1. Program Description
Mamutu monitors all active programs in real time for dangerous behavior (Behavior Blocking) and can detect new unknown Trojans, Worms, Viruses and other damaging programs (Zero-Day dangers) without daily updates. Mamutu is small but very powerful. It saves resources and does not slow the PC down.
2. Installation
Always download the latest setup file to install Mamutu:
http://www.mamutu.com/en/software/download/
Start the downloaded file (MamutuSetup.exe) and follow the instructions of the setup wizard. During installation, you can decide where the software is to be installed and whether shortcuts are to be created on the Desktop and in the Quick Launch Toolbar. After installation, start the Mamutu Security Wizard as recommended.
Deinstallation
Deinstallation of Mamutu is done using the Uninstaller provided. You reach this via Programs/Mamutu/Uninstall Mamutu or via the Windows Control Panel/Add or Remove Programs (Windows 2000/Windows XP) or Windows Control Panel/Programs and Features (Windows Vista).
2.1 Security Wizard
The Security Wizard automatically starts the first time you run Mamutu. The wizard helps you to set up an optimum security configuration on your PC and guides you step-by-step through the settings.
You are first requested to register your license. To do this, enter your user information (email address as username, and password) and then confirm the information by clicking “Log in”. If the login was successful then the next step will show you all licenses currently available in your user account. The trial license is always available by default. If you have several licenses, select the one you wish to use by clicking it and confirm your selection by clicking “Next”.
If you do not yet have a user account you can create one at any time by clicking “Create account”. Fill out the “Name” and “Email” fields and confirm your entries by clicking “Create account”. You will then immediately receive your password in an email sent to the specified email address.
If you have received a coupon code for a Mamutu license, e.g. if you purchased a license from a third-party dealer, then you can use the “Convert coupon code” hyperlink to convert your coupon into a license code. Enter your coupon code and confirm this by clicking “OK”. The license is then automatically created in your user account and you can proceed as described above.
2.1.1 Updater Settings
Select the components to be taken into account for online updates by selecting or deselecting the check box for each desired option.
- Install program help – Select this option if you need help with Mamutu or want to keep up to date. The help files require about 1 Mb of extra disk space.
- Install additional languages – Select this option if you wish to install and update additional language support. If this option is deselected then only the language package you are currently using will be updated.
- Install beta updates – Select this option only if you always want to use the latest, untested Beta versions of the program files. We recommend that only experienced users select this option, or when you are requested to do this for fault-finding purposes. Beta updates may still contain bugs and cause unpredictable problems.
- Join the Anti-Malware Network – Select this option to send data on found objects as needed and to use the community-based alert reduction feature.
- Verify program modules versions – Select this option to check that all program components are up to date and authentic each time the program starts.
The “Edit alerts settings” hyperlink allows you to activate or deactivate alert messages for “News Boxes”, “Update Messages” and “Restart Alerts”. These are small information windows that appear from the corner of the Taskbar. The display duration of these windows can be set for all types of messages.
Once you have made all Updater Settings, confirm these by clicking “Next”.
The Updater will now search for all updates and install them to bring Mamutu up to the latest version. The time required for this can vary and it may take a while, depending on the size and number of update modules and the speed of your Internet connection.
If you receive the message “Update process was finished successfully”, then the Update was successful and you can continue with the Security Wizard by clicking “Next”.
2.1.2 Alert Settings
We now come to the most important part of the configuration, the settings for alert messages. Mamutu reports the behavior of programs that are sometimes clearly damaging but sometimes also only possibly damaging. With some benign programs a clear decision between benign and malicious behavior is not technically possible. Mamutu always reports this type of suspicious behavior unless you activate alert reduction to reduce the number of false alarms relating to benign programs.
- Intelligent alert reduction – Mamutu performs a technical analysis of the program file for a reported program to determine if this is a benign program. Good examples of false alerts are Explorer.exe (Windows Explorer), Internet Explorer or Firefox. When starting, all these programs exhibit behavior that is also used by Malware, for example changing the browser settings or generating network traffic without a visible user interface. If intelligent alert reduction is not activated, then warning alerts are generated each time these programs start. With intelligent alert reduction activated, Mamutu recognizes that these are legitimate programs and does not generate warning alerts. Intelligent alert reduction is deactivated by default because in rare situations it is possible that dangerous programs may also become active.
- Community-based alert reduction – Mamutu relies on the intelligence of the masses. An online query to the Anti-Malware Network is made and the decisions of all Mamutu users on what to do with a reported program (allow, block, quarantine, exclude from monitoring) are displayed as a colored graphic. Mamutu uses this to provide a recommendation of how to proceed with the reported program.
- You can use percentage threshold values to define whether a program is automatically blocked or permitted using community-based alert reduction. The default values are a threshold of 90% for each. If 90% of Mamutu users have allowed the program to start then it will be automatically allowed on your system and an application rule is created for future program starts.
- Paranoid mode – Reports additional suspicious program starts and applications with a suspicious or Malware-similar file layout. The option is deactivated by default and is only recommended for advanced users.
You can use the “Edit Ruleset” hyperlink to define rules for programs in advance. Advance configuration should only be done by advanced users.
Warning! Never set important system components to “Block” or you could very rapidly ruin your operating system.
Click “Next” to reach the basic settings of the Mamutu Background Guard.
2.1.3 Background Guard Settings
The options “Enable background guard on system startup” and “Activate Malware-IDS” should always be activated, otherwise you have no Malware protection.
The option “Download and install updates automatically” ensures that Mamutu is always up to date and you will not miss any program updates. Mamutu searches online for new updates each day and installs them if they are available.
You confirm the background guard settings by clicking “Next”.
The basic configuration using the Security Wizard is now complete and you can finish the installation by clicking “Close setup wizard”. Mamutu will then start and display the standard “Security Status” welcome screen. The blue-grey Mamutu symbol is displayed in the Taskbar next to the clock.
3. Security Status
The Mamutu start screen, called “Security Status”, shows an overview of all program and configuration elements. The security status window is divided into 4 sections. The first part is the menu at the left, containing “Processes”, “Malware-IDS”, “Quarantine”, “Logs” and “Settings”, and it provides easy access to all relevant program elements and settings dialogs.
The second part is the horizontal menu bar at the top, which is divided into “Language” for the languages supported, the Mamutu Quick Access menu item providing fast access to different settings dialogs or program elements via a drop-down menu, and finally the help menu item providing access to the help pages, the customer center and the discussion forum.
The third part is Mamutu Online and Mamutu News at the right side, which provides fast access via web links to the Mamutu Homepage and displays the latest news from Emsi Software.
The fourth part in the center shows a status overview of the background guard and update settings, the current software version, the date of the last update, the license period, the number of logged behavior alerts and the number of objects in quarantine.
4. Processes
The Mamutu process monitor lists all active processes with their name, PID (process ID), file path and whether they are monitored (yes/no). Processes can be terminated (“Kill”), placed in quarantine (“Quarantine”), configured (double-click the process) or new processes can be started (“New process”). The “Edit rule” button can be used to define rules for each process allowing or blocking particular behavior or excluding processes from monitoring. All relevant processes are monitored by default. However, system-internal processes are not monitored.
Selecting a process displays the file properties of the process in the field below the process table. Clicking a process with the right mouse button displays a popup menu with options to “Edit rule” and “Request suggestion” (community-based alert reduction).
5. Malware-IDS
The core of Mamutu, divided into “Application Rules”, “Malware-IDS”, “Alerts” and “General settings” tabs, allows easy fine tuning, addition and deletion of all defined behavior rules.
5.1 Application Rules
Lists all defined application rules, with filename and mode. The filename field shows the file path of the program for which the rule was created. The mode field shows whether the program is blocked (Block), excluded from monitoring (Excluded) or monitored (Monitor).
Rules can be edited, deleted and added. The following section explains the dialog used for creating and editing a rule:
If a rule is to be created for program X, the first step is to open the file selection dialog by clicking the “…” button next to the “Application Path:” field and select the appropriate file so that the complete path is displayed.
- Protect this application from process manipulations – Activate this option to prevent other processes from writing to the memory area of program X. Please note that some programs will only work correctly when this option is not activated. Only activate this feature when you are sure that program X does not require this functionality.
- Monitor this application, but allow specific activities – Use this option to define exactly the behavior that is permitted for program X. All other possibly dangerous behavior will still be recognized and reported. To define the permitted behavior, select the desired options in the lower part of the settings dialog.
- Always block this application – Completely blocks program X so that it can no longer be run. Mamutu reliably prevents program X from starting, without manipulating the contents of the program file. Another possibility is to place the program in quarantine. This moves the file to a secure environment from where it can no longer be started.
- Exclude from protection – Program X is completely excluded from monitoring by Mamutu and can run freely. Only use this option when you are sure that you can trust the program. You can also use this option to prevent conflicts (program crashes) with other programs that use techniques similar to those of Mamutu.
5.2 Malware-IDS Functions
In the Malware-IDS tab you define the types of behavior that should be monitored system-wide by Mamutu. To exclude particular types of behavior from monitoring, remove the tick next to the relevant entry. Only deactivate Malware-IDS components if you are sure that this will not compromise your system security.
5.3 Alert Settings
Mamutu reports the behavior of programs that are sometimes clearly damaging but sometimes also only possibly damaging. With some benign programs a clear decision between benign and malicious behavior is not technically possible. Mamutu always reports this type of suspicious behavior unless you activate alert reduction to reduce the number of false alarms relating to benign programs.
- Intelligent alert reduction – Mamutu performs a technical analysis of the program file for a reported program to determine if this is a benign program. Good examples of false alerts are Explorer.exe (Windows Explorer), Internet Explorer or Firefox. When starting, all these programs exhibit behavior that is also used by Malware, for example changing the browser settings or generating network traffic without a visible user interface. If intelligent alert reduction is not activated, then warning alerts are generated each time these programs start. With intelligent alert reduction activated, Mamutu recognizes that these are legitimate programs and does not generate warning alerts. Intelligent alert reduction is deactivated by default because in rare situations it is possible that dangerous programs may also become active.
- Community-based alert reduction – Mamutu relies on the intelligence of the masses. An online query to the Anti-Malware Network is made and the decisions of all Mamutu users on what to do with a reported program (allow, block, quarantine, exclude from monitoring) are displayed as a colored graphic. Mamutu uses this to provide a recommendation of how to proceed with the reported program.
- You can use percentage threshold values to define whether a program is automatically blocked or permitted using community-based alert reduction. The default values are a threshold of 90% for each. If 90% of Mamutu users have allowed the program to start then it will be automatically allowed on your system and an application rule is created for future program starts.
- Paranoid mode – Reports additional suspicious program starts and applications with a suspicious or Malware-similar file layout. The option is deactivated by default and is only recommended for advanced users.
5.4 General Malware-IDS Settings
The options “Enable background guard on system startup” and “Activate Malware-IDS” should always be activated, otherwise you have no Malware protection.
The option “Download and install updates automatically” ensures that Mamutu is always up to date and you will not miss any program updates. Mamutu searches online for new updates each day and installs them if they are available.
6. Quarantine
Quarantine provides a safe place for storing dangerous or suspicious files. A file can also be restored from quarantine when (e.g.) it was moved by mistake or as the result of a false alert.
The quarantine table has Source (path), Behavior/Infection, Risk level, Date and Submitted columns. The quarantine provides additional functions for managing these files.
“Save copy” allows you to save a 1:1 copy of the file to any desired location, e.g. to manually examine the file. “Submit file” sends the file to the Anti-Malware Network, allowing the developers to perform further analysis. This helps to classify currently unknown Malware and add it to the signature database. “Add file” allows you to move suspicious files into quarantine. “Restore” moves a file from quarantine back to its original location. “Delete” permanently removes the selected object(s) from the hard drive. These can then no longer be restored.
Right-clicking in the quarantine table displays a popup menu with “Select All”, “Select nothing” and “Invert” menu items to make selection and editing of multiple objects easier.
7. Logging
Logging is an important tool for tracing procedures. This has “Malware-IDS”, “Quarantine” and “Update” tabs:
- Malware-IDS – This lists all actions of the Malware-IDS, with “Date/Time”, PID (Process ID), Source (file path), Event and Behavior/Infection columns. For example, the last column shows if a program has been permitted as the result of an alert reduction.
- Quarantine – Lists all quarantine actions, such as “Move to Quarantine” and “Restore Quarantine”, with Date, Source (Path), Event and Behavior/Infection columns.
- Update – All update actions are listed here. These can be manual or automatic updates. The “View Details” button provides more information on each update action, such as the number and names of updated program elements and the size of the updates.
Individual log entries can be selected and then deleted via the “Delete” button. Clicking “Clear” deletes the entire log.
8. Settings
The settings area is used to configure all global options such as Updates, Notifications, Logs, Permissions and Licenses:
8.1 Update Settings
Select the components to be taken into account for online updates by selecting or deselecting the check box for each desired option.
- Install program help – Select this option if you need help with Mamutu or want to keep up to date. The help files require about 1 Mb of extra disk space.
- Install additional languages – Select this option if you wish to install and update additional language support. If this option is deselected then only the language package you are currently using will be updated.
- Install beta updates – Select this option only if you always want to use the latest, untested Beta versions of the program files. We recommend that only experienced users select this option, or when you are requested to do this for fault-finding purposes.
- Join the Anti-Malware Network – Select this option to send data on found objects as needed and to use the community-based alert reduction feature.
- Verify program modules versions – Select this option to check that all program components are up to date and authentic each time the program starts.
8.2 Notify Settings
Select the notifications you wish to receive: “News Boxes”, “Update Messages” and “Restart Alerts”. These are small information windows that appear from the corner of the Taskbar. The display duration of these windows can be set for all types of messages.
8.3 Logging
Define the maximum number of log messages for Updates, Quarantine and Malware-IDS messages. Use a value of 0 for unlimited logging (default value).
8.4 Permissions
If you use several Windows user accounts you can prevent individual users from changing the configuration of Mamutu. The default settings allow all users unrestricted access to all Mamutu functions. Open this dialog as an Administrator and select a non-administrator user that you wish to restrict. Then select the functions that this user is allowed to access. If your PC belongs to a domain, then select “Use domain users” to change the user list.
Permissions are an effective way of (e.g.) preventing children from using possibly dangerous programs. You can use an “Always block this application” application rule to prevent specific programs from running.
8.5 License
Here you can manage your license(s) or convert coupon codes into new licenses. The license list shows the license number, type, start date and end date of each license. For Mamutu to function, at least one license that has not expired must be selected in this list. The “Connection settings” hyperlink allows you to configure your Proxy settings.
9. Mamutu in Operation
An alert message from Mamutu looks like this:
The most important rule when dealing with Mamutu alert messages is: “Keep calm!”. You have plenty of time to make a decision because the reported program has been immediately interrupted and rendered inoperative as soon as the alert occurs. Look closely at the alert message and see where the reported program comes from (filename and path). This information is often enough to decide whether this is a suspicious or benign application. Did you start the program yourself or was it started in the background? Does the program come from a trustworthy source? What information can be obtained from the file properties (Details tab) of the reported file?
For false alerts relating to benign programs the community-based alert reduction can help in many cases. Programs used by many users are often evaluated. You can then see the decisions of other users in the form of a bar graph. If most other users have allowed the program to run then Mamutu will recommend that you do the same.
If you are still unsure after checking, then take no risks and move the file to quarantine. Then contact our support team via MyEmsisoft or the Support forum and give them all readable information, such as path, file properties, diagnosis, Mamutu version, Windows version and what you were doing when the alert appeared.
10. Other
Mamutu is a program specializing purely in behavior analysis. You will not find a feature for scanning files on the hard drive. The Emsisoft Anti-Malware product provides a combination of Malware recognition using behavioral analysis and Signature-based scans. This contains all the so-called Behavior Blocker features of Mamutu.
10.1 Edition Comparison
The following page provides a comparative list of the features of Mamutu, Emsisoft Anti-Malware, a-squared Free and Anti-Dialer:
http://www.mamutu.com/en/software/compare/
10.2 Ordering Information
Important! To fully test Mamutu before purchasing it, please download and install the free 30-day trial version. This provides the full range of features.
A subscription for Mamutu costs US $29.95 per year or US $39.95 for two years.
What do I receive when purchasing Mamutu?
- The full version of Mamutu, including the Background Guard with Malware-IDS and automatic updates, for one or two years.
- Access to all program updates and new versions for one or two years. New program versions do not need to be purchased!
- Access to personal support via MyEmsisoft or email.
Order at: http://www.mamutu.com/en/order/mamutu/
Enabling your license:
The license is added to your user account. To adopt the license on your PC, click “Refresh licenses” in the License dialog and select the full version. Then perform an online update. A functioning Internet connection is required for enabling licenses.
Have a nice (Malware-free) day!
Your Emsi Software Team