Posts posted by JeremyNicoll


  1. 1 hour ago, Frank H said:

    it would be hard to buy something via an online shop then :P

    Everything is bought online, as I can't go to shops.  I've changed what I buy to make things as safe as I can.  More tinned food etc, as it can sit untouched for weeks.  Much less fresh food as it has to be refrigerated or frozen for storage (but virus on refrigerated things is viable for a while*, and freezing doesn't 'kill' it either so it's just as potentially dangerous when dug out of a freezer as when it went in, as far as I know**).  No fruit/veg unless it'll be cooked.  There's a few items (eg milk) that are definitely a problem; I more or less trust the milk itself (packaged industrially) but when it comes I normally freeze it immediately, deferring the worry of getting at the milk itself until I'm alert days/weeks later.   Stuff in tins, bottles etc gets put aside for several weeks.  Parcels etc are put to one side.  Most letters too.  If one arrives that I can tell needs immediate attention, I'll carefully get the letter out of the envelope (& throw that out) and into a transparent A4 polypocket so it can be handled safely, but everything else waits.  If I accidentally touch my clothes with a possibly infected item or hand, the whole lot goes in the washing machine.  I also do sorting (of eg arriving grocery orders) outside the house (because it all arrives jumbled up and I need eg to get all the tins together).   Paranoid?  Maybe, but I've been ill for more than 20 years and while life is not great, I'd prefer to stay alive.

    * - I'm sure I read somewhere that to maximise viability of swab samples taken from possibly infected people, those samples are transferred to labs at the sorts of temperatures that domestic refrigerators run at.  At   https://covid19.nj.gov/faqs/coronavirus-information/about-novel-coronavirus-2019/will-the-coronavirus-survive-in-the-refrigerator-or-freezer-u21gz2n7br it says "... at 4 degrees C, or 40 degrees F, and 20% relative humidity, more than two thirds of the viruses survived for 28 days".

    ** - don't virology labs store virus samples frozen for future research?

    (Sorry for dragging things off-topic.)


  2. 39 minutes ago, stapp said:

    I have nothing in quarantine.

    Nothing?  I don't unpack anything that comes into the house for several weeks, until I'm sure it's safe to touch.  I hope you're being careful enough...


  3. 7 hours ago, GT500 said:

    I don't believe we've published any articles discussing cloud scanning recently, beyond our recent privacy article of course.

     

    Thanks for your feedback. Note that you can also send feedback directly to our management by sending an e-mail to feedback@emsisoft.com (all e-mails received at this address should be read, except the obvious junk mail of course).

     

    There were actual reasons for changing it. For instance some corporate customers would actually prefer update notifications be removed as their employees have no need to see such information, and they prefer their IT teams to manage their Anti-Virus remotely.

    There are actual reasons for keeping it, too.

    Doesn't the corporate version have "policies" that allow the corporate people to set which things can be altered by the users?  And even if not, I don't see why an IT person would get that bothered if someone turned on a notification that is meant to be off - it is after all only a notification.  Users can't change anything based on it.


  4. I don't quite understand.  "Auto resolve" means the BB /decides what to do/... so there's no scope for the user or anyone else to make a decision - it's already been made.

    If you want to have the opportunity to make your own decision, you need to set "Alert".


  5. 8 hours ago, GT500 said:

    The Behavior Blocker is capable of producing a significant number of notifications in rapid succession. They have to be contained to prevent blocking too much screen real estate, otherwise they become too much of a nuisance. Currently we handle that by only allowing a single notification on the screen at a time.

    Also, in this case, as soon as EAM receives information from our servers about the process being queried, the notification that it's looking up the reputation becomes irrelevant since EAM is done doing that and is ready to tell you what it found. That's why the notification changes immediately instead of waiting for its normal timeout period.

    OK... provided there's never a possibility that a more important notification is covered by a less important one.


  6. What I see when I watch the video carefully is:   First you run "Pubg_Lite Cheat.exe".   That gets an alert (presumably from File Guard) which says

       gets alert Trojan   C:\hostwin\runtimereview.exe

    and it says that that was detected and quarantined. 

     

    It's not clear to me how that relates to what happens next, which is that the BB says "suspicious behaviour" in

        C:\hostwin\d8Ct...........bat      & Verifying with AMN

    Then there's a pane that says

     

        "Suspicious behaviour detected and stopped"
        C:\hostwin\d8Ct...........bat

        Program will be quarantined in 9s

                     OK              Wait, I think it is safe

     

    For some reason you expect to see a pane telling you what the result of the AMN lookup was? 

    But in Advanced Settings you have:

       YES   Look up reputation
       NO    Automatically      allow programs with good reputation
       YES   Automatically quarantine programs with bad  reputation

    (You need the   "   YES   Look up reputation"  set for the lookup to happen, ... and we know it did happen because you got "Verifying with AMN" earlier.)

    The AMN clearly thinks the file is bad, so

         YES   Automatically quarantine programs with bad  reputation

    applies.  So you get the pane telling you ("Program will be quarantined in 9s") that the file is about to be quarantined.

     

    What did you expect that is different?

     


  7. > I'm sure my Internet connection is not faster than yours considering you were able to see the result of the action

    The speed of Arthur's internet connection is not relevant.

    He (and I, and anyone else) can see the sequence of notifications /in the video/ by stopping it at the 46-second point then clicking to move the "current point" back and forth on the video timeline.  In real time (as it happened for you) it's probably impossible to see that sequence but the video frame-by-frame sequence makes it possible.

    @GT500 - it would be sensible if the notification display logic were changed.  Although a user can choose where on the screen a notification will be displayed, that preference should only apply if there is no other notification already displayed.  If multiple ones are needed they should not completely overlay previous ones. 


  8. @GT500 said a while back (mid-May) that they could reproduce the problem.  It's interesting that the new release apparently contains some code intended to try to collect data about what's going on... but if it does, how is that info meant to get back to the developers?  Is EAM "phoning home"?  Are there enough developers all running that code that they can see whatever it collects themselves?


  9. @bjm_  - No, it's not "cloud-based".  Signatures are held on the local pc but are normally updated frequently, typically every hour.

    When something that might be malware is analysed, there's an optional check made of knowledge on an online server (the Antimalware Network).  Users can choose if that will be done and whether or not they want the server's opinion to be displayed or immediately acted on.

    There's also an optional browser extension that uses an online server to judge whether specific pages of certain websites are dangerous.

     


  10. When beta 10204 was made available Frank strongly implied that the following beta 10209 (which is now 'stable') would fix these issues.  It definitely has not.   From Monday noon (when I installed beta 10209 (as it was termed then) through to midnight+ last night I've kept a note of the ProcessHacker-recorded Working Set and cpu use of a2start roughly hourly.  When looking at the cpu rates the 3-second cycle (where you see a lower cpu use figure one second, then two higher values for the next two seconds, then the lower one again and so on) has continued.  Each time I recorded these figures I watched for typically four or so complete cycles and noted what seemed average figures for each (because of course they vary a bit).   Just to remind you: 4 cores, 8 threads here, so the most I ever see for a single thread is 12.50%.  Anyway:

    MON 01:
     1200 WS  70 MB, cpu     0.10   0.33    0.33
     1445 WS   87 MB, cpu    0.24   0.48    0.48
     1603 WS   91 MB, cpu    0.53   0.77    0.77
     1703 WS   91 MB, cpu    0.60   0.84    0.84
     1803 WS   92 MB, cpu    0.63   0.87    0.87
     1903 WS -- away from machine
     2003 WS   97 MB, cpu    1.16   1.37    1.37
     2103 WS   98 MB, cpu    1.44   1.66    1.66
     2203 WS   99 MB, cpu    1.50   1.71    1.71
     2303 WS 100 MB, cpu    1.85   2.06    2.06     then machine 'asleep' overnight

    TUE 02:
     0848 WS 103 MB, cpu    2.36   2.60   2.60
     0948 WS 105 MB, cpu    2.81   3.03   3.03
     1048 WS 107 MB, cpu    3.31   3.54   3.54
     1148 WS 120 MB, cpu    3.90   4.11   4.11
     1248 WS 125 MB, cpu    4.47   4.69   4.73
     1348 WS  (missed)
     1448 WS 127 MB, cpu    5.74   6.00   6.01
     1548 WS 129 MB, cpu    6.48   6.71   6.73
     1648 WS 130 MB, cpu    6.63   6.97   6.91
     1756 WS 133 MB, cpu    7.36   7.61   7.63
     1848 WS 135 MB, cpu    8.30   8.51   8.66
     2248 WS 140 MB, cpu 11.24 11.42 11.43

    WED 03:
     0018 WS 142 MB, cpu 12.23 12.49 12.50 (I stopped recording but machine in use until ~3am then 'asleep' until ~9am)

     1000 WS 148 MB, cpu 12.50 12.50 12.50

    It's interesting that the extra cpu use in the second-2 and second-3 figures is pretty consistent (about 0.2%) all the way through that.

    The growth in WS, except at the very start, is around 1 MB per hour in the first few hours, then 1-2 then 3-5  (ish) which for a machine that hasn't been heavily used and was used for pretty much the same thing throughout - mostly browsing webmail and new sites, is a little odd.

    Just what exactly does a /GUI/ .exe need to double its memory use for?   This smacks of a memory leak, to me.

    I have the impression that cpu rates are climbing geometrically/exponentially rather than linearly.    Maybe, if some sort of data is being kept in that increasing memory (rather than the definition of the GUI screen layouts, which should be constant), a2start is wasting more and more cpu scanning through more and more memory?  That is, are these figures related? 

     

     


  11. > Jeremy, that is exactly since I am a Cloud Service Provider ....

    It's perfectly sensible to evaluate things, though I don't see that the type of business you're in has any relevance.

     

    > Well open the Task Manager and under processes kill the process "Emsisoft Protection Service" nothing will happen

    Ordinarily you wouldn't expect to be able to end the  a2service.exe  task (because if you can, so can malware), unless you've turned off the  'self-protection' option within EAM (in Home, at least, presumably also in the Business version),  in Settings - Advanced.

    I don't know why you'd then see a cpu spike... but it should still have been only in one (v)CPU.    You didn't say what other processes are suddenly so busy on the other seven CPUs.

     

    What is the host operating system?   And what is the OS under VMware?    


  12. When you say "End Task", what task were you trying to end?

    There is an ongoing problem (at least in the Home version of EAM) with cpu spikes... but no-one discussing it on the forum has described a 99% cpu busy situation.  The worst people have seen is for one thread (usually half a core) to be 100% busy.  What sort of CPU does your machine have?  If a2service was keeping one thread busy, what was keeping every other thread/core busy?


  13. Good catch!

    I agree - the option should be reinstated.  For those who don't like it, they can turn it off.   But for those who like constant reassurance that things are working properly, hour by hour, the notification that signatures just got updated is big and obvious - much more so than the very small systray flag you'd get if signature updates have stopped for some reason.


  14. The newest beta hasn't fixed the issue of a2start cpu growing.  I installed beta 10209 at noon, at which point its cpu was (still on a 3-second cycle) showing rates of 0.10   0.33   0.33  whereas now it's gone up to  0.25  0.48  0.48. 


  15. Memory use stayed high for ages, and then at some point yesterday it fell markedly, don't know why.

    This morning, restarted but still using 10204, it was initially about 80 MB but climbed, going up by maybe 3 or 4 MB an hour.

    At noon, I installed the 10209 beta, and it started with WS 70 MB but three hours later (and I've been away from the pc for quite a lot of that time) it's reached 87 MB.


  16. Jumping in.... one sees "don't show again" on lots of other EAM notifications.

    For this one, @stapp is probably wondering whether choosing not to install something NOW, also means one won't be told about the thing next time Edge is opened.

    Putting it another way, what's the difference between "Later" (which presumably means don't install it now), and "Don't install" (which also means don't install it now)?


  17. Win 8.1 64 bit

    I can't remember what a2start's memory use normally is, but right now mine has (according to Process Hacker) a "Private Bytes" value of 1.43 GB and a /working set/ of 1.38 GB.

     A custom scan (which looked at 1.4m objects) finished about an hour and a quarter ago; that ran with debug-logging on.    Debug-logging has been disabled and re-enabled since then, without affecting a2start's memory use.

     

    I understand that this working set is only /virtual storage/ but committed pages still have to be backed in either RAM or the page file.  I've 8 GB RAM and just over 8 GB of pagefile, so about 16.1 GB is the maximum amount of committable vs ... and on that basis 1.38 GB doesn't seem like a vast amount - about 8.6% of the system's overall maximum.

    But it's still the largest WS of any application on the system by a huge margin.


  18. I always start my custom scans (usually done once per week) by importing settings, and what's more it's normal for me to import first a set of settings I don't plan to use, then import the set I do wish to use.  I know that's odd, but I do it because it means I always see something change in the GUI regardless of whatever was displayed before the import. 

    I have a scan running now, which I started in exactly the same way as this morning's attempted one... except this time I do have debug logging on...


  19. Win 8.1, 64 bit.    Unfortunately debug logging was not on, after yesterday's experiments.

    I used the GUI to try to start a custom scan, loaded predefined scan settings, and clicked NEXT.  Immediately got an "Emsisoft Security Centre has stopped working" pane, [with the usual misleading info that Windows is going to phone a friend and see if they can fix it (which has never ever worked for anything as far as I know)].

    I was not offered a chance to send a dump to Emsisoft.   Windows did save a small crash dump - I'll PM its location to @Frank H

    Event log has:

    Log Name:      Application
    Source:        Application Error
    Date:          30/05/2020 11:09:24
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SAMSUNG-NP350
    Description:
    Faulting application name: a2start.exe, version: 2020.6.0.10204, time stamp: 0x5ecea8fc
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x0000000005410fd8
    Faulting process ID: 0x1ea0
    Faulting application start time: 0x01d635bb1682db2e
    Faulting application path: C:\Program Files\Emsisoft Internet Security\a2start.exe
    Faulting module path: unknown
    Report ID: a2cdc279-a25d-11ea-822f-50b7c3e8a12a
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2020-05-30T10:09:24.000000000Z" />
        <EventRecordID>250243</EventRecordID>
        <Channel>Application</Channel>
        <Computer>SAMSUNG-NP350</Computer>
        <Security />
      </System>
      <EventData>
        <Data>a2start.exe</Data>
        <Data>2020.6.0.10204</Data>
        <Data>5ecea8fc</Data>
        <Data>unknown</Data>
        <Data>0.0.0.0</Data>
        <Data>00000000</Data>
        <Data>c0000005</Data>
        <Data>0000000005410fd8</Data>
        <Data>1ea0</Data>
        <Data>01d635bb1682db2e</Data>
        <Data>C:\Program Files\Emsisoft Internet Security\a2start.exe</Data>
        <Data>unknown</Data>
        <Data>a2cdc279-a25d-11ea-822f-50b7c3e8a12a</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
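
Added example, not part of the original post and not Emsisoft code: a small triage parser for an exported Application Error (Event ID 1000) record such as the one above. It maps the positional `<Data>` values to the names used in the Description lines, decodes the hex exception code, process ID and FILETIME start time, and flags a fault whose module is reported as "unknown". The field names, the `NTSTATUS` lookup and the `unmapped_fault` flag are this example's own choices.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional meaning of each <Data> element, in the same order as the
# Description lines of the event in the post (names chosen for this example).
FIELDS = ["app_name", "app_version", "app_timestamp", "module_name",
          "module_version", "module_timestamp", "exception_code",
          "fault_offset", "process_id", "app_start_time", "app_path",
          "module_path", "report_id", "package_full_name", "package_app_id"]

# Small lookup of common NTSTATUS exception codes; extend as needed.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
            0xC00000FD: "STATUS_STACK_OVERFLOW"}

# EventData values copied from the event in the post; System element trimmed.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="0">1000</EventID></System>
  <EventData>
    <Data>a2start.exe</Data><Data>2020.6.0.10204</Data><Data>5ecea8fc</Data>
    <Data>unknown</Data><Data>0.0.0.0</Data><Data>00000000</Data>
    <Data>c0000005</Data><Data>0000000005410fd8</Data><Data>1ea0</Data>
    <Data>01d635bb1682db2e</Data>
    <Data>C:\Program Files\Emsisoft Internet Security\a2start.exe</Data>
    <Data>unknown</Data><Data>a2cdc279-a25d-11ea-822f-50b7c3e8a12a</Data>
    <Data>
    </Data><Data>
    </Data>
  </EventData>
</Event>"""

def filetime_to_utc(hex_value):
    # FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_app_error(xml_text):
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
        raise ValueError("not an Application Error (Event ID 1000) record")
    values = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    rec = dict(zip(FIELDS, values))
    rec["exception_name"] = NTSTATUS.get(int(rec["exception_code"], 16), "unrecognised")
    rec["process_id"] = int(rec["process_id"], 16)
    rec["app_start_time"] = filetime_to_utc(rec["app_start_time"])
    # Module reported as "unknown": Windows did not attribute the fault to a named module.
    rec["unmapped_fault"] = rec["module_name"] == "unknown"
    return rec

if __name__ == "__main__":
    for key, value in parse_app_error(SAMPLE).items():
        print(f"{key:18} {value}")
```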


  20. > We already have fixed this in the upcoming beta2, like I explained earlier:

    Ah, sorry.  I thought your statement about what would be fixed next was this bit:

            We will fix these little CPU spikes in an upcoming beta.

    and you'd then followed that with what I thought was 'history'.  I think I now see what you mean.