EasyMalwareBlocker - File System Monitor

Q: What is the File System Monitor's job?

A: Depending on the mode, the File System Monitor (FSM) blocks executable files which are written to the hard disk either by the browsers or by any (known or unknown) user program. (For the technically minded: the blocking is done at driver level, not by a user-mode program that could simply be closed.)

Q: How do I best setup the FSM?

Quick A: For newbies the best mode is 'Safe Mode (Blacklist)'.
For experts the best mode is the safest one: 'Super Safe Mode (Whitelist)'. In most cases that mode requires some tweaking of the FSM settings.

How does the File System Monitor work?

General

In modes 1) and 2) blocking applies only to files written by the three most common browsers (Internet Explorer (versions 6 and 7), Firefox and Opera). When none of these three browsers is running the FSM has virtually no function (it only protects its own folders).

In modes 3) and 4) blocking applies to ALL executable files written anywhere on the hard disk by any user program. However, third-party file managers, backup programs, compilers, etc. can be put in the 'Special Programs' list on the FSM panel; programs in this list are allowed to write any files. Likewise, any files can be written into the folders listed in 'Special Folders'.
Some rules apply to Internet Explorer (IE) version 7 only. In 'Drive-By-Block (Blacklist) Mode' or 'Safe Mode' all kinds of files, including potentially dangerous ones, are allowed to be written into the Internet caches of the three browsers, so the caches are an exception to the blocking rules. When an executable file is started from the cache, IE 7 will warn you.
From the point of view of EMB's rules the old version 6 of Internet Explorer is somewhat safer than the new version 7.
Note: It is possible to go back from IE 7 to IE 6 by uninstalling IE 7; the result is IE version 6.

For the next paragraphs you need to be familiar with the terms 'Blacklist' and 'Whitelist'; they are explained in the section on the pros and cons of the Whitelist and Blacklist modes further down this page.

The FSM works in six different modes:

1) Drive-By-Block Mode (Blacklist, black icon with 'D'), default

All executable files written by the browsers Internet Explorer, Firefox or Opera are blocked, unless they are written into one of the folders in the 'Special Folders' list. Any files can be written into these folders. The main purpose of this list is to allow downloading programs from the Internet into precisely this folder or these folders. If you download into a folder which is NOT in this list, executable files cannot be downloaded: they will be blocked.
Note: Non-executable files like movies, pictures, plain text files, etc. can be downloaded into any folder.
This mode is the easiest to use; however, all other Blacklist or Whitelist modes offer more protection. No settings are required, except for downloading programs from the Internet: you have to specify a download folder and select it when you download programs (or any other executable files), otherwise the downloaded file will be blocked by the FSM.
As the name of this mode implies, it blocks the malicious programs which are typically copied and installed clandestinely while you surf the Internet ('drive-by' downloads). This kind of threat is becoming more and more common. You can download programs (file extensions .zip, .exe, .msi, etc.) and also install them in this mode.
You can add more file extensions: files with extensions added by the user are always blocked, in the same way as the default ones. (File extensions which are in the Whitelist can NOT be put in the Blacklist.)
Notes:
a) You are NOT protected from attacks on listening ports (in case there are any because EMB has not been set up properly or as recommended).
b) In case your email provider allows potentially dangerous attachments (most of the big ones like Hotmail, Gmail, Yahoo, GMX, etc. don't, but many smaller ones unfortunately do) and you open such an attachment there is NO protection: if it is malware indeed, it can install itself without any problem.
This is the default mode after EMB has been installed. It is NOT really recommended for general surfing: if you do not experience problems with 'Safe' or 'Super Safe' mode, use one of these safer modes instead.

2) Drive-By-Block Mode (Whitelist, white icon with character 'D')

All files written by the three browsers whose file extension is NOT listed in the Whitelist (about 80 extensions) are blocked, unless the exception rules apply (Special Folders).
This mode is a bit safer than mode 1); most of the statements made there apply here too.
You can add more file extensions in case harmless files which are not in the default list are blocked: files with extensions added by the user are never blocked. (File extensions which are in the Blacklist can NOT be put in the Whitelist.)

In this mode the FSM sometimes falsely blocks files which should not be blocked while you surf the Internet. Follow the instructions given on the 'Blocked Files' panel to avoid blocking these files (you can either put the file extension(s) of the blocked file(s) on the 'Editable List' or put the program which wrote the files in the 'Special Programs' list). Before you whitelist an extension, make sure it is not one that Windows runs as a program or script, otherwise the new entry simply opens a hole in the protection.
If that is too complicated for you, please switch the FSM to 'Safe Mode (BL)', which is safer than this mode; the problems with falsely blocked files should disappear too.

Note: Downloading executable files, e.g. programs, and updating any program, including Windows XP, is NOT possible in this mode.

3) Safe Mode (Blacklist, black icon with character 'S')

All executable files written by any program are blocked.
You can add more file extensions: files with these extensions are always blocked unless they are written into one of the folders listed in the 'Special Folders' list or the program which writes them has been put manually in the 'Special Programs' list on the FSM panel. (File extensions which are already in the Whitelist can NOT be put in the Blacklist.)

This mode is recommended for people with limited or no knowledge of computer fundamentals, especially the file system. In this mode the FSM should not falsely block any files, yet it is quite safe.

Note: Updating any program, including Windows XP, is NOT possible in this mode.

4) Super Safe Mode (Whitelist, white icon with character 'S')

This is the safest mode. All files whose file extension is NOT listed in the Whitelist (about 80 extensions) are blocked when written to the hard disk by any program, unless they are written by the System, into one of the folders listed in the 'Special Folders' list, or by a program which has been put manually in the 'Special Programs' list on the FSM panel.
You can add more file extensions: files with extensions added by the user are never blocked. (File extensions which are in the Blacklist can NOT be put in the Whitelist.)

In this mode the FSM sometimes falsely blocks files which should not be blocked. Follow the instructions given on the 'Blocked Files' panel to avoid blocking these files (you can either put the file extension(s) of the blocked file(s) on the 'Editable List' or put the program which wrote the files in the 'Special Programs' list).
If that is too complicated for you, please switch the FSM to 'Safe Mode (BL)'. That mode is still quite safe, and the problems with falsely blocked files should disappear.

Note: Downloading executable files, e.g. programs, and updating any program, including Windows XP, is NOT possible in this mode, for security reasons.
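The four protection modes above, together with the 'Special Folders' and 'Special Programs' exceptions described later on this page, amount to a small decision procedure: which program is writing, where, and with which extension. The following is an added illustration of that procedure written for this page; it is not EMB's own code, and the default extension lists, the Internet cache path, the helper names and all sample paths are assumptions. It also shows two points the page makes in passing: a file with no extension is never blocked, and root folders and the Windows folder are refused as Special Folders.

```python
"""Model of the EasyMalwareBlocker File System Monitor (FSM) write policy as
described on this page.  Added illustration only, not EMB's own code: the
default extension lists, the cache path and all sample paths are assumptions."""
import ntpath
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DRIVE_BY_BLOCK_BL = 1   # browsers only, Blacklist
    DRIVE_BY_BLOCK_WL = 2   # browsers only, Whitelist
    SAFE_BL = 3             # every program, Blacklist
    SUPER_SAFE_WL = 4       # every program, Whitelist
    INSTALL = 5             # no protection
    DISABLED = 6            # no protection


BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
# Assumed defaults: the page names only .exe/.msi/.zip and says the real
# Whitelist holds about 80 extensions.
DEFAULT_BLACKLIST = {".exe", ".msi", ".zip", ".bat", ".cmd", ".scr", ".dll", ".vbs", ".js"}
DEFAULT_WHITELIST = {".txt", ".htm", ".html", ".css", ".gif", ".jpg", ".png",
                     ".pdf", ".avi", ".mp3", ".doc", ".xls", ".ppt"}
# Assumed IE cache location on XP; the page says caches are exempt in the Blacklist modes.
DEFAULT_CACHE = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files"


def _norm(path):
    # ntpath handles Windows paths on any host; normpath also collapses "..".
    return ntpath.normpath(path).lower()


def _under(path, folder):
    return path == folder or path.startswith(folder.rstrip("\\") + "\\")


@dataclass
class FsmConfig:
    mode: Mode
    blacklist: set = field(default_factory=lambda: set(DEFAULT_BLACKLIST))
    whitelist: set = field(default_factory=lambda: set(DEFAULT_WHITELIST))
    special_folders: set = field(default_factory=set)
    special_programs: set = field(default_factory=set)
    cache_folders: set = field(default_factory=lambda: {_norm(DEFAULT_CACHE)})

    def add_blacklist_ext(self, ext):
        if ext.lower() in self.whitelist:   # page: a Whitelist entry cannot be blacklisted
            raise ValueError(f"{ext} is on the Whitelist")
        self.blacklist.add(ext.lower())

    def add_whitelist_ext(self, ext):
        if ext.lower() in self.blacklist:   # and vice versa
            raise ValueError(f"{ext} is on the Blacklist")
        self.whitelist.add(ext.lower())

    def add_special_folder(self, folder):
        folder = _norm(folder)
        _, tail = ntpath.splitdrive(folder)
        if tail.strip("\\") in ("", "windows"):   # page: roots and C:\Windows are refused
            raise ValueError("root folders and the Windows folder cannot be Special Folders")
        self.special_folders.add(folder)

    def add_special_program(self, exe):
        self.special_programs.add(exe.lower())


def decide(cfg, path, writer):
    """Return (blocked, reason) for program `writer` writing the file `path`."""
    if cfg.mode in (Mode.INSTALL, Mode.DISABLED):
        return False, "mode offers no protection"
    writer = writer.lower()
    if cfg.mode in (Mode.DRIVE_BY_BLOCK_BL, Mode.DRIVE_BY_BLOCK_WL) and writer not in BROWSERS:
        return False, "Drive-By-Block modes monitor only the three browsers"
    if writer in cfg.special_programs:
        return False, "writer is a Special Program"
    path = _norm(path)
    if any(_under(path, f) for f in cfg.special_folders):
        return False, "target is inside a Special Folder"
    blacklist_mode = cfg.mode in (Mode.DRIVE_BY_BLOCK_BL, Mode.SAFE_BL)
    if blacklist_mode and any(_under(path, c) for c in cfg.cache_folders):
        return False, "browser cache is exempt in Blacklist modes"
    ext = ntpath.splitext(path)[1]
    if not ext:
        # The policy is extension-based: a file without an extension is never inspected.
        return False, "no extension: always passed through"
    if blacklist_mode:
        blocked = ext in cfg.blacklist
        return blocked, f"extension {ext} is {'' if blocked else 'not '}on the Blacklist"
    blocked = ext not in cfg.whitelist
    return blocked, f"extension {ext} is {'not ' if blocked else ''}on the Whitelist"


if __name__ == "__main__":
    cfg = FsmConfig(Mode.DRIVE_BY_BLOCK_BL)
    cfg.add_special_folder(r"C:\Downloads")
    for p in (r"C:\Downloads\setup.exe", r"C:\Downloads\..\Windows\evil.exe", r"C:\temp\dropper"):
        print(p, decide(cfg, p, "firefox.exe"))
```

Two details are worth noting. Paths are normalised before the Special Folder test, so a write to 'C:\Downloads\..\Windows\evil.exe' is judged as a write to the Windows folder and blocked; a real driver must do the same, otherwise the download folder becomes a way around the policy. And because the decision rests on the extension alone, an extensionless drop passes in every mode, which is exactly the gap the Whitelist section below points out.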

5) Install/Uninstall Mode (violet icon)

There is NO protection at all in this mode. Use it only for installing, uninstalling and repairing programs. Switch back to one of the modes 1) .. 4) immediately when you are done with this kind of operation, especially when a connection to the Internet is established.
Hint: In case you were using this mode while connected to the Internet, it is recommended to run 'Last Files written' on the 'Options' panel shortly after you have changed back to one of the modes 1) .. 4). Check carefully for files which might NOT have been written by the program you installed.
Note: This mode is not yet supported.

6) Disabled Mode (red icon)

There is NO protection at all in this mode. It is NOT recommended to use this mode for a long period of time, only for emergencies when problems with new installations, updates, etc. occur.
Hint: As for mode 5), in case you were using this mode while connected to the Internet, it is recommended to run 'Last Files written' on the 'Options' panel shortly after you have switched back to one of the modes 1) .. 4). Check carefully for files which might NOT have been written by the program you installed or updated.
Note: When you exit EMB the FSM is effectively in Disabled mode too.
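The hint for modes 5) and 6) asks you to review what was written to disk while the FSM was off. The following is an added example of that review, not EMB's 'Last Files written' feature itself: it walks a folder tree, lists files modified since a given time, and flags executables that landed outside the folder the installer was expected to use. The extension list and the sample tree it builds are assumptions constructed for the example.

```python
"""Added example (not EMB's code): a stand-in for the 'Last Files written'
check recommended after Install/Uninstall or Disabled mode.  It lists files
modified since a given time and flags executables that landed outside the
folder the installer was expected to use.  The extension list and the sample
tree are assumptions constructed for the example."""
import os
import tempfile
import time

EXECUTABLE_EXTS = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd", ".vbs", ".js", ".sys"}


def last_files_written(root, since, expected_dirs=()):
    """Return [(path, mtime, flagged)] for files modified at or after `since`
    (epoch seconds), newest first.  `flagged` is True for an executable
    extension written outside every folder in `expected_dirs`."""
    expected = [os.path.normcase(os.path.abspath(d)) for d in expected_dirs]
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:          # file vanished or unreadable: skip, do not abort
                continue
            if mtime < since:
                continue
            norm = os.path.normcase(os.path.abspath(path))
            inside = any(norm == d or norm.startswith(d + os.sep) for d in expected)
            executable = os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS
            found.append((path, mtime, executable and not inside))
    found.sort(key=lambda entry: entry[1], reverse=True)
    return found


def suspicious(root, since, expected_dirs=()):
    """Only the flagged paths: what to inspect first after an unprotected install."""
    return [p for p, _, flagged in last_files_written(root, since, expected_dirs) if flagged]


def build_sample_tree():
    """Construct a throwaway tree (sample data for this example) mimicking an
    install that also dropped a DLL into the system folder.  Returns
    (root, app_folder, since)."""
    root = tempfile.mkdtemp(prefix="fsm_audit_")
    app = os.path.join(root, "Program Files", "NewApp")
    sys32 = os.path.join(root, "Windows", "system32")
    os.makedirs(app)
    os.makedirs(sys32)
    now = time.time()

    def touch(path, mtime):
        with open(path, "w"):
            pass
        os.utime(path, (mtime, mtime))

    touch(os.path.join(app, "newapp.exe"), now)              # expected
    touch(os.path.join(root, "readme.txt"), now)              # new but not executable
    touch(os.path.join(sys32, "old.dll"), now - 30 * 86400)   # predates the install
    touch(os.path.join(sys32, "svchost32.dll"), now)          # new, outside the app folder
    return root, app, now - 600


if __name__ == "__main__":
    root, app, since = build_sample_tree()
    for path, mtime, flagged in last_files_written(root, since, [app]):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)),
              "CHECK" if flagged else "     ", path)
```

On a real system you would pass the drive root (or the Windows and Program Files folders) as `root`, the time you switched to mode 5) or 6) as `since`, and the installer's target folder as the expected directory. Modification times can be set by malware, so a file that is absent from the list is not proof that nothing was dropped; the list is a first pass, not an alibi.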

Q: What are the pros and cons of Whitelist and Blacklist modes in the File System Monitor?

I) Whitelist Modes

When it comes to security and protection level, Whitelist Modes are safer than Blacklist Modes. Only files with extensions found in the Whitelist are processed normally (i.e. NOT blocked); all files whose extension is NOT found in the Whitelist are blocked. (Files with NO extension are always passed through: the FSM decides by extension only, not by file content. Note: file extensions are NOT shown by default in Windows XP; to see them, clear 'Hide extensions for known file types' in the Folder Options of Windows Explorer.)

Q: Under what circumstances is it beneficial to choose 'Super Safe Mode'?

A: 'Super Safe Mode (Whitelist)'* is the appropriate mode only if:
- you do NOT experiment with any kind of NEW programs, whether downloaded from the Internet or installed from CD/DVD, etc. That also applies to any kind of new games.
- you have the Windows XP option "Automatic Updates" disabled and you also do NOT allow other programs installed on your computer to update themselves automatically.
- you have at least some basic knowledge about computers.
If in doubt select one of the Blacklist Modes; it is safer to select 'Safe Mode (BL)' than 'Drive-By-Block (BL) Mode'.

*Some websites use JavaScript for their links. Reading mail in Hotmail.com does NOT work in any of the Whitelist Modes, so as a quick fix please use one of the Blacklist Modes for this particular website and for other well-known websites which use JavaScript too. You can also put the '.js' file extension on the editable Whitelist. Be aware that a downloaded .js file is a script which Windows runs when it is opened, so whitelisting it widens what the FSM lets through; the temporary switch to a Blacklist Mode is the more conservative of the two fixes.

Q: What happens if I choose any Whitelist Mode and some programs update themselves automatically?

A: It is possible that some of those programs end up in an undefined state and have to be re-installed. If Windows XP updates get blocked the system won't crash.

Bottom line: If you as an individual home user, or the employees in your company, use the same programs all the time and all kinds of automatic updates are disabled, then 'Super Safe Mode' suits you perfectly.

II) Blacklist Modes

Pro: Easy to use, especially for users with no basic knowledge about computers.
Con: NO full protection in 'Drive-By-Block Mode (BL)', as already mentioned.

Q: Why does the File System Monitor of EMB have Whitelist AND Blacklist Modes?

A: As stated above the FSM is safer in the Whitelist Modes than in the Blacklist Modes. If no exotic programs are installed, the FSM running in a Whitelist Mode should NOT block any files which are supposed to pass. When any kind of file is copied, moved, renamed or deleted by the Windows (File System) Explorer (NOT to be confused with Internet Explorer, which is a different program) all these operations work normally.
However, when files are blocked while surfing the Internet and you don't know exactly what to do to resolve the problem, you can switch to either of the two Blacklist Modes. In these modes only known executable files are blocked.

Q: How do 'Special Folders' on the FSM Panel work?

A: All files and subfolders in a folder which has been added to this list are NOT monitored by the FSM, and therefore all kinds of files, including potentially dangerous ones, may be written into them. (The root of partition 'C:\' (and all other root folders) and 'C:\Windows' are NOT permitted, because in most cases the Windows operating system resides on this partition and most malware tries to copy and install itself into that partition or into the 'Windows' folder.)
Examples:
1.) It is recommended to specify the 'Downloads' folder as a 'Special Folder', into which any files, including executable ones (e.g. programs), can be downloaded (written).
2.) In case you are a program developer you can specify the main folder in which your executable files are generated as a 'Special Folder'.

Q: How do 'Special Programs' on the FSM Panel work?

A: In case you are using file managers, file synchronizers, backup programs, etc., you have to put their names in this list, otherwise copy, move or rename operations which involve executable files will be blocked. Keep this list short: a program on it may write any file anywhere, so it is exempt from the FSM completely.

Q: How are Microsoft Word, Excel and Powerpoint Files treated in EMB?

A: All files created by these Office programs on your computer can be written without problems.

Sometimes normally harmless files with the extensions *.doc (Word), *.xls (Excel) or *.ppt (PowerPoint) can become dangerous when they contain so-called macros. Most of the time these macros are harmless too, but in rare cases they can be dangerous.

In case files with these three extensions (among others) are downloaded from the Internet or arrive as email attachments, EMB's FSM blocks them by default (they are NOT blocked if you create them yourself on your computer). To stop the FSM blocking such files you can either manually put ".do" and ".xl" into the Whitelist or copy files with these extensions into a Special Folder. For security reasons, please create either a new folder on a partition other than C: (if available) or a subfolder in the main folder "Documents and Settings", and do NOT simply use the main folder "Documents and Settings" itself.

Screenshot of the File System Monitor in 'Safe Mode'

[Image: EMBFSMSceenshot.png]