• Welcome
• Installation and setup
  • Learning Mode
  • Accessing Settings
  • Configuration
  • Banking Mode
  • RunSafer
• Using Online Armor
  • Status
  • Firewall
    • Creating Firewall Rules
    • Ports and Protocols
    • Firewall Status Screen
    • Firewall Logs
  • Domains
  • Programs
  • Files and Registry
    • Creating File Rules
    • Creating Registry Rules
  • Autoruns
  • Anti-Keylogger
  • Hosts file
  • History
  • Options
  • Debug
• Customer Support

Programs

Today's malware is often designed to allow an attacker access to your personal data or even complete control of your computer. To protect you against malware, Online Armor will try to identify any program that tries to run on your computer.

When a program starts to run, Online Armor will first try to make a decision automatically by using the Anti-Malware Network to check if it recognizes the program as Trusted or Not Trusted.

Programs List

Once a program has been Allowed or Blocked, it will be added to the Programs List. You can access the Programs list by opening the Online Armor Control Panel and selecting Programs from the Main Menu. The Programs list shows you basic information about the programs it has seen and allows you to change how Online Armor handles each program individually.

Above the table, on the right-hand side opposite of the tabs, is a drop down menu. This menu will allow you to filter the list to show only Programs, Components, Drivers, programs set to RunSafer, Installers, and Other. Selecting one of these options will hide all entries in the Programs list that do not match the specified criteria.

The Programs list is organized using a table with the following columns:

• Status – Shows whether the program is Allowed or Blocked.
• Program Name – Shows the file name of the program on your hard drive.
• Name – Shows the name of the program.
• First Detected – Shows the first time Online Armor saw the program.
• Trust Level – Shows whether the program is Trusted, Not Trusted, or Unknown.
• Security Group – Shows whether the program runs normally (Normal), has been set to "RunSafer" (Safer), or is a program that it is recommended that you set to "RunSafer" (Recommended).

Each row is color coded to indicate whether the program is set to Run Safer (blue), Installer (yellow), Trusted (green), Not Trusted (red), Unknown (salmon), or is no longer present (gray).

A legend showing the colors and their corresponding status can be displayed by clicking on the Legend link above the table.

Underneath the list are the following buttons:

• Run Safer – Sets the selected program to "RunSafer".
• Trust/Untrust – If the selected program is Trusted, this option changes it to Unknown so that it will be monitored for malicious behavior. If the selected program is Unknown, this option changes it to Trusted so that it will not be monitored for malicious behavior.
• Delete – Removes the program from the Programs list and deletes any history information that Online Armor has associated with this program. Deleting the item from the list will cause Online Armor to pop up if the program tries to run again in the future.
• Allow – If a program has been set to Blocked then this button will be enabled and will set the program to Allowed.
• Ask – Sets Online Armor to pop-up the next time this program tries to run, allowing you to Allow or Block it at that time. When a Trusted entry is selected, this button will be unavailable as Trusted programs are always allowed to run without asking.
• Block – Sets Online Armor to automatically Block the program from running.

Online Armor does not show Trusted programs by default to keep the Programs list more manageable. Remove the check next to the "Hide trusted" box to the left of the buttons at the bottom to see the Trusted programs in the list.

You can also place a check in the "Only deleted" box to view only programs that are no longer present.

Programs List Context Menu

You can right-click any program in the Programs list to access additional options including:

• Show file information – Shows any information about the file that was included by the maker of the program. If the program has a valid digital signature, the words "Signed by:" will be displayed in green text, followed by the name of the signer. You can also click More to be taken to the Online Armor website for any information Online Armor has collected about this particular program.
• Open file location – Opens the folder where the file is located on your computer.
• Open – Launches the program.
• Open Safer/Open Normal – If the program is not set to RunSafer then this menu item will say "Open Safer", and clicking it will launch the program with the RunSafer restrictions. If this menu item shows "Open Normal" then the program is set to RunSafer and selecting this menu entry will launch the program without the RunSafer restrictions this time only.
• Scan online – If you are not sure about a certain program, this option allows you to upload the selected file to the Emsisoft Anti-Malware Network for scanning using Emsisoft Anti-Malware. Files found to be infected are automatically marked "Not Trusted" in the Program's list and the "Emsisoft Online File Scan Results" web page is opened to display the infection details. There is an upload limit of 10MB per file and only one file may be uploaded at once.
• Advanced Options – Takes you to the Advanced Options for this program.
• Add – Helps you to add a program to the programs list without having to wait for it to run.
• Find – Allows you to perform a search in the Programs list to find a particular program.
• Copy to Clipboard – Copies all the text you see in the tooltip (when hovering the mouse over an entry) to the clipboard so that the information can be pasted.
• Autosize columns – Sets the programs list to automatically resize all columns in the table to accommodate the longest string of text in each column.

Advanced Options

You can access the advanced options for any program by double clicking it in the Programs list or right-clicking and selecting "Advanced options".

Security

Place a check in the box to enable the following features, or remove the check to disable them:

• RunSafer – Sets Online Armor to use RunSafer on this program.
• Installer – Installers run many programs and perform many actions that may raise pop-ups from Online Armor. Using this option will automatically allow Unknown programs that the installer runs, reducing or eliminating those pop-ups.

Permissions

These settings change the way that Online Armor will allow the selected program to behave. These settings restrict potentially high-risk behaviors used by some sophisticated malware. Some malware may take these actions directly, but malware can also hide its actions by manipulating legitimate programs in a way that forces them to perform malicious actions on the malware's behalf.

Click the icon to the left of the setting to change each setting. In Standard mode these settings can be toggled between "Ask, "Block" or "Allow" by clicking the individual items. In Advanced mode, it is possible to fine tune many of these settings further by clicking on "(More)". "(More)" indicates that clicking this item will open a new dialog with more options to configure. Once the setting is configured this will change to an icon of a page with writing and a green arrow. Otherwise the setting will show the current status icon and label.

Warning: While these actions are often taken by malware, they are also used by legitimate programs as well. You should not alter restrictions unless you know what these features protect against and you are sure that the application does not need to perform them. Enabling these options could prevent a program, or your system, from behaving as expected, hang, or crash.

These settings will not be enforced on Trusted programs.

• Start applications – Changes whether Online Armor will allow this program to start other programs. Clicking this option will allow you to configure Online Armor to allow or restrict the program from starting specific programs, any program, or to pop-up (ask) when it happens.
• Set global hooks – Changes whether Online Armor will allow this program to create hooks. A global hook is a piece of code injected into every program that runs on your computer for the purposes of obtaining specific data from that program. This could be to monitor for Hotkeys, to obtain information that you have typed, and so on.
• Physical memory access – Changes whether Online Armor will allow the program to directly access other programs in memory. This is typically done to gain additional information about a program, but could allow malware to affect other software in ways it normally couldn't. Clicking this option will allow you to configure Online Armor to allow or restrict the program from accessing specific programs, any program, or to pop-up (ask) when it happens.
• Remote code – Changes whether Online Armor will allow the program to control other programs that are running on your computer. Clicking this option will allow you to configure Online Armor to allow or restrict the program from controlling specific programs, any program, or to pop-up (ask) when it happens.
• Remote data modification – Changes whether Online Armor will allow the program to modify the data being held in virtual memory by another program. Clicking this option will allow you to configure Online Armor to allow or restrict the program from modifying data of specific programs, any program, or to pop-up (ask) when it happens.
• Suspend process/thread – Changes whether Online Armor will allow the program to suspend another program in memory or one of the program’s threads, preventing the target program or one of its functions from operating without actually terminating it. Clicking this option will allow you to configure Online Armor to allow or restrict the program from suspending specific programs or its threads, any programs, or to pop-up (ask) when it happens.
• Create executable – Changes whether Online Armor will allow the program to create executable program files on the hard drive. Clicking this option will allow you to configure Online Armor to allow or restrict the program from creating specific executables, any executables, or to pop-up (ask) when it happens.
• Use DNS API – Changes whether Online Armor will allow the program to make DNS queries using the DNS Client service.
• Enumerate files – Changes whether Online Armor will allow the program to get a list of files from a certain directory (a file manager is one example of a program that would require this permission).
• Direct Disk Access – Changes whether Online Armor will allow the program to access the hard drive directly, bypassing the normal methods of creating, modifying, or deleting files. Software such as disk defragmenters or data recovery tools are examples of legitimate software that may require direct disk access.
• System Shutdown – Changes whether Online Armor will allow the program to shutdown Windows.

Protection (available on 32bit systems only)

These settings protect the selected application against potentially high-risk behavior that sophisticated malware may take against target programs. These settings are best used to protect programs that contribute to your system's security and do not contain self-protection.

Note: Using these features on certain programs may result in the protected application not behaving as expected, which could lead to unpredictable problems. You should avoid using protection settings on programs that already contain similar protection.

• Restart if terminated – Automatically restarts the program if it suddenly exits, such as if it crashes or is forcibly closed.
• Protect from termination – Prevents other programs from forcibly closing the selected program.
• Protect from suspend – Prevents other programs from suspending the protected program, which would leave the program non-functional without actually terminating it.
• Protect from remote code control – Prevents other programs from manipulating the functions of the protected application.
• Protect from remote data modification – Prevents other programs from modifying data in memory belonging to the protected program.

Performance (available on 32bit systems only)

These settings change the way that the selected application utilizes your computer’s processor. These settings are intended for advanced users that require this type of control of selected programs.

• CPU Limit – Malfunctioning programs can sometimes use 100% of your computer's processing power, causing the system to freeze until it finishes (if it ever does).This feature changes the maximum amount of processor power that Online Armor will allow the selected application to use. At 100%, the selected application may use as much of the processor as it needs, but programs can be restricted to as little as 10% of the processor. Move the arrow shaped slider left to lower the setting, and move it right to increase. This feature is set to 100% by default (the right-most end of the slider).
• Affinity mask – When your computer has more than one processor, a multiple core processor, or a processor with "Hyperthreading", a program may not be able to use the processor(s) correctly or you may wish to choose which processor/core the program uses. This feature changes which processor/core the selected application should use the most, or "favor".

Options

The Options tab provides options that allow you to change how Online Armor handles programs in general, rather than individual programs.

These options include the following:

• Prompt when running unknown programs – Changes whether Online Armor will pop-up when an Unknown program runs, asking if you want to Allow or Block it. Remove the check from the box to the left if you do not want to answer pop-ups to allow Unknown programs to run.
• RunSafer unknown programs by default – Configures Online Armor to automatically set all new Unknown programs that run to RunSafer.
• Show colored border on programs set to RunSafer – Configures Online Armor to create a green border around any program that is running using RunSafer.
• Hidden proccess detection - Changes whether Online Armor will pop up when a program runs but tries to conceal itself from view (e.g. from the process list in Task Manager).
• Automatically trust programs that Emsisoft deems trustworthy – Changes whether Online Armor will use the Trusted list to automatically allow known safe programs to run. Disabling this setting will cause Online Armor to prompt you for any program that tries to run that you have not already Allowed. Disabling this option is not recommended.
• In addition, automatically trust programs signed with valid digital signatures – Configures Online Armor to automatically trust programs if they are found to have a valid digital signature. A digital signature is a security mark used to verify whether the publisher of a file is who they claim to be and that the file has not been tampered with after being signed. This option is enabled by default. Online Armor uses Emsisoft's signature blacklist to ensure that digital signatures that have been used in connection with fraudulent or malicious activities in the past, will not be trusted automatically. Updates to the signature blacklist are received regularly via automatic updates to ensure up to date protection.
• Contact Anti-Malware Network in realtime – Changes whether Online Armor contacts Emsisoft's Anti-Malware Network to try to identify known legitimate and malicious programs. It is strongly recommended that you keep this option enabled. No personally identifiable information is sent.
• Clear unknown programs on reboot – Configures Online Armor to clear the Programs list of all Unknown programs every time Online Armor is shut down, such as when you restart your computer. Enabling this option may cause repeated pop-ups for any Unknown programs that are installed on your computer.
• Notify when Online Armor auto trusts a program – Configures Online Armor to display a notification when Online Armor recognizes a program from the Trusted list and automatically allows it to run.
• Notify when Online Armor blocks a program – Configures Online Armor to display a notification when Online Armor blocks a program from running.
• Automatically block programs with suspicious filenames – This setting is enabled by default and will automatically block the execution of Unknown programs which may constitute a malware risk or use techniques commonly employed by malware. This includes:
  • programs using double extensions (such as coolpic.jpg.exe)
  • programs containing more than 5 continuous spaces in the file name.
  • programs that have the same name as common Windows components but are located in a different directory than usual (eg. svchost.exe outside of c:\windows\system32)
  • programs containing Unicode characters as part of the filename (Online Armor does not currently support Unicode so this provides previously missing protection against the execution of Unknown programs with Unicode filenames)
  Disabling this option will configure Online Armor to prompt you when a program with a suspicious filename attempts to run.