Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by JeremyNicoll

  1. Well then, maybe next time someone should remember to post (that it's being looked at) in the EAM forum. Otherwise customers think nobody knows or - worse - nobody cares. The thread there ran for two days before anyone from Emsisoft commented.
  2. Do Emsisoft have no automated monitoring of the update servers?
  3. You've not yet adequately answered my questions. I have however noticed that EAM hasn't nagged me recently; does that mean that someone's tweaked the code to stop the nagging, or is it just coincidence (since the nags seemed to be at irregular intervals)? If the nagging is going to continue, then please explain once and for all WHY this authentication is needed for a user who is not using the website-based console. Please also address all the other points I've raised here, namely: - the possibility (if there's not multiple instances) that your backend server is a single point of failure - the possibility (if someone manages to hack into those server(s)) of the security of customers' systems being at risk. I'm sure you won't have forgotten that an Emsisoft server was breached in Jan-Feb 2021. I know that was reported as a fairly minor data leak, but that doesn't mean that other kinds of breach are impossible. I wonder how much thought Emsisoft have given to how they'd mitigate effects (on customers' systems) if such a breach were to occur. And, do you run disaster-recovery tests on your infrastructure? If eg a data-centre which houses your servers burns down (as did OVHcloud, Strasbourg, France, in March 2021) how long will your customers be affected for? - the point about the website console, if one chooses to change to "Local Only" resetting my (private) PC's EAM configuration to default - two problems there: why would it reset anything, and secondly how/why (if my PC is not authenticated to the workspace) does it have the right to perform a reset? - the tooltip text for the "Local Only" option I do not think I have muddied the waters with conjecture. But note that "conjecture" means speculation based on inadequate information. The very fact that I've been asking the initial question here (about the nagging) over and over again without a proper answer being given has not helped. Questions about single points of failure etc might have been less relevant before when your customers' systems were less tightly integrated with your servers; I mean all of us could cope with occasional absences of signature updates. But centralised control of our copies of EAM by your servers considerably heightens risk for customers. I would like you to understand that I ask about these things based on my professional experiences in a UK bank's datacentre.
  4. Google translate says that text means: "you can't extend full path view in main window, you don't know what the file is, especially if the path is long or medium! (After Scan = Last Result) This error is in the latest versions" Is it possible to highlight the path and copy it elsewhere?
  5. You don't say which version of EEK you were using. I've never used it so don't know if that's a known problem or not, but unfortunately Emsisoft's current version of EEK is for "Windows 10 (64 bit), Server 2016, and higher". They probably won't support a Win 7 problem and even if the same issue happens on W10/W11 a fix might not work for you. Maybe another user will know more.
  6. I'm just a user, not an Emsisoft employee, and I have never used the Business version of EAM so if it's significantly different then what I write may be irrelevant. It's not entirely clear from what you write whether the "one bit of software running on a single computer" is only installed on one computer, or is installed on more but only causing a problem in one instance. Is the software concerned something that only you (or your business clients) have, or can anyone install it? Does it do anything security-related? Does the machine with this problem have any other security software installed? What Scan Level do you have File Guard set to (Default, Thorough or Paranoid)? When the program is blocked, does it start and then fail to do something, or does it not start at all? Is it, for example, unpacking other programs or resource files and those are the things that are causing the detection, but - say - they're not placed in any of the folders you're excluding? Edited later: Files placed in TEMP quite often cause this sort of problem, and if they have random names that can make excluding just the right ones tricky too (since one is unlikely to be willing to risk excluding the whole of TEMP). I realise that excluding the whole of C:\ probably suggests that unpacking to somewhere isn't the issue ... unless the machine concerned has other disks? Or, is there any possibility that the software concerned implements a RAM disk or some kind of virtual file system for its own use? On that sort of topic, is the software running in a VM? Have you asked whoever supplied this program whether there's any known problems making it work with anti-malware software (from any/other vendors)? Is EAM giving you a specific reason for the block, eg that it thinks the program (or eg some process it attempts to start) has a specific problem? Do any files get quarantined when the block occurs? I suppose it's possible that whatever it is detecting might be a false positive, and if the detection signatures get updated the problem will go away.
  7. And another thing... There's tooltip text on the three options: "Local Only", "Local & Remote", "Remote Only". The text for "Local Only" says two things; the first (which makes sense) says: "Protection settings are managed on the local device only." but the second means nothing to me. Maybe it's not worded very well? It says: "Data exchange between the device and Emsisoft Management Console are limited by protection status only." Should that say "... are limited TO protection status only." ?? Right now I can see (on the website's main pane - the one where my PC is shown as "NOT MANAGED") when my copy of EAM was last updated and the number of items in quarantine... but I don't quite understand why even that much information is apparently able to be shown by the website when my PC has not been /authenticated/.
  8. Thank-you for the suggestion. I logged-in to My.Emsisoft for another look. On the initial display, in the pane named "Managed devices" my PC is shown as "Not Managed", which seems pretty clear to me. Not obvious at all, there's also a three-way choice under Settings: "Local Only", "Local & Remote", "Remote Only" , of which it appears that the middle option "Local & Remote" is set. I was about to change this to "Local Only"... but I get a warning that "Changing the security management immediately affects all devices in your workspace. By switching to local management, protection on all your devices will be disconnected from protection policies and reset to factory defaults." I certainly don't want all the configuration setting on my PC's copy of EAM to be reset to defaults. I want them left alone. Then again, perhaps the warning doesn't mean that they'll be reset - after all, how would that reset command get sent to my PC in the first place if it's never been authenticated to this wretched central-server? And what does that "disconnected from protection policies" text actually mean? Whose "protection policies"? Does that mean (for anyone who has been using the central server control) the current settings managed centrally? What about people not yet using that facility?
  9. You're not getting the point. I don't much want to change to another product as I've been happy for years with EAM's core function. Controlling EAM from my own PC, right in front of me, works fine. I have no need to use the PC I am sitting at to login to a website to have an Emsisoft server then communicate my wishes to EAM on that same PC. It just adds needless complexity. I'm also not wildly happy about the idea that any external entity can affect the way I configure security software on my PC. How can Emsisoft /guarantee/ that no hacker ever gets access to those servers? I absolutely 'get' that someone responsible for security on tens, hundreds or thousands of corporate PCs might love such a facility so they could configure everyone's instance of EAM in a consistent way, see infections on affected machines etc from a single point ... but /I/ don't need it, and I can't see why any typical home user would need it either. I /think/ that the authentication is all about enabling the link between my logon at the website, the central servers (I sincerely hope there's not just one - a possible single point of failure in all of this), and my PC ... and I do not want such a link to be enabled. But - for users like me who have no interest in controlling their copies of EAM this way - I don't understand why we can't just opt-out and not keep getting nagged about it.
  10. The point is, though, that my fully-licenced copy of EAM is still getting updates (as I would hope it would), and is working (as far as I can tell) perfectly. No-one will tell me what extra facility /that I need/ will suddenly start working if I do the authentication. I have zero interest in managing my PC's use of EAM from a web interface.
  11. @David Biggar- so what? What does my instance of EAM fail to do, that /I/ need it to do, that requires that communication to be working properly? I keep asking this and no-one explains.
  12. Ah, sorry, I've never seen any of the partner aspect of this. I'm just a sole user.
  13. You can (as I do), for the moment, turn off the auto-subscription mode, in which case you'll see the licence code and #days until it expires, in the GUI. But the turning-off has to be done by logging-in to My.Emsisoft and finding your way to a Licences pane. If you have many users to do that for, maybe [email protected] could do it for the whole lot for you. Unfortunately every time you renew a licence you have to do this all over again.
  14. @David Biggar said "If you have the problem of Emsisoft Anti-Malware asking you to re-authenticate..." EAM seems to work perfectly despite these re-authentication prompts occurring. WHY does EAM keep asking me to do it?
  15. I get them too - typically two or three times in one day, then none at all for a few days, then another set. If (like me) you have no interest in using the My.Emsisoft website way of managing multiple devices, I think you can (as I do) just dismiss these popups. It doesn't make sense to me that I should have to "authenticate" anything, bearing in mind that I have an active licence and am receiving updates alright.
  16. Upload a copy of fwchksd.exe to Virustotal - https://www.virustotal.com/gui/ - and find out what other vendors make of it, for a start. Google suggests it is part of Lenovo's firmware update utility; maybe you should ask about that on the Lenovo forums?
  17. I expect Emsisoft support will need to investigate, but meantime perhaps you can look at the cpu use of the a2- tasks, that is a2start, a2service, a2guard in Task Manager (use the Details tab and make sure the CPU column is visible - if not, right-click on the column titles and choose Select Columns), or Process Explorer or Process Hacker if you have either of the latter installed. Ideally have the TM/PE/PH display open and the cpu column visible before you try to start a scan. Here, a2start and a2service both fleetingly get busy when I start a context menu scan. In your case I wonder if eg a2start doesn't respond at all for a few seconds, or if it gets very busy for a few seconds before a2service (which actually does the scan) does. You mentioned Self Protection earlier; if you turned it off, I hope you've turned it back on. Do you have any other security software installed? You said you've had the problem for quite some time - is that days, weeks, months? Did anything significant happen on your system when you first saw this problem?
  18. More recently than the thread you linked to, I had a somewhat similar problem (under Win 8.1) where the scan got done by EAM but then there was a few seconds of no response between me dismissing the scan results page and returning to explorer. I eventually realised that I was dismissing the results page by clicking the "X" in its top-righthand-corner, and tried changing my habits to click on the "Close" button (under the results), then "X" on the screen that's displayed after that. That "solved" it. Right now, with the current version, it seems to make no difference which one I click. So, when exactly do you get your hang? Is it before the scan starts, or after? Is it before or during or after you've dismissed the result display?
  19. Who knows? Have you followed the advice given (at the "Emsiclean" section) here: https://help.emsisoft.com/en/1787/how-do-i-completely-uninstall-an-emsisoft-product/
  20. I've no idea from an EAM point of view, but it's possible to turn on auditing (in eventlogs) of process creation (and termination), and once you have process creation being logged you can turn on logging of the command lines used to start processes. Process creation logging might be enough (as it'll show who's issuing the command, I think). For auditing process creation etc the 'proper' way to do it is via gpedit, but you can also do it from an elevated cmd prompt using the "auditpol" command, as follows (as used by me on W8.1 but I exepct it'll work for W10 too): Auditpol.exe /set /subcategory:"process creation" /success:enable Auditpol.exe /set /subcategory:"process creation" /failure:enable - under Win 8.1, these commands turned on eventlogging of successful & failed process creates Auditpol.exe /set /subcategory:"process termination" /success:enable Auditpol.exe /set /subcategory:"process termination" /failure:enable - under Win 8.1, these commands turned on eventlogging of successful & failed process terminations. Before and after issuing those you can see what's turned on/off by: auditpol /get /category:* I'd advise you to read the help shown from (first): auditpol /? and then auditpol /list /? and auditpol /get /? and auditpol /set /? etc first. The eventlog records are placed in the Security log and you can expect there to be lots of them. I don't know if you have to reboot to get the change to take effect. For commandline logging (which is a security risk because some commands contain passwords, and might not be suitable for a corporate environment), from my notes a few years back: [Using the (excellent) tool at: http://gpsearch.azurewebsites.net/#10674 I was able to find info on how the command-line flagging ie enabled. It says System Auditing Include command line in process creation events HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit Value: ProcessCreationIncludeCmdLine_Enabled Googling told me that that value needs to be a DWORD set to 1.] I don't know if that helps.
  21. Also, the reason you're being asked several times per day is probably because you have "Settings - Advanced - Quarantine re-scan after updates" turned on. That is, every time EAM gets new signatures it rechecks if quarantined items have changed status. I don't know why you're not able to say "no" to the re-scan question, but turning off the re-scan might help.
  22. For help having this analysed/fixed you'd be better to post in sub-forum: https://support.emsisoft.com/forum/6-help-my-pc-is-infected/ Be sure to collect the information, described in one of the 'pinned' posts (at the top of that sub-forum) that the analyst will need to see. This sub-forum is normally used for more general discussions.
  23. Deleting the a2settings.ini file though will presumably revert other things to default too. If @fly60chooses this method they should note their settings first so they can reinstate them afterwards.
  24. @fly60 you said: "Now I have never sat this password up and I do not know what the password is." It's an optional feature that can be defined within the EAM GUI, when you are logged-on to Windows as an Admin user. It's not something that makes much sense to define if you are the only person who uses your machine, but if - say - it is shared between family members, and whoever set-up EAM wants settings not to be altered by other peope, then it does make sense. Are you the person who set-up EAM? If all set-up was done by you, do you keep notes on what options you choose and why you do that? It strikes me that as you say you don't know what this password is, that it's not impossible that - while using EAM when logged-in as an Admin - you might have defined a password thinking EAM was asking for something else, eg the Admin id's login password? Possibly, if you kept notes, you'd know you'd done it. To turn the password off you'd have to login as an Admin id, then go to Settings - Permissions, then explore the options. I've never defined a password so don't know how you turn one off. It's possible that that can't be done without specifying the value, which maybe/probably you don't know. But if you thought EAM was asking for - say - the Admin user's login password, it might be that. ALTERNATIVELY the password prompt you are seeing might be being shown by mistake? My notes tell me that EAM always starts off offering restricted access to non-Admin users and full access to Admin ones. In this situation parts of the GUI seen by non-Admin users are greyed-out. Is it possible that you experienced that then read that Permissions (and a password) were required to grant full access to a non-Admin user? If so, that's not the case. It IS possible for a non-Admin user to have full access, without one also needing to define a password. One logs in as Admin, goes to Settings - Permissions, then changes the level of access a specific user is entitled to from Basic to Full. It is not necessary also to define a password. Even so, turning off a password if you don't know what its value is, might be impossible.
  • Create New...