What is Behavior Blocking? How does it work?
Malware protection without signatures?
The Emsisoft Anti-Malware File Guard scans all running programs with a signature scanner, just like any other antivirus software does. Even though we rely on a high-performance dual-engine scanner, new malware can only be detected if there is already a signature for it. Precious time can be lost during the gap between the appearance of new malware and the release of signature updates that detect it, leaving your PC unprotected in the meantime.
This is where our Behavior Blocker comes in. It uses technology that is able to detect and block dangerous malware without the need for signatures. The Behavior Blocker is part of Emsisoft Anti-Malware.
Malware is usually detected with the aid of heuristics. Heuristic scanning decides whether or not a program is harmful by analyzing the file's code. Emsisoft's Behavior Blocker works differently, by monitoring the behavior of all active programs in real-time. If a program tries to alter something, you will be notified immediately and given the chance to authorize this change. If the Behavior Blocker displays an alert when you aren't doing anything on your computer, you can be reasonably certain that the program in question is acting without your approval.
And this is the way it works:
Malware is always designed to achieve a particular goal. A virus always infects, a worm always spreads, a trojan always sends files and a dialer always dials. Their methods may differ, but the result is the same.
It is at this point that the Behavior Blocker alerts you if anything harmful is detected. The program is then interrupted and cannot continue until you decide whether or not to authorize the behavior.
All this probably sounds too good to be true, and there is one disadvantage: the Behavior Blocker only recognizes behavior, and cannot give you the actual name of the malware in question. In other words, you will know if it's a worm, but not if it's the NetSky or Bagle worm. Of course, this doesn't really matter - the important thing is that you know it's there, and you can run the appropriate removal program.
What does it detect?
The Emsisoft Behavior Blocker is capable of detecting the following types of malware:
- Trojan downloader with reverse connection logic
In addition, the Behavior Blocker is also able to detect and stop the following potentially dangerous actions:
- Installation of new drivers and services
- Any kind of process manipulation like DLL-injection, code-injection, patching, termination, etc.
- Installation of new BHOs (Browser Helper Objects)
- Changes to your Internet Explorer configuration
- Hidden installations of software
- Changes to your Hosts file (redirects domains)
- Installations of debuggers on the system
What should I do if it gives me an alert?
Emsisoft's Behavior Blocker is a system that has been designed to detect suspicious behavior patterns. As the behavior of regular programs and malware is sometimes very similar, there are some cases where it may be mistaken. It is important to consider what you are doing with your computer at the time of the alert and whether you recognize the program the alert is about, before clicking allow or block. If you are unsure, we recommend that you close the program and submit it to us for further analysis.
A general tip for using the Behavior Blocker:
After installing the software, please ensure that the guard is running and then start any programs you use frequently so that you can tell the Behavior Blocker that these programs are allowed. This procedure only takes a few minutes and ensures that Emsisoft's Behavior Blocker is set up optimally for your PC.
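The alert, allow/block decision and allow-list flow described above, sketched as an added example. It is not Emsisoft's code; the event fields, rule patterns and sample events are assumptions constructed for illustration.

```python
# Conceptual sketch only: not Emsisoft's code. Event fields, rule names and
# the allow-list keyed on (program, behavior) are assumptions for illustration.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    process: str  # image path of the acting program
    action: str   # "file_write", "reg_write" or "proc_write"
    target: str   # file path, registry key or target process

# Rules mirror a few of the monitored actions listed above.
RULES = [
    ("Hosts file change", "file_write", re.compile(r"\\drivers\\etc\\hosts$", re.I)),
    ("New driver or service", "reg_write", re.compile(r"\\CurrentControlSet\\Services\\[^\\]+$", re.I)),
    ("New Browser Helper Object", "reg_write", re.compile(r"\\Browser Helper Objects\\\{[0-9A-F-]+\}$", re.I)),
    ("Process manipulation", "proc_write", re.compile(r".")),
]

def classify(event):
    # Return the name of the first matching behavior rule, or None.
    for name, action, pattern in RULES:
        if event.action == action and pattern.search(event.target):
            return name
    return None

class BehaviorMonitor:
    def __init__(self, ask_user):
        self.ask_user = ask_user  # callback(event, behavior) -> True to allow
        self.allowed = set()      # (program, behavior) pairs already approved

    def handle(self, event):
        behavior = classify(event)
        if behavior is None:
            return "pass"         # not a monitored action, no alert
        key = (event.process.lower(), behavior)
        if key in self.allowed:
            return "allowed"      # approved earlier, no repeat prompt
        # The action is held here until the user answers the alert.
        if self.ask_user(event, behavior):
            self.allowed.add(key)
            return "allowed"
        return "blocked"

# Constructed sample events (not real telemetry).
SAMPLE = [
    Event(r"C:\Tools\backup.exe", "file_write", r"C:\Users\a\notes.txt"),
    Event(r"C:\Temp\update.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event(r"C:\Program Files\VPN\vpn.exe", "reg_write", r"HKLM\SYSTEM\CurrentControlSet\Services\vpndrv"),
]
```

Because the allow-list is keyed on the program and the behavior together, approving a VPN client's driver installation does not also approve it for Hosts file changes.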
Who can I ask if I have a problem?
If you are uncertain as to whether a specific program is really dangerous, please seek help from our experts on the support forum. Your questions will be answered promptly.