FAQ EasyMalwareBlocker
Topics
- Who will benefit most by using EMB?
- Who will most likely NOT benefit by using EMB?
Installation
- Can EMB be used in Limited User Mode also?
- Does EMB also work on computers with dual (and other multiple) core CPUs?
- I already have an Antivirus Program installed and running. Can I install EMB?
- Why do the authors of EasyMalwareBlocker recommend to re-install the Operating System before installing their Internet Security Program?
- Why are not only one but two icons shown when EMB is up and running?
- Why are not only one but two Monitors implemented - the File System and the Network Monitor?
File System Monitor (FSM)
- How does the File System Monitor (FSM) work?
- What are the pros and cons of Whitelist and Blacklist modes in the File System Monitor?
- Under what circumstances is it beneficial to choose 'Super Safe Mode'?
- What happens if I choose any Whitelist Mode and some programs update themselves automatically?
- Why does the File System Monitor of EMB have Whitelist AND Blacklist Modes?
- How do 'Special Folders' on the FSM Panel work?
- How do 'Special Programs' on the FSM Panel work?
- How are Microsoft Word, Excel and Powerpoint Files treated in EMB?
- Sometimes I can hear some funny "boing" sounds. What do they mean?
- How do I best react to those sounds (and when any file has been blocked)?
- How can I download programs and other potentially dangerous files from the Internet?
- What is a potentially dangerous file?
- What is malware?
- How can my computer get infected with malware?
- I have a hardware router device installed. Do I still need a software firewall like EMB?
- I have a computer which is equipped with LAN and/or WLAN. Am I also protected from attacks over these channels?
- Are small home networks supported?
- What is the difference between a Whitelist and a Blacklist?
- Why do the makers of EMB recommend NOT to download updates for Windows XP (and any other updates for any other programs for that matter)?
- What do Updates do besides annoy you and make the programs remembering themselves?
- What can happen in the worst case when I enable Scripts in EMB?
- What happens (or rather what does NOT happen, resp) when I disable (block) Scripts in EMB?
- What kind of websites are using scripts?
Network Monitor
- How can I set Parental/Websites Control in such a way that a particular Website is always shown?
- How safe are Predefined Genres in the Parental Control/Website Control?
- I have just installed and started a new program. The Network Monitor has detected that it wants to access the Internet (a red popup is shown), but I don't really see why it should do that. What am I supposed to do?
- Sometimes I see red popups on the lower right corner of the screen. What do they mean?
Troubleshooting
- I have experienced BSODs (bluescreens) after I have installed EMB. What can I do?
- What do I have to do when EMB has been terminated by the system?
- After a system crash EMB does NOT start automatically. No message is popping up and none of the EMB icons are shown in the system tray. What am I supposed to do?
- I have run an antivirus program and it showed some suspicious files although I've always been using 'Super Safe Mode'
- All this sounds very complicated, really. Why is the program called EASY MalwareBlocker?
Miscellaneous
- Why is the program for business users more expensive than for home users?
- When I want to buy EasyMalwareBlocker after the trial period has expired, how does that work?
- I have run a rootkit detector program and it showed EMB folders and files which I do not have access to
Q: Who will benefit most by using EMB?
A:
- All users who want to be protected from malicious and clandestinely installed programs (drive-by-downloads) while surfing the Internet.
- Computer experts who install new programs frequently and want to know if they are benign or possibly "trojan horses".
Quite often we have heard the argument: "Oh, I don't use my computer for banking and I have nothing to hide so anybody can spy any data on my computer. Therefore I don't need any protection."
Although there are indeed many Spy- and Adware programs in the Internet, there are other types of malware which modify Registry entries, delete system backup files or occupy most of the CPU time so working with the computer is no longer possible.
Sooner or later virtually every computer will get infected by malware, even when Internet protection software by competitors was running, just listen to your friends... With EMB running in the recommended FSM modes your computer will never get infected with malware!
Unlike many other Security Suite programs, EMB prevents all such infections BEFORE they happen.
We are using a new method. Some other Internet Security programs search for patterns in the files, which is never 100 % foolproof, or they use difficult to maintain Reference Lists which need regular and frequent updates. Others only remove files when they have already been written (and have done their sometimes destructive work).
EMB works by watching file extensions at File System driver level, so our program never needs any updates.
Q: Who will most likely NOT benefit by using EMB?
A:
- Unknown toolbars and EMB do not mix well (Google and Yahoo toolbars are no problem). If you don't want to uninstall them and unless you are a real computer expert (EMB can be individually tailored so that any toolbar can be used), please do NOT install EMB.
- Anyone who thinks EMB works FULLY automatically in any situation and who doesn't want to read the text of very few popups carefully will also be disappointed. Sorry folks, there is no such program available, and ours is no exception.
However, there are NO popups whatsoever by EMB if
- - you have reinstalled the XP Operating System and the Network and Executable Reference Files have been created.
- - you never install new programs which want to access the Internet either directly or indirectly, by having the system load their modules when an access to the Internet is involved (eg when the Internet Explorer has been started).
Users with no basic theoretical knowledge about computers, particularly the file system, can also use EMB without problems when they have the program installed and set up by a computer knowledgeable person.
Q: Can EMB be used in Limited User Mode also?
A: NO! EMB only works in Administrator Mode as in limited user mode some important system files can not be read which are essential for the proper function of EMB.
Q: Does EMB also work on computers with dual (and other multiple) core CPUs?
A: Yes!
Q: I already have an Antivirus Program installed and running. Can I install EMB?
A: Probably not, but you can try. It is best to disable this kind of program before you install EMB. And well, we think it's best to leave them disabled or to even uninstall them, as with EMB installed and running you don't need them anymore...
Q: Why do the authors of EasyMalwareBlocker recommend to re-install the Operating System before installing their Internet Security Program?
A: It's NOT mandatory, but recommended, to have Reference Files created. The main features like the FSM (blocking of potentially dangerous files) and the Network Monitor (Firewall) work perfectly without them too.
Most of the EMB's System Check Utilities compare a "clean" and uninfected state of the system against the current system, which might have become infected because the user has installed a trojan horse type of program or has mistakenly used an inappropriate FSM Mode (Disabled or Install Mode) when surfing the Internet.
When the Operating System has been reinstalled it's highly recommended to have Reference Files created - including the Network Reference File - which are free of any malware (follow the instructions given on the download page on our website or the read me file for the correct order of steps). The Network Monitor is using the Network Reference File when doing "leaktests" and this avoids difficult to answer questions altogether after EMB has been started for the first time.
If the OS has NOT been reinstalled it's recommended NOT to have a new Reference File created for the Network Monitor. Choose the option that only the Executable Reference File is being created. That means sometimes difficult to answer questions have to be answered if modules (eg *.dlls) are involved when the Internet is being accessed for the first time after EMB has been installed. Unfortunately, if there are popups they appear right after EMB has been installed. Once you have allowed or blocked these programs and/or the modules EMB does not bother you again until you install a new program which wants to access the Internet.
When there is NO Network Reference File, that also means you get the chance to block any program which tries to access the Internet, including any kind of malware.
If you did not reinstall the OS and you had a Network Reference File created all programs, including malware, can access the Internet and there is no chance to block any of them (until you install a new program which accesses the Internet).
Another good reason to reinstall are so-called rootkits. According to a well-known source there is a 30% chance that YOUR computer is infected with a rootkit too (!). They are very difficult to detect by even specialized programs because they hide themselves in a very sophisticated way. As re-installation reformats the partition where the Operating System resides all rootkits, if any, are also removed from the system, because they also have to reside in the Windows partition in order to do their malicious work. Reformatting or just reinstalling is a surefire and the only way to get rid of any kind of malware, including rootkits.
As already stated above it is NOT mandatory to reinstall the Operating System when you want to use EMB. You can try to run virus- ad- and spyware- remover programs and also rootkit detector programs to get rid of malware if there is any. However, there is no guarantee that they find all of them. Installing EMB might fail due to malware which might be running on your system.
When Reference Files are created by EMB it is assumed the system is "clean" and subsequent comparisons always use these Reference Files, whether they are really clean or not.
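The comparison against a Reference File described above, sketched as an added example (not EMB's code; the page does not describe the Reference File format). The SHA-256 snapshot, the function names and the constructed sample files are assumptions. A file that was already on disk when the snapshot was taken is never reported, which is why the snapshot should come from a freshly installed system.

```python
import hashlib
import os
import tempfile

# Extensions the page calls potentially dangerous (excerpt, not EMB's full list).
EXECUTABLE_EXTS = {".exe", ".dll", ".bat", ".cmd", ".msi"}


def build_reference(root):
    """Map each executable-type file under root to its SHA-256 digest."""
    reference = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                reference[os.path.relpath(full, root)] = digest
    return reference


def compare(reference, root):
    """Report files that are new, changed or missing relative to the reference."""
    current = build_reference(root)
    return {
        "new": sorted(set(current) - set(reference)),
        "changed": sorted(p for p in current
                          if p in reference and current[p] != reference[p]),
        "missing": sorted(set(reference) - set(current)),
    }


def demo():
    """Constructed folder: snapshot it, change it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        write("app.exe", b"version 1")
        write("preexisting.dll", b"on disk before the snapshot, never vetted")
        write("notes.txt", b"not an executable type, so not tracked")
        reference = build_reference(root)  # treated as "clean" from here on

        write("app.exe", b"version 2")     # modified after the snapshot
        write("dropped.exe", b"written after the snapshot")
        return reference, compare(reference, root)


if __name__ == "__main__":
    ref, report = demo()
    print(sorted(ref))
    print(report)
```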
Q: Why are not only one but two icons shown when EMB is up and running?
A: One icon is for the Network Monitor. It shows graphically the amount of traffic to (right, blue part) and from (orange, left part of the icon) the Internet. On a double-click the 'Options' panel is shown and a RIGHT-click shows the EMB menu.
The other one is for the File System Monitor. It shows the mode it is currently working in; each colour represents a different mode. In case a file has been blocked a star is blinking in the icon. A double-click on this icon will show the list of blocked files.
Q: Why are not only one but two Monitors implemented - the File System and the Network Monitor?
A: In case the Operating System is NOT re-installed as recommended, the Network Monitor ensures that personal or classified data can be transmitted over the Internet with your consent only. Whenever a request for such a transfer occurs a message box is popped up which asks you for permission to actually transmit any kind of data over the Internet. Always read these messages very carefully and if in doubt deny access to the Internet for the mentioned program. If your system does NOT behave the same way it did before then you can still revoke the action and allow the transfer if it is appropriate or necessary. Select the program marked as "Blocked" in the "Application Control" form and click the "Allow" or "Ask" button.
File System Monitor (FSM)
Q: How does the File System Monitor (FSM) work?
A: Depending on the mode, the FSM blocks potentially dangerous files (for geeks only: on driver level) which are written either by the browsers or by any (known or unknown) user programs on the hard disc.
In modes 1) and 2) blocking potentially dangerous files applies only for the three most common browsers (Internet Explorer (versions 6 and 7), Firefox and Opera). The FSM has virtually no function when none of the three browsers is open (it only protects its own folders).
In modes 3) and 4) blocking generally applies for ALL potentially dangerous files written anywhere on the Hard Disc and for any user program. However, third party file managers, backup programs, compilers, etc, can be put in the 'Special Programs' list on the FSM panel. User programs in this list are allowed to write any files*. Likewise, any files* can be written by any program to any folders listed in 'Special Folders'. *including potentially dangerous files
Some rules apply for Internet Explorer (IE) version 7 only. In FSM 'Drive-By-Block (Blacklist) Mode' and 'Safe Mode' all kind of files, including potentially dangerous ones, are allowed to be written to any of the Internet Caches of the 3 browsers. When an executable file is started from the cache IE 7 will warn you.
In terms of security for EMB the old version 6 of the Internet Explorer is somewhat safer than the new version 7.
Note: It is possible to downgrade IE 7 to IE 6 by uninstalling IE 7. The result is IE version 6.
For the next paragraph you need to be familiar with the terms 'Blacklist' and 'Whitelist'. They are explained under the question 'What is the difference between a Whitelist and a Blacklist?'.
The FSM works in six different modes:
1) Drive-By-Block Mode (Blacklist, black icon with character 'D'), default
All potentially dangerous files are being blocked which are written by the browsers Internet Explorer, Firefox or Opera, unless you have put some folders in the 'Special Folders' list. Any files can be written into these folders. The main purpose of this list is to enable downloading programs from the Internet to precisely this or one of these folders. When you select a folder which is NOT in this list you can not download potentially dangerous files, they will be blocked.
Note: Harmless files like movies, pictures and simple text (.txt) files, etc, can be downloaded to any folder.
This is the easiest mode to use; however, all other Blacklist or Whitelist modes offer more protection. No settings have to be done, except when programs are downloaded from the Internet. You have to specify a Download folder and select it when you download programs (and any other potentially dangerous files), otherwise the downloaded file will be blocked by the FSM.
As the name of this mode implies, usually malicious programs - which can be copied and installed clandestinely when you surf the Internet - are being blocked. This kind of threat is becoming more and more popular these days.
You can download programs (file extensions .zip, .exe, .msi, etc) and also install them in this mode.
You can add more file extensions: Files with extensions added by the user will always be blocked, in the same way as the default ones. (File extensions which are in the Whitelist can NOT be put in the Blacklist.)
Notes:
a) You are NOT protected from attacks by listening ports (in case there are some because the setup of EMB has not been done properly or as recommended.)
b) In case your email provider allows potentially dangerous attachments (most of the big ones like hotmail, gmail, yahoo, gmx, etc, don't, but many smaller ones unfortunately do) and you open them there is NO protection: malware can install itself without any problems, if it is malware indeed.
This is the default mode after EMB has been installed. It's NOT really recommended to generally surf the Internet in this mode; if you don't experience problems with 'Safe' and 'Super Safe' mode, use one of these safer modes instead.
2) Drive-By-Block Mode (Whitelist, white icon with character 'D')
All harmless files with file extensions which are NOT listed in the Whitelist (about 80) are being blocked, unless the exception rules apply (Special Folders).
You can add other file extensions in case harmless files which are not in the default list are being blocked.
This mode is a bit safer than mode 1), most of the statements made there apply here too.
You can add more file extensions: Files with these extensions will never be blocked. (File extensions which are in the Blacklist can NOT be put in the Whitelist.)
In this mode the FSM sometimes falsely blocks files which should not be blocked when you surf the Internet. Follow the instructions given on the 'Blocked Files' Panel in order to avoid blocking these files (you can either put the file extension(s) of the blocked file(s) on the 'Editable List' or put the program by which the files were written in the 'Special Programs' list).
If that is too complicated for you please switch the FSM to 'Safe Mode (BL)' which is safer than this one and the problems with falsely blocked files should disappear too.
Note: Downloading of potentially dangerous files, eg programs, and updating any programs, including Windows XP, is NOT possible in this mode.
3) Safe Mode (Blacklist, black icon with character 'S')
All potentially dangerous files are being blocked which are written by any program.
You can add more file extensions: Files with these extensions will always be blocked unless they are being written in any of folders listed in the 'Special Folders' list or the programs which write them were manually put in the 'Special Programs' list on the FSM panel. (File extensions which are already in the Whitelist can NOT be put in the Blacklist.)
This mode is recommended for people with limited or no knowledge about computer fundamentals, especially the file system. In this mode the FSM should not falsely block any files, yet it is quite safe.
Note: Updating any programs including Windows XP, is NOT possible in this mode.
4) Super Safe Mode (Whitelist, white icon with character 'S')
This is the safest mode. All harmless files with file extensions which are NOT listed in the Whitelist (about 80) are being blocked when written to the hard disc by any program, unless they are being written by the System or in any of the folders listed in the 'Special Folders' list or by programs which were manually put in the 'Special Programs' list on the FSM panel.
You can add more file extensions: Files with extensions added by the user will never be blocked. (File extensions which are in the Blacklist can NOT be put in the Whitelist.)
In this mode the FSM sometimes falsely blocks files which should not be blocked. Follow the instructions given on the 'Blocked Files' Panel in order to avoid blocking these files (you can either put the file extension(s) of the blocked file(s) on the 'Editable List' or put the program by which the files were written in the 'Special Programs' list).
If that is too complicated for you please switch the FSM to 'Safe Mode (BL)'. This mode is still quite safe but the problems with falsely blocked files should disappear.
Note: Downloading of potentially dangerous files, eg programs, and updating any programs including Windows XP, is NOT possible in this mode for security reasons.
5) Install/Uninstall Mode (violet icon)
There is NO protection at all in this mode. Use it only for installing, uninstalling and repairing programs. Immediately switch back to any of the modes 1) .. 4) when you are done with this kind of operations, especially when a connection to the Internet is established.
Hint: In case you were using this mode while a connection to the Internet was established it's recommended to run 'Last Files written' on the 'Options' panel shortly after you have changed to any mode 1) .. 4). Check carefully for files which might NOT have been written by the program which you have installed.
Note: This mode is not yet supported.
6) Disabled Mode (red icon)
There is NO protection at all in this mode. It is NOT recommended to use this mode for a long period of time, only for emergencies when problems with new installations or updates, etc, occur.
Hint: In case you were using this mode while a connection to the Internet was established it's recommended to run 'Last Files written' on the 'Options' panel shortly after you have changed to any mode 1) .. 4). Check carefully for files which might NOT have been written by the program which you have installed.
Note: When you exit EMB the FSM is running in the disabled mode too.
Q: What are the pros and cons of Whitelist and Blacklist modes in the File System Monitor?
I) Whitelist Modes
When it comes to security and protection level issues, Whitelist Modes are safer than Blacklist Modes. Only files with extensions found in the Whitelist will be processed normally (ie NOT blocked) and all the ones which are NOT found in the Whitelist are blocked. (Files with NO extensions are always passed through. Note: File extensions are NOT shown by default in XP)
Q: Under what circumstances is it beneficial to choose 'Super Safe Mode'?
A: 'Super Safe Mode (Whitelist)'* is the appropriate mode only if:
- you do NOT experiment with any kind of NEW programs, either downloaded from the Internet or installed from CD/DVD, etc. That also applies to any kind of new games.
- You have the option "Automatic Updates" for Windows XP disabled and you also do NOT allow other programs you have installed on your computer to update themselves automatically.
- you have at least some basic knowledge about computers.
If in doubt select any 'Blacklist Mode'; it's safer, and therefore recommended, to select 'Safe Mode (BL)' rather than 'Drive-by-block (BL) Mode'.
*Some websites use JavaScript for their links. Reading letters in Hotmail.com does NOT work in any of the Whitelist Modes, so please as a quick fix use any Blacklist Mode for this particular website and for other well-known websites which use JavaScript for their linked pages too. You can also put the '.js' file extension on the editable Whitelist in order to use the Whitelist FSM modes.
Another downside of this mode might be the blocked (most of the time harmless) files when surfing the Internet.
Q: What happens if I choose any Whitelist Mode and some programs update themselves automatically?
A: It is possible that some of those programs get in an undefined state and have to be re-installed. If Windows XP Updates get blocked the system won't crash.
Bottomline: If you as an individual home user or the employees in your company are using the same programs all the time and all kind of automatic updates are disabled then 'Super Safe Mode' suits you perfectly.
II) Blacklist Modes
Pro: Easy to use, especially for users with no basic knowledge about computers.
Con: Harmless files can be downloaded and written anywhere on the Hard Disc. When the registry is manipulated by the same script a harmless file can be turned into a potentially dangerous one.
Q: Why does the File System Monitor of EMB have Whitelist AND Blacklist Modes?
A: As stated above the FSM running in Whitelist Modes is safer than in the Blacklist Modes. If no exotic programs are installed FSM running in Whitelist Mode should NOT block any files which are supposed to be passed. When any kind of files are copied, moved, renamed or deleted by the internal Windows (File System) Explorer (NOT to be confused by the Internet Explorer which is NOT the same) all these operations work normally.
However, when files are blocked while surfing the Internet and you don't know exactly what to do to resolve the problem you can switch to either 'Safe' or 'Drive-by Download (BL)' mode. In these modes only known potentially dangerous files will be blocked.
Q: How do 'Special Folders' on the FSM Panel work?
A: All files and subfolders in a folder which has been added to this list will NOT be monitored by the FSM and therefore all kind of files - including potentially dangerous ones - may be written into them. (Partition 'C:\' (and all other rootfolders) and 'C:\Windows' are NOT permitted, because in most of the cases the Windows Operating System resides on this partition and most of the malware tries to copy and install themselves on that partition and the 'Windows' folder, respectively.)
Examples:
1.) It's recommended to specify the 'Downloads' folder as a 'Special Folder' where any files, including potentially dangerous ones (eg programs) can be downloaded (written).
2.) In case you are a program developer you can specify the main folder in which your potentially dangerous files are generated as a 'Special Folder'.
Q: How do 'Special Programs' on the FSM Panel work?
A: In case you are using File Managers, File Synchronizers, Backup Programs, etc, you have to put their names in this list, otherwise copy, move or rename operations which involve potentially dangerous files will be blocked.
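The FSM rules described above (the six modes, Special Folders and Special Programs), modelled as an added example that is not EMB's own code. Process names, the short extension lists and all function names are assumptions; the exemption for writes by the System in mode 4 and the FSM's protection of its own folders are not modelled.

```python
import ntpath
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DRIVE_BY_BL = 1    # browsers only, Blacklist
    DRIVE_BY_WL = 2    # browsers only, Whitelist
    SAFE_BL = 3        # any program, Blacklist
    SUPER_SAFE_WL = 4  # any program, Whitelist
    INSTALL = 5        # no protection
    DISABLED = 6       # no protection


# Assumed process names for the three browsers the page lists.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
# Excerpts only: the page names these extensions but not the full default lists.
DEFAULT_BLACKLIST = {".exe", ".dll", ".bat", ".cmd", ".msi"}
DEFAULT_WHITELIST = {".txt", ".jpg", ".avi", ".mpg"}


def _norm(path):
    """Lower-case, backslash-separated path with '.' and '..' resolved."""
    return ntpath.normcase(ntpath.normpath(path))


def special_folder_allowed(folder):
    """Page rule: drive roots and C:\\Windows may not be Special Folders."""
    drive, rest = ntpath.splitdrive(_norm(folder))
    return bool(drive) and rest not in ("", "\\") and (drive, rest) != ("c:", "\\windows")


@dataclass
class FsmConfig:
    mode: Mode = Mode.DRIVE_BY_BL
    special_folders: list = field(default_factory=list)
    special_programs: set = field(default_factory=set)  # lower-case exe names
    user_blacklist: set = field(default_factory=set)
    user_whitelist: set = field(default_factory=set)

    def add_special_folder(self, folder):
        if not special_folder_allowed(folder):
            raise ValueError(f"not permitted as Special Folder: {folder}")
        self.special_folders.append(_norm(folder))


def in_special_folder(cfg, path):
    # Compare whole path components after normalisation, so that
    # D:\Downloads covers neither D:\Downloads2 nor D:\Downloads\..\Temp.
    p = _norm(path)
    return any(p.startswith(f + "\\") for f in cfg.special_folders)


def decide(cfg, process, path):
    """Return ('allow' | 'block', reason) for one file write."""
    if cfg.mode in (Mode.INSTALL, Mode.DISABLED):
        return "allow", "no protection in this mode"
    proc = ntpath.basename(process).lower()
    if cfg.mode in (Mode.DRIVE_BY_BL, Mode.DRIVE_BY_WL) and proc not in BROWSERS:
        return "allow", "modes 1 and 2 only watch the browsers"
    # The page describes Special Programs for modes 2 to 4; honouring the
    # list in mode 1 as well is an assumption of this sketch.
    if proc in cfg.special_programs:
        return "allow", "Special Programs entry"
    if in_special_folder(cfg, path):
        return "allow", "Special Folders entry"
    ext = ntpath.splitext(_norm(path))[1]  # text after the last dot
    if ext in ("", "."):
        return "allow", "no extension"
    if cfg.mode in (Mode.DRIVE_BY_BL, Mode.SAFE_BL):
        if ext in DEFAULT_BLACKLIST | cfg.user_blacklist:
            return "block", "extension on Blacklist"
        return "allow", "extension not on Blacklist"
    if ext in DEFAULT_WHITELIST | cfg.user_whitelist:
        return "allow", "extension on Whitelist"
    return "block", "extension not on Whitelist"


def demo():
    """Constructed write events against a mode 1 setup with one download folder."""
    cfg = FsmConfig(mode=Mode.DRIVE_BY_BL)
    cfg.add_special_folder(r"D:\Downloads")
    events = [
        ("firefox.exe", r"C:\Temp\setup.exe"),
        ("firefox.exe", r"D:\Downloads\setup.exe"),
        ("firefox.exe", r"D:\Downloads\..\Temp\setup.exe"),
        ("firefox.exe", r"C:\Temp\holiday.jpg"),
        ("notepad.exe", r"C:\Temp\tool.exe"),
    ]
    return [(proc, path) + decide(cfg, proc, path) for proc, path in events]


if __name__ == "__main__":
    for row in demo():
        print(row)
```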
Q: How are Microsoft Word, Excel and Powerpoint Files treated in EMB?
A: All files which are created by these office programs on your computer can be written with no problem.
Sometimes normally harmless files with extensions *.doc (Word), *.xls (Excel) or *.ppt (Powerpoint) can become dangerous when they contain so called macros. Most of the time these macros are also harmless, but in rare cases they can be dangerous too.
In case files with these three extensions (among others) are downloaded from the Internet EMB's FSM blocks them by default (they are NOT blocked if you create them yourself on your computer). You can either manually put ".do" and ".xl" into the Whitelist or copy files with these two extensions in a Special Folder in order NOT to have these files blocked by FSM. Please create either a new folder on a partition other than C: (if available) or a subfolder in main folder "Documents and Settings" and do NOT just put them in main folder "Documents and Settings" for security reasons.
Q: Sometimes I can hear some funny "boing" sounds. What do they mean?
A: Every time you hear that sound a file (or a part of it) has been blocked (that means it could NOT have been written (stored) to any drive or partition in the current configuration of the file system, eg your Hard Disc).
Click on the EMB FSM icon with the blinking star to get a list of all blocked files, the last blocked ones are listed first.
Please make it a habit to immediately check what kind of file has been blocked. It might be your 50 MB program you wanted to download which has been blocked because you were in the wrong FSM mode, etc.
Q: How do I best react to those sounds (and when any file has been blocked)?
a) When you were surfing the Internet:
The FSM was in 'Drive-by-downloads (BL)' or 'Safe Mode':
If you were NOT downloading a program then EMB has just protected you from an infection with malware like a virus, ad- or spyware!!!
Imagine what would have happened if you hadn't installed EMB. This malware (when programs install themselves clandestinely it is malware) would have installed itself without you being aware of it. It most probably would have spied on your habits or have used your computer to send emails of dubious contents over the Internet. When you decided to run an Ad- or Spyware Removal program it would have taken one or even two hours of searching your computer. There would have been NO guarantee that this program found any malware, because it might be a new type which is not yet in their reference list or it might have been a rootkit, which are very hard to detect because they hide themselves.
EasyMalwareBlocker just saved you from a lot of trouble!
There is NO need to take any action!
The FSM was in 'Drive-by-downloads (WL)' or 'Super Safe Mode':
Most of the time files blocked in these two Whitelist modes are files which are not really dangerous. Having blocked them may mean they have to be retransmitted when a site is visited again, no big deal really. Most of the time you can put the file extensions of these blocked files in the editable part to avoid blocking them next time.
However, in case a *.js file has been blocked you may not be able to access a subpage by clicking on a link (underlined blue text). It is difficult to tell if a *.js file is benign or malicious and if blocking them really helps to prevent them doing any further malicious actions (*.js seem to do their job when they are loaded in the RAM).
Alternatively, you can switch to any of the two Blacklist Modes and the website will be shown normally. You may have to load it again (by simultaneously pressing buttons Ctrl-R or Ctrl-F5.)
Of course, there is this possibility too: If you were NOT trying to download a program (wrong FSM modes!) then EMB might just have protected you from an infection with malware like a virus, ad- or spyware.
There is NO need to take any action if you do NOT trust the website, but you may not be able to access a linked page.
b) You were NOT surfing the Internet (eg you did NOT have any browsers open)
You were performing eg a copy operation with Windows Explorer (NOT to be mixed up with Windows Internet Explorer) or another file manager program:
The FSM has blocked a file which it shouldn't have:
- I) If the FSM is currently in Super Safe Mode:
- - Quick, but not best fix: Switch the FSM to Safe Mode, then repeat the aborted action.
If that doesn't work put FSM in 'Disabled Mode' and try again. This is an emergency procedure only and is NOT really recommended.
- - Best fixes:
a) In case you are using a File Manager, a File Synchronizer, a Backup Program, etc, put that program in the Special Programs list on the FSM Form, if that has not already been done.
b) Check the File Extension of the blocked file (doubleclick the icon) and put it into the Whitelist, if it is a harmless one, then repeat the aborted action.
- II) If the FSM is currently in Safe Mode:
- - You have to temporarily disable FSM by clicking on the big button on the FSM form. That should only be done when new programs are being installed. A new red icon will appear in the system tray warning you that the FSM is currently in 'Un/Install Mode'. Note: 'Un/Install Mode' is not yet implemented.
How do I know whether the blocked file is a good or a bad one?
You can safely assume that if that sound comes up unexpectedly, eg you were NOT copying, moving, renaming or installing a new program, then the blocked file is a malicious one.
On the other hand when you were performing one of those mentioned activities and you hear that sound then most likely a file has been blocked which shouldn't have.
Important note: FSM lets you install new programs from CDs or DVDs without any warnings. It assumes (it has to, no choice) that you know what you are doing. In case you installed a trojan horse type of program EMB will notice that and come up with a warning message when that program wants to send (any, most likely spied personal) data from your computer over the Internet. Always assume the worst when such a message pops up, and when in the slightest doubt (or you don't know) do block such a request.
Q: How can I download programs and other potentially dangerous files from the Internet?
A: In order to download potentially dangerous files you have to set the FSM to Safe Mode (downloading potentially dangerous files does NOT work in Whitelist Mode).
When you ran EMB for the first time you were asked to set a folder where downloaded files can be copied. Downloads only function properly precisely to that folder (or any other folder in the 'Special Folders' list). Other folders, including Desktop, do NOT work, downloaded potentially dangerous files will be blocked by EMB (a "boing" sound will be generated every time a file has been blocked).
In order to install the downloaded program it's recommended to switch off the connection to the Internet if this is possible (some programs need a connection in order to download the main program). You have to temporarily change the FSM to Install Mode (not yet implemented) or Drive-by-Block (BL) Mode.
When in Install Mode, switch the FSM mode back to Blacklist- or Whitelist Mode when you surf the Internet again. EMB will warn you in case you forgot to change the mode.
All these restrictions do NOT apply when movies, pictures and simple textfiles, etc, are downloaded.
Q: What is a potentially dangerous file?
A: In the computer world there are potentially dangerous files, meaning files which can do harm to your computer, and harmless files. Potentially dangerous files can execute themselves (they are programs, eg with extensions *.exe, *.msi), be called by such programs (like files with the extension *.dll) or call executable programs (like *.bat or *.cmd files).
The two kinds can be distinguished by looking at the file extension (on XP operating systems file extensions are NOT shown by default). The file extension is the part of the name after the last dot, eg .exe, .doc, .jpg, .avi and thousands more.
All files with extensions like *.exe, *.dll, *.bat, *.msi (and dozens more) are potentially dangerous and will be blocked by FSM (in all Whitelist and Blacklist modes).
Harmless (or passive) files with extensions like *.txt, *.jpg, *.avi or *.mpg (and a gazillion others), on the other hand, can (under normal circumstances) do NO harm to your computer system. They need another program like an editor, a viewer or a player in order to be opened.
Files with the extensions *.doc and *.xls, for example, are hybrids. They cannot execute themselves, but when they are opened (eg by the Microsoft Office program Word) embedded macro viruses can execute. These generally do not, but sometimes can, cause all kinds of damage to your computer, including installing malware.
Q: What is malware?
A: Malware is a general term for executable files ("programs") which, when executed, cause malicious and/or undesired effects on your computer.
These programs are known as viruses, worms, trojans or trojan horses, spyware, adware, keyloggers, hijackers, phishing, backdoor and dialer programs and last but not least rootkits.
They can also (and more often than not they do indeed!) spy on your habits and send personal data over the Internet to their servers (ad- and spyware), which is annoying to say the least, or even do harm to your computer, like modifying the Registry and/or modifying or deleting system files. Sometimes you don't notice that malware is running on your system, because it hides itself in a very sophisticated way and hardly consumes any CPU time. At other times it is quite obvious that malware is running, because your computer is kept busy and working with it is virtually impossible because the response times are so long.
Keyloggers are programs which clandestinely monitor each and every keystroke you make without you being aware of that activity. Needless to say, they send the results - clandestinely - over the Internet to their server, where they can be analyzed.
Trojan horses usually have a good and desired purpose, but at the same time they may also serve eg as ad- and/or spyware.
EasyMalwareBlocker detects all programs which try to send any data over the Internet and you have the option to deny such an access.
Backdoor programs can remotely control your computer, which means monitoring, but also downloading, installing and executing programs, all without you being aware of that.
The main purpose of a Rootkit is to hide itself and its activities in the system so that they can no longer be detected by the usual malware search and remover tools.
Other programs could also modify or delete any kind of files in your system (but luckily so far they very rarely actually do that). Deleting all your Restore Points seems to be quite popular. Others may delete drivers, eg for your CD ROM Drive, so that you don't have access to it anymore.
Modifications in the Registry can also be done easily.
Infections happen most often when a website is visited which has embedded (Java and other) scripts in the htm code. As already mentioned, you as a user don't notice anything when your computer is infected in this way. You only notice it when damage has already been done.
EasyMalwareBlocker blocks any malware - including even Rootkits - BEFORE it can install and execute itself clandestinely on your computer.
For more detailed information on any of these types of malware you can visit eg www.wikipedia.com
Q: How can my computer get infected with malware?
A: There are several possible ways:
I Over the Internet
- a) By open ports
Unfortunately, by default some ports on every Microsoft Windows computer are listening (that means there is a program which expects data sent over the Internet). Although most users very rarely actually use them, these ports (channels) can receive data from sources other than the intended ones. Hackers and malware writers know these ports well, and there are many viruses making use of these security holes. Firewalls are designed to block attacks on listening ports. You can be attacked any time you are online (with an ADSL modem you are most often online for as long as your computer is switched on), regardless of whether a browser is open or not.
While being attacked you won't notice anything at all. Only when it's too late and malware has already installed itself will you notice the consequences, eg slow response or, worse, missing personal data, but fortunately that very rarely happens. More often you won't even be aware that you have been infected, as these programs work clandestinely in the background and, in the case of rootkits, hide themselves in a very sophisticated way, so that such potentially dangerous files cannot be detected by ordinary virus and spyware scanner programs. They can be detected by their activities, though, eg when they want to send data over the Internet. And this is when they get caught by EMB.
These are the reasons you need a good incoming AND outgoing firewall.
Unlike other firewalls, EMB Network Monitor blocks any unnecessary ports automatically (incoming firewall); you don't have to explicitly specify any of them. If an unknown program wants to send data over the Internet for the first time, EMB Network Monitor will warn you and give you the option to block this kind of request (outgoing firewall).
- b) By enabling scripts in the browsers
Scripts are powerful software tools. Used in a beneficial way, they check the input users make in forms or implement special effects on websites. Used in a more questionable way, they can also copy, install and execute programs that analyze the surfing habits of users and send that kind of information back to their servers, which in turn send customized ads back to that particular user, for example.
Unfortunately, the common script languages are in general too powerful, as they have unlimited access, directly or indirectly, to all the files and the registry in any computer system. That means they can delete files and folders and manipulate the registry.
In other words: They could wreak havoc on your computer and sometimes they actually do it!
If you do not have an Internet Security Program installed then, as with open ports, you won't notice when you get infected; you only see it when it's too late.
You can disable scripts in the browsers, but that also means the number of sites which are shown correctly is very limited. In practice this is unfeasible for the vast majority of users. For example, Hotmail (and quite possibly other email providers too) cannot be used with scripts disabled.
- c) By downloading unknown programs.
There are thousands of different programs for many different needs for all kinds of users. Some are shareware and some are even available for free. Most of them do only what they are supposed to do, but some also hide malicious code in them (they are called trojans) and may spy on your surfing habits without you being aware of that. They could also reformat your Hard Disc if they wanted to, but again, luckily they very, very rarely actually do that.
EMB FSM blocks downloading of potentially dangerous files by the user in Whitelist Mode by default.
See instructions to download potentially dangerous files.
- d) By opening unknown attachments in Emails.
Fortunately, this kind of attack is blocked by many big email providers (including hotmail, yahoo, gmail and gmx, to name a few), but it looks like smaller ones have no spam filters or file checkers installed. So in many cases you cannot even send potentially dangerous files as an email attachment, because most email providers do not accept them. Sometimes these potentially dangerous files (so-called macros) are hidden in Microsoft Word .doc or Excel .xls documents. Surprisingly, though, a recent study showed that most malware infections happened by opening email attachments.
The EMB FSM blocks all *.do* and *.xl* files which are attached to emails (and all other potentially dangerous files) in 'Safe' and 'Super Safe' Modes.
II By manually installing programs from removable data carriers like CD, DVD, USB Memory Sticks, Floppy Discs, etc
Most of the programs (if not all of them) you buy on a CD/DVD in a shop in industrialized countries are free of any malware. However, some CDs/DVDs which carry dozens of pirated programs and are available for only a couple of US$/Euros in Asian (and possibly other) countries also contain malware in rare cases.
The FSM can be set so that any access to CD/DVD drives and USB Flash Drives is blocked.
Q: I have a hardware router device installed. Do I still need a software firewall like EMB?
A: Yes! Hardware routers are pretty effective when it comes to hiding your computer on the Internet. So-called port scanner programs won't see your computer and therefore can NOT attack it. What hardware routers can NOT do is prevent personal data from being transmitted over the Internet. That can only be done by software firewalls (or by very expensive special hardware routers). That's why you (as a home or small business user) still need an efficient outgoing firewall program as implemented in EMB (Network Monitor). (Windows XP has a firewall also, but it's only for incoming, not for outgoing traffic.)
Q: I have a computer which is equipped with LAN and/or WLAN. Am I also protected from attacks over these channels?
A: Yes, you are! The protection works for all kinds of networks.
Q: Are small home networks supported?
A: Yes, home networks over any kind of transport medium (cable, power lines, wireless) are fully supported.
Q: What is the difference between a Whitelist and a Blacklist?
A: If an item is found in a Whitelist, the program takes no special action and continues normally.
A Blacklist is exactly the opposite: if an item is found in a Blacklist, the program blocks the site (Parental Control) or the writing of the file.
Whitelist and Blacklist Examples:
When the File Extension ".abc" is put into the Whitelist and FSM works in Whitelist Mode all files with the extension *.abc will be processed normally (ie NOT blocked). However, if that same File Extension is put into the Blacklist (and FSM works in Blacklist Mode) all files with extension *.abc will be blocked.
If File Extension ".abc" is neither in the Whitelist nor in the Blacklist, then files with extension *.abc will be blocked if the FSM works in Whitelist Mode, but allowed (ie not blocked) if the FSM works in Blacklist Mode.
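The decision rule from the examples above, written out as an added example (not EMB's code): the list contents are constructed from extensions this FAQ mentions, and the function names and the handling of trailing dots and spaces are assumptions.

```python
"""Extension-based allow/block decision in Whitelist and Blacklist Mode.

Added illustration, not EMB's implementation. List contents are constructed
from extensions mentioned in this FAQ; all names here are hypothetical.
"""
from enum import Enum


class Mode(Enum):
    WHITELIST = "whitelist"  # only listed extensions may be written
    BLACKLIST = "blacklist"  # everything except listed extensions may be written


# Constructed sample lists (assumption: real lists are much longer).
WHITELIST_EXTS = {".txt", ".jpg", ".avi", ".mpg"}
BLACKLIST_EXTS = {".exe", ".dll", ".bat", ".cmd", ".msi"}


def extension(path: str) -> str:
    """Return the part after the last dot, lower-cased, with the dot ('' if none)."""
    # Keep only the file name, accepting both path separators.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    # Win32 drops trailing dots and spaces when it creates a file, so
    # "tool.exe. " ends up on disk as "tool.exe"; compare what will exist.
    name = name.rstrip(". ")
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def write_allowed(path: str, mode: Mode,
                  whitelist=WHITELIST_EXTS, blacklist=BLACKLIST_EXTS) -> bool:
    """Apply the rule from the FAQ: only the list matching the mode is consulted."""
    ext = extension(path)
    if mode is Mode.WHITELIST:
        return ext in whitelist      # unknown extension -> blocked
    return ext not in blacklist      # unknown extension -> allowed


def decision_table(paths):
    """Return (path, extension, allowed in WL mode, allowed in BL mode) rows."""
    return [(p, extension(p),
             write_allowed(p, Mode.WHITELIST),
             write_allowed(p, Mode.BLACKLIST)) for p in paths]


# Constructed sample file names covering the cases discussed above.
SAMPLES = [
    "notes.txt",                  # in the whitelist
    "setup.exe",                  # in the blacklist
    "report.doc",                 # in neither list: the modes disagree
    "holiday.jpg.exe",            # only the LAST dot counts
    "SETUP.EXE",                  # extensions are case-insensitive on Windows
    "C:\\Downloads\\tool.msi. ",  # trailing dot/space is dropped by Win32
    "README",                     # no extension at all
]

if __name__ == "__main__":
    print(f"{'file':28} {'ext':6} {'WL mode':8} BL mode")
    for path, ext, wl, bl in decision_table(SAMPLES):
        print(f"{path:28} {ext or '-':6} "
              f"{'allow' if wl else 'BLOCK':8} {'allow' if bl else 'BLOCK'}")
```

The `report.doc` and `README` rows are the "neither list" case: blocked in Whitelist Mode, allowed in Blacklist Mode.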
Q: Why do the makers of EMB recommend NOT to download updates for Windows XP (and any other updates for any other programs for that matter)?
A: Updates always modify existing potentially dangerous files, or they add new ones or delete existing ones. For a File System Monitor it is difficult to track those downloads AND their installation, as they can happen at any time or not at all. At the moment FSM does NOT track this kind of modification. This means that when updates have been downloaded (and installed, if necessary), the Leak Part of the Network Monitor detects a mismatch when it compares certain features of loaded modules with the ones stored in the reference file list, and it has to ask questions that are difficult to answer. That turns out to be a security hole when an efficient Internet Security Program like EMB is installed and running. So something intended as a good thing turns bad, which is certainly not what was meant in the first place.
EMB works perfectly and blocks any potentially dangerous files the Internet Explorer wants to write to the Hard Disc, so there is no need to download updates for XP for security reasons.
Q: What do Updates do besides annoy you and make the programs remind you of themselves?
A: Most of the time they just correct minor bugs, and in the case of Microsoft they download Security Patches (which YOU no longer need because you're running EMB!). Sometimes Microsoft adds new features to existing programs, like the long-awaited tabbed browser IE7. These major new features are included in the automatic updates, but they can also be downloaded individually and directly from the Microsoft website.
Bottom line concerning updates: If your system works normally and you are happy with it, do NOT enable automatic downloading of Updates for Microsoft Windows XP.
If you're also happy with how the other programs installed on your system work, you can also deny those programs access to the Internet in the Network Monitor.
Sometimes downloading new versions of programs proves counterproductive, especially with Notebook computers, which usually work perfectly for years without any updates.
Q: What can happen in the worst case when I enable Scripts in EMB?
A: When you enable Scripts (put extension .js manually in the Whitelist and use Whitelist Mode) all sites will be displayed in the best possible way.
Scripts are powerful software tools with which special effects in websites can be realized. Unfortunately they are too powerful: a script might be malware itself, or it can give instructions to install any kind of malware. With scripts, files or folders can be deleted and the Windows Registry can be manipulated. They can also start executable files which can do all kinds of things, including reformatting your entire Hard Disc!
EMB blocks writing of any potentially dangerous files in 'Safe' and 'Super Safe' FSM Modes, and browsers are not permitted to delete potentially dangerous files, so with EMB installed and running in either Blacklist or Whitelist Mode such a bad scenario can never happen.
Q: What happens (or rather what does NOT happen, resp) when I disable (block) Scripts in EMB?
A: The first page of a site which uses Scripts usually will be displayed correctly but if you click on a link that page sometimes may NOT show correctly or even not show at all. Fortunately that only happens with very few websites.
Downloaded *.htm files with embedded scripts are temporarily stored in the RAM of your computer and are immediately executed from there. (There is no need to store them on the Hard Disc in order to be executed.) When these scripts do their malicious work they do it from the RAM.
Practice has shown that blocking Java Scripts in EMB has NOT really increased security.
Note: If these scripts try to install potentially dangerous files, that will be reliably blocked by EMB's FSM.
Q: What kind of websites are using scripts?
A: The site of your favourite daily newspaper may use scripts in order to make a profile of your surfing habits. With data gathered they can send personalized ads to individual users.
Most of the websites do NOT use scripts at all.
Some sites where you can get cracks for shareware programs, or porn sites, may try to install spy- or adware or even more malicious malware on your system, with the result that, for example, you can no longer access the Internet or links do not work anymore. (Sorry, we don't have a lot of experience of what kind of damage malware can do, as we use EMB ourselves and haven't been infected with malware for a long time...) They could also delete files, but luckily they very, very rarely actually do that.
Practice has shown that every website can get infected with malware, especially those whose webhosters are not professional enough to defend against or even detect such attacks by hackers, who are most likely Russians, Chinese, Americans or Germans.
However, scripts are very commonly used to check data typed in by users, eg in forms when you submit personal data over the Internet or when you log in to your email account.
If you surf in Whitelist Mode and go to Hotmail.com, you cannot open selected emails.
Change to 'Safe' Mode instead when reading email with Hotmail and other email providers which also use Java Scripts on their sites for accessing linked items. If you were in Whitelist Mode before, you have to reopen the site in order to make the links work.
Network Monitor
Parental Control / Websites Control
Whitelists and Blacklists:
When the site www.xyz.com is put into the Whitelist, it will always be shown normally. If the same site is put into the Blacklist it will always be blocked.
Q: How can I set Parental Control in such a way that a particular Website is always shown?
A: If you want a website shown normally although it may contain words which are listed either in any enabled (ticked) Predefined Genre or in the enabled Custom Wordlist, you have to add that particular website to the Whitelist (NO typos, please!)
Example: Suppose that in general you want all sites to be blocked where the word "satan" occurs, so you put that word in the Custom Wordlist (Blacklist Type). That may also mean that sites (or parts of them) are blocked which you would like to have displayed without any restrictions, eg www.nyt.com or www.bible.com.
These two sites are exceptions to the rule so you manually put them into the Whitelist, exactly like that:
www.nyt.com
www.bible.com
The entries in the Whitelist override the Predefined Genres and the words in the Custom Wordlist. Therefore, both of the listed sites will always be shown as usual.
Blacklists are easier to handle: If you want a particular site to be blocked, eg www.xyz.com, you simply put it into the Blacklist. Remember that there are predefined (blacklist type) genres (Porn, Nazi, Violence and Sports). Should undesired websites still be shown normally (because they do not categorize themselves correctly in the header part of the htm(l) file), you can manually put the URLs (www addresses) of these sites into the Blacklist.
Q: How safe are Predefined Genres in the Parental Control/Website Control?
A: Pretty safe but NOT 100 %.
Porn: A recent test showed that 99 out of the most common 100 porn sites were indeed blocked by using EMB.
If you want 99.5 % security or so, you will have to buy a dedicated Parental Control program, which you may install and run in parallel with EMB (they should not harm each other). Keep in mind that these dedicated programs have huge blacklists which have to be maintained with daily updates and may considerably slow down surfing the Internet. According to a recent test in a leading computer magazine some of them can easily be bypassed by your kids. See note.
Nazi: Efficiency has not been tested, as we do not have enough experience to really block all the appropriate sites.
Violence: Efficiency has not been tested, as we do not have enough experience to really block all the appropriate sites.
Sports: Only the 20 most common sports terms are blocked. If your employee has an inclination for an exotic kind of sport and you want to block the sites he/she regularly visits while he/she is supposed to work for the company, you have to manually put these particular URLs into the Blacklist.
Note:
Even computer-savvy kids can NOT bypass the restrictions imposed by EMB's Parental Control, unlike with other dedicated Parental Control Programs.
Q: I have just installed and started a new program. The Network Monitor has detected that it wants to access the Internet (a red popup is shown), but I don't really see why it should do that. What am I supposed to do?
A:
- a) Some programs constantly check for updates (eg for a new version of the program) and therefore need access to the Internet. Besides checking for new updates they might also send home some spied data. If you do not like that behaviour and you want to keep the program just deny access to the Internet and keep using the program. If you don't like it anyway, uninstall* it immediately.
You can also try to rename the .exe file in question and see if the main program still works properly (in most cases, it does).
- b) You might have installed a so-called trojan horse type of program. Such programs do the desired job, but they usually also send personal data to their home servers, where it is analyzed. As a result they can send personalized ads to your computer. (Most of them do only that. That's not very serious, but who likes to be observed without knowing it?) Others may modify or delete files, or, if you have been careless with passwords and bank accounts, they could also empty those accounts. These are worst-case scenarios which are not very likely, but they do sometimes happen.
Often malware authors use modules (a file with extension '.dll') to access the Internet. These modules are loaded when a program which has access to the Internet (most of the time it's the Internet Explorer) is started. EasyMalwareBlocker detects if a new module is loaded and shows a yellow popup. Please read all the text on that popup very carefully, including the notes on the right of the popup and, if necessary, the 'Help' text! Even computer newbies can make educated decisions when they use their common sense!
If you really need the program, keep it but do deny access to the Internet for that particular program on the 'Application Control' panel (you need to be a medium advanced user to be able to do that). If not, uninstall* it immediately.
Sometimes it is difficult to tell benign programs from trojan horse type programs. Lists of trojan horse programs can be found on the Internet.
* Getting rid of malware may not be that easy. Try to uninstall it by using Start - Control Panel - Software first. If the program doesn't show up there, there might be an uninstaller.exe in the program folder where the program resides. Unfortunately, both options are very unlikely.
Try to delete all potentially dangerous files associated with (suspected) malware by using Explorer or a File Manager program. More often than not that attempt will be futile too.
Try the built-in Malware Remover Tool on the EMB 'Options' panel (Delete Traces) or an antivirus and/or a spy/adware remover program to remove the unwanted program(s). Many of these remover programs are available for free on the Internet but make sure you download a widely recommended one! Otherwise you might install just another malware program, a trojan horse!
Sometimes the only way to get rid of malware is to start a mini OS from a CD. Only seasoned experts can use this method and find and delete files which are sometimes made unseen in hidden folders.
Q: Sometimes I see red popups on the lower right corner of the screen. What do they mean?
A: The Network Monitor (incoming Firewall) has detected that an unexpected source, eg a port scanner, wanted to query some information. The DNS number is shown, so if the popup with this DNS number appears often you can find out who the originator is (type in the DNS number eg at Google). There is not really much you can do in order to prevent these queries. This is for your information only; there is no need to take any action.
Troubleshooting
Q: I have experienced BSODs (bluescreens) after I have installed EMB. What can I do?
A: Newer versions of eg the 'PowerDVD' movie player have caused BSODs (bluescreens) on some computers. The file 'C:\Program Files\CyberLink\PowerDVD\000.fcl' (a driver(!)) was responsible for the problem.
A possible fix is to just rename the file to eg C:\Program Files\CyberLink\PowerDVD\XXX000.fcl or, better and easier with EMB versions from 1.4: Start the EMB Autostart program and disable 000.fcl by clicking on the checked box (start looking for it from the bottom of the list!).
The movie player will still generally work although it has not been investigated what particular feature(s) may or may not work anymore.
Q: What do I have to do when EMB has been terminated by the system?
A: This can happen when the system is running at its capacity (too many open handles and/or too many running threads). As a result the Internet might not be accessible.
Try to close some open applications (eg open windows in any of the browsers) and try to start EMB again. If that fails reboot your computer.
Q: After a system crash EMB does NOT start automatically. No message is popping up and none of the EMB icons are shown in the system tray. What am I supposed to do?
A: Try to repair EMB by either launching EasyMalwareBlocker.msi or by Start-Control Panel-Software-EasyMalwareBlocker. Click the link 'Support' and then click the 'Repair' button.
If that fails, uninstall EMB by either launching EasyMalwareBlocker.msi directly or by Start-Control Panel-Software-EMB first, then reboot and reinstall EMB by launching EasyMalwareBlocker.msi.
Q: I have run an antivirus program and it showed some suspicious files although I've always been using 'Super Safe Mode'
A: Should you run a 3rd party Virus Scanner or an Ad- and Spyware Remover Program, there is the possibility that they indeed find malware on your system, BUT that should only happen in the Internet Caches of the browsers, if at all.
However, installing all kinds of potentially dangerous files will be blocked by EMB.
Q: All this sounds very complicated, really. Why is the program called EASY MalwareBlocker?
A: EASYMalwareBlocker adapts itself to different levels of user computer knowledge.
A newbie who just bought a new computer, for instance, uses just a few programs and possibly surfs the Internet every now and then and writes emails, downloads music, watches movies and plays games. He or she can use EASYMalwareBlocker out-of-the-box. There is NO need to configure anything, you more or less just click 'Cancel' or 'Close' buttons when you use EASYMalwareBlocker for the first time. All the necessary settings are already done automatically and the program is ready to go.
You don't have to know anything about different FSM modes, Java Scripts, malware, Special Folders, etc. as long as you don't change any settings.
The only exception is changing the FSM mode to 'Safe Mode'. That could cause problems with some other applications which are running on your computer (see 'BSOD' above).
However, if you start to change other settings you should know EXACTLY what you are doing, especially on the FSM panel, otherwise the FSM might behave in an undesired way.
EASYMalwareBlocker is even suitable for professional and business users, as it provides password-protected access to the administrative parts of the program. (For geeks only: The same security measures as in banking were implemented: The password itself is NOT stored anywhere, only its MD5 is.)
Advanced users can customize EASYMalwareBlocker to their needs.
Compare it to an expensive photo camera, which usually also has a "green" 'Ready to Click' mode. When there are difficult light conditions, experienced photographers can tweak the settings for an optimum result, while newbies still get an acceptable picture.
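The answer above says that only the MD5 of the administrative password is stored. As an added example (not EMB's code; the record format, function names and iteration count are assumptions), here is a plain unsalted MD5 record next to a salted PBKDF2-HMAC-SHA256 record from Python's standard library, showing what each stored value looks like and what the salt changes.

```python
"""Storing a password verifier: unsalted MD5 next to salted PBKDF2.

Added illustration, not EMB's code. Record format, function names and the
iteration count are assumptions made for this example.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: tune to what the host can afford


def md5_record(password: str) -> str:
    """What 'store only the MD5' produces: one fast, unsalted digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow verifier: scheme$iterations$salt$key."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, int(iterations))
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(key, expected)


def compare_schemes(password: str, iterations: int = PBKDF2_ITERATIONS):
    """Hash the same password twice (two accounts) under both schemes."""
    md5_a, md5_b = md5_record(password), md5_record(password)
    kdf_a = pbkdf2_record(password, iterations=iterations)
    kdf_b = pbkdf2_record(password, iterations=iterations)
    return {
        "md5_records_identical": md5_a == md5_b,      # no salt: always True
        "pbkdf2_records_identical": kdf_a == kdf_b,   # random salt: False
        "pbkdf2_verifies": pbkdf2_verify(password, kdf_a),
    }


if __name__ == "__main__":
    # Constructed sample password. Its MD5 is the same on every machine,
    # so the stored value can be matched against precomputed tables.
    print("md5   :", md5_record("password"))
    print("pbkdf2:", pbkdf2_record("password"))
    print(compare_schemes("password"))
```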
Miscellaneous
Q: Why is the program for business users more expensive than for home users?
A: Business users will most likely use EMB more often than home users and therefore a price difference is justified.
Q: When I want to buy EasyMalwareBlocker after the trial period has expired how does that work?
A: You won't get a registration code which you have to enter, as with the vast majority of other programs. Please fill in the order form and pay with your credit card. After we have received the confirmation that the transaction has been successfully completed, some hardware serial numbers which identify your computer will be transmitted to our database at our webhost and you can use EMB with no time limit.
If you use our trial version, the same hardware serial numbers are transmitted to our database when you start EMB, and a check is made there whether your trial period has expired or not.
We guarantee that NO personal data are being used, stored anywhere on your system or transmitted over the Internet for identification and/or any other purpose.
Q: I have run a rootkit detector program and it showed EMB folders and files which I do not have access to
A: They probably list about 10 files in the subfolder 'Data' where EMB is installed and about 20 in App Data Path\EMB. Nothing wrong with that, we're just hiding our own files from access by users who might modify them in order to circumvent the restrictions in Parental Control/Website Control or FSM.
There is also a program running which has been started by EMB and is not shown in the XP taskmanager. It checks if EMB is still running and warns you when EMB has been terminated because you (or your kids) have terminated it or it has been terminated by the system due to a severe error.