JeremyNicoll

Member
Content Count: 1818 | Days Won: 28

Posts posted by JeremyNicoll


  1. Arthur, you've missed the point.

    I was unable to wrest control from EIS when it got stuck trying to contact the Anti-malware network.   Possibly that happened at the start of running the VBS program, or maybe when that program asked windows to open the ProgramData folder, because when it hung, it crashed explorer.   Maybe that was caused by me telling Windows to end the unresponsive EIS task?   But why should EIS not have stopped holding me up?  Why wouldn't it take a click on its 'Cancel' button?  Whenever I moved the mouse over the 'suspicious behavior' pane, the pointer changed to a small blue (revolving?) circle.

    And, if you're right that the BB thought the script was suspicious, why alert me then and not tens of times previously, every day, when the same script is run?  My logs show that happened 14 times yesterday.  The hanging instance was roughly in the middle of the 14 uses.


  2. > I must have misunderstood ... update process

    I dragged it off-screen while the scan was running.  What update process?

    > We generally have the About popup appear in the middle of the window

    The middle of the window is no use if the window is mainly off-screen.  If the user cannot even see that the About pane has been opened they will not understand why the main window cannot be dragged etc etc.  Also, I had thought that this only happens if you click on 'Emsisoft' but in fact you can click in the white area to the lefthand side of the word Emsisoft and have the same thing happen, in an area that's approximately the same width as the "EM" letters.  So a user who happens to place the mouse pointer there as they try to start a drag will cause the About pane to open and very likely have no idea that they even requested that.


  3. EIS 2017.4.0.7424   W8.1  64bit

    Within my text editor, Kedit, I issued a command (of a sort I run many times per day) which runs a script that runs within the editor environment.  The command was: fav progr

    It (fav.kex - written in KEXX which is more or less REXX but built-in to Kedit) presents a list of a bunch of folders and files whose nicknames (set by me) match the parameter I gave and lets me open whichever one I wanted. On this occasion I chose C:\Program Data, and then  nothing happened.  The editor fav.kex script (which logged what it did) issued:

      winexec nowait normal wscript.exe "C:\Dropbox\JN_VB_and_VBS\JN-Shell-Explore-Folder.vbs" "full" "C:\ProgramData"

    and that process (executing 'winexec') ran ok; the logs show that it received a zero return-code.

    But I got an EIS pop-up telling me that the behaviour of that vbs program was doubted - which in itself is odd because that program is run many times per day & has not changed since May 2016.   The pop-up said:

       Suspicious behaviour has been found in the following program:

        C:\Dropbox\JN_VB_and_VBS\JN-Shell-Explore-Folder.vbs

        ? Verifying status with Anti-Malware Network...

                                                        [Cancel]

    Clicking 'Cancel' had no effect.  After maybe a minute or two, I got an OS message box:

       title: Emsisoft Real-Time Protection

       Emsisoft Real-Time Protection is not responding.

       If you close the program you might lose information.

       -> Close the program
       -> Wait for the program to respond

    After clicking on the latter option a few times, which each time just returned me to the  'Suspicious behaviour' dialog, and after a while told me again that Emsi wasn't responding, I chose the 'Close the program' option.   The EIS systray icon then disappeared.  

    I wasn't then absolutely sure if just the GUI had gone or more than that.

    The 'Suspicious behaviour' thing had, it seemed, stopped explorer from opening a folder viewer, and when I next clicked on part of an explorer window, the whole desktop background vanished leaving a dark blue screen with a bronze stripe across the bottom of the screen (where the taskbar would be), with a grey box where the system clock display should be.

    After a while, I got another message box: "Windows Explorer is not responding"...

    Fortunately I had my text editor window open, so could create these notes, and also issue system commands.  I tried: "dosq explorer.exe" but that didn't seem to do anything.  

    However "dosq cmd.exe" did give me a command window, and I was able to use (SysInternals') pslist, and in due course pskill to kill explorer.  However although I was able to start a new instance of explorer, that didn't bring back the desktop.

    After saving my notes, I did manage to shutdown the system, by opening another cmd.exe window and issuing:    shutdown /s /t 0


    After the reboot, looking in EIS' logs, I see that there was a successful update at 16:00, which is about half an hour before the freeze.  My own logs show the 'fav progr' command that provoked this was executed around 16:35 & had been preceded by several similar commands issued after 4pm.

    I'm naturally curious why EIS picked on that instance of running the VBS program, but I'm much more concerned that clicking 'Cancel' on the 'Suspicious activity' message box did not give me control of the machine.  After all, I don't care what the Anti-Malware network might think of my program - I know it's doing what it is meant to do. 
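The recovery steps in the post above (pslist, pskill, a command-line shutdown) done from PowerShell, as an added example that is not from the original post. It also answers the "was it just the GUI that went, or more than that?" question by listing the product's services. Assumptions: PowerShell 3 or later on Windows 8.1, and that the protection services carry "Emsisoft" in their display name (the filter is an assumption, not taken from the page).

```powershell
# Added example (not the forum poster's code). Triage a hung security-product GUI
# from a shell that still works. Assumes PowerShell 3+ on Windows 8.1 and that the
# product's services have "Emsisoft" in their display name (assumption).

# 1. Which windowed processes have stopped pumping messages? This is the same test
#    Windows applies before it shows "... is not responding".
$hung = Get-Process |
    Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero -and -not $_.Responding }
"Hung windowed processes:"
$hung | Select-Object Id, ProcessName, MainWindowTitle | Format-Table -AutoSize

# 2. Did only the tray GUI die, or is the protection service itself gone?
"Protection services:"
Get-Service | Where-Object { $_.DisplayName -like '*Emsisoft*' } |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# 3. Restart the shell only if Explorer is the one that hung. Killing explorer.exe
#    also removes the taskbar and desktop (the "dark blue screen" in the post);
#    starting explorer.exe with no arguments normally brings the shell back, whereas
#    "explorer.exe <folder>" only opens a folder window.
$exp = Get-Process explorer -ErrorAction SilentlyContinue
if ($exp -and -not ($exp | Where-Object Responding)) {
    $exp | Stop-Process -Force
    Start-Sleep -Seconds 2
    Start-Process explorer.exe
}

# 4. Last resort, the PowerShell equivalent of the post's "shutdown /s /t 0"
#    (left commented out so the script does not power the machine off by accident).
# Stop-Computer -Force
```

Run it from an elevated PowerShell window; step 2 works unelevated but step 3 will fail to stop a hung Explorer if the session is not an administrator. The point of step 2 is that a vanished tray icon only tells you the GUI process is gone; the service list tells you whether real-time protection is still running.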


  4. I don't recall anything like that way back when I first installed the EIS trial.  It suggests the values entered aren't being saved, but you'll need to get an Emsisoft employee to comment on whether or not that's normal.  Did anything ... unusual... happen when you did the install?  Any error messages?  Where did you get the trial version from?  Once it's running, what version number is it?  (You find out by opening the main GUI window and clicking on the 'Emsisoft' logo at the top lefthand corner.)


  5. > guess most folk drag a screen downwards almost off screen, which leaves all the x and minimize etc buttons still visible.

    Do they?  I run my machine with the option that makes the taskbar hide itself when it's not in use.  If I drag stuff down there then every time I try to bring the mouse pointer down to try and 'catch' the titlebar of a dragged window, the taskbar pops up and gets in the way.   Dragging stuff to the right - especially with a wide screen - 1600x900 here - works better for me.

    But in this case, if you drag the main GUI window downwards and leave it so that the X button etc are visible, then accidentally click on the Emsisoft word (and get the About pane), you a) can't see the About pane, b) the X, minimise buttons etc have no effect when one tries to click them.  Yes, Alt-F4 does seem to fix the problem if of course you first click on the GUI pane (else it shuts whatever else you're working on).



  6. > Would Alt+F4 not close that window for you Jeremy ?

    After a quick experiment with the pane visible on-screen, yes it might do.   But the fundamental problem (apart from wondering how many users know about Alt-F4) is that when the About pane has opened on a main GUI screen that's shunted off-screen, you don't know that that's happened.  So why would you press Alt-F4?


  7. > It might be better to fix any issues that could cause the EAM/EIS window to appear outside of the normal viewing area of the screen.

    There's no 'issue'.  I merely dragged the window mostly off-screen... as I do with all sorts of windows, often.  I'd be very upset if EIS was changed so the window couldn't be dragged like that.

    Personally, as I have the tool I mentioned above, if I fall foul of the 'About' pane's buttons being inaccessible after an accidental click on "Emsisoft", I can fix it.  But users without a similar tool or any idea of what might have happened, cannot.  All I'm suggesting is that you either prevent the pane displaying when it won't be possible to dismiss it, or always place it in the middle of the screen rather than relative to the main GUI's window position.


  8. Aha!  I solved this...   I ran a copy of Nir Sofer's WinExplorer (WinExp.exe) - a tool that shows you information about all the windows that are in existence (many of which are usually off-screen).  In that tool I saw three entries for Emsisoft-owned hierarchies of windows, one named

         Emsisoft Internet Security 2017.4 - About [TABoutEAM]

    and the details for it showed co-ordinates for its top left corner that were, misleadingly, quite reasonable for a fully-visible window.  But it wasn't present.  It had already occurred to me that in attempting to drag the off-screen window I might have clicked on the 'Emsisoft' name and caused an About window to be displayed... but I had expected that if that was the case it would have popped up centre-screen (clearly not the case) or been overlaid over the main GUI window and had hoped it would then show up on the thumbnail.   Anyway, WinExp allows you to modify an open window's position, so I made a minor change to the listed-but-invisible window's left co-ordinate, clicked Modify, and it popped up on the centre of my screen.   I clicked its OK button, and then the off-screen undraggable window became draggable again.

    Where is the About pane supposed to pop up when "Emsisoft" is clicked?     It needs always to have its dismiss X or OK buttons visible!


  9. When I said the taskbar icon didn't offer screen movement /resize options, I'd forgotten that in W8.1 you don't get them unless you right-click on the thumbnail view of the window.  When I looked at the thumbnail I found it looked as shown in screenshot:

    https://www.dropbox.com/s/63k2m9d9ice6gzb/20170505 1236 02 (screenshot) thumbnail - app rules.jpg?dl=0

    ie the app HAD responded to a click on the systray menu, to show application rules (one of the 'innocent' options that won't do something I can't see/control).


    I did then try clicking 'Security Overview' on the systray icon and the thumbnail then looked like:

    https://www.dropbox.com/s/geqehytpu9tcgiw/20170505 1236 03 (screenshot) thumbnail - sec overview.jpg?dl=0

    which - incidentally - shows something that I see from time to time when I make a routine request to see the Security Overview screen - the righthand blue part gets drawn then there's a few seconds delay before the rest of the screen is drawn.  It's interesting NOW because even several minutes after clicking Security Overview on the systray menu, the thumbnail still doesn't show a fully drawn screen (assuming that thumbnails are calculated when needed, not stored?).  And the off-screen window still cannot be dragged. 


  10. W8.1, 64bit machine, EIS stable feed - but I can't tell you what version.

    I just ran a custom scan of my machine, during which time I had the scan progress window shunted almost off screen.  When it was clear, from reduced fan noise etc that it had finished (and the tab on the taskbar no longer showed a progress bar) I tried to drag the progress window back into view.  I can't.  It simply won't drag at all.

    Right-clicking the taskbar icon offered me choices (but not those to move or change the size of the window) including View scan reports -  so I chose that and confirmed that the scan had completed and found nothing.

    There's no event log records for the time during which the scan was running.

    Clicking the EIS systray icon moves focus to the progress window's taskbar icon, but doesn't bring up the main GUI screen, nor - as far as I can tell - change what's on the undraggable window - but then, I can only see part of its top edge so it's impossible to tell.  Right-clicking the systray icon does produce the usual menu, but clicking things doesn't /seem/ to do anything.


  11. > See in task manager?

    Yes, assuming it was a .exe, but if it's a DLL running under the control of an .exe there might be a differently-named framework around it.  That's what happens for lots of Windows services run under  svchost.exe.  I can't remember if Task Manager shows that but tools like 'Process Explorer' or 'Process Hacker' do.
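The svchost point in the post above, as an added example that is not from the original post: a service implemented as a DLL has no process of its own, so Task Manager shows only "svchost.exe". The script below resolves which services share each host process and which DLL each one is, using only what Windows records itself. It assumes Windows 8.1 with PowerShell 3 or later (the CIM cmdlets); no product-specific names are assumed.

```powershell
# Added example (not the forum poster's code). Map every svchost.exe to the
# services it hosts and to the DLL that implements each service.
# Assumes Windows 8.1 / PowerShell 3+ for Get-CimInstance.

$hosts = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
    Group-Object ProcessId

foreach ($h in $hosts) {
    # The "-k <group>" argument says which service group this host was started for.
    $group = if ($h.Group[0].PathName -match '-k\s+(\S+)') { $Matches[1] } else { '?' }
    "svchost.exe PID $($h.Name)  group=$group"

    foreach ($svc in $h.Group) {
        # The DLL is recorded under the service's Parameters key, not in its image path.
        $params = Get-ItemProperty -ErrorAction SilentlyContinue `
            "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = $params.ServiceDll
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        "    {0,-28} {1,-8} {2}" -f $svc.Name, $svc.State, $dll
    }
}

# The built-in one-liner, if only the service names per host are needed:
# tasklist /svc /fi "imagename eq svchost.exe"
```

This is also the first place to look when an svchost instance is consuming CPU or holding a network connection: the PID alone is meaningless, the hosted service list and ServiceDll paths are what identify the code actually running, and a ServiceDll that points outside %SystemRoot%\System32 deserves a second look.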


  12. The usual approach is to try to find an un-encrypted file - in a backup, or on your phone, or something you emailed to a friend that could be sent back to you, or something you know you downloaded from somewhere else that you could try to get again (clearly it would need to be precisely the same file again).


  13. It's timing out here (Edinburgh, Scotland) too (using Firefox from a Windows 8.1 machine).  However ping & tracert work:

    C:\>tracert central.emsisoft.com

    Tracing route to central.emsisoft.com [136.243.232.250]
    over a maximum of 30 hops:

      1     4 ms     8 ms     6 ms  192.168.0.1
      2    17 ms    13 ms    23 ms  10.234.180.1
      3    12 ms    13 ms    16 ms  sgyl-core-2a-xe-323-0.network.virginmedia.net [62.253.0.81]
      4    22 ms    21 ms    23 ms  sgyl-core-2b-ae1-0.network.virginmedia.net [81.97.48.86]
      5     *        *        *     Request timed out.
      6    27 ms    24 ms    30 ms  telw-ic-4-ae0-0.network.virginmedia.net [62.254.84.70]
      7    30 ms    23 ms    21 ms  ae1-0.lon10.core-backbone.com [195.66.224.238]
      8    33 ms    32 ms    33 ms  ae2-2077.fra20.core-backbone.com [5.56.18.1]
      9    37 ms    36 ms    46 ms  core-backbone-100g-fra.hetzner.de [80.255.15.122]
     10    39 ms    38 ms    39 ms  core1.fra.hetzner.com [213.239.245.9]
     11    41 ms    38 ms    44 ms  core24.fsn1.hetzner.com [213.239.229.78]
     12    42 ms    38 ms    38 ms  ex9k1.rz21.hetzner.de [213.239.203.186]
     13    43 ms    38 ms    36 ms  wotan.emsisoft.com [136.243.5.146]
     14    39 ms    38 ms    38 ms  control.emsisoft.com [136.243.232.250]

    Trace complete.

    C:\>ping central.emsisoft.com

    Pinging central.emsisoft.com [136.243.232.250] with 32 bytes of data:
    Reply from 136.243.232.250: bytes=32 time=53ms TTL=52
    Reply from 136.243.232.250: bytes=32 time=38ms TTL=52
    Reply from 136.243.232.250: bytes=32 time=38ms TTL=52
    Reply from 136.243.232.250: bytes=32 time=42ms TTL=52

    Ping statistics for 136.243.232.250:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 38ms, Maximum = 53ms, Average = 42ms

    C:\>

    That might suggest that the server itself is working... enough to reply to ping/tracert... but that the https service there is not working.  I doubt that helps you.
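The reasoning in the post above (ICMP answers, so the host is up, but the HTTPS service may not be) can be checked one layer at a time rather than inferred. The following is an added example, not from the original post: it tests DNS, the TCP handshake on port 443, the TLS handshake with a timeout, and finally an HTTP request, and reports where the chain breaks. It assumes PowerShell 4 or later on Windows 8.1 (for Resolve-DnsName and Test-NetConnection); the function name and its output fields are this example's own.

```powershell
# Added example (not the forum poster's code). Tracert and ping only prove that the
# host answers ICMP; they say nothing about TCP 443 or the HTTPS service behind it.
# Assumes PowerShell 4+ on Windows 8.1. Test-HttpsEndpoint is this example's own name.
function Test-HttpsEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $r = [ordered]@{ Host = $HostName; Dns = $null; Tcp = $false; Tls = $null; Http = $null }

    # 1. Name resolution. A stale or wrong record looks exactly like a dead server.
    $r.Dns = (Resolve-DnsName $HostName -Type A -ErrorAction SilentlyContinue |
              Where-Object QueryType -eq 'A' |
              Select-Object -ExpandProperty IPAddress) -join ','
    if (-not $r.Dns) { return [pscustomobject]$r }

    # 2. TCP handshake on the service port. ICMP may be allowed while 443 is filtered.
    $r.Tcp = (Test-NetConnection $HostName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $r.Tcp) { return [pscustomobject]$r }

    # 3. TLS handshake with a socket timeout: a port that accepts the connection but
    #    never completes TLS is the "hangs forever" case that a plain port test hides.
    $client = New-Object Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($HostName, $Port)
        $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws on handshake or certificate failure
        $r.Tls = "$($ssl.SslProtocol) issuer=$($ssl.RemoteCertificate.Issuer)"
    } catch {
        $r.Tls = "FAILED: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }

    # 4. Any HTTP status at all proves the web service is alive; a timeout does not.
    try {
        $resp = Invoke-WebRequest "https://$HostName/" -TimeoutSec ($TimeoutMs / 1000) -UseBasicParsing
        $r.Http = [int]$resp.StatusCode
    } catch {
        $r.Http = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode }
                  else { "FAILED: $($_.Exception.Message)" }
    }

    [pscustomobject]$r
}

Test-HttpsEndpoint central.emsisoft.com | Format-List
```

Read the output from the top: the first field that fails is the layer to report. In the situation described in the post, Dns and Tcp would be expected to succeed and the failure would show up in the Tls or Http field, which is the difference between "server down" and "service down" that ping and tracert cannot make.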


  14. Your reply  "There is no exclusion to the av folder,"  doesn't quite address what GT500 suggested. 

    Do you have any other antivirus or antimalware software running on that machine?  Or anything else giving any kind of 'real-time' protection?  If so, GT500 is suggesting that those products might need to be told to ignore the Emsisoft scanner's folders.   They might be interfering with the proper execution of the Emsi programmes.


  15. A good example of this sort of thing (if I've got the details right) is that the BB might warn you that a particular program looks like it might be acting like a keylogger (ie malware that records everything you type).  But, as I understand it, that would be because it had asked Windows to pass to it a copy of all the keystrokes.  And in fact, lots and lots of programs do that so that they can implement 'hot keys' - ie have some key combination that, when you type it, makes that program do something, even if the program was only running in the background.  So you can see that the BB can see /potentially/ malicious behaviour but not be able to distinguish it from perfectly normal behaviour.

    Of course, there's no /guarantee/ that the customers who decide that some program is ok, on the Anti-Malware Network, are actually correct.  Very few of them are likely to have seen the source of the program in question, or monitored precisely what it does.  It's more likely that they believe the program is innocent based, perhaps, on the programmer or vendor's reputation.  If such a program, using my example, seems to have no need whatsoever to intercept keystrokes, that would be worrying.  You may still need to make your own judgement - or eg to ask on a vendor's forum WHY your EAM detected that behaviour, and see what the vendor says.