Settings & Diagnostics
https://www.emsisoft.com/en/help/category/frequently-asked-questions/settings-diagnostics/
Thu, 18 Jan 2024 07:57:25 +0000

How can I block a website or exclude it from being blocked?
https://www.emsisoft.com/en/help/5936/how-can-i-block-or-exclude-websites/
Tue, 09 Jan 2024 13:17:37 +0000

Overview:
There are times you want to block certain websites on devices that are either your own or that you are managing.
Emsisoft Web Protection is part of the full Emsisoft program. Compared to the Browser Security extension, it can also filter content and lets you create more custom rules.

How to add a new host rule:
Open Protection Policies in your Workspace, choose the desired Policy Group (we suggest making generic changes at the group level) and scroll to: Custom Host Rules under: Content Filtering

Open it and click on: Add

Then you can specify if you want to use a simple text based matching on the host name/IP, or a more complex Regular Expression based matching pattern. See: What is a RegEx?

How to change custom host rules:
Double-click a rule or select a rule and click: Edit rule to open the edit window. Host rules feature the following actions:

  • Don’t block: Allows access to the host without asking.
  • Alert: Alerts about access, and lets you decide whether to block or to allow it.
  • Block and notify: Blocks the connection automatically and displays a notification pop-up window to let you know about it.
  • Block silently: Blocks the connection but does not show any notification.

We recommend using the default setting “Block and notify” so that you will know immediately when a connection has been blocked. This may keep you from wondering why a certain website has not loaded.

How to import a third party hosts file
The hosts file is part of Windows and is located in c:\windows\system32\drivers\
It is used for overriding DNS settings by redirecting certain domains to certain IP addresses in a targeted manner. Various hosts file lists are available to download online and this has been a popular method used by people to build their own form of “web protection” with tools that come with Windows.
Malicious domains are then redirected to the local IP 127.0.0.1 or the invalid endpoint 0.0.0.0, which both neutralize them.

There are some disadvantages to this approach, though. You never know when a connection has been redirected, and a large hosts file can slow down your system’s performance. There are also no automatic updates, so you have to keep your hosts file list up-to-date yourself.

If you wish to use third-party hosts file lists, we recommend you import them directly into the local Emsisoft Anti-Malware program instead, by using the “Import hosts file” option which allows you to import individual entries as well as larger lists in one go.

Open the local Emsisoft program and click on: Web Protection

Then open: Import hosts file

Click on the 3 dots:

And search and select the location and the hosts file you want to import:

Unlike using a custom Windows hosts file, importing a third-party list into Emsisoft Anti-Malware’s Web Protection will not slow down your system. Use of third-party lists is purely optional – most entries are already on the built-in list that is frequently updated.
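
One way to vet a third-party hosts list before using “Import hosts file”, as an added example that is not Emsisoft's code: it keeps only entries that point to the sink addresses 127.0.0.1 or 0.0.0.0 named above, and reports entries that map a name to any other address, which would redirect traffic rather than neutralize it. The function names, the skip list of local names and the sample list are assumptions constructed for illustration.

```python
"""Audit a third-party hosts list before importing it (added example)."""
import ipaddress
import re
from collections import namedtuple

# The two addresses the article names as neutralising a blocked domain.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Assumption: names that stock hosts files map to loopback on purpose;
# they are skipped so they never end up in a block list.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
# Conservative hostname syntax: dot-separated labels of letters, digits,
# hyphens and underscores, no leading/trailing hyphen, 253 chars at most.
_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")

Finding = namedtuple("Finding", "line_no reason value")
AuditResult = namedtuple("AuditResult", "blocked redirects rejected duplicates")


def _is_ip(token):
    """Return True when the token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hosts(text):
    """Split hosts-file text into importable block entries and findings."""
    blocked, seen = [], set()
    redirects, rejected, duplicates = [], [], 0
    # Lists saved on Windows may start with a byte order mark; drop it.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        address, *names = line.split()
        if not _is_ip(address):
            rejected.append(Finding(line_no, "first field is not an IP address", address))
            continue
        if not names:
            rejected.append(Finding(line_no, "address without a hostname", address))
            continue
        for name in names:
            host = name.lower().rstrip(".")   # normalise case and trailing dot
            if host in LOCAL_NAMES:
                continue
            if _is_ip(host) or not HOSTNAME_RE.match(host):
                rejected.append(Finding(line_no, "not a valid hostname", name))
            elif address not in SINK_ADDRESSES:
                # A name pointed at any other address is a redirect, not a block.
                redirects.append(Finding(line_no, f"maps to {address}", host))
            elif host in seen:
                duplicates += 1
            else:
                seen.add(host)
                blocked.append(host)
    return AuditResult(blocked, redirects, rejected, duplicates)


def render_clean(result):
    """Return a normalised hosts file holding only the vetted block entries."""
    return "".join(f"0.0.0.0 {host}\n" for host in result.blocked)


# Constructed sample list for illustration; not a real feed.
SAMPLE_HOSTS = """\
# sample third-party list
127.0.0.1 localhost
0.0.0.0 ads.example.com tracker.example.net   # two names on one line
127.0.0.1 ADS.example.com.
0.0.0.0 malware.example.org
203.0.113.7 login.example.com
ads2.example.com
0.0.0.0 bad_host!.example
::1 localhost
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(render_clean(result), end="")
    print(f"duplicates skipped: {result.duplicates}")
    for finding in result.redirects + result.rejected:
        print(f"line {finding.line_no}: {finding.reason}: {finding.value}")
```

Review every entry reported under redirects by hand before importing anything from that list; only the output of render_clean is meant to be saved and imported.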

How can I track changes that were made to Protection Policies?
https://www.emsisoft.com/en/help/5766/how-can-i-track-the-changes-that-were-done-to-the-protection-policies/
Tue, 19 Dec 2023 11:59:12 +0000

Overview:
An Admin needs to be able to track the changes that were made to a Policy Group and also on a device, especially if the client PC has permissions to make changes locally.

How to identify changes:
In the Workspace, you might have noticed the Edits counter shown per device. This counter indicates the number of changes related to the parent policy and ideally should be zero.

Note that settings should always be managed either at the root level or the group level, and not on a device level. If you make a setting change on the lowest level (which is device level), it breaks the inheritance from parent group(s).

Setting changes on the device level (on the local machine itself or in the Workspace) overrule Protection Policy settings and are marked with a blue circular arrow icon in the Protection Policies.
If you later make a change in the parent policy or root policy, this change will not be inherited by the device, unless you click the revert to parent policy (blue circular arrow) button.

When you click that revert arrow, it will reset the device policies to those of the parent group.

Threat Hunting guide
https://www.emsisoft.com/en/help/5628/threat-hunting-guide/
Tue, 28 Nov 2023 08:14:20 +0000

The Threat Hunting feature acts as a dashboard that enables admins to pinpoint anomalies in device settings and behavior. Its primary objective is to identify security breaches proactively, ensuring threats are detected before they manifest their potential malicious behavior. This feature is available for all workspaces using Enterprise Security +EDR.
To simplify the process of threat hunting for our users, we included several pre-defined queries. You can still add user-defined queries to match your needs.

Common queries and when to use them

A common query is a predefined set of instructions or criteria used to search and analyze data in a system, helping identify specific information or patterns from a dataset or database. It can vary based on the specific goals of the analysis, such as filtering data, checking system information, or simply extracting meaningful insights from the dataset.

The choice of common queries will depend on the specific analytical objectives, the characteristics of the dataset, and the insights you are seeking to gain from the data. Understanding the nature of your data and the questions you want to answer will guide the selection of appropriate queries for your analysis.

Running queries on demand and asynchronously

Live query:
Live queries – or on-demand queries – are suitable when immediate, up-to-the-moment data is crucial, and suitable for tasks that are quick to execute and return results.
Running a query on-demand enables real-time result viewing within your dashboard. This flexible query tool allows us to examine all selected devices and promptly display the results right below.

Asynchronous queries and reports:
Asynchronous queries operate independently of the main program flow, and their execution does not depend on the immediate completion of other tasks. This allows Admins to check reports later while editing different reports in real-time.
Asynchronous queries are beneficial for tasks that take longer to execute, common in scenarios where the user experience is not compromised by waiting for the result. They are ideal when dealing with tasks that can be performed concurrently or when non-blocking behavior is crucial.

A Snapshot is a complete copy of a report, stored instead of being displayed in the live results view. Snapshots can be seen on the Reports panel.

Please note that certain queries might take a while to return results. Admins have the option to click a Cancel Query button to stop execution.

Create a new report and start analyzing using common queries

  1. In your Emsisoft Management Console, select an existing Workspace, click on Threat Hunting and Create new report.
  2. Click on the Edit Report button to handle your Queries settings and initiate report runs.
  3. Create an automated security system by scheduling your reports daily, weekly, or monthly.
  4. Explore and select from the list of pre-defined common queries for a more effective approach to threat hunting.
  5. Choose either to show the full dataset or just the changes from previous runs on your dashboard. This feature enhances efficient alerting for potentially malicious system modifications. This setting can be modified in View mode to see other results if needed.

    Opting for Highlight changes brings a user-friendly touch to your data analysis. Here, GREEN steers you toward modified or added data, while RED signals the removal of previously existing data from the device. This color-coded system simplifies the process of quickly spotting and understanding alterations.

Threat Hunting within the Incidents Panel

The Alert Changes checkbox specifies whether any detected changes in query results from the previous run shall trigger an event in the incidents list, email notifications, and integrations.

Whenever a modification in a hosts file is identified, the alteration will be emphasized in the reports dashboard, and an event will be triggered in the Incidents panel overview.

Simply click on the detection from the Incidents panel, and a Snapshot will open in the Only Changes mode, providing a complete copy of the report.

Handling unexpected errors

While executing queries on a set of devices, if one of the devices encounters an issue and doesn’t respond, the system will promptly generate a notification on the dashboard stating View 1 error.
This button will specifically identify the problematic device and provide details about the query that was in progress at the time of the occurrence.

Here is the example of what happens once clicked:

If some devices are offline while creating asynchronous or scheduled snapshots, we’ll wait for one hour just in case these devices come online again. This ensures they can be included in the report.

Behind the Query execution logic

Imagine your database as a giant library, and your query is like asking the librarian to find specific books. The database engine, acting as the librarian, follows these steps:

  1. Understanding the Query: The librarian first understands your question (query) to figure out which books (data) you’re looking for.
  2. Query Parsing: Next, the librarian breaks down your question into smaller parts, like identifying keywords and conditions in your query.
  3. Query Optimization: Just as the librarian might choose the best route to collect books efficiently, the database engine optimizes the query execution plan to fetch data most effectively.
  4. Data Retrieval: Now, the librarian goes through the shelves, fetching the books (data) that match your criteria.
  5. Result Presentation: Finally, the librarian hands you the books, neatly organized according to your query. Similarly, the database engine presents the queried data in a readable format.

Understanding the logic behind query execution helps ensure a speedy and accurate retrieval of information from the database.

Need help or have questions?
Our customer support team is always here to help. If you have any questions about these changes or need assistance with managing your licenses, please don’t hesitate to contact us.

False positives: Why did Emsisoft quarantine a safe program?
https://www.emsisoft.com/en/help/1720/why-did-an-emsisoft-product-detect-an-innocent-file-as-malware-2/
Thu, 26 Oct 2023 09:09:50 +0000

Overview:
Sometimes, applications such as games, small customized apps or even business software are erroneously flagged as dangerous, even though they are safe to use. This may happen when an application is not digitally signed.
In a perfect world, all legitimate software would be digitally signed. Code signing is the process of digitally signing executables and scripts to confirm the software author and to guarantee that the code has not been altered or corrupted since the moment of its publication.
Malware is known for not being digitally signed. For this reason, unsigned apps will be flagged by your Anti-Malware as a precaution, giving you the choice to allow them into your system or block them.

How to deal with a quarantined program:
If a program is flagged as dangerous and you are not sure if it is safe to use or not, it is best to leave it in the Quarantine.
Emsisoft lets you share information about this software with our lab for analysis directly from the Quarantine panel. Here’s how:

  1. Open the local Emsisoft app on the computer.
  2. Click on: Quarantine in the blue tab: Scan & Clean
  3. Highlight the file
  4. Then click on: False Detection. Please include your accurate email address so we can reply. Please make sure to also fill out the info about the alert and the program.
  5. Then please click the: Send button

Once our lab receives the file’s information, we can analyze how safe that software is.
If it is safe and legitimate, we will whitelist it and allow it through the anti-malware. We will reply to you, so that you can then restore the file by clicking on the file in the Quarantine and then clicking: Restore.

You can also submit the file causing the detection via email to our lab: fp@emsisoft.com so we can analyze and correct the suspected false detection.
If the file is too large to send, please upload it to VirusTotal and send us the web address of the scan result via email to submit@emsisoft.com or send us the file via wetransfer.com to submit@emsisoft.com

Files that were tested by us and are not digitally signed need to be added to Monitoring Exclusions, otherwise they will be flagged again each time they are updated without the necessary certificate.
If you are CERTAIN that the program is OK, you can add it directly to the Monitoring Exclusions.

How To Change Language
https://www.emsisoft.com/en/help/4023/how-to-change-language/
Tue, 30 Aug 2022 11:51:01 +0000

To change the language in Emsisoft Anti-Malware:

1. Open Emsisoft Anti-Malware and click “Settings”.
2. Open the section “Advanced”.
3. Scroll down to find the option “User interface language”, and use the pull-down menu to select the language you prefer.

The change should happen within a few seconds after changing the pull-down menu language.

To change the user interface language from the Management Console in MyEmsisoft:

1. Log into my.emsisoft.com
2. Click on your name in the top right corner and then click on “My Account”

3. Scroll down until you find a “Language” dropdown menu where you can choose between English, French and German.

To change the user interface language from the Protection Policies section:

1. Click on the Workspace name.
2. Click on Protection Policies.
3. Find the option “User interface language”, and use the pull-down menu to select the language you prefer.

High CPU usage
https://www.emsisoft.com/en/help/4019/high-cpu-usage/
Tue, 30 Aug 2022 11:44:37 +0000

High CPU consumption is a rare occurrence that may appear for different reasons, such as more than one anti-malware installed on the machine or multiple scans running at the same time.

Please contact our support with the following logs attached so that we can analyze and understand what might be the cause of it.

1. Open Emsisoft Anti-Malware, then click the Settings tile, then the ‘Advanced’ tab. Scroll down a bit, then use the last option in the advanced section, ‘Debug logging’, to enable debug logging for one day. Leaving it on always isn’t recommended because logs will fill the hard drive eventually. Close the Emsisoft Anti-Malware window after making your selection.


2. Restart the computer. This is mandatory for the logs to be created completely.
Reproduce the issue you are having, twice if possible. The issue must occur, or the logs won’t be of any use.

3. Once you have reproduced the issue, open Emsisoft Anti-Malware again, and click on the Support icon which is the chat bubble in the lower left corner, then click on the button that says “Send an email”. Select everything in the right hand column that shows today’s dates. Fill in the e-mail contact form, then click on “Send now” at the bottom once you are ready to send the logs.


NOTE: If you like, you may just compress and email or upload to a file sharing location the following folder instead of using the in-program form.

C:\ProgramData\Emsisoft\Logs\ (NOTE: ProgramData is a hidden folder)
C:\Program Files\Emsisoft Anti-Malware\Logs\Logs.db3

IMPORTANT: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

What are delayed updates?
https://www.emsisoft.com/en/help/1808/what-are-delayed-updates/
Wed, 25 Jan 2017 23:05:16 +0000

Delayed updates are a special update feed where you will get an older version of the software that displayed extraordinary stability and performance compared to later versions. Of course, choosing this option will lead you to a version that may not contain some new features. We do not recommend this setting for regular use due to the lack of updated features, but we suggest this setting ONLY if you experience any serious stability issues with the current program version.

NOTE: This special feed is created especially for business users.

From the in-program description: For administrators who want to serve their clients only stable versions that they have tested via the stable feed before.

In order to activate the delayed feed in Emsisoft Anti-Malware, open your Emsisoft program, click Settings in the top row, then Updates in the second row. Next, choose the Delayed feed from the ‘Update feed’ pull-down menu. Click the ‘Update now’ button, and the program will download what it needs to change itself to the delayed feed. To change back, use the same process and switch to the Stable feed, and use the ‘Update now’ button again.

How do I reduce download traffic for online updates?
https://www.emsisoft.com/en/help/1812/how-do-i-reduce-download-traffic-for-online-updates/
Thu, 03 Mar 2016 20:37:37 +0000

As there is a high number of new online threats being detected every day (about 350,000 per day in 2016, up to about 500,000 per day in 2019), our software naturally requires frequent online updates to ensure the best protection. By default, Emsisoft Anti-Malware checks for new updates once every hour and these updates remain fairly small and manageable.

The total required download traffic for online updates is typically less than 25 MB per day when updates are left at the hourly default, except when a new software version is being released near the beginning of each month. If you miss running updates for more than a few days, the total required data-traffic can exceed 350 MB since it will need to download the entire offline signature database along with any available core program updates.

Emsisoft Anti-Malware is optimized for online updates being enabled and set to 1 hour intervals to ensure the best protection and lowest total amount of traffic.

The Emsisoft update system implements a number of mechanisms to reduce the required download traffic to a minimum:

Update compression

All files are transferred in a compressed state from the Emsisoft update server infrastructure.

Differential updates

Instead of downloading all modified files in full, our software only transfers the differences from the previous file versions. Emsisoft provides differential updates for the last 30 versions of each software component.

As some of the signature and malware-host database files are frequently refreshed (up to every hour), the total interval of available differential updates may be as short as about 24 hours for specific files. That implies that when you turn off automatic updates or set a longer update interval, you may miss the opportunity to get significantly smaller differential updates. Your software then downloads the full files.

How do I exclude a program from an Emsisoft product?
https://www.emsisoft.com/en/help/1815/how-do-i-exclude-a-program-from-an-emsisoft-product/
Fri, 12 Sep 2014 12:35:10 +0000

To ensure your computer is completely secure and protected, we don’t generally recommend excluding programs. However, in some cases where you are absolutely certain a program is safe, you may wish to exclude it so that it can be executed without monitoring. You can exclude a program from real-time protection, from the behaviour blocker and from the scanner. In this article you will learn how to whitelist a program from an Emsisoft product.

Emsisoft Anti-Malware

Open the main window of Emsisoft Anti-Malware. Go to “Settings” and then to the “Exclusions” section.

The first section is called “Exclude from scanning”. Here you can exclude a file (program) or an entire folder from real-time protection and scans. In detail, the objects inserted in this list will be excluded from the Protection > File Guard feature and from all the scans you can perform from the Scan section.

The second section is called “Exclude from monitoring”. Here you can exclude a file (program) or all the files inside a folder from the Protection > Behavior Blocker feature. This section is created for those people who run fixed or unknown applications that could create incorrect program alerts.

Please be certain the program is safe before adding exclusions. Once added, anything malicious in those programs or folders will be ignored.

Example: Exclude a single file

If we want to completely exclude just the CCleaner executable file (from the File Guard, Behavior Blocker and scans), click on the “Add file” button of the first section to start.

Navigate to the CCleaner program folder, select the program file (in this case Ccleaner.exe; you might not see the .exe part, depending on your computer’s configuration) and then click on the “Open” button.

The file will be added to the list. Next, click on the “Add program” button of the second section.

In the window displayed, navigate again to the CCleaner folder, select the program file “Ccleaner.exe” and click on the “Open” button.

At the end of this procedure you will have the same file listed in both sections, and it will be excluded:

Example: Exclude a folder

In this case we want to completely exclude the entire program CCleaner (from the File Guard, Behavior Blocker and scans) using its folder. Click on the “Add folder” button of the first section to start.

In the window that is displayed, navigate to your program folder and select the CCleaner folder (or the folder of the program you want to exclude), and click on the “OK” button to add the folder to the list.

Click on the “Add folder” button of the second section to proceed.

Do the same thing again; navigate to your program folder and select the CCleaner folder, then press the “OK” button.

At the end of this procedure you will have the same folder listed in both sections, and the content will be excluded from scans and live protection:

If you want to remove an exclusion, just click on “X Remove” next to the object selected and press on the “Yes” button of the window that is displayed:

The exclusion will be removed, and the excluded object will be monitored/scanned again.

NOTE: You do not need to exclude a single file if its parent folder is already excluded. Excluding a folder automatically excludes all the files and sub-folders in that path.

Emsisoft Emergency Kit

Emsisoft Emergency Kit doesn’t contain real-time protection, so exclusions for this program apply only to the scanner. When you create an exclusion, it will be saved for future scans.

Example: Exclude a single file

Open the main window of Emsisoft Emergency Kit. Click the large "Scan" tile, and then click on the "Manage exclusions" button.

The "Manage exclusions" dialog will be displayed:

As you can see, there is just the “Exclude from scanning” section. To add a file to exclude, click on the “Add file” button.

In the window displayed, navigate to the CCleaner folder, select the program (in this example, the “Ccleaner.exe” file) and click on the “Open” button.

At the end of this procedure you will have the file listed and it will be excluded:

Example: Exclude a folder

In this example, we want to exclude the entire program CCleaner using its folder. Click on the “Add folder” button to start.

In the window that is displayed, navigate to the program’s installation folder and select its folder (Ccleaner in this example), then click on the “OK” button to add the folder to the list.

The folder’s path will be added to the list:

If you want to remove an exclusion, just click on “X Remove” next to the object selected and press the “Yes” button of the window that is displayed, and the object will be scanned during scans again.

NOTE: You do not need to exclude a single file if its parent folder is already excluded. Excluding a folder automatically excludes all the files and sub-folders in that path.

How do I allow a website that has been blocked by an Emsisoft product?
https://www.emsisoft.com/en/help/1837/how-do-i-allow-a-website-that-has-been-blocked-by-an-emsisoft-product/
Tue, 02 Sep 2014 10:40:20 +0000

Surf Protection in Emsisoft Anti-Malware prevents programs from resolving the IP addresses of blocked hosts/domains. Without the IP, no connection can be made. This protection is automatically compatible with all browsers and other applications that access the Internet, without requiring the installation of special extensions or add-ons, etc.

If you would prefer to allow a particular domain that was blocked, you can overwrite an internal host rule with a user created host rule.

How to create or modify a rule

Open Emsisoft Anti-Malware and go to the “Protection” section, then switch to the menu item “Web Protection”. Below the list of “Host Rules”, click the “Add new rule” button.

Enter the domain name into the textbox and select “Don’t block” as the “Implemented action”. Confirm your choice by clicking OK.

Keep in mind that you can block or allow all subdomains of a domain by using wildcards. E.g. use *.test.com to specify all subdomains like www.test.com, ads.test.com, etc. The results should appear as shown in the following screenshots.
