

1.Open Emsisoft Anti-Malware and click “Settings”.
2.Open the section “Advanced”.
3.Scroll down to find the option “User interface language”, and use the pull-down menu to select the language you prefer.

The change should happen within a few seconds after changing the pull-down menu language.

To change the user interface language from your the Management Console in MyEmsisoft:

1. Log into my.emsisoft.com
2. Click on your name in the top right corner and then click on “My Account”

3. Scroll down until you will find a “Language” dropdown menu where you can choose between English, French and German.

To change the user interface language from the Protection Policies section:

1. Click on the Workspace name.
2. Click on Protection Policies.
3. Find the option “User interface language”, and use the pull-down menu to select the language you prefer.

The post How To Change Language appeared first on Emsisoft Help.

Please contact our support with the following logs attached so that we can analyze and understand what might be the cause of it.

1. Open Emsisoft Anti-Malware, then click the Settings tile, then the ‘Advanced’ tab. Scroll down a bit, then use the last option in the advanced section, ‘Debug logging’, to enable debug logging for one day. Leaving it on always isn’t recommended because logs will fill the hard drive eventually. Close the Emsisoft Anti-Malware window after making your selection.

2. Restart the computer. This is mandatory for the logs to be created completely.
Reproduce the issue you are having, twice if possible. The issue must occur, or the logs won’t be of any use.

3. Once you have reproduced the issue, open Emsisoft Anti-Malware again, and click on the Support icon which is the chat bubble in the lower left corner, then click on the button that says “Send an email”. Select everything in the right hand column that shows today’s dates. Fill in the e-mail contact form, then click on “Send now” at the bottom once you are ready to send the logs.

NOTE: If you like, you may just compress and email or upload to a file sharing location the following folder instead of using the in-program form.

C:\ProgramData\Emsisoft\Logs\ (NOTE: ProgramData is a hidden folder) C:\Program Files\Emsisoft Anti-Malware\Logs\Logs.db3.

IMPORTANT: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

The post High CPU usage appeared first on Emsisoft Help.