An in-depth look at the Emsisoft scanner technology (blog post)
Carla Jerez
A good antivirus product can seem like modern day magic. It lurks quietly in the background and, through some sort of technical sorcery, is able to keep your data safe and neutralize digital threats as you wander the web.
While you’re probably familiar with how to use the Emsisoft Anti-Malware scanner thanks to our video tutorials, exactly how the technology works may be a bit more of a mystery.
Well, look behind the scenes and you’ll find a dedicated team of developers working hard to ensure everything runs smoothly. Let’s pop the hood and dive into the underlying technology that drives all Emsisoft products.
1. Two scan engines are better than one
Part of what gives our scanner its advanced detection power is its dual engine system. Comprised of Emsisoft’s proprietary scanner as well as a Bitdefender scanner, a two-pronged approach to detection minimizes the chances of malware slipping past your system’s defenses. This powerful pairing of antivirus technology allows us to keep ahead of the curve and makes Emsisoft Anti-Malware incredibly effective at combating all types of malware, including trojans, worms, keyloggers, ransomware and more.
Advanced signature-based detection
The engine we have built complements the second Bitdefender engine, and they are combined seamlessly to maximize efficiency.
One of the ways we detect unwanted programs is through signature-based detection. What this means is that we search programs for their unique signatures, which are like fingerprints, and scan your computer for these threats.
Here at Emsisoft, most of our lab time is spent creating detection signatures for PUPs (potentially unwanted programs) and on custom malware removal code for specific infections. We ran some numbers a while ago and discovered that more than 74% of the total detected PUPs are detected by our in-house built scan engine component.
Maximizing performance with a dual engine scanner
Having two engines means we are better equipped to provide new signatures for threats as quickly as possible — so quickly, that often times both vendors have signatures made for the same threat within the hour!
These engines are built to complement each other, so you don’t have to worry about redundant functionality. The files on your hard disk are only read once and then scanned by both engines. This ensures that there is no significant scan time loss, even though we use two engines. It’s no coincidence that our dual engine scanner works faster than many big brands use a single engine!
So how does information translate to your own practical use?
Simple: all detections with an (A) postfix are from our own engine and those with (B) are from Bitdefender.
In a nutshell: We believe two engines are better than one, and we use our own technology to detect threats to your computer that might otherwise be missed. But we won’t compromise efficiency in this process — Emsisoft works to keep your memory clean and uncluttered, and to detect threats at optimal speeds. To see some numbers about the real power of the second scan engine in our products, please see this article.
2. Available scan methods
Here is a quick rundown of the scan methods available in Emsisoft Anti-Malware and Emsisoft Emergency Kit:
EN-scan types
Quick Scan
Quick Scan quickly gives you an overview of any active infections on your computer. It does so by scanning through all running programs and their modules. Quick Scan also completes something called a “trace scan.” Traces are known file and registry- paths of malware infections. In simpler terms, it’s an antivirus scan that looks for a trace left behind by malware in order to locate it.
We recommend a Quick Scan for automated/scheduled scans after boot or on user logons. It generally takes about thirty seconds to complete, so you don’t have to worry about it interrupting your day!
Malware Scan
The Malware Scan is similar to the Quick Scan, but it scans files in all folders that are known to host active malware infections. Our scanner identifies about a hundred common areas where malware likes to strike. One advantage here is that malware is really predictable in where it chooses to install — but don’t think the Emsisoft team is complacent! Our analysis team is constantly moving forward to detect new common areas, and they’re able to update software within minutes to keep your Emsisoft applications up to date.
We recommend a Malware Scan as the default scan when you suspect an active infection on your system. The malware scan does not detect inactive malware files, but luckily inactive files are non-active threats. These files can simply be deleted with the stroke of a key.
Custom Scan
By default, Custom Scan performs a complete, full scan. Use this option if you want to do a very thorough malware search and scan all files on all drives of your computer. The Custom Scan takes a significant amount of time to complete, and it isn’t recommended for frequent or daily use. It’s the kind of scan you should run a few times a year to be absolutely sure nothing is hiding around on your computer.
3. Advanced scanner features
One of the great features of a custom scan is that you can control your scanning settings. If you look at the custom scan settings dialog you’ll see all of your options. Some of them are enabled by default and others aren’t. Knowledge is the key to knowing what you need and what you don’t, but we have the best options selected for the everyday user. We’ll detail the options below so that you can familiarize yourself with what may or may not be appropriate for your scanning needs.
EN-advanced scanner features
Scan memory for active Malware
Rather than focusing on scanning files on the harddisks, the memory scan enumerates all active programs – including all their loaded DLLs and other components – and scans them first. The scan typically completes within fractions of a second.
Scan for Malware Traces
As the name implies, a trace scan is a scan that looks for traces that malware has left behind. There are three main types:
File traces: These are known paths of executable files on the hard disk that are used exclusively by malware. They exist alone in the hard drive, independent of any other program’s folders.
Example: C:\windows\explore.exe (may be mixed with exploreR.exe)
Folder traces: These are similar to file traces, but exist inside the folders of other common applications, like a Google Chrome settings folder.
Example: c:\program files (x86)\PUP Folder\
Registry traces: These are entries in the system registry database that indicate a malware infection. A registry trace points to an infection inside the actual settings of the computer. These are the most dangerous traces, and the related virus may significantly slow down the speed of your computer.
Example: HKLM\Software\Windows\CurrentVersion\Run
It’s important to note that if a malware trace is detected, it doesn’t necessarily mean that there is an active infection. It may well be leftovers from a previous, incomplete cleaning attempt. Trace infections are an indication that you need to investigate further.
Generally when there is an active infection, traces are typically found next to file findings. You can clean them at any time.
Detect Potentially Unwanted Programs (PUPs)
For legal reasons, we can’t call all unwanted programs “malware” in our user interfaces. The term PUP was invented by the antivirus industry several years back, which stands for Potentially Unwanted Program. Generally, PUPs exist to get their creators some extra cash by displaying ads, changing your default search engine provider, or collecting private data to sell to advertisers.
Scan in compressed archives
Compressed archives are files that contain a number of other files and shrink their size. Some common examples are ZIP, RAR, or 7Z, but there are hundreds of other less known compressed archives. Even an EXE program may actually be a self-extracting archive, meaning it contains other files (generally this is for more efficient data transferring).
A malware file can’t directly start from within a compressed archive – it needs to be unpacked first. Because of this, archives aren’t typically considered dangerous on their own. As a result, many scanners exclude archives from scanning or limit archive scanning to files of a certain size.
Unpacking archives is incredibly time consuming and takes up a lot of system resources. You may disable the archive scan feature if you already understand what’s happening within your own archives and are confident that there isn’t a possibility of infection.
Scan in email data files
Local email client programs typically save all emails in one large database file. If this scanner option is enabled, Emsisoft Anti-Malware will try to extract all individual files from email attachments and scan them for infections. Supported email clients include Outlook, Thunderbird, The Bat! and more.
Scan in NTFS alternate data streams
In 1993, with the introduction of NTFS (New Technology File System) as the default file system of Windows NT (predecessor of 2000, XP, 7, 8, 10, etc.), a new feature called Alternate Data Streams was introduced. Files were now able to store metadata in hidden layers.
Unfortunately, these streams can also be used to store other types of harmful data, such as complete malware programs — and all within a 0 byte text file.
Fast forward to today, and a harmless looking file extension may contain dangerous code that can be started automatically via autorun registry keys.
When the NTFS Alternate Data Streams scan option is enabled, the scanner searches all data layers for hidden threats.
File extension filter
With the file extension filter you can limit the number of scanned files based on their file type. Many file types cannot be used to host dangerous code, so many people might initially think it’s a waste of time to scan certain files.
For example, all executable Windows files start with the byte sequence “MZ” which tells the operating system that the file can be run by the computer. Checking these byte sequences (or “magic bytes”) is a reliable method, and almost as fast as simply checking the file extension itself.
But it’s important to note: there’s a very good reason why this feature is actually disabled in the default settings. This is because the scanner doesn’t just look at the type of file extension by name, but looks for specific file type markers inside of the file. File extensions can be easily changed to fool a scanner, but the content can’t.
Scanner settings
EN-scan settings
When viewing the Scan area of the software, you’ll see a section called “Scanner settings”. If you click on it, you’ll find global advanced scanner settings:
Detect Potentially Unwanted Programs (PUPs)
This option defines whether PUP detection should be included in all scans or not.
Performance impact
Here you can decide whether you want the Emsisoft scanner to use all your available hardware resources to make scans as fast as possible, or reduce the available resources for threat scans in order to keep all your main programs working as fluidly as possible.
On scan completion
Define the defaults for what should happen when a scan has finished without you attending the action. The available options are self explanatory:
Report only (default)
Report only + computer shutdown
Quarantine detections
Quarantine detections + computer shutdown
4. Productivity features
Context menu scan in Explorer (Not available in Emsisoft Emergency Kit)
The web is teeming with malware just waiting to get inside your system. But a context menu scan can act as a great preventative method to contracting viruses in the first place.
Emsisoft Anti-Malware comes with a useful Windows Explorer integration that can save you a lot of time if you’re performing frequent scans. Just right-click on any file or folder in Explorer and select the option “Scan with Emsisoft Anti-Malware” in the context menu to start your custom scan.
Commandline Scanner
A commandline scanner is best suited to professionals who don’t need a graphical user interface to perform their scans. If you’re unsure of what this means, don’t worry! This isn’t a program that you’ll need.
The Emsisoft Commandline Scanner is a complete commandline interface that includes all features of the Windows-based scanner. It’s primarily used for automated scans initiated by other programs or scripts which require a return value for further processing. Learn more about the available parameters of the command line scanner here.
5. Cleaning infections
Detecting an active threat is just one part of the journey to a clean computer. Cleaning is actually a more difficult process than finding PUPs, because malware works hard to avoid being removed. Here are a couple of cleaning prevention mechanisms that malware uses to lodge itself in your computer:
Lock the file
Some malware is able to lock a file. If a file is locked, it can’t be deleted. Locks can be achieved by ensuring a program is always running.
Watchdogs
This is an infection method in which malware comes in a pair of programs. If you kill one program, the other will notice and restart immediately. If you kill the second, the first one restarts, and so on.
Autorun as system component
Some threats load themselves into programs that your operating system automatically runs (autoruns) when you start your computer. If you try to kill them, you’ll get the dreaded blue screen, and everything will stall. If you remove the autorun entry, the malware recovers instantly.
How Emsisoft cleans infections
To cope with these malware tricks, we have developed our own sophisticated cleaning engine. It cleans about 100 locations in the registry and file system that can be abused to automatically load malware on system startup.
If a file is locked, our cleaning engine schedules its removal for the next system boot up, using a method that prevents the malware from re-locking the file. Additionally, our engine restores default values of a number of autorun locations that would render the system unusable if you were to just delete the malware entries. During removal, a quarantine copy of each threat is saved for later analysis or restoration (unless you select the “delete” option instead of “quarantine”).
So what does it mean when a file is in “quarantine”? It means that a file is wrapped in an encrypted, secure container file where it cannot do harm to other files and applications on your system. We always recommend using the quarantine feature because there is a small chance that the file that was detected is harmless (a false positive), or that the file might be necessary for further investigation or forensics. You may delete quarantine files after a couple of weeks if it turns out that the file is in fact harmless.
Scanning and cleaning files on network shares
While it is possible to scan files on network shares that are located on other machines, we don’t recommend that at all. It might save you a bit of time, but please be aware that scanning remote files has some serious limitations by design:
Memory and trace scans are not possible, as they require operating system APIs that can only be accessed locally.
Cleaning is not possible at all, because removing a detected active malware file without removing its accompanying autorun entries would most likely crash the computer and leave it in an unbootable state.
Always scan and clean locally. If you don’t want to install our software for a one-off job, go for the Emsisoft Emergency Kit scanner, which is fully portable and doesn’t require any installation.
Whether you’re an antivirus expert or a casual internet browser, we hope this information will help you understand exactly how Emsisoft’s top of the line technology is working to protect your computer from malware.
Have a great, malware-free day!
Like this project
Posted Jan 2, 2024
Emsisoft is an award-winning anti-malware and anti-virus company based in Austria. I wrote cybersecurity tips, news, and reports for their B2C blog.
Likes
0
Views
9
