Posts posted by Pilis

  1. Still no bloat I would say. The extension is not 100% needed but "only" recommended for EAM users since it adds to the phishing protection. The existing surf protection based on DNS requests will still be available. (And of course it is still needed to block network requests by malware.) The extension is also only ~90 KB.

    What would be bloat imho and much more invasive is adding some sort of MITM, deep packet inspection, intercepting SSL-certificates in the browser and stuff.

  2. Just for completeness, not really an issue: There are two other processes which show up as N/A just like the "Memory Compression" process.

    1. Registry: Has been introduced with Windows 10 Build 17063 in December last year. So if you have updated to the latest Windows 10 version 1803 (RS4) it will show up in the Task Manager.
      It basically just holds the memory of the registry hives: https://blogs.windows.com/windowsexperience/2017/12/19/announcing-windows-10-insider-preview-build-17063-pc/ (somewhere at the bottom, search for "Registry Process")
    2. Secure System: This process only shows up if you enable the Hyper-V feature. It holds the Hyper-V container (VSM).
      Check here for more info: https://df-stream.com/2017/08/memory-acquisition-and-virtual-secure/ & https://deploymentresearch.com/Research/Post/490/Enabling-Virtual-Secure-Mode-VSM-in-Windows-10-Enterprise-Build-10130

    EDIT: Whoops, sorry. Looks like this has been reported already: https://support.emsisoft.com/topic/29477-build-8631-na-entries-in-bb-list/

  3. This is the process which shows the amount of memory which has been compressed through the memory compression feature introduced in Windows 10.
    Originally this compressed memory (stored in "compression stores") was located in the "System" process's working set. With Win 10 1607 (Anniversary Update) this compressed memory has been split off into a separate process called "Memory Compression" to address the general confusion about why the "System" process had become so "memory-greedy" compared to Win 8.1.

    This process is hidden in the default Task Manager. But you can for example show it with an elevated PowerShell (Get-Process -Name "Memory Compression") or using Process Explorer:

    [Screenshot: CompressedMemory.PNG]

    I'm still on 1607 and for me EAM also hides this process in the Behavior Blocker window.
    Since you are already on 1703 (Creators Update) it looks like there may have been some changes to this process and the exception Emsisoft created doesn't work anymore. Since there is no real executable for this process I guess there's no easy way to actually create hashes of it. Which most probably is the reason why the reputation keeps staying on "Verifying...". Cloud lookups won't work if they don't know the hash of the process.

    Maybe Microsoft has only changed the name? (from "Memory Compression" to "MemCompression" like your screenshots say)
    Can you show us the output of "Get-Process -Name 'Memory Compression'"? (or "Get-Process -Name 'MemCompression'" respectively)

    It has always been called "MemCompression". Only third-party tools like Process Explorer or Process Hacker have named it "Memory Compression". (Source)
    So that's not the issue. Still Emsisoft simply needs to hide it again.
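The following PowerShell is an added example, not code from the posts above or from Emsisoft. It checks the two points made in posts 2 and 3: which processes have no executable image on disk (System, MemCompression, Registry, Secure System), and why a hash-based reputation lookup can never resolve for them. The function names are this example's own. Run it from an elevated PowerShell: without elevation, Win32_Process.ExecutablePath is also empty for processes you are not allowed to open, which would make ordinary protected processes look imageless too.

```powershell
# Added example, not part of the original forum posts. Run elevated (see lead-in).

# Lists processes that have no executable image on disk. On Windows 10 these are typically
# System (PID 4), MemCompression, Registry and, with VBS/Hyper-V enabled, Secure System.
function Get-ImagelessProcess {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { [string]::IsNullOrEmpty($_.ExecutablePath) } |
        Select-Object ProcessId, Name,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSetSize / 1MB, 1) } }
}

# Checks the naming point from the posts: the kernel calls the process "MemCompression";
# "Memory Compression" is only a display alias used by Process Explorer / Process Hacker.
function Test-MemCompressionName {
    $real  = Get-Process -Name 'MemCompression'     -ErrorAction SilentlyContinue
    $alias = Get-Process -Name 'Memory Compression' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FoundAsMemCompression    = [bool]$real
        FoundAsMemoryCompression = [bool]$alias     # expected: False, the alias is not a real name
        # The working set of MemCompression is the size of the compressed stores.
        CompressedStoreMB        = if ($real) { [math]::Round($real.WorkingSet64 / 1MB, 1) } else { $null }
    }
}

# Shows why a reputation lookup stays on "Verifying..." for such a process:
# Get-FileHash needs a file, and an imageless process has none to hash.
function Get-ProcessImageHash {
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { throw "No process with PID $ProcessId" }
    if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
        return [pscustomobject]@{
            Name = $p.Name; Path = $null; SHA256 = $null
            Note = 'no executable image on disk; nothing to hash'
        }
    }
    $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $p.ExecutablePath
    [pscustomobject]@{ Name = $p.Name; Path = $p.ExecutablePath; SHA256 = $hash.Hash; Note = $null }
}

Get-ImagelessProcess | Format-Table -AutoSize
Test-MemCompressionName
Get-ProcessImageHash -ProcessId 4      # System: imageless, SHA256 is $null
Get-ProcessImageHash -ProcessId $PID   # this PowerShell host: a real file, hashed
```

Win32_Process is used instead of Get-Process's Path property because it returns an empty ExecutablePath rather than throwing for processes whose main module cannot be read, so the imageless check does not need per-process error handling.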


  4. My versions are on the left. I do not experience this issue atm.
    But I also have not yet restarted my computer to enable the new components from the latest EAM update 11.0.0.6131. So I guess this incompatibility was introduced with that new version.

    EDIT:

    Aaaaaand there we go: http://www.wilderssecurity.com/threads/hitmanpro-alert-support-and-discussion-thread.324841/page-345#post-2561371


    Changelog

    • Fixed incompatibility with Emsisoft Internet Security 11.0.0.6131


    As always, awesome fast support by the Surfright guys (and Emsisoft of course!).

  5. all I saw was "This Suggestion" Underlined I had no way of knowing what it was

    You could just hover your mouse cursor over the link and (depending on your web browser) you should see the URL appearing in the lower/upper left corner. If you're using touch you could touch and hold to see the URL.

    File Version 10.0.0.5735

    This version is outdated. Download it again from "https://www.emsisoft.com/en/software/antimalware/".

    The latest version is 11.0.0.5984.

  6. Seriously? It's just linking to another thread on this forum.


    Ok then, here's the suggestion: 

    Hello,


    Please open our software and go to Settings, subsection Privacy. Disable the option "Use SSL encryption for all server communication". Are you now able to get online updates in our software?

  7. Isn't that what this Temp directory (%USERPROFILE%\AppData\Local\Temp or %TEMP%) is for? A place where third-party programs can store their temporary files. Many, many other programs temporarily store some files in there. There are all sorts of log files getting created during installation or while updating software.

    I'm not sure what's the reason to "manage" those files other than regularly deleting the content of that folder (or letting Windows do that job for you).


    Edit: You were faster, JeremyNicoll.

  8. @Lode: It's not that difficult actually:

    • Download the Windows Software Development Kit (SDK) (only if you're using Windows 8.1)
    • You need the Windows Performance Tools (WPT) which is part of the SDK, so during the installation only pick this one. (The installation should look mostly like this.)
    • Make sure to reboot afterwards and then use this guide to create a boot trace. Yes, that's a huge post but actually you only need the first few paragraphs: You simply open an elevated command prompt and enter the first command mentioned on that post. This will shutdown and reboot your system. You have to wait for the countdown to finish.
    • Inside the "C:\TEMP" folder you should now find an "etl"-file which you can share with Fabian so he can analyse it.
  9. I have to agree that the update today (getting updated from the last stable to the one released today, 10.0.0.5631) didn't go as smoothly as before:

    1. EAM (not EIS as in your reports) updated after I turned the PC on and I saw the message on the lower right.
    2. Then I noticed the shield stayed orange so I opened EAM and saw "Surf Protection" and "Behaviour Blocking" being disabled. I tried to re-enable both but that didn't work (the application didn't freeze and was still usable, it simply didn't do anything after clicking).
    3. So I thought "Ok, usually EAM needs a reboot if some dll/exe get updated, so let's just try that." But after I clicked on rebooting (through the start menu) nothing happened.
    4. "Guess something, maybe EAM, is using up most CPU resources, let's check task manager." Tried that but the task manager didn't want to come up. Which sort of indicates something's ****** up and blocking up some queue in the system.
    5. So I went on and hard reset the system.
    6. The next reboot took way longer than usual (about 3min, before it was much faster).
    7. Next strange thing: HitmanPro.Alert didn't show up anymore in the systray. Usually it was one of the first icons to appear, with EAM usually only appearing about 10s after the taskbar appears. HitmanPro.Alert was still loaded (two processes running and the service started), I also could open the GUI by manually executing "hmpalert.exe" from its installation directory. The last update of HitmanPro.Alert was on July 7th btw.
    8. "So how about another reboot?" Same situation: Slower boot time and the icon of HitmanPro.Alert still won't show up.
    9. So I shut down (not reboot) the computer after reading this thread to measure the time it takes to boot. Suddenly the HitmanPro.Alert icon does show up again and the boot time is around 45s (~28s till I see the desktop, including entering the password) with all icons loaded and no more spinning circle-cursor.

    I can't actually say if the boot time atm is still slower than before the 10.0.0.5631 update since I didn't measure the time then.


    I don't want to pinpoint this issue to HitmanPro.Alert but maybe some changes in the EAM update did introduce incompatibilities with it.

  10. hardik587, can you please provide us with instructions on how to see the false-positives on a freshly installed Windows 7 or 8 so everyone can verify it for themselves?

    By instructions I mean something like this:

    1. install Windows 7 or 8 with default settings
    2. update Windows through Windows Update
    3. restart
    4. install and update EAM/EIS
    5. restart
    6. start a Malware Scan
    7. get false-positives

    To quote yourself:

    without proof anyone can talk in air which will be meaningless.


  11. If you have a mechanical disk for example, decreasing the number may be beneficial as it reduces disk seeking caused by parallel disk access. SSDs on the other hand thrive on parallel workloads, so increasing the thread count, even to a value way beyond your CPU core count, can lead to major improvements.

    Have you considered detecting the system disk type and configuring the thread value depending on whether it's a hard disk drive or an SSD?

    For example:

    • fast SSD --> number of threads = number of cores + 3
    • slow HDD --> number of threads = number of cores - 1

    Of course only if the improvements are worth it and consistent.

    And maybe only for "Quick Scan" and "Malware Scan" which afaik mostly only scan the system partition (at least if you don't move %ProgramFiles%, %AppData%, etc. to other disks).
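As an added example (not Emsisoft's code, and not from the post above), here is how the proposed heuristic could be implemented in PowerShell: find the physical disk behind the system partition, read its media type, and derive the thread count from it. The "+3" and "-1" offsets are the post's own proposal, not measured values, and "cores" is taken here to mean logical processors; both are assumptions. Requires the Storage module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the original forum post or of Emsisoft's product.

# Returns the media type ('SSD', 'HDD', 'SCM' or 'Unspecified') of the disk that holds
# the system partition. 'Unspecified' is common for virtual disks and behind some RAID
# controllers, so the caller must treat it as "unknown" rather than as a slow disk.
function Get-SystemDiskMediaType {
    $letter    = $env:SystemDrive.TrimEnd(':')
    $partition = Get-Partition -DriveLetter $letter -ErrorAction Stop
    # MSFT_PhysicalDisk.DeviceId is the disk number as a string; -eq coerces the int to match.
    $physical  = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq $partition.DiskNumber }
    if (-not $physical) { return 'Unspecified' }
    [string]$physical.MediaType
}

# Derives the scan thread count from the media type, following the post's suggestion:
# fast SSD -> cores + 3, slow HDD -> cores - 1, unknown -> cores (don't guess).
function Get-SuggestedScanThreads {
    param(
        [string]$MediaType         = (Get-SystemDiskMediaType),
        [int]   $LogicalProcessors = [Environment]::ProcessorCount   # assumption: "cores" = logical CPUs
    )
    switch ($MediaType) {
        'SSD'   { $threads = $LogicalProcessors + 3 }   # flash handles parallel I/O well
        'SCM'   { $threads = $LogicalProcessors + 3 }   # storage-class memory: treat like SSD
        'HDD'   { $threads = $LogicalProcessors - 1 }   # spinning media: avoid seek thrashing
        default { $threads = $LogicalProcessors }       # unknown media: fall back to the core count
    }
    [pscustomobject]@{
        MediaType         = $MediaType
        LogicalProcessors = $LogicalProcessors
        ScanThreads       = [math]::Max(1, $threads)    # never drop below one worker
    }
}

Get-SuggestedScanThreads
# Dry runs for other hardware, without touching the local disk:
Get-SuggestedScanThreads -MediaType 'HDD' -LogicalProcessors 2
Get-SuggestedScanThreads -MediaType 'Unspecified' -LogicalProcessors 8
```

The fallback for 'Unspecified' matters: on a VM or a RAID volume the media type is often unknown, and silently treating it as an HDD would slow scans on what is frequently SSD-backed storage.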

  12. I knew that I needed an anti malware to go with my anti virus, I did my research and found out Emsisoft is more than likely the one for me.

    Actually EAM is an "antivirus"-program as well. Quoting from the FAQ:

    Can it replace my current antivirus software?

    Yes. Emsisoft Anti-Malware is a complete antivirus solution that provides protection against all manner of threats that are lurking on the internet. Two full virus scanning engines are used to ensure optimal detection and cleaning, while the three-layered real-time protection prevents new infections from entering your PC.

    Why is it called "Anti-Malware" and not "Antivirus"?

    Our analysis lab has determined that classic viruses only make up less than 0.5% of total threats (in 2012). Referring to our product as an "Antivirus" would therefore be wrong by definition. We're perfectionists so we have elected to use the broader term "Malware" when naming our product. "Malware" includes all types of threats, such as viruses (0.5%), rogue security software (0.5%), rootkits (1.0%), adware (2.7%), possible malicious applications (4.1%), worms (4.6%), financial malware & password stealers (5.3%), online gaming password stealers (6.9%), backdoors (13.3%) and trojans (61.3%). Please note that not all "Anti-Malware" products on the market include the same functionality and protection level.

     (Also this blogpost can help you in your decision.)

    Of course you can use EAM (but not EIS!) alongside another security suite; the question is whether it's really necessary. I think it should be enough to either use KIS or EAM (or EIS if you really need a personal firewall) but that's for you to decide.

    As for performance issues: There are no known issues in combination with KIS (afaik) but I would just give it a try. Every system is different and imo it's always better to gain your own experiences.

    Also it's recommended to use mutual exclusions so that both programs ignore each other's processes. (Here's a tutorial on how to. It's from an older version of EAM but should be mostly the same.)

  13. Looks like I've missed the related Wilders thread.

    Everything important has been said, I imagine Surfright will sit this one out like Malwarebytes did with their controversial test. At least they have a good chart to show to their customers. Customers who won't understand that the results only show the exploit-blocking ability of a product and not its protection level as a whole. Anyway...

  14. I have to agree with Fabian. I don't really see the point in including EIS (or EAM) in this test if you say the product failed "whenever the malware was able to start or load (either from disk or in-memory)". So it's kind of obvious that EIS is only able to block the malware using blacklisting approaches (blocking hosts using the surf protection or with signatures using the real-time file guard), because the behaviour blocker only jumps in AFTER the malware has started, trying to block its suspicious behaviour.


    Actually I have thought they were also counting those alerts from the behaviour blocker because otherwise the text is contradictory. In the introduction it says:

    Antivirus systems and Internet Security Suites have had a long journey from traditional signature-based protection to that which is implemented in a modern protection system. Advanced heuristics, sandboxing, intrusion prevention systems, URL filtering, cloud-based reputation systems, Javascript analysers, memory corruption protection, etc. are now used to combat modern malware threats. In order to test an endpoint protection system, one has to test all modules of the protection employed by that system. Also, the test has to be done in a way which emulates standard user behaviour accurately. Today, the vast majority of threats are delivered via the web and this is the reason why our test focuses exclusively on web-based exploits.


    I've highlighted the important parts:

    • Sandboxing only makes sense if you let malware run and then try to analyse its behaviour.
    • If one has to test all protection modules why don't they count the alerts from the behaviour blocker?
    • Also: Standard user behaviour would be to have all modules enabled and actually react to alerts which come up on your screen. And not ignore them since you have "monitored new processes" and therefore the malware is already running. (They have stated that "The endpoint systems were installed with the default configuration." so the behaviour blocker was enabled and I guess they simply ignored all alerts from EIS after malware execution.)

    They also say:

    When user interaction was needed from the endpoint protection (e.g. site is not recommended to visit, etc.), the block/deny action was chosen.


    Does this explicitly exclude alerts from the behaviour blocker asking the user for a decision?


    I'm not really sure about it. Have they really ignored behaviour blocker alerts? Do you know this by fact, Fabian?

    I hope so actually, otherwise I would be a bit disappointed by EIS's results failing so often, which kind of contradicts other in-the-wild tests.


    Edit: Thinking about it again: actually most of the system hardening functions (excluding the BadUSB blocker) under the "risk reduction" section of HitmanPro.Alert only make sense AFTER malware has started. So I don't see why they're not including such protections in that test. And if they really only wanted to test exploit-blocking capabilities: Why include EIS??
