JeremyNicoll

Member
  • Content Count: 1711
  • Days Won: 26

Posts posted by JeremyNicoll


  1. What I see when I watch the video carefully is:   First you run "Pubg_Lite Cheat.exe".   That gets an alert (presumably from File Guard) which says

       gets alert Trojan   C:\hostwin\runtimereview.exe

    and it says that that was detected and quarantined. 


    It's not clear to me how that relates to what happens next, which is that the BB says "suspicious behaviour" in

        C:\hostwin\d8Ct...........bat      & Verifying with AMN

    Then there's a pane that says


        "Suspicious behaviour detected and stopped"
        C:\hostwin\d8Ct...........bat

        Program will be quarantined in 9s

                     OK              Wait, I think it is safe


    For some reason you expect to see a pane telling you what the result of the AMN lookup was? 

    But in Advanced Settings you have:

       YES   Look up reputation
       NO    Automatically allow programs with good reputation
       YES   Automatically quarantine programs with bad reputation

    (You need the   "   YES   Look up reputation"  set for the lookup to happen, ... and we know it did happen because you got "Verifying with AMN" earlier.)

    The AMN clearly thinks the file is bad, so

         YES   Automatically quarantine programs with bad  reputation

    applies.  So you get the pane telling you ("Program will be quarantined in 9s") that the file is about to be quarantined.


    What did you expect that is different?



  2. > i'm sure my Internet connection is not faster than yours considering you were able to see the result of the action

    The speed of Arthur's internet connection is not relevant.

    He (and I, and anyone else) can see the sequence of notifications /in the video/ by stopping it at the 46-second point then clicking to move the "current point" back and forth on the video timeline.  In real time (as it happened for you) it's probably impossible to see that sequence but the video frame-by-frame sequence makes it possible.

    @GT500 - it would be sensible if the notification display logic were changed.  Although a user can choose where on the screen a notification will be displayed, that preference should only apply if there is no other notification already displayed.  If multiple ones are needed they should not completely overlay previous ones. 

    • Like 1

  3. @GT500 said a while back (mid-May) that they could reproduce the problem.  It's interesting that the new release apparently contains some code intended to try to collect data about what's going on... but if it does, how is that info meant to get back to the developers?  Is EAM "phoning home"?  Are there enough developers all running that code that they can see whatever it collects themselves?


  4. @bjm_  - No, it's not "cloud-based".  Signatures are held on the local pc but are normally updated frequently, typically every hour.

    When something that might be malware is analysed, there's an optional check made of knowledge on an online server (the Antimalware Network).  Users can choose if that will be done and whether or not they want the server's opinion to be displayed or immediately acted on.

    There's also an optional browser extension that uses an online server to judge whether specific pages of certain websites are dangerous.



  5. When beta 10204 was made available Frank strongly implied that the following beta 10209 (which is now 'stable') would fix these issues.  It definitely has not.   From Monday noon (when I installed beta 10209, as it was termed then) through to midnight+ last night I've kept a note of the ProcessHacker-recorded Working Set and cpu use of a2start roughly hourly.  When looking at the cpu rates the 3-second cycle (where you see a lower cpu use figure one second, then two higher values for the next two seconds, then the lower one again and so on) has continued.  Each time I recorded these figures I watched for typically four or so complete cycles and noted what seemed average figures for each (because of course they vary a bit).   Just to remind you: 4 cores, 8 threads here, so the most I ever see for a single thread is 12.50%.  Anyway:

    MON 01:
     1200 WS  70 MB, cpu  0.10  0.33  0.33
     1445 WS  87 MB, cpu  0.24  0.48  0.48
     1603 WS  91 MB, cpu  0.53  0.77  0.77
     1703 WS  91 MB, cpu  0.60  0.84  0.84
     1803 WS  92 MB, cpu  0.63  0.87  0.87
     1903 WS -- away from machine
     2003 WS  97 MB, cpu  1.16  1.37  1.37
     2103 WS  98 MB, cpu  1.44  1.66  1.66
     2203 WS  99 MB, cpu  1.50  1.71  1.71
     2303 WS 100 MB, cpu  1.85  2.06  2.06     then machine 'asleep' overnight

    TUE 02:
     0848 WS 103 MB, cpu  2.36  2.60  2.60
     0948 WS 105 MB, cpu  2.81  3.03  3.03
     1048 WS 107 MB, cpu  3.31  3.54  3.54
     1148 WS 120 MB, cpu  3.90  4.11  4.11
     1248 WS 125 MB, cpu  4.47  4.69  4.73
     1348 WS (missed)
     1448 WS 127 MB, cpu  5.74  6.00  6.01
     1548 WS 129 MB, cpu  6.48  6.71  6.73
     1648 WS 130 MB, cpu  6.63  6.97  6.91
     1756 WS 133 MB, cpu  7.36  7.61  7.63
     1848 WS 135 MB, cpu  8.30  8.51  8.66
     2248 WS 140 MB, cpu 11.24 11.42 11.43

    WED 03:
     0018 WS 142 MB, cpu 12.23 12.49 12.50 (I stopped recording but machine in use until ~3am then 'asleep' until ~9am)
     1000 WS 148 MB, cpu 12.50 12.50 12.50

    It's interesting that the extra cpu use in the second-2 and second-3 figures is pretty consistent (about 0.2%) all the way through that.

    The growth in WS, except at the very start, is around 1 MB per hour in the first few hours, then 1-2 then 3-5 (ish), which for a machine that hasn't been heavily used and was used for pretty much the same thing throughout - mostly browsing webmail and news sites - is a little odd.

    Just what exactly does a /GUI/ .exe need to double its memory use for?   This smacks of a memory leak, to me.

    I have the impression that cpu rates are climbing geometrically/exponentially rather than linearly.    Maybe, if some sort of data is being kept in that increasing memory (rather than the definition of the GUI screen layouts, which should be constant), a2start is wasting more and more cpu scanning through more and more memory?  That is, are these figures related? 
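The figures quoted in the post above, worked through as an added example (this is not code from the post or from Emsisoft). The script parses the hourly a2start samples, copied from the post into a constructed string, and answers the two questions the post raises from the data rather than by eye: it reports the working-set growth rate between consecutive samples, the average excess of the second-2/second-3 cpu figures over the second-1 figure, and compares a linear and an exponential least-squares fit to the low cpu figure. Elapsed time is wall-clock hours from the first sample, so the overnight sleep periods are part of the intervals; lines without figures are skipped.

```python
import math
import re

# Constructed copy of the hourly figures from the post above
# (day label, then "HHMM WS <MB> MB, cpu a b c"; lines without figures are skipped).
SAMPLES_TEXT = """\
MON 01:
 1200 WS  70 MB, cpu  0.10  0.33  0.33
 1445 WS  87 MB, cpu  0.24  0.48  0.48
 1603 WS  91 MB, cpu  0.53  0.77  0.77
 1703 WS  91 MB, cpu  0.60  0.84  0.84
 1803 WS  92 MB, cpu  0.63  0.87  0.87
 1903 WS -- away from machine
 2003 WS  97 MB, cpu  1.16  1.37  1.37
 2103 WS  98 MB, cpu  1.44  1.66  1.66
 2203 WS  99 MB, cpu  1.50  1.71  1.71
 2303 WS 100 MB, cpu  1.85  2.06  2.06
TUE 02:
 0848 WS 103 MB, cpu  2.36  2.60  2.60
 0948 WS 105 MB, cpu  2.81  3.03  3.03
 1048 WS 107 MB, cpu  3.31  3.54  3.54
 1148 WS 120 MB, cpu  3.90  4.11  4.11
 1248 WS 125 MB, cpu  4.47  4.69  4.73
 1348 WS (missed)
 1448 WS 127 MB, cpu  5.74  6.00  6.01
 1548 WS 129 MB, cpu  6.48  6.71  6.73
 1648 WS 130 MB, cpu  6.63  6.97  6.91
 1756 WS 133 MB, cpu  7.36  7.61  7.63
 1848 WS 135 MB, cpu  8.30  8.51  8.66
 2248 WS 140 MB, cpu 11.24 11.42 11.43
WED 03:
 0018 WS 142 MB, cpu 12.23 12.49 12.50
 1000 WS 148 MB, cpu 12.50 12.50 12.50
"""

DAY_ORDINAL = {"MON": 0, "TUE": 1, "WED": 2}
LINE_RE = re.compile(
    r"^\s*(\d{2})(\d{2})\s+WS\s+(\d+)\s+MB,\s+cpu\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")


def parse_samples(text):
    """Return [(hours_since_first_sample, ws_mb, cpu_second1, mean_cpu_seconds2_3)]."""
    day, rows = None, []
    for line in text.splitlines():
        head = line.strip().split()
        if head and head[0] in DAY_ORDINAL and line.strip().endswith(":"):
            day = DAY_ORDINAL[head[0]]
            continue
        m = LINE_RE.match(line)
        if not m or day is None:
            continue  # "away", "missed" and similar lines carry no figures
        hh, mm, ws, c1, c2, c3 = m.groups()
        t = day * 24 + int(hh) + int(mm) / 60
        rows.append((t, int(ws), float(c1), (float(c2) + float(c3)) / 2))
    t0 = rows[0][0]
    return [(t - t0, ws, lo, hi) for t, ws, lo, hi in rows]


def ws_growth_rates(samples):
    """MB per hour between each pair of consecutive samples, keyed by the later sample time."""
    return [(t1, (w1 - w0) / (t1 - t0))
            for (t0, w0, _, _), (t1, w1, _, _) in zip(samples, samples[1:])]


def spike_delta(samples):
    """Average excess of the two 'high' seconds over the 'low' second (in cpu %)."""
    return sum(hi - lo for _, _, lo, hi in samples) / len(samples)


def _linfit(xs, ys):
    """Ordinary least squares y = a + b*x; returns (slope, intercept, r_squared)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return slope, intercept, 1 - ss_res / ss_tot


def cpu_growth_model(samples):
    """Fit the low cpu figure linearly and exponentially (log-linear) against elapsed hours."""
    ts = [s[0] for s in samples]
    lows = [s[2] for s in samples]
    lin_slope, _, r2_lin = _linfit(ts, lows)
    exp_slope, _, r2_exp = _linfit(ts, [math.log(v) for v in lows])
    ws_slope, _, _ = _linfit(ts, [s[1] for s in samples])
    return {
        "r2_linear": r2_lin,
        "r2_exponential": r2_exp,
        "cpu_pct_per_hour_linear": lin_slope,
        "cpu_doubling_hours": math.log(2) / exp_slope if exp_slope > 0 else float("inf"),
        "ws_mb_per_hour": ws_slope,
        "better_fit": "exponential" if r2_exp > r2_lin else "linear",
    }


if __name__ == "__main__":
    s = parse_samples(SAMPLES_TEXT)
    for t, rate in ws_growth_rates(s):
        print(f"t={t:5.1f}h  WS growth {rate:5.1f} MB/h")
    print(f"mean second-2/3 excess: {spike_delta(s):.2f}%")
    print(cpu_growth_model(s))
```

The fit comparison is deliberately crude (r-squared of two models over samples that straddle sleep periods); its value is that the same script can be re-run on the next day's figures, which is how a suspected leak or runaway loop should be tracked rather than by reading a table.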



  6. > Jeremy, that is exactly since I am a Cloud Service Provider ....

    It's perfectly sensible to evaluate things, though I don't see that the type of business you're in has any relevance.


    > Well open the Task Manager and under processes kill the process "Emsisoft Protection Service" nothing will happen

    Ordinarily you wouldn't expect to be able to end the a2service.exe task (because if you can, so can malware), unless you've turned off the 'self-protection' option within EAM (in Home, at least, presumably also in the Business version), in Settings - Advanced.

    I don't know why you'd then see a cpu spike... but it should still have been only in one (v)CPU.    You didn't say what other processes are suddenly so busy on the other seven CPUs.


    What is the host operating system?   And what is the OS under VMware?    


  7. When you say "End Task", what task were you trying to end?

    There is an ongoing problem (at least in the Home version of EAM) with cpu spikes... but no-one discussing it on the forum has described a 99% cpu busy situation.  The worst people have seen is for one thread (usually half a core) to be 100% busy.  What sort of CPU does your machine have?  If a2service was keeping one thread busy, what was keeping every other thread/core busy?


  8. Good catch!

    I agree - the option should be reinstated.  For those who don't like it, they can turn it off.   But for those who like constant reassurance that things are working properly, hour by hour, the notification that signatures just got updated is big and obvious - much more so than the very small systray flag you'd get if signature updates have stopped for some reason.

    • Like 1

  9. Memory use stayed high for ages, and then at some point yesterday it fell markedly, don't know why.

    This morning, restarted but still using 10204, it was initially about 80 MB but climbed, going up by maybe 3 or 4 MB an hour.

    At noon, I installed the 10209 beta, and it started with WS 70 MB but three hours later (and I've been away from the pc for quite a lot of that time) it's reached 87 MB.


  10. Jumping in.... one sees "don't show again" on lots of other EAM notifications.

    For this one, @stapp is probably wondering whether choosing not to install something NOW, also means one won't be told about the thing next time Edge is opened.

    Putting it another way, what's the difference between "Later" (which presumably means don't install it now), and "Don't install" (which also means don't install it now)?


  11. Win 8.1 64 bit

    I can't remember what a2start's memory use normally is, but right now mine has (according to Process Hacker) a "Private Bytes" value of 1.43 GB and a /working set/ of 1.38 GB.

     A custom scan (which looked at 1.4m objects) finished about an hour and a quarter ago; that ran with debug-logging on.    Debug-logging has been disabled and re-enabled since then, without affecting a2start's memory use.


    I understand that this working set is only /virtual storage/ but committed pages still have to be backed in either RAM or the page file.  I've 8 GB RAM and just over 8 GB of pagefile, so about 16.1 GB is the maximum amount of commitable vs ... and on that basis 1.38 GB doesn't seem like a vast amount - about 8.6% of the system's overall maximum.

    But it's still the largest WS of any application on the system by a huge margin.


  12. I always start my custom scans (usually done once per week) by importing settings, and what's more it's normal for me to import first a set of settings I don't plan to use, then import the set I do wish to use.  I know that's odd, but I do it because it means I always see something change in the GUI regardless of whatever was displayed before the import. 

    I have a scan running now, which I started in exactly the same way as this morning's attempted one... except this time I do have debug logging on...


  13. Win 8.1, 64 bit.    Unfortunately debug logging was not on, after yesterday's experiments.

    I used the GUI to try to start a custom scan, loaded predefined scan settings, and clicked NEXT.  Immediately got an "Emsisoft Security Centre has stopped working" pane, [with the usual misleading info that Windows is going to phone a friend and see if they can fix it (which has never ever worked for anything as far as I know)].

    I was not offered a chance to send a dump to Emsisoft.   Windows did save a small crash dump - I'll PM its location to @Frank H

    Event log has:

    Log Name:      Application
    Source:        Application Error
    Date:          30/05/2020 11:09:24
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SAMSUNG-NP350
    Description:
    Faulting application name: a2start.exe, version: 2020.6.0.10204, time stamp: 0x5ecea8fc
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x0000000005410fd8
    Faulting process ID: 0x1ea0
    Faulting application start time: 0x01d635bb1682db2e
    Faulting application path: C:\Program Files\Emsisoft Internet Security\a2start.exe
    Faulting module path: unknown
    Report ID: a2cdc279-a25d-11ea-822f-50b7c3e8a12a
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2020-05-30T10:09:24.000000000Z" />
        <EventRecordID>250243</EventRecordID>
        <Channel>Application</Channel>
        <Computer>SAMSUNG-NP350</Computer>
        <Security />
      </System>
      <EventData>
        <Data>a2start.exe</Data>
        <Data>2020.6.0.10204</Data>
        <Data>5ecea8fc</Data>
        <Data>unknown</Data>
        <Data>0.0.0.0</Data>
        <Data>00000000</Data>
        <Data>c0000005</Data>
        <Data>0000000005410fd8</Data>
        <Data>1ea0</Data>
        <Data>01d635bb1682db2e</Data>
        <Data>C:\Program Files\Emsisoft Internet Security\a2start.exe</Data>
        <Data>unknown</Data>
        <Data>a2cdc279-a25d-11ea-822f-50b7c3e8a12a</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
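The Event XML in the post above, parsed as an added triage example (this is not code from the post or from Emsisoft). The positional meaning of the fifteen `<Data>` elements is taken from the order of the Description block above; the NTSTATUS names are the documented ones for those codes, and the "Faulting application start time" is decoded as a FILETIME (100 ns ticks since 1601-01-01 UTC), which is how Windows records it in this event. The XML string is copied from the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Positional meaning of the <Data> elements in an Application Error (ID 1000)
# event, in the order the Description block above lists them.
EVENT_1000_FIELDS = [
    "app_name", "app_version", "app_timestamp",
    "module_name", "module_version", "module_timestamp",
    "exception_code", "fault_offset", "process_id", "app_start_time",
    "app_path", "module_path", "report_id",
    "package_full_name", "package_relative_app_id",
]

# NTSTATUS codes commonly seen in this event.
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0x80000003: "STATUS_BREAKPOINT",
}

# Copied from the post above.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-05-30T10:09:24.000000000Z" />
    <EventRecordID>250243</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SAMSUNG-NP350</Computer>
    <Security />
  </System>
  <EventData>
    <Data>a2start.exe</Data>
    <Data>2020.6.0.10204</Data>
    <Data>5ecea8fc</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000005410fd8</Data>
    <Data>1ea0</Data>
    <Data>01d635bb1682db2e</Data>
    <Data>C:\\Program Files\\Emsisoft Internet Security\\a2start.exe</Data>
    <Data>unknown</Data>
    <Data>a2cdc279-a25d-11ea-822f-50b7c3e8a12a</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>"""


def filetime_to_datetime(hex_filetime):
    """Convert a hex FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    ticks = int(hex_filetime, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_app_error_event(xml_text):
    """Turn an Application Error event into a dict of named, decoded fields."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    data = [(d.text or "").strip()
            for d in root.find(EVT_NS + "EventData").findall(EVT_NS + "Data")]
    rec = dict(zip(EVENT_1000_FIELDS, data))
    rec["event_id"] = int(system.find(EVT_NS + "EventID").text)
    rec["computer"] = system.find(EVT_NS + "Computer").text
    rec["time_created"] = system.find(EVT_NS + "TimeCreated").get("SystemTime")
    rec["exception_name"] = EXCEPTION_NAMES.get(int(rec["exception_code"], 16),
                                                "unknown NTSTATUS")
    rec["process_id_int"] = int(rec["process_id"], 16)
    rec["app_start_utc"] = filetime_to_datetime(rec["app_start_time"])
    # "unknown" means Windows could not map the faulting address to a loaded image.
    rec["module_unresolved"] = rec["module_name"].lower() == "unknown"
    return rec


def triage_notes(rec):
    """Short, defensible observations a responder can record before the dump is analysed."""
    notes = []
    if rec["exception_name"] == "STATUS_ACCESS_VIOLATION":
        notes.append("access violation: the process touched memory it had no mapping or rights for")
    if rec["module_unresolved"]:
        notes.append("faulting address is not inside any loaded module image, so the call "
                     "stack must come from the crash dump rather than from this event")
    if not rec["package_full_name"]:
        notes.append("classic (non-packaged) desktop application")
    return notes


if __name__ == "__main__":
    r = parse_app_error_event(EVENT_XML)
    print(r["app_name"], r["app_version"], r["exception_name"], r["app_start_utc"])
    for n in triage_notes(r):
        print("-", n)
```

Parsing the XML rather than the free-text Description is deliberate: the Description wording is localised and changes between Windows versions, while the `<Data>` positions are stable, so the same parser works on exported .evtx-to-XML records from other machines.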


  14. > We already have fixed this in the upcoming beta2, like i explained earlier:

    Ah, sorry.  I thought your statement about what would be fixed next was this bit:

            We will fix these little CPU spikes in an upcoming beta.

    and you'd then followed that with what I thought was 'history'.  I think I now see what you mean.


  15. After terminating and restarting a2start, with debug logging off, its cpu use is ranging from 0.17 thru 0.42.  That's nearly double the 0.09 - 0.23 values it used immediately after this morning's reboot.  Why would a freshly started a2start need more cpu than this morning's one?



  16. 27 minutes ago, Frank H said:

    thanks for your feedback.

    We will fix these little CPU spikes in an upcoming beta.

    We added a CPU monitor to be able to check when CPU use increases, which unfortunately checks stuff every few seconds.

    what we will improve:

    • only check when debug logging is ON
    • check once a minute


    It's not just the spikes though, cpu usage is still growing.  I'm seeing  lows of 0.56-0.62 now and highs of around 0.81-0.83  ... though am just going to terminate and restart a2start to see if that fixes the logging issue.


  17. @Frank H  Before I try terminating and restarting a2start ...   I've been looking at something else.   I turned self-protection off then copied the logs.db3 file elsewhere.  Using sqlite3 I used ".dump" to create a readable text file version of the log.  Looking at the unix epoch date stamp values for entries being added to the ForensicLogs table, it's clear that logging is working ok - there's up-to-date stuff being written into the log database itself.


  18. Opening that dropdown and toggling to Actions rather than Components, then closing the choice and waiting a while makes no difference, likewise reverting to the All components selection.

    I did earlier have debug logging on (as I normally do all the time) but turned that off when Arthur asked if that affected the weird cpu use.  I've no idea if the (non-debug) log had any contents before that.