Short Introduction to EasyMalwareBlocker: Your All-In-One Computer Protector

General

This introduction shows a lot of screenshots and as little text as possible.

It can also serve as a tutorial, and it provides sample choices for firewall and other popups.

NOTE: Many sample screenshots have been made for demonstration only. It's NOT very likely that you will see them all on your computer.

 

After the installation of EasyMalwareBlocker has been completed you should see two new icons in the system tray (near the clock):

EMB Icons

EasyMalwareBlocker has two icons, the left one is for the File- and Registry Protector (FRP) section and the right one for the firewall:

When EMB is set up, these two icons are all you see of EasyMalwareBlocker. It runs silently in the background, hardly slows down your computer, and pops up no splash screens.

Right-clicking them opens two slightly different menus.

The FRP Menu and the result of the FRP Quick Test are shown:

FRP Menu         Quick FRP Function Test Passed

 

First Run

Generally, downloading programs is blocked; EMB allows downloading programs only to 'Special Folders'. On the first run EasyMalwareBlocker (EMB) searches for folders named 'Download' and, if it finds one, suggests it, as can be seen on this screenshot:

Suggested Download Folder

All you do is click the 'Yes' button. If no Download folder is found you can easily create one.
If you don't set a download folder, downloading programs is NOT possible.
In the 'Home' and 'Netbook' versions, downloading music and movies to any location is no problem, whereas in the 'Business' version this is NOT possible.

 

The main principle of EasyMalwareBlocker is to block any potentially dangerous file and Registry operations made by user programs. But the good ones have to be exempted from this rule. On the first run EasyMalwareBlocker has to learn which programs are allowed to make any file and Registry operations.

On the first of several tables some of the most popular programs are shown:

Most Popular Programs

Most users won't modify anything and just click 'Apply'.
(This example shows a screenshot of a test computer at EMB to demonstrate that all the programs listed have also been installed and tested.)

 

If more programs are found these are shown on other tables like this:

More Apps

In this example 'EdgeModem.exe' is the support program for an installed aircard, so this program definitely needs to access the Internet; the 'Access to Internet' checkbox has to be ticked too.
There are a lot of programs installed which are rarely (if ever...) used, so don't tick them as used. When such an unticked program (or one you forgot to mark as used) is launched, EMB reports that event with a red popup.

It's not always easy to make optimal choices. Often many subprograms are listed for the same application. Most of the time it's not necessary to tick all of them as used, as shown on the screenshot.
It's NOT a mistake when wrong or unnecessary programs or subprograms have been ticked. EMB will work perfectly all the same (although an imperceptibly tiny bit slower). The result can be viewed and corrected, if necessary, on the FRP and NAC panels.


In the following screenshots we look under the hood of EMB. For ordinary users it's not necessary to open these panels at all. Access to them by unauthorized persons can be protected by a password. Computer experts can double-check the settings, correct them if necessary, and also tweak them for the best performance of EMB.

 

File- and Registry Protector Panel

The File- and Registry Protector panel lists
- the current FRP mode,
- Special Programs (applications in this list are allowed to do any file and Registry operations),
- Special Folders (any file operations are allowed in these folders),
- Special Registry Entries (the specified Registry operations are allowed for the specified program and key),
- the option to set a password to restrict access to important panels,
- and more:

FRP Panel

As the lower section (file extensions) is rarely used, it is shown only at the click of an extra button.

 

When a file or Registry operation that you want to allow has been blocked, entries to the FRP panel can also be made on the 'Blocked- and Warned Operations' panel with a single click on a button:

Blocked- and Warned Operations Panel

As you can see on the 'Blocked and Warned File Operations' list, '.com' files and other files with extensions NOT in the whitelist written by Internet Explorer have been blocked.
Two of the blocked files have the extension '.com', which is in the blacklist, so this needs no explanation.
Does blocking the other files written by Internet Explorer (iexplore.exe) harm your computer? As experience showed: No (unfortunately, that answer is correct only for IE 6. Blocking any files written by IE 7 or 8 can result in blank pages when a website is revisited. Problems like that do not occur with other browsers, as they write files with no file extensions in their Internet caches.)
Many times there is no compelling reason to write harmless files at all, so they might as well be blocked. In most cases just ignore the warning by EMB when the FRP is either in 'Super Safe' or 'Drive-By Download Protection WL' mode.
Blocking the file with extension '.pbk' caused the program 'EdgeMdm' to malfunction. As Registry operations by the same program have also been blocked, it is recommended to put this program on the 'Special Programs' list, terminate the program and start it again.
Because it's not always that easy to know what to do when a file has been blocked in 'FRP Super Safe' mode, this mode is for computer experts only, even when IE6 is being used.

As for the Blocked Registry Operations, it looks like the listed program was not marked as 'used' on the first run, so it has not been put in the 'Special Programs' list. No problem: with a click on the suggested button you can do that right on this panel, as shown on the screenshot above.
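The FRP rules described above (Special Programs, Special Folders, Special Registry Entries, the extension blacklist and whitelist, and the two FRP modes) as an added illustrative model; this is not EasyMalwareBlocker's own code. The rule order, the whitelist contents, '.exe' being blacklisted next to '.com', and WL mode warning instead of blocking on non-whitelisted extensions are assumptions made for the illustration.

```python
# Illustrative model of the FRP decision rules, NOT EasyMalwareBlocker's code.
# Assumed: rule order, whitelist contents, '.exe' in the blacklist, and WARN
# (rather than BLOCK) for non-whitelisted extensions in WL mode.
import ntpath
from dataclasses import dataclass, field

SUPER_SAFE = "Super Safe"
WL_MODE = "Drive-By Download Protection WL"


@dataclass
class FrpPolicy:
    mode: str = SUPER_SAFE
    special_programs: set = field(default_factory=set)   # any file/Registry op allowed
    special_folders: set = field(default_factory=set)    # any file op allowed inside
    special_registry: set = field(default_factory=set)   # allowed (program, key) pairs
    blacklist_ext: set = field(default_factory=lambda: {".com", ".exe"})
    whitelist_ext: set = field(default_factory=lambda: {".htm", ".txt", ".jpg", ".mp3"})

    def check_file(self, program: str, path: str) -> str:
        """Return ALLOW, WARN or BLOCK for 'program' writing the file 'path'."""
        program, path = program.lower(), path.lower()
        if program in self.special_programs:
            return "ALLOW"
        if ntpath.dirname(path) in self.special_folders:
            return "ALLOW"                  # downloads are allowed in a Special Folder only
        ext = ntpath.splitext(path)[1]
        if ext in self.blacklist_ext:
            return "BLOCK"                  # blacklisted extensions are always blocked
        if ext and ext not in self.whitelist_ext:
            # Extension-less browser cache files fall through to ALLOW.
            return "BLOCK" if self.mode == SUPER_SAFE else "WARN"
        return "ALLOW"

    def check_registry(self, program: str, key: str) -> str:
        """Registry writes are allowed only for Special Programs or a matching entry."""
        program, key = program.lower(), key.lower()
        if program in self.special_programs or (program, key) in self.special_registry:
            return "ALLOW"
        return "BLOCK"


def edgemdm_scenario() -> dict:
    """Replays the '.pbk' case from the text: blocked until EdgeMdm is made 'Special'."""
    policy = FrpPolicy(mode=SUPER_SAFE, special_folders={r"c:\users\me\download"})
    before = policy.check_file("EdgeMdm.exe", r"C:\ProgramData\Edge\profile.pbk")
    policy.special_programs.add("edgemdm.exe")   # the fix recommended on the panel
    after = policy.check_file("EdgeMdm.exe", r"C:\ProgramData\Edge\profile.pbk")
    return {"before": before, "after": after}
```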

 

'Special Programs' can also be added manually, before an operation has been blocked, e.g. when you have installed a new program:

Add Special Program

 

A password can be set to prevent access to important EMB panels for unauthorized persons:

Set Password

A detail for technically minded readers: the same security measure for passwords as used by e.g. banks applies: the password itself is NOT stored, only its MD5 hash is.

 

Network Application Control Panel (Firewall)

The Network Application Control (NAC) panel (Firewall) lists applications and their Internet access statuses and more:

NAC Panel

Modules without a company and/or description should be treated as suspicious and verified with a search engine.

 

Current network connections are shown at a single click:

Current Connections

No unknown programs are listed on this panel.

 

Would you like to know if a keylogger is installed on your computer? Here is the answer:

Summary

It needs a bit of interpretation, so not everybody will be able to tell, but computer experts will.

 

A red popup is shown when an application unknown to EMB has been launched. 'Alien' modules loaded with it are listed too:

Red Popup

There is no reason to grant this text editor access to the Internet, even though the loaded module is made by a trusted company.
The listed app loads some other modules not listed here which can, at least theoretically, access the Internet (text on the popup: '...but it most likely has the capability to access the Internet'). Version 3 of EMB is not able to block them. Security-minded people had better not use this text editor while there is a connection to the Internet.

 

A variation of the red popup is shown when a module with status 'block' has been loaded with an application that had status 'allow':

Statuschange Popup

As the module seems to be from a big company, it can be given Internet status 'Allow' on the NAC panel, and the program can be given Internet status 'Allow' again.

 

If your computer is 'clean' you most likely will never see a yellow popup.
A yellow popup is shown when an unknown module has been loaded with an application that has the (Internet) status 'allow':

Yellow Popup

The loaded module is NOT from a big company, so you have to check whether
- it could be a toolbar from a program you know. Be cautious with any loaded modules: they could access the Internet too and send your personal data!
- it is a module from a company you don't know, including '(na)': block it!

If in doubt: Block the module (and therefore the listed program too) from accessing the Internet!

On the NAC panel you have the option to rename the listed module. That has the same effect as deleting it, but the operation can easily be reversed.

 

And finally, a blue popup is shown when an application has been launched by another application (and NOT by a system program like 'explorer', as usual) or, in very rare cases, e.g. by an office program or a (possibly malicious) PDF file.
The chance that ordinary users see this popup is very small.

Blue Popup

'SpeedCommander' is a trusted file manager. It is allowed to launch any program.

 

System Tools

AutoStart

About 500 files loaded at boot are listed. New, deleted and modified entries can all be seen on the same panel:

AutoStart Panel

Computer experts can see if malicious programs are being started at boot.

 

Delete Traces

Delete traces of surfing the Internet for the four most common browsers, clean up Temp files and delete difficult-to-remove malware:

Delete Traces

 

For Internet Explorer, cookies can be deleted selectively:

IE Cookies Panel

Keep the ones you need and get rid of all the rest at a click of a button!

 

Last Files Written

This can be used to double-check the correct functioning of EMB, or after EMB was temporarily disabled or not running.

Last Files Written

This program is pretty fast: The whole partition C: with about 100 programs installed was searched in less than a minute!

 

Diagnostic Panel

Shows important Registry entries at a glance.

Diagnostic Panel

Other big-brand AV programs are NOT able to detect whether e.g. Safe Boot is possible or not!

 

Watchdog

The Watchdog periodically checks if EMB is still running and if the current FRP Mode is adequately protecting your computer.

EMB Watchdog

 

EMB Uninstaller

The EMB Uninstaller has two modes: 'Install':

EMB Uninstaller

 

... and 'Analyze' (for computer experts only):

EMB Uninstaller

 

The EMB Uninstaller is able to make its own uninstaller file! The sample below shows the uninstall information for a newly installed program:

EMB Uninstaller

Files and Registry entries printed in bold red are very suspicious. Is it really necessary that this unlocker program installs a driver (a file with extension '.sys'; drivers can be rootkits too!)?
The author of EMB does NOT recommend using this program, so it's probably best NOT to start such a program and to uninstall it immediately!

 

EMB Test Program

This program tests the most important functions of EMB:

EMB Test Program

The name of this program can easily be changed to test other browsers too, and also to simulate a malware program!

 

Last modified: July 6, 2010.

End of Short Introduction to EMB