Insert Real Name
Everything posted by Insert Real Name

  1. O.K., thanks very much for the explanations. I had set the Behaviour Blocker to auto-resolve, since I could always click on the toaster alert to allow/deny the Behaviour Blocker's decision, but the full Behaviour Blocker alert gives more information and more choices. I've noticed that EAM classifies some programs using the Windows 7 standard file chooser dialogs (e.g. the latest version of DVDStyler) to be "Code Injectors". No doubt these programs may be doing that (perhaps the Windows API they use to handle file chooser dialogs is the origin), but an indication of their code injecting targets in the full alert dialog details section would be very welcome to help make a decision. Maybe there should be a general preference choice: "Display more details in alerts"?
  2. Is there any setting that adds the actual type of suspicious behaviour (e.g. "Code Inject" or "Direct Disk Access") in nice *black* *capitals* (not trendy grey, please!) to the toaster notification produced by the Behaviour Blocker? Often there are programs that legitimately use e.g. direct disk access to check licensing, etc., and knowing the exact type of behaviour detected will help in accepting it or blocking it immediately. Also, should those legitimate program executable behaviours be reported as a false positive, or does the false positive classification not apply to behaviour blocker detections that are resolved by a rule allowing the behaviour?
  3. Quite true! I only used the full HPhosts list because I did not want to do the necessary work to collate narrowly focused lists that just focus on tracking/advertising domains, in addition to the malware domains list already used and updated in EAM. As you say, there are a lot of dead or completely obscure malware domains on that list, and in any case, blocking tracking/advertising domains is not part of EAM's function and too easily disables legitimate websites. Now I'm (mis)using the 2 lists at https://github.com/notracking/hosts-blocklists They are meant to be used with the Unix DNSmasq program, so need to be edited with regular expressions to isolate the domain names, but the combined and sorted list is just over 100K domains, much more reasonable than the HPHosts list. I load the list with "Block and Notify" settings, so that I can easily unblock anything that breaks a website. These seem to be regularly updated and only deal with malware/tracking/advertising domains. I've not seen much site breakage, and the removal of advertising is effective. And the existing Surf Protection list processing and search functions work efficiently with an added list of ~100K domains. I also use an ad-blocking extension in my browser in order to control cross-site requests, but blocking these domains at the DNS level is doing something like 80% of the work the ad-blocker normally does. People may wonder, why go to all this trouble? It's because the big Internet companies (Google & Co.) are obsessed with building profiles of their users by tracking their activities across the Internet, and they make it very difficult to determine how much of this profiling is directly connected to your known identity and to what other commercial parties (e.g. analytics and data brokers) your data may be communicated, as well as the actual profile data that is distributed. If you value privacy, you might want to block such activity (and I'm an old dinosaur who uses the least social media possible anyway...).
  4. Does one need to disable PowerShell completely? And is this even desirable or possible on Windows versions greater than 7? On my Windows 7 machine, I started a PowerShell console w/administrative privileges and ran Set-ExecutionPolicy -Scope LocalMachine Restricted, which disables PowerShell script execution in any context. Individual PowerShell commands are still allowed, of course, so PowerShell-powered malware hasn't been entirely neutered, but this is a significant protection I think.
  5. Ask your developers to experiment if there's some way for the host rules to be processed into a highly efficient in-memory search data structure for the host matching functions of a2service.exe and, at the same time, be directly shared with the UI process and efficiently traversed to build the host list and search it.
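The two procedures described in posts 3 and 5 above (collating dnsmasq- and hosts-format blocklists into one de-duplicated domain list, and indexing a large list so host matching does not scale with list size) as one added example. This is not code from the forum posts or from Emsisoft; the two input formats are assumptions based on the post's description (a hosts-style file, "0.0.0.0 host", and a dnsmasq-style file, "address=/host/0.0.0.0"), the sample inputs are constructed, and whether a listed parent domain should also block its subdomains is a policy choice, so `match()` takes it as a flag and defaults to the exact-name semantics of a hosts file.

```python
"""Collate blocklists in two formats into one domain set, then index it
in a label-reversed trie so a hostname lookup costs a few dictionary
probes (one per DNS label) regardless of how many hosts are listed.

Added example, not code from the forum posts or from Emsisoft. Assumptions:
the two list formats are a hosts-style file ("0.0.0.0 host") and a
dnsmasq-style file ("address=/host/0.0.0.0"); the sample inputs below
are constructed.
"""
import re
from typing import Iterable, Optional, Set

# A hosts line: a sinkhole address, whitespace, then the host name.
_HOSTS_RE = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1|::1|::)\s+([A-Za-z0-9.-]+)")
# A dnsmasq address directive: address=/host/<sinkhole>
_DNSMASQ_RE = re.compile(r"^\s*address=/([A-Za-z0-9.-]+)/")
# Names found in stock hosts files that must never be imported as blocks.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet",
                "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample in hosts format (comments, mixed case, a duplicate).
HOSTS_SAMPLE = """\
# constructed sample, hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
0.0.0.0 ADS.Example.com
"""

# Constructed sample in dnsmasq format; the server= line is not a block.
DNSMASQ_SAMPLE = """\
# constructed sample, dnsmasq format
address=/metrics.example.org/0.0.0.0
address=/tracker.example.net/0.0.0.0
server=/example.com/127.0.0.1
"""


def _normalise(host: str) -> Optional[str]:
    """Lower-case, strip a trailing dot, drop local names and bare labels."""
    host = host.strip().lower().rstrip(".")
    if not host or "." not in host or host in _LOCAL_NAMES:
        return None
    return host


def _parse(text: str, pattern: "re.Pattern[str]") -> Set[str]:
    hosts: Set[str] = set()
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            host = _normalise(m.group(1))
            if host:
                hosts.add(host)
    return hosts


def parse_hosts(text: str) -> Set[str]:
    return _parse(text, _HOSTS_RE)


def parse_dnsmasq(text: str) -> Set[str]:
    return _parse(text, _DNSMASQ_RE)


def collate(*lists: Iterable[str]) -> list:
    """Union of all lists, de-duplicated and sorted for import or diffing."""
    return sorted(set().union(*lists))


class DomainTrie:
    """'ads.example.com' is stored as the path com -> example -> ads, so
    every listed host under one TLD shares that TLD node, and a lookup
    walks at most len(labels) dictionary steps."""

    END = "\0"  # key marking a node that terminates a listed host

    def __init__(self, hosts: Iterable[str] = ()):
        self._root: dict = {}
        for host in hosts:
            self.add(host)

    def add(self, host: str) -> None:
        node = self._root
        for label in reversed(host.lower().rstrip(".").split(".")):
            node = node.setdefault(label, {})
        node[self.END] = host

    def match(self, host: str, include_subdomains: bool = False) -> Optional[str]:
        """Return the listed name that blocks `host`, or None.

        Exact match by default; with include_subdomains=True a listed
        parent (example.com) also catches its children (ads.example.com).
        """
        node = self._root
        ancestor = None
        for label in reversed(host.lower().rstrip(".").split(".")):
            node = node.get(label)
            if node is None:
                break
            if self.END in node:
                ancestor = node[self.END]
        else:
            # Every label of the query was consumed: node is its own entry.
            if self.END in node:
                return node[self.END]
        return ancestor if include_subdomains else None


if __name__ == "__main__":
    blocked = collate(parse_hosts(HOSTS_SAMPLE), parse_dnsmasq(DNSMASQ_SAMPLE))
    trie = DomainTrie(blocked)
    print(len(blocked), "hosts:", blocked)
    for q in ("ADS.example.com.", "cdn.ads.example.com", "example.com"):
        print(q, "->", trie.match(q), "/", trie.match(q, include_subdomains=True))
```

The regexes deliberately anchor on a sinkhole address (or `address=/`) so that comment lines, `server=` directives and anything else in the file are ignored rather than turned into a rule, and `_normalise` drops the loopback names a stock hosts file carries. The trie is an illustration of the structure's shape, not a memory benchmark: lookup cost depends on the number of labels in the queried name, not on whether 100K or 850K hosts were imported, which is the property the post asks for.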
  6. Thank you. Maybe black text on an *off-white* background will look less bare than just black/white and keep a certain trendy appearance...
  7. Sorry for the delay in timing the appearance of the normal bar cursor in the search field of the Surf Protection panel when started from "Host rules" in EAM's taskbar menu. With the 850,000 hosts added by the files described above in the EAM hosts list (no way of finding out how many duplicated the built-in list), it takes roughly ~40 sec for the hour-glass cursor to disappear and the text bar cursor to start blinking normally; each character typed takes roughly ~5 sec to appear while the list of hosts below the search field is sorted to include just the characters typed. Subsequent use of the menu shortcut and the list-box sorting are much much faster (but this may be just in-memory caching and not any indication of efficiency). Anyway, I hope it can be made more efficient, I find the feature useful to completely remove all advertising nonsense from webpages in every browser on my system. (To say nothing about the malware or tracking protection.)
  8. I'm rather tired of programs with a UI that uses grey text on white/black background, or unsaturated colors generally. Black text on white/near-white background is so much easier to read, especially if the text size is small. Can EAM offer the choice of such a high(er) contrast UI? Shouldn't be that huge an amount of programming, surely...
  9. I use EAM Surf Protection's Host File Import feature to load the malware hosts list at http://hosts-file.net/?s=Download and the updates at http://hosts-file.net/hphosts-partial.asp These comprise roughly >800,000 host names, and EAM does actually load them without too great a delay. And if I choose randomly a few hosts in that huge list that are not already in the built-in list, EAM does intercept the DNS query and neutralize it. However, when I use the shortcut "Host rules" in EAM's taskbar menu, the EAM Hosts rules window is extremely slow in opening, and visible feedback in typing any text in the search field of that window is also extremely slow. Likewise changing the rule for any individual listed host is very slow--such a large list occasionally blocks hosts that are necessary for correct page display. I realize a list of 800,000 hosts was probably not in your specification for the Surf Protection feature, but it *is* very effective: on the rare occasion when I use the MS IE 11 browser on my Windows 7 SP1 x64 laptop (Sandy Bridge i7 processor, so relatively fast), the ad and tracker blocking is almost as good as when I use my regular browser with the uBlock Origin add-on, both in terms of speeding up web page display and eliminating distractions, a.k.a. advertisements. Can you change the internals of this feature so it uses a more efficient data structure to accommodate very large user-added host lists, with improved lookup and management response? Perhaps also to reduce the memory footprint of a2service.exe (~400MB physical memory private working set, ~500MB private bytes virtual memory)?
  10. Just a piece of personal opinion re. browser ad-blockers: if you are using Firefox, the combination of Ad-Block Plus and RequestPolicy extensions is pretty good. I don't like the distracting intrusive advertising/social-buttons most major websites use now (quite apart from their tracking behaviour), and Ad-Block Plus removes most of them (and the custom blocker dialog called by Ctrl-Shift-F3 can get rid of the rest). The down-side of Ad-Block Plus is that there are literally hundreds of ad-blocking rules, and determining which ones are "breaking" the current page (to create an exception in the rules) can be a bit of a mystery! The RequestPolicy extension gives you an easy oversight of exactly which 3rd party websites the current website is requesting content from, and you can then choose which of them to allow/deny on the current website. It has a default deny list of advertising/social 3rd party websites that you can customize, so there's very little tweaking you need to do when you begin using it. It partly overlaps the effect of Ad-Block but is still a useful complement.
  11. Fabian, I'm wondering if you could provide a short non-technical summary for those of us running OA (in standard mode) + EAM 9 on Windows 8.1 x64 (with all the OS standard protections, e.g. NX, enabled) of which EMET 5.0 mitigations are *actually* going to increase protection against threats that somehow get around OA+EAM and a cautious Internet user? I understand that some of the ROP protections EMET provides are already broken by the more advanced 32/64-bit executable threats, you probably know more about that...
  12. O.K., as an experiment I uninstalled Anti-Malware and installed the latest Internet Security. Some observations: I do all my installations while logged on my regular unprivileged account and assume (unless nothing works) that the installer will ask for elevation at the appropriate point(s) in the process. Once I rebooted my computer after the installation and logged on to my regular account, Internet Security had already created a couple of Application Rules, but the issue was the same as my original post: selected rules cannot be edited, nor is the "Add new rule" button activated. (And maybe there were anomalies on other application screens, I did not check everything.) I then exited my usual account and logged on to my administrative account, in order to check the Permissions screen for my regular account. Every permission was check-marked by default. I made no changes. Finally, I returned to my regular account and lo-and-behold: the Application Rules screen now actually worked correctly, i.e. "Edit rule" and "Remove rule" were active only if a rule was selected, and "Add new rule" was active by default. So it seems that at least one explicit log-on by an administrative user is required on my machine before the installation process fully concludes and the Internet Security defaults are entirely active. Maybe this whole thing is unique to my environment (but I haven't done any special tweaks to Windows 8.1, it's all pretty vanilla), however this kind of thing might frustrate a lot of potential users if it happened to them. UPDATE: Just read the thread http://support.emsisoft.com/topic/15637-grayed-out-buttons-on-windows-81-pro-x64/ and I think I might be not entirely alone on this issue. Maybe something extra is needed in the installation process, or perhaps additional per-user sanity checking when the application UI starts at log-on.
  13. No, this is a stand-alone PC. (Sorry for the delay in reply, but I was out of Internet communication.)
  14. I logged out of my usual account (limited user) and logged on an Administrative User (I always work in a limited regular user account) and on the Permissions page all privileges were already ticked for my limited user account. What I then did to attempt to solve the problem was to systematically toggle all of the permissions off/on for that user account. When I logged back into my usual account, all of the greyed-out buttons on the Application Rules and Surf Protection were working correctly when no line entry was selected and when one was selected. There was just one inconsistency: when no Surf Protection line was selected, the "Add new rule" button was still grey. So the problem could be solved by the toggle procedure, but it suggests something needs review in the UI<-->action code for those pages.
  15. Current fully licensed version of Anti-Malware 9.0, all stable updates as of 11AM EST today. Trial version of Online Armor, with a view to buying a license and then updating (free?) to the latest version of Internet Security (is that scenario possible?). Windows 8.1 Pro x64 (Hyper-V enabled), all MS Updates as of today. See attached screenshot: all action buttons are grayed out, even when one list entry is selected. So I can't add or delete files in the list, I can only edit their entries by double clicking on the file path line. What I expect: at all times the Add button should be enabled (even when a list entry is highlighted); the Edit and Remove button should be enabled when a line is highlighted. Keyboard accelerators should be similarly available: INS at all times for adding a file, and ENTER or DELETE to Edit or Remove a highlighted file entry.
  16. Thanks for the answer re. Microsoft EMET. EMET was something I was using with Microsoft's MSE before I switched to Anti-Malware (MSE's detection rates have really gone down in the last two years), so I just wanted to know how many protections they had in common, based on Microsoft's published documentation, and if they would tangle each other up... Maybe I'll try a test.
  17. I'd like Emsisoft tech support to also address the related question of the compatibility of running Microsoft's "Enhanced Mitigation Experience Toolkit 4.1" with Emsisoft's Anti-Malware. This Microsoft software allows the user to opt-in potentially exploitable software (e.g. that access the Internet) to an extended range of enhanced anti-malware protections (ASLR, DEP, heap spray, anti-detours, etc.) and it does this by injecting itself into the running programs and by monitoring and limiting the hooking of system APIs. I'd be really happy if the Emsisoft developers would take some time to look at this additional mitigation software and determine if there are any conflicts with using it concurrently with Emsisoft Anti-Malware. What protections are already implemented by Emsisoft and what protections will interfere with Anti-Malware's own functioning? I'm attaching the User Guide for the Microsoft EMET 5.0 Technical Preview
  18. Do EAM's Internet protections fully cover IPv6 traffic of Internet browsers and other Internet connected programs on the PC? I'm assuming that a packet filtering setup would capture it all, no matter what kind of Internet addressing is used--is this correct? I'm a former Online-Armor (OA) customer who stopped using it when my ISP upgraded to dual-stack IPv4/IPv6 Internet service (OA doesn't handle IPv6). As things stand now, I connect to many web sites via IPv6, some 100% (e.g. many Google domains). The IPv6 peering of my ISP doesn't seem any slower than their IPv4 peering. Now I'm thinking of getting better Internet protection on my Windows 7 SP1 x64 machine than my current combination of the Microsoft Security Essentials and Microsoft Enhanced Mitigation Experience Toolkit 4.1 (MSE and EMET41 for short). I will keep EMET41 for certain, as it does defend against various kinds of exploits, but anti-virus testing organizations like AV-Comparatives show that MSE is nowhere in general virus/phishing/etc threat detection/repair rates compared to Emsisoft, Bitdefender, or Kaspersky. I avoid "dangerous" websites/browsing behaviour as a matter of course, but, as always, it's the threats that you don't know about that eventually get you: e.g. cross website exploitations, various forms of in-browser key-stroke logging/spying, and so forth. And if you do online banking as I do, maybe we need to be more careful... In any case, I've always preferred security products that privilege live executable threat behaviours rather than just threat signatures, hence EAM.
  19. That's what I do, but the Google Boys are always changing their installers, so OA quite rightly wants your permission before they run. (In fact, Google installs a large number of updating software: in my case, with Google Earth and Google Talk installed, two Google Update services are running, as well as a couple of start-up and login items. It's like a California style beach party: you invite a few Google programs, and they bring all their friends with them.) My solution to this would be to be able to designate (in OA's "Advanced" mode) certain code-signing certificates as "Trusted", in the sense that each time an executable signed with that certificate runs, OA will silently verify that the certificate is current and not revoked and that the signature on the executable is valid. The "Trusted" certificates would be extracted from executables and stored by OA for future comparisons--or maybe just storing the serial number, thumbprint, and certification path would be enough.
  20. Emsisoft asked me earlier this week in reply to my bug report, to install the latest bug fix beta (, and the Banking Mode embedded learning browser now works correctly with MS IE9. Problem solved!
  21. Emsisoft acquired TallEmu's "Online Armor" product line, in which OA++ was the product that offered anti-virus protection, initially provided by the Kaspersky AV engine, and then--when Kaspersky discontinued that line of AV services--by the combined Emsisoft/Ikarus AV engine. Sorting out features in acquired products is always a bit difficult: long-time customers of the acquired products don't necessarily want to be forced to move to an improved united product line. My renewal of OA++ is coming up in a few months time, and certainly I'll be evaluating if the OA+EAM combo offers anything that I don't already have with combining cautious Internet use with OA++. I've been hoping that Emsisoft will move its Windows firewall architecture on Windows Vista/7 to use the built-in Windows filtering platform, since this gives the user both IPv4 and IPv6 filtering/proctection on a common platform that will continue on Windows 8. But such a step does introduce yet another dependency for Emsisoft on Microsoft's uncertain ability/willingness to disclose/fix bugs on this filtering platform.
  22. Thank you for looking into it! I've checked the learn function several times (and just a moment ago before making this note), and while in basic or advanced mode, the embedded "learn" browser does not add domain names to the trusted category in the domains list. Like most serious banks today, the bank domain I added to the protected category immediately redirects from http://www.bank.com to https://www.bank.com and fetches all page text, images and other media from HTTPS sources, no mixed secure/insecure pages. I'm referring Emsisoft Support to this forum thread in my bug report.
  23. Yes, this Banking Mode permitted sites learning process did work correctly on IE8 (which is the version installed by default on Windows 7), but no longer worked when I installed IE9. I'm not reverting to IE8, however: I find the combination of the Windows RSS platform (where RSS subscriptions are downloaded automatically by background threads) and IE9's new Tracking Protection Lists & per-site ActiveX permissions very useful as a simple and functional RSS reader, even if I do most web browsing in Firefox by default.
  24. Firefox is my default browser, and OA++ is my only security software installed. I am always using a "limited" regular Windows user account. The problem occurs while in "basic" or "advanced" mode, when I use the embedded IE9 browser in OA++'s learning process that monitors which websites should be added to the "Trusted" category when browsing a "protected" website, in preparation for a future use of "banking" mode on the protected website.
  25. Hello, Long-time user of OA++ (now at ver. on Windows 7 Ult. x64 SP1). Used to use Banking Mode with MS IE 7/8, which I configured using the usual procedure of using the "Learn" context menu point that invokes an embedded browser on the bank website listed as "protected" on the Domains page while still in Basic/Advanced mode. Trusted websites were automatically added. Using Learning with IE 9 (Release version) fails to add any websites to the Domains list, hence Banking Mode no longer can be configured (it still blocks net connections very thoroughly, though). Is this a known bug?