Regardless of its homeland, Emsisoft earned good scores in our malware protection and ransomware protection tests, though it didn’t fare well defending against dangerous and fraudulent websites. The management console, which offers comprehensive remote management, is now much easier to set up. Emsisoft is a good choice for the right customer, though not up to the standards of our Editors’ Choice antivirus products.
How Much Does Emsisoft Anti-Malware Cost?
Just under $40 per year is the most common price for standalone antivirus protection. More than a quarter of the products I follow are in that price range, among them Bitdefender, Malwarebytes, and Webroot SecureAnywhere AntiVirus. Emsisoft used to cost the same years ago, but more recently it goes for just $29.99. You can get three Emsisoft licenses for $49.99 per year, or five for $69.99.
At $59.99 per year for a single license, Norton AntiVirus Plus costs quite a bit more, though it does include spam filtering, password management, online backup, and other bonus features. McAfee looks expensive, with that same $59.99 per year subscription, but that one subscription lets you install it on every Windows, macOS, Android, and iOS device in your household.
Getting Started With Emsisoft
As with many modern security products, you begin your Emsisoft adventure by creating an online profile. From the profile you can start a 30-day free trial or enter your license code. When you launch the Emsisoft installer, it downloads the latest version of the product.
During the installation you get an interesting choice for security management. You can opt for totally local, totally remote, or a combination of the two. All-remote management is typically a business style, but you might choose it for a relative who’s not good at leaving things alone. All local is, of course, the most secure, because there’s no chance of some cyber-ninja breaking into your management console. Most users will stick with the default, allowing both local and remote configuration.
Presuming you do include remote configuration, the installer guides you to create an online workspace. Workspace names must be unique system-wide, for security reasons. The system warns if the name you’ve typed is already in use. In a fit of GoT nostalgia I decided to name my workspace Braavos. While typing in the name, I learned that “B,” “Br,” and “Bra” are already in use as workspace names.
Once the main window comes up, you’ll notice that the Protection panel briefly displays a No Protection warning. Just give it a few seconds to finish installing, updating, and configuring its components.
Four big panels dominate the main window’s light-colored background: Protection, Scan & Clean, Logs, and Settings. A left-rail menu effectively duplicates the effect of clicking the panels; the one you’ll use most is the Overview icon that brings you back to the main screen. Emsisoft’s combination of greens, blues, and whites gives it a pleasant appearance, quite different from the tough-looking slate-gray tones found in some competitors.
Right in the Scan & Clean panel, without ever leaving the Overview page, you can click links to run a quick scan, a malware scan, or a custom scan. Clicking the panel itself brings up a page with clear descriptions of each scan. The quick scan scans only active programs, looking for traces of malware. The malware scan looks in “all places that malware typically infects.”
What about the familiar full scan of your entire computer, seen in most other antivirus utilities? To get that, you choose a custom scan. By default, it scans the entire C: drive, which is probably what you want. The custom scan page includes several settings to configure just how the scan proceeds, but they come preconfigured for the best protection. Don’t change them unless you know what you’re doing.
A full custom scan of a standard clean test system took 69 minutes, just slightly more than the current average of 64 minutes. A repeat full scan finished in 24 minutes. That improvement on the subsequent scan suggests that the initial scan performed some optimization steps, perhaps marking known safe programs so they needn’t be scanned again. Other products take optimization even further. Bitdefender Antivirus Free Edition, for example, went from 58 minutes for its first scan down to just one minute on a repeat scan. To be fair, Emsisoft emphasizes the malware scan, which took four minutes, and the quick scan, which finished in less than 30 seconds.
I do recommend a full scan immediately after installing a new antivirus, to clear out any malware that may have taken up residence while you were without protection. Emsisoft does schedule a weekly full scan, but it’s not active until you open the schedule and enable that planned scan. You can also schedule other scans on a daily, weekly, or monthly basis.
There’s one more scan you should consider. Clicking Emergency Kit Maker on the scan page gets you the option to create your own self-contained Emsisoft Emergency Kit. This is a standalone executable that you can save on a removable drive and use to scan other computers, perhaps ones so badly infested by malware that you can’t install the full antivirus. This isn’t a bootable rescue system like you get with Kaspersky or Bitdefender Antivirus Plus, but it can be a useful tool.
No Help From the Labs
Independent antivirus testing labs around the world have as their goal evaluating security products and reporting on how well they perform their essential tasks. I follow four such labs, and I’m impressed by any product that shows up in results from all four. Among these are Kaspersky, McAfee, and Norton. Alas, Emsisoft is at the other end of the spectrum. It used to have a toehold in the lab results realm, appearing in a single report. However, it doesn’t show up in the latest results from any of the four.
For those products evaluated by at least two labs, I use an algorithm that normalizes lab tests to a 10-point scale and produces an aggregate score. With results from all four labs and an aggregate score of 9.9, Kaspersky Anti-Virus is clearly the darling of the labs. AVG and Bitdefender come very close, with 9.8 points, but in both cases the score comes from just three labs.
Mixed Malware Protection Scores
When I get no help from the labs, my own hands-on malware protection testing becomes vitally important. To start the basic protection test, I simply open a folder containing a collection of malware that I gathered, curated, and analyzed myself. For many products, the minimal access that occurs when Windows Explorer checks the file’s name, size, and creation date for display is enough to trigger an on-access scan. For others, the trigger involves copying samples to a new location.
Like Cylance, McAfee AntiVirus Plus, and a few others, Emsisoft waits until a process launches to check it for malware. That means a bit more work for me, as I must launch every single sample. Fortunately, Emsisoft caught all but a small number of the samples immediately at launch. Each such detection resulted in a slide-in notification from the antivirus, along with a Windows error message explaining that the file contained a virus. A couple of items managed to launch but got caught later.
Like Malwarebytes and McAfee, Emsisoft detected 100% of the samples. Malwarebytes completely blocked all the malware from installing anything significant and thereby earns the maximum, 10 points. In a few cases, Emsisoft halted the malware installation mid-way and left some executable files on the test system, which pulled its overall score down to 9.7. That’s still better than almost all recently tested products.
Because gathering and analyzing a new selection of malware takes a long time, I can’t refresh the collection often. For a look at how each antivirus handles up-to-the-minute malware, I use a feed of recent malware-hosting URLs generously supplied by MRG-Effitas, a London-based security testing firm.
As I go down the list, launching each URL, I usually find many that are already defunct, even though they’re just a few days old. For those still viable, I note whether the antivirus blocks access to the URL, eliminates the malware payload, or simply fails to react. When I have sufficient data points, I run the numbers.
Emsisoft boasts two distinct defenses in this realm. The browser-independent Web Protection checks URLs against a local blacklist that’s updated every 15 minutes and prevents all access by any browser or other program, sliding in a notification so you’ll know what happened. The Browser Security extension (for Chrome, Edge, and other Chromium-based browsers) checks unknown URLs with Emsisoft online and diverts dangerous access attempts to an explanatory page.
Emsisoft’s blog posts point out that Browser Security never sends the URLs you visit to the cloud for checking. Rather, it sends a hash of the domain, for comparison with hashes of known dangerous domains. There’s no possibility of Emsisoft or its employees gathering a history of your web browsing.
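The hashed-domain lookup described above, sketched as an added example (not Emsisoft's code and not from the original review). SHA-256, the parent-domain walk, and every function, class and hostname here are assumptions; the page does not say which hash or matching rules the extension uses.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample blocklist: hostnames under the reserved .example TLD.
KNOWN_BAD_DOMAINS = ["malware-host.example", "phish-login.example"]


def domain_digest(host: str) -> str:
    """Hex SHA-256 of a hostname (the hash choice is an assumption)."""
    return hashlib.sha256(host.encode("utf-8")).hexdigest()


def normalize_host(url: str) -> str:
    """Extract the hostname only: lowercased, no port, no trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def candidate_hosts(host: str) -> list:
    """The host plus each parent domain down to two labels, so a listed
    domain also matches its subdomains (assumed matching rule)."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def build_request(url: str) -> list:
    """What the client transmits: digests only. The scheme, path and
    query string are dropped before anything is hashed."""
    return [domain_digest(h) for h in candidate_hosts(normalize_host(url))]


class LookupService:
    """Stand-in for the vendor side; it stores and receives only digests."""

    def __init__(self, bad_domains):
        self._bad = {domain_digest(d) for d in bad_domains}
        self.seen = []  # record of everything the service was sent

    def check(self, digests) -> bool:
        self.seen.append(list(digests))
        return any(d in self._bad for d in digests)


def is_blocked(url: str, service: LookupService) -> bool:
    """Client-side decision: block if any candidate digest is listed."""
    return service.check(build_request(url))


if __name__ == "__main__":
    svc = LookupService(KNOWN_BAD_DOMAINS)
    for url in ("https://login.phish-login.example/account?session=abc123",
                "https://shop.example/cart?id=42"):
        print(url, "->", "blocked" if is_blocked(url, svc) else "allowed")
    print("service received:", svc.seen)
```

In this sketch the service never receives the path or query string, but an unsalted hash of a hostname can still be matched by the receiver against hashes of hostnames it already knows. The privacy gain of such a scheme is therefore about the full URL, not necessarily the site name.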
Working my way through the URLs, I went a long time before seeing Emsisoft handle a malware download, because most of its detections occurred earlier in the process. When it did eliminate a malware download, it reported the event using the now-familiar slide-in notification, while the browser displayed a message that the download failed because a virus was detected.
Emsisoft blocked 70% of the malware-hosting URLs and eliminated another 7% during the download process, for a total of 77%. That’s a big drop since its last review, where it blocked 33% at the URL level and another 60% during download, for a 93% total. Very few recent products have scored lower than 77%.
It’s true that the list of URLs involved is different every time, since they’re always the newest. You might think that bad luck handed Emsisoft an extra-tough bunch. However, I had this product and Bitdefender Antivirus Free Edition up on the rack for testing at the same time, and Bitdefender defended against 100% of these URLs. Tested with its own set of new dangerous URLs, McAfee also scored 100%, while Bitdefender, G Data, and Sophos managed 99%.
I can only characterize Emsisoft’s scores in my hands-on malware protection testing as mixed. In the basic malware protection test, it made the top five. But in the malicious URL blocking test, it landed in the bottom five.
Imperfect Phishing Protection
The perpetrators of phishing websites don’t need any malware coding skills. They don’t try to steal login credentials. Rather, they rely on inattentive netizens to simply hand over their passwords. Phishing sites mimic financial sites, shopping sites, and even dating sites, displaying a realistic login page. If you enter your username and password, the fraudster owns your account. These sites get taken down quickly, but the criminals just pop up another one.
To test phishing protection, I start by gathering hundreds of reported fraudulent URLs, making sure to include both verified frauds and those too new to have been analyzed. I launch each simultaneously in a browser protected by the antivirus under test, and in instances of Chrome, Firefox, and Microsoft Edge protected only by their built-in antiphishing filters. Only verified phishing sites that load properly in all four browsers count toward the totals.
Here again Emsisoft brings two layers of protection to bear. The browser-independent Web Protection component blocks all access to phishing sites that are on its blacklist. And the browser extension diverts unwary users to a warning page.
Last time I ran this test, Emsisoft detected 85% of the verified phishing frauds. That’s not great—almost half the current products scored higher. This time around Emsisoft’s score comes in at 55%, a very poor score.
After conversing with my Emsisoft contact, I began to develop a theory. While the Browser Security extension can block a known phishing site whether it’s secured with HTTPS or not, Emsisoft does not attempt to check the content of HTTPS pages. My contact cited a scholarly paper indicating that doing so can actually reduce security. Since phishing pages are so ephemeral, a truly effective defense requires real-time checking of page content. In addition, the number of HTTPS URLs in my collected phishing and malware-hosting test URLs has been steadily growing. The dangerous URLs run about one in eight, but more than half of the phishing URLs I collect use HTTPS. It’s possible this trend contributed to Emsisoft’s low score.
F-Secure and McAfee each detect 100% of the verified frauds in their latest tests. Bitdefender, Norton, and Webroot almost make it to the top, each scoring 99%. These products do check unknown pages for signs of phishing, and the results suggest that this includes checking secure HTTPS pages.
When I write about how you can learn to detect phishing frauds, I always mention that if the HTTPS lock is missing, the site is probably a fake. It seems perfectly natural to me that fraudsters would make a point of securing their sites, to make them look legit. I will continue to recommend products that help users avoid all fraudulent sites, even these extra-tricky ones.
Behavior-Based Ransomware Protection
Malware coders are always working on new attacks, new hiding techniques, and new ways to sleaze past antivirus protection. If they manage to slip through a Trojan or a botnet that your antivirus misses, that’s not good, but very likely an update will wipe out the problem within a few days. But if the zero-day attack involves ransomware, you’re up the creek. Your files are already encrypted, and removing the ransomware won’t bring them back. That’s why many antivirus tools now include an extra layer of protection against ransomware.
Emsisoft’s ransomware protection isn’t separate from its general-purpose Behavior Blocker. Fortunately, Emsisoft doesn’t couple behavioral protection with the regular real-time protection of the File Guard component the way Trend Micro, Avira Antivirus Pro, and a few others do. I had no trouble turning off File Guard while leaving ransomware protection active. Turning off real-time protection serves to simulate a zero-day attack that gets past ordinary real-time protection.
This tool’s ransomware protection focuses on the widespread problem of file-encrypting ransomware. After cutting off my test virtual machine from the network, I launched almost a dozen real-world encrypting ransomware samples. Emsisoft detected and blocked all of them, identifying them as suspicious or dangerous based on behavior.
The ransomware style that encrypts your whole disk is much less common. Indeed, Emsisoft didn’t stop my one disk-encrypting ransomware sample from bricking the test system. Fortunately, it was a virtual machine; reverting to an earlier snapshot restored it to full functionality.
As a further test, I configured a couple of the encrypting ransomware samples to launch at startup and rebooted the test system. Some ransomware detection systems are slow out of the gate, allowing ransomware attacks before they’ve fully fired up their protection. Not Emsisoft. It visibly got ahead of the threats, wiping them out just as it did when I launched them directly. Emsisoft also detected and blocked my very simple hand-coded ransomware simulator.
For another view of ransomware protection, I use KnowBe4’s RanSim ransomware simulator, which simulates 10 common ransomware behaviors along with two harmless encryption behaviors. I don’t zing products that fail the test, since its simulations are not truly ransomware, but passing is a good thing. Emsisoft wanted to quarantine the installer and the simulation launcher module; I had to rescue those two programs. After that, the simulator worked fine.
Emsisoft blocked all 10 of the simulated ransomware attacks. It also blocked one of two innocuous encryption-related scenarios, but that’s not so bad. If it blocked your encryption program in the real world, you could just release the file from quarantine.
Overall, Emsisoft behavioral detection proved very effective against file-encrypting ransomware. It didn’t stop a disk-encrypting sample, but remember, this sample along with all the others was quarantined by the real-time File Guard component. I had to turn off File Guard before I could even run this test.
Management Console Remote Control
Emsisoft’s Management Console offers very thorough remote management. This feature is especially useful for those installing Emsisoft protection across a business, but it’s completely available to home users.
Remember that workspace you created back at install time? That’s where you go to engage remote management. To start, you log into the My Emsisoft online portal, the same place you registered your license. Note that each login requires entry of a security code sent to the email address associated with your account. Once you’ve logged in, you have full access to your workspace. There’s none of the confusing license-transfer business that I reported in my last review when the Management Console was new.
Many antivirus products offer some degree of remote access. Webroot lets you view and control quite a bit, as does Sophos Home Premium. With Emsisoft, you control the application’s full range of settings. If you can do it locally, you can do it remotely. You can even access the local user interface remotely, so everything you learned about that interface carries over. Launch a scan? View files in quarantine? Change settings? No problem!
For a home user, this complete remote management can be a big selling point. Now you can install antivirus for your aging relatives and take care of their security problems without driving across town. You can even lock local access to settings, disable confusing notifications, or hide such things as the purchase and renewal buttons. For the right user, this is fantastic.
Good for the Right User
Emsisoft Anti-Malware has received good lab test scores in the past, but it doesn’t appear in any of the latest test reports. It earned a very good score in our hands-on malware protection test, and its behavior-based protection fended off all our encrypting ransomware samples. However, it didn’t do well at all when challenged to defend against dangerous or fraudulent websites. The management console offers total control over remote installations, which is a great feature if you’re the family’s security chief. But in terms of basic antivirus protection there are better choices.
In the crowded field of antivirus protection, some products do stand out. Bitdefender Antivirus Plus and Kaspersky Anti-Virus lead the field in test results from independent labs. McAfee AntiVirus Plus protects every device in your household. With its journal-and-rollback handling of unknown files, Webroot SecureAnywhere AntiVirus can even roll back ransomware activity. These four have all earned Editors’ Choice recognitions as top commercial antivirus products. They all cost more than Emsisoft, but they’re worth the extra money.