21.02.2015, 00:22
Hi,
I hope I am posting this in the correct place, however on other forums I keep reading posts about people receiving BSOD crashes and having performance issues. I will try and share my knowledge to help answer why this occurs.
Why may Blue Screen of Death crashes occur when using Emsisoft Internet Security?
Same as advanced and sophisticated rootkits, security products should take advantage of what you can call kernel-mode (Ring 0). This is where a kernel-mode driver is loaded. When one of your standard programs crashes (running in user mode - ring 3), just that program will crash and end up closing - usually Windows will show an alert asking to find a solution about it, etc. However, when you're in kernel-mode, the lowest level available, when a crash occurs it will result in a BSOD crash. However, in kernel-mode, you can do A LOT and you have so much control. This is why rootkit developers tend to appreciate kernel-mode. It allows them to hide processes from process monitors, hide files on the system, prevent files from being removed on the system, protect a user-mode program from being terminated on the system. This is another reason why Antivirus developers like it - they can protect their user-mode developed services from being attacked by malware through hooking and using kernel-mode callbacks (SSDT hooking on 32-bit and callbacks on 64-bit, however a lot of things in kernel-mode are undocumented officially...). When Emsisoft Anti-Malware or Internet Security encounters an "unhandled exception" in the kernel-mode drivers, this will result in a BSOD. Looking at the error message on a BSOD crash may help you have an idea, and using such tools to create logs of what happened, if possible.
Why may there be performance issues?
Simply because it is monitoring what a process does - the behaviour blocker is very advanced. Emsisoft also injects a DLL into every currently running process on the system and newer creations (it could monitor process creations through hooking CreateProcessInternalW, using a callback in kernel-mode to PsSetProcessCreationNotifyRoutine and other ways). This DLL can use advantages like API hooking to monitor what a process does, which may distinguish and be able to classify a variant based on its behaviour and alert the user of suspicious activity. Since a DLL is being injected in every process for this and that, it may slow things down depending on how it's done since it's intercepting the API calls and logging everything. Just an idea of what it could be doing - I do not work at Emsisoft, I could be wrong.
Cheers.
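The two symptoms the post describes (a Ring 0 driver taking the whole machine down, and a DLL injected into every process costing performance) can both be checked from the affected machine. The PowerShell below is an added example, not code from the post or from Emsisoft: it reads the BugCheck event Windows writes after a BSOD reboot, lists running kernel drivers that are not Microsoft-signed, and lists non-Microsoft DLLs loaded into a chosen process. It assumes an elevated PowerShell 5.1 or later session, and it approximates "third-party" as "signer does not contain Microsoft"; files whose Microsoft signature lives only in a catalog that Get-AuthenticodeSignature cannot resolve will also appear in the output and should be cross-checked by hand.

```powershell
# Added example (not from the original post): BSOD and injected-DLL triage helpers.
# Assumptions: elevated session, PowerShell 5.1+, "third-party" == signer not Microsoft.

function Get-BugCheckEvents {
    # After a BSOD reboot, Windows logs event ID 1001 from source "BugCheck" in the
    # System log. The message carries the stop code, its four parameters and the dump
    # path, which is the starting point for working out which driver faulted.
    param([int]$MaxEvents = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'BugCheck' } |
        Select-Object -First $MaxEvents -Property TimeCreated, Message
}

function Resolve-DriverPath {
    # Win32_SystemDriver reports paths in several kernel-style forms; normalise them
    # to something Get-AuthenticodeSignature can open.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''                     # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot            # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-SignerSubject {
    # Returns the signer subject of a file, or a marker when there is no usable signature.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate) { return $sig.SignerCertificate.Subject }
    return '<unsigned/unknown>'
}

function Get-ThirdPartyKernelDrivers {
    # Running kernel drivers whose image is not Microsoft-signed. A security product's
    # Ring 0 driver shows up here; an unhandled exception inside any of these stops the
    # whole system rather than a single process, which is the BSOD case described above.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Signer = Get-SignerSubject $path
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

function Get-ForeignModules {
    # DLLs loaded into one process that are not Microsoft-signed. A behaviour blocker
    # that injects a hooking DLL into every process is visible here, and that DLL's
    # API interception and logging is the usual source of the slowdown described above.
    param([string]$ProcessName = 'explorer')
    $proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    $proc.Modules |
        ForEach-Object {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Module  = $_.ModuleName
                Path    = $_.FileName
                Signer  = Get-SignerSubject $_.FileName
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

# Usage: run all three and compare the driver/DLL names against the stop code message.
Get-BugCheckEvents | Format-List
Get-ThirdPartyKernelDrivers | Format-Table -AutoSize
Get-ForeignModules -ProcessName explorer | Format-Table -AutoSize
```

Reading the output: if the BugCheck message names a module, match it against the driver list first; if it does not, the non-Microsoft drivers are the candidates to examine in the dump with a kernel debugger. The module list for explorer (or any other process you pass) shows which third-party DLLs are resident in user-mode processes, which is the place to look when the complaint is slowness rather than crashes.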