JeremyNicoll

Member
Content Count: 1840
Days Won: 29

Everything posted by JeremyNicoll

  1. Unfortunately the Bellavista method is no use to me as I have no ScrollLock key on this laptop. I did it the hard way instead, setting up an alternate trigger, then tested that that would create a full dump on request. (I'm not sure that I'd agree with Orlando Pivi's assertion that a 'controlled blue screen is safe', though. By its nature this surely risks damage to a file system? - but needs must.)

     Anyway, after I'd tested the dump process and done a clean shutdown & reboot, I edited the VBS script concerned (to change its hash, as you suggested), then opened a different editor window and issued the same command sequence as before. That's to say: my text editor KEDIT, ie:

         C:\Program Files (x86)\~M-folder\Mansfield\KeditV161\KEDITW32.exe

     ran a 'KEXX' macro, which in turn issued a command to run a VBS script:

         C:\Dropbox\JN_VB_and_VBS\JN-Shell-Explore-Folder.vbs

     The command the macro issued, to run the VBS script, was:

         winexec nowait normal wscript.exe "C:\Dropbox\JN_VB_and_VBS\JN-Shell-Explore-Folder.vbs" "full" "C:\ProgramData"

     The reason for the "full" parameter before the full path of the target folder is that this script also takes some requests in terms of ShellSpecialFolderConstants as described at: https://msdn.microsoft.com/en-us/library/windows/desktop/bb774096(v=vs.85).aspx

     The script parses the (in this case) specified full path into a variable named 'pathspnm' and then executes:

         ' check that the requested folder exists before handing it to the shell
         set FSO = CreateObject("Scripting.FileSystemObject")
         fexists = FSO.FolderExists(pathspnm)
         set FSO = Nothing
         if not fexists then
             grumble = "FULL did not find 'fullpath' folder: >" & pathspnm & "<" & nl2
             wscript.echo msgfrm & grumble & callas
             wscript.quit
         end if
         usefoldr = pathspnm
         ' open a File Explorer view of the folder via the Shell.Application object
         set objShell = CreateObject("shell.application")
         objShell.Explore(usefoldr)
         set objShell = Nothing

     As before, an AMN pane slid in from the righthand side of the screen, and as soon as I put the mouse pointer over that pane it displayed as a spinning blue circle.

     I triggered the system dump immediately. I'll PM you with the location of the zipped-up dump.
  2. Hmm, I have W8.1 and here Windows Defender is turned off, though I can't see from my notes how I did that. You'll need to wait for someone with W10 experience to advise you, sorry.
  3. Are you using W10? There's a known problem where W10 doesn't properly show EIS status - there's other threads here about that...
  4. Hover your mouse over "GT500" on the lefthand side of one of his posts until a pane displays, then click on Message.
  5. There's only one EventLog record that's relevant, and I'm not sure that it sheds any light:

         Log Name:      Application
         Source:        Application Hang
         Date:          12/06/2017 07:42:35
         Event ID:      1002
         Task Category: (101)
         Level:         Error
         Keywords:      Classic
         User:          N/A
         Computer:      SAMSUNG-NP350
         Description:
         The program a2guard.exe version 2017.5.1.7567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
         Process ID: 18e0
         Start Time: 01d2e340dbe9620c
         Termination Time: 4294967295
         Application Path: C:\Program Files\Emsisoft Internet Security\a2guard.exe
         Report Id: 0a10cbd3-4f39-11e7-809b-50b7c3e8a12a
         Faulting package full name:
         Faulting package-relative application ID:
         Event Xml:
         <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
           <System>
             <Provider Name="Application Hang" />
             <EventID Qualifiers="0">1002</EventID>
             <Level>2</Level>
             <Task>101</Task>
             <Keywords>0x80000000000000</Keywords>
             <TimeCreated SystemTime="2017-06-12T06:42:35.000000000Z" />
             <EventRecordID>142591</EventRecordID>
             <Channel>Application</Channel>
             <Computer>SAMSUNG-NP350</Computer>
             <Security />
           </System>
           <EventData>
             <Data>a2guard.exe</Data>
             <Data>2017.5.1.7567</Data>
             <Data>18e0</Data>
             <Data>01d2e340dbe9620c</Data>
             <Data>4294967295</Data>
             <Data>C:\Program Files\Emsisoft Internet Security\a2guard.exe</Data>
             <Data>0a10cbd3-4f39-11e7-809b-50b7c3e8a12a</Data>
             <Data> </Data>
             <Data> </Data>
             <Binary>55006E006B006E006F0077006E0000000000</Binary>
           </EventData>
         </Event>
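The Application Hang record above packs its useful detail into the EventData fields: the process id is hex, the start time is a hex FILETIME, and the Binary blob is UTF-16LE text. The following is an added example (not from the post or from Emsisoft) that parses the record's Event XML into plain values; the sample XML is the record quoted above, and treating the termination value 4294967295 (0xFFFFFFFF) as "nothing recorded" is my assumption.

```python
"""Extract the useful fields from a Windows 'Application Hang' (Event ID 1002)
record supplied as Event XML. Added example; the sample record is the one
quoted in the post above."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_VALUE = 0xFFFFFFFF  # 4294967295 in the record; assumed to mean "not recorded"

# The Event XML exactly as quoted in the post (raw string: the path has backslashes).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Hang" />
<EventID Qualifiers="0">1002</EventID>
<Level>2</Level>
<Task>101</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-06-12T06:42:35.000000000Z" />
<EventRecordID>142591</EventRecordID>
<Channel>Application</Channel>
<Computer>SAMSUNG-NP350</Computer>
<Security />
</System>
<EventData>
<Data>a2guard.exe</Data>
<Data>2017.5.1.7567</Data>
<Data>18e0</Data>
<Data>01d2e340dbe9620c</Data>
<Data>4294967295</Data>
<Data>C:\Program Files\Emsisoft Internet Security\a2guard.exe</Data>
<Data>0a10cbd3-4f39-11e7-809b-50b7c3e8a12a</Data>
<Data> </Data>
<Data> </Data>
<Binary>55006E006B006E006F0077006E0000000000</Binary>
</EventData>
</Event>"""


def filetime_to_datetime(hex_ticks: str) -> datetime:
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC; the event stores it as hex."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_ticks, 16) // 10)


def system_time_to_datetime(value: str) -> datetime:
    """SystemTime carries nine fractional digits, more than strptime accepts, so drop them."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_application_hang(xml_text: str) -> dict:
    """Return the record's fields as a dict; refuses anything that is not Event ID 1002."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if event_id != 1002:
        raise ValueError(f"not an Application Hang record (EventID {event_id})")
    # EventData order for this template: app, version, pid (hex), start time (FILETIME hex),
    # termination value, full path, report id, then the two (empty) package fields.
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    termination = int(data[4])
    binary = root.findtext("e:EventData/e:Binary", default="", namespaces=NS)
    return {
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time_created": system_time_to_datetime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "process": data[0],
        "version": data[1],
        "pid": int(data[2], 16),
        "start_time": filetime_to_datetime(data[3]),
        "termination_time": None if termination == NO_VALUE else termination,
        "path": data[5],
        "report_id": data[6],
        # The Binary blob is UTF-16LE text padded with NULs ("Unknown" in this record).
        "binary_text": bytes.fromhex(binary).decode("utf-16-le").rstrip("\x00"),
    }


def minutes_running_before_hang(record: dict) -> float:
    """How long the process had been up when Windows closed it."""
    return (record["time_created"] - record["start_time"]).total_seconds() / 60


if __name__ == "__main__":
    rec = parse_application_hang(SAMPLE_EVENT_XML)
    for key, value in rec.items():
        print(f"{key:17} {value}")
    print(f"running for about {minutes_running_before_hang(rec):.0f} minutes before the hang")
```

For this record the decoded start time is a little under 45 minutes before TimeCreated, which is the kind of cross-check that tells you whether a2guard.exe hung shortly after launch or after a long run.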
  6. Using W8.1, 64bit, EIS 2017.5.1.7567, Stable feed. This problem happened again today. Same reason - running the 'fav' script inside Kedit, which then launches a VBS script to use

         set objShell = CreateObject("shell.application")
         objShell.Explore(usefoldr)

     to open a File Explorer view of a folder. Just like last time EIS popped up a 'suspicious behaviour' alert, which couldn't be cancelled and never reached a decision.

     I was writing notes in my text editor at the time, and could still Save those notes, but when eg I made a screenshot of the alert pane, started IrfanView and pasted that in, when I tried a SaveAs I just got a revolving blue circle and IrfanView's window title changed to 'Not Responding'. I started a second instance of the text editor and tried to SaveAs from there, and also got the blue circle. Double-clicking my desktop shortcut to 'Admin Tools' (to go and look at EventViewer) produced no action at all. The EIS alert pane showed the same revolving blue circle whenever the mouse pointer was over it. If I clicked anywhere on the pane it was replaced by an OS 'not responding' box, offering me the choice of waiting until it did respond (which never happened) or terminating EIS - which I didn't want to do. I was however able to sign-out.

     I signed-in again, and turned debug logging on. Then from another Kedit session, issued fav prog (to get a list of 'prog' files and folders) and chose program-data (again). The macro told me it had issued the command to run the VBS script. But nothing at all then happened - no folder view opened, no alert pane was displayed. Double-clicking 'AdminTools' again did nothing. I took a screenshot of my edit session and was able to paste that into a new instance of IrfanView, but as before its File -> SaveAs just gave the blue spinner. IrfanView's window title again said 'Not responding'. I also tried double-clicking the desktop 'RecycleBin' shortcut - nothing happened. I signed-out again. I'll PM the debug logs to you.

     For the avoidance of doubt, it's not the fact that I get an alert (at least when debug logging isn't on) that bothers me, but instead the fact that the alert pane isn't cancellable etc. (logs sent)
  7. You can right-click the EIS tray icon and select Application Rules, then click the BB tab - but here I find no difference in speed doing that vv opening the full GUI then choosing Protection and then BB. Adding BB to the systray icon context menu would only save you one click. On the other hand it's not clear why Application Rules & Host Rules (ie Surf Protection, I suppose) get context menu links, but BB, File Guard and Firewall do not. I think if I were Emsisoft I'd probably remove the two current rules options and just have a link to Protection settings as once you get there you can pick the tab you need.
  8. Yes you can delete them - delete the oldest ones. Logs should be in: C:\ProgramData\Emsisoft\Logs Names like: a2service_20170205003925(1116).log are named according to the part of the product that created the log (eg "a2service") then the yyyymmddhhmmss date and time they were first created, and the last bit in brackets is (I think) the process id. Just don't try to delete the log(s) that are being written to at the moment.
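The naming convention described above (component, then a yyyymmddhhmmss creation stamp, then a process id in brackets) is enough to drive a safe clean-up: keep the newest few logs per component and skip any file the product still has open. The script below is an added example, not Emsisoft's own tooling; the naming rule is the one described in the post, the first sample name is the post's and the rest are constructed. It defaults to a dry run so nothing is deleted until you ask.

```python
"""Housekeeping for log files named <component>_<yyyymmddhhmmss>(<pid>).log.
Added example, not Emsisoft's code: the naming convention is the one the post
describes; sample names below are constructed except where marked."""
import os
import re
from collections import defaultdict
from datetime import datetime

LOG_DIR = r"C:\ProgramData\Emsisoft\Logs"   # location given in the post
LOG_NAME = re.compile(r"^(?P<component>[A-Za-z0-9]+)_(?P<stamp>\d{14})\((?P<pid>\d+)\)\.log$")

SAMPLE_NAMES = [
    "a2service_20170205003925(1116).log",   # the name quoted in the post
    "a2service_20170301120000(1120).log",   # constructed
    "a2service_20170410080000(1130).log",   # constructed
    "a2guard_20170205004000(2048).log",     # constructed
    "a2guard_20170601090000(2100).log",     # constructed
    "notes.txt",                            # constructed; not a log, must be ignored
]


def parse_log_name(name):
    """Return (component, creation time, pid) or None for names that don't follow the rule."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    created = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
    return m.group("component"), created, int(m.group("pid"))


def select_deletable(names, keep_per_component=2):
    """Names of the oldest logs beyond the newest `keep_per_component` of each component."""
    by_component = defaultdict(list)
    for name in names:
        parsed = parse_log_name(name)
        if parsed:
            by_component[parsed[0]].append((parsed[1], name))
    deletable = []
    for entries in by_component.values():
        entries.sort()                                   # oldest first
        surplus = max(len(entries) - keep_per_component, 0)
        deletable.extend(name for _, name in entries[:surplus])
    return sorted(deletable)


def prune_logs(directory=LOG_DIR, keep_per_component=2, dry_run=True):
    """Delete surplus logs. A log still open by a running component is skipped, never
    forced: on Windows the open file is locked, so os.remove raises PermissionError."""
    removed, skipped = [], []
    for name in select_deletable(os.listdir(directory), keep_per_component):
        path = os.path.join(directory, name)
        if dry_run:
            print("would delete", path)
            continue
        try:
            os.remove(path)
            removed.append(name)
        except PermissionError:                          # still being written to
            skipped.append(name)
    return removed, skipped


if __name__ == "__main__":
    print(select_deletable(SAMPLE_NAMES))   # ['a2service_20170205003925(1116).log']
```

With the default of two logs per component the sample set loses only the oldest a2service log; raise or lower `keep_per_component` to suit how far back you want history to go, and run `prune_logs(dry_run=False)` only once the dry-run listing looks right.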
  9. Yes, cosmetic. See: https://support.emsisoft.com/topic/27497-re-new-in-20175-anti-ransomware/
  10. What tool (presumably running on another machine on your LAN?) are you using to do the port scan?
  11. Didn't you ask that before and get told that both home users and corporate users get the same level of protection? If that's what you're asking this time, why would you doubt it? As a home user, do I deserve less protection than a corporate user?
  12. I know you said all your computers are using dynamic IP... but can I just check? You do mean they're all on your network? If they ARE on your network, why are you using dynamic IP - is it so that if/when the machines are taken elsewhere and use dynamic IP elsewhere, you don't have to change the way they're set up? Arthur commented above on the advisability (or not) of allowing traffic to/from all addresses... but if the machines are on a network then surely you only need to allow that traffic to/from the IP addresses that are valid on your network, not the entire outside world? On the other hand, if one of these computers IS in the outside world then apart from rules in both machines' EIS firewalls, there might be a problem in the firewall component of your router (if you have one) - it may not be passing all the required inbound traffic to the target machine.
  13. Ok, that makes more sense. Remember that as well as the tooltip the help file (somewhat wordier) would benefit from this more detailed explanation. One thing though, by no means every user of an email client would think of such files as /archives/ - if you're using an offline reader, especially if POP3 rather than IMAP, the files are (or could be) the live mails, not archived old ones.
  14. > I'm having the same issues with my clients running Windows 10 Pro along with Trend Micro Worry Free Business Security Advanced.

     Why are you even trying to install EAM on machines that have some other security product on them? What happens if you uninstall the Trend thing first?
  15. > The issue that was fixed is that when you move the main window to screen 2, shutdown the pc and start with only 1 screen connect, the main program will open on the
     > visible desktop on screen 1 OK.

     Though... IS that an issue? It's what I'd expect to have happen. Surely you wouldn't want the window to open on a non-connected second screen? (Having said that I know most/all of the multi-screen control software has facilities for moving windows around automatically.)

     > The issue you describe is 'quite' corner case however we might fix this.

     Yes! The bottom righthand corner of the screen. (I know what you mean... the trouble is that if it happens it's hard for anyone to know what's happened; whether they can then get out of the problem depends on their level of knowledge and/or access to programmers' utilities.)
  16. Elise: so, it's not the creation of that sub-folder by some version of VLC that's suspicious, but the way in which that is attempted? Is that because that (API or whatever) can be used to issue other commands, and/or EIS doesn't see what the command involved is?
  17. Elise, thank-you, that worked. Back to my question though, does the exploit blocker pay attention to which version of a program is to be blocked?
  18. Stapp means, I think, "just press once to get a new paragraph" (which is what the double spacing is). More to the point, don't press Enter at all at the end of a normal line... just keep typing. Or compose the text somewhere else and c&p it in.
  19. Hmm, I'd not noticed that c&p resulted in single spacing! Unlike stapp I tend just to press Enter at the ends of lines... and get double spacing too (Grrr!). The only way to get single spacing otherwise is to just keep on typing so that the text wraps very long sentences as - hopefully - you'll see with this one.