JeremyNicoll
Everything posted by JeremyNicoll

  1. The advantage of the hash, as I saw it, is that your developers would know how much space it was going to take up - it'd be easy then to store that finite small amount of data inside the structure where you define whitelist entries. OTOH storing an arbitrary amount of information for an arbitrary number of files in the whitelisted directory would probably need yet another sub-database. I suppose it's possible that a user confronted with a "something's changed in this whitelisted folder" alert might want to know what had changed, and for that it might be worth storing the generated directory list somewhere - but only as a plain text file not intended ever again to be processed by EIS. Malware couldn't alter it (to mislead the user) because its original hash would be stored inside EAM/EIS.
  2. Even in an interpreted scripting language, I can get detailed directory listings extremely fast; I'd expect tailored compiled code using the relevant API to be able to do the same thing more quickly. The purpose of the idea, remember, is to spot extra files being added to a whitelisted folder, where the user might not want those extra files also to be whitelisted, and of course to spot changes being made to existing files. Make-a-dir-list-and-hash-it code doesn't have to be really finicky, it just has to decide if it looks as if there's been a change to folder contents, so the user could be asked if they wanted changes since whenever to be whitelisted as well. You're right, it wouldn't be perfect, but it would be safer than the present whitelist mechanism that makes NO attempt to track changes in a folder.
  3. Yes, but I didn't mean make a hash of every file and save them; instead make a directory listing (a small text file in essence) and save the hash of that.
  4. What might be useful, in some circumstances anyway, would be an option for making an exclusion that caused EIS to store some sort of hash of the directory listing of that folder, so that unchanged files in the folder would remain excluded but any new file that arrived in the folder would not be excluded. Clearly that would be a nuisance for some folders where the current behaviour would be 'better'.
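The directory-listing-hash idea from items 1 to 4, as an added example (not Emsisoft's code and not something JeremyNicoll posted): build a deterministic plain-text listing of a whitelisted folder, store only the SHA-256 of that listing inside the whitelist entry, and on later checks compare hashes first, using the separately kept plain-text listing (itself verified against the hash) only to tell the user what changed. The folder layout, file names and the metadata recorded per entry are this example's own assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def directory_listing(folder: str) -> str:
    """Deterministic listing, one sorted line per entry. Files carry size and mtime (ns);
    sub-folders are listed by name only, so a file dropped into one appears as one 'added' line."""
    root, lines = Path(folder), []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames:
            lines.append("d\t" + (Path(dirpath) / name).relative_to(root).as_posix())
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()  # don't follow symlinks: a link whose target changes is itself a change
            lines.append(f"f\t{p.relative_to(root).as_posix()}\t{st.st_size}\t{st.st_mtime_ns}")
    return "\n".join(sorted(lines)) + "\n"

def listing_hash(listing: str) -> str:
    """The fixed-size value a whitelist entry would store next to the folder path."""
    return hashlib.sha256(listing.encode("utf-8")).hexdigest()

def check_folder(folder: str, baseline_listing: str, baseline_hash: str):
    """Returns (changed, added, removed, modified). The stored hash alone decides whether the
    folder changed; the plain-text listing is checked against it first, then used to explain."""
    if listing_hash(baseline_listing) != baseline_hash:
        raise ValueError("stored listing does not match its stored hash")
    current = directory_listing(folder)
    if listing_hash(current) == baseline_hash:
        return False, [], [], []
    def parse(text):  # relative path -> full listing line
        return {ln.split("\t", 2)[1]: ln for ln in text.splitlines()}
    old, new = parse(baseline_listing), parse(current)
    added, removed = sorted(set(new) - set(old)), sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return True, added, removed, modified

def demo() -> dict:
    """Constructed scenario: baseline a folder, then drop in a new file and alter an old one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "app.exe").write_bytes(b"MZ" + b"\0" * 64)  # placeholder bytes, not a real PE
        (root / "plugins" / "a.dll").write_bytes(b"MZ" + b"\0" * 16)
        baseline = directory_listing(tmp)
        digest = listing_hash(baseline)
        before = check_folder(tmp, baseline, digest)
        (root / "plugins" / "dropped.dll").write_bytes(b"MZ" + b"\0" * 8)  # new arrival
        (root / "app.exe").write_bytes(b"MZ" + b"\0" * 65)  # existing file altered
        after = check_folder(tmp, baseline, digest)
    return {"before": before, "after": after}
```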
  5. GT500 said: "I was incorrect about the Behavior Blocker only preventing applications from running if they are launched from Windows Explorer (this may have been an old limitation that was overcome over the years, or perhaps just a memory lapse on my part). I apologize for the confusion". I'm glad that you were wrong (!) in this case.
  6. Do you mean: the former may prevent xyz.exe from executing at all, while the latter determines what xyz.exe can do once it is executing? If so, what's the difference between an app rule that stops pqr.exe from executing, and a BB rule that prevents xyz.exe from starting pqr.exe (if one can define that)?
  7. Seeing reports elsewhere in the forum that this was fixed, I started a scan late last night when I'd finished using the machine. Remember it took 54 minutes back in November, before getting worse? Well, last night it was just 41 minutes, so I think we can safely say that's fixed!
     Emsisoft Internet Security - Version 12.1.0.6970
     Last update: 13/12/2016 02:22:19
     Scan type:
     Objects: Rootkits, Memory, Traces, C:\
     Detect PUPs: On
     Scan archives: Off
     ADS Scan: On
     File extension filter: Off
     Direct disk access: Off
     Scan start: 13/12/2016 02:41:54
     Scanned 511670
     Found 0
     Scan end: 13/12/2016 03:23:09
     Scan time: 0:41:15
  8. It's not a matter of whether you believe The Register or not. If you exclude a folder then you have to be aware that any file that gets into that folder, for any reason, not necessarily a malicious one, will be ignored, not just the files that were there originally. Worse, if any of the files present get infected, those infections will be ignored.
  9. So, what does the asterisk present in entries in the first list do? Is there any way of distinguishing between 'all the files in a folder' and 'everything in the folder and its sub-folders'?
  10. I'm following this topic, so just got emailed to say there were two updates to it. Not only did the emails NOT contain the new texts, neither of the links that they contained instead worked. In each case I ended up on a website page that said, eg for this link: http://support.emsisoft.com/topic/25809-malware-scan-using-6956/?do=findComment&comment=164045 an error message: "Sorry, there is a problem. We could not locate the item you are trying to view. Error code: 2S136/C" (and I'm sure that this isn't the best place to report a forum problem, but I don't know where I should have done that).
  11. I started another scan and once it had got to the files part started PH (elevated). At that point the threads display showed one thread at 12.5% cpu (which I presume meant one core frantically busy) when the other threads were all well less than 1%, often less than 0.1%. But after maybe a minute that extreme difference levelled off a bit. But even so that particular thread (TID) is top of the list (sorted by CPU) almost every time the display updates. It's then typically showing values from 2 to 6% cpu, while most of the ones immediately below are typically about 1/3 to 1/10 of that value. It's one of 9 threads with start address: a2engine.dll!InstallDdaDriver+0x2a620. I sat and watched this for quite a while - it's almost as good as TV! Occasionally one of the other (9) like threads dominated the list, again sometimes with cpu figures as high as 6 - 12%, and then all the others would again have tiny values. I stopped the scan after 18 minutes of excitement.
  12. This problem is still with me. I'm using IE11 (rather than my preferred Firefox) which certainly makes it less of an issue, but whenever I accidentally or intentionally start FF another chunk of virtual memory goes AWOL. Has anyone made any progress?
  13. The disadvantage of excluding some file types from scans is that the file types set on your files might not actually accurately describe what's in the file. Also, you might presume that - say - a JPG could never be malicious. But that's not the case. If for example there's a vulnerability in one of the programs you use to display or manipulate JPGs, it might be possible (as Microsoft would describe it in one of their security updates) for a "specially crafted" JPG to take advantage of the error in the viewing/manipulating program and cause an unexpected or malicious side-effect. In the last year or so, fonts, PDF files and 'media files' have all had that problem. You might find it sensible to do regular/frequent scans with faster options, excluding some file types, but also every so often do a more thorough scan that looks at every file.
  14. I know you know this issue exists for EAM on W7x64 systems, but it's here (EIS) too. My OS is W8.1 x64. Last time I did a custom scan of the whole machine, excluding contents of zips etc., that took 54 minutes:
      Emsisoft Internet Security - Version 12.0.1.6859
      Last update: 11/11/2016 09:57:23
      Objects: Rootkits, Memory, Traces, C:\
      Detect PUPs: On
      Scan archives: Off
      ADS Scan: On
      File extension filter: Off
      Direct disk access: Off
      Scan start: 11/11/2016 10:13:47
      Scanned 516954
      Found 0
      Scan end: 11/11/2016 11:07:52
      Scan time: 0:54:05
      Today, 196 minutes:
      Emsisoft Internet Security - Version 12.1.0.6970
      Last update: 07/12/2016 09:51:12
      Objects: Rootkits, Memory, Traces, C
      Detect PUPs: On
      Scan archives: Off
      ADS Scan: On
      File extension filter: Off
      Direct disk access: Off
      Scan start: 07/12/2016 10:17:40
      Scanned 513353
      Found 0
      Scan end: 07/12/2016 13:34:08
      Scan time: 3:16:28
      The laptop has a 4-core processor (so 8 cpu threads). For the November scan I left the machine completely alone as it worked, though for today's one, I did some reading of email in a webmail system for the first hour or so of the scan.
  15. Does the Emsisoft online payment system require the person whose name is on the payment card to be the same person that the software will be licenced to? If not, CoolWebSearch could perhaps find a friend or relation who's not so unused to online payments to do it for them.
  16. What sort of times do you see normally?
  17. > I'll ask someone to be certain, however I am thinking that our Behavior Blocker will only block programs from running that are launched by Windows Explorer
      Goodness! I hope that's not the case. It would mean that an innocuous script could load a malware .exe and that wouldn't be blocked.
  18. W8.1 x64 Around an hour ago I noticed that the systray icon's tooltip said the last update was on the 23rd at 14:47. The machine was 'asleep' from about 1530 to maybe 1900, but has certainly been awake again for more than an hour since then. I turned debug logging on at 23:01. I then watched streamed BBC iPlayer content until 23:44 or so, mainly in full-screen/maximised window (I'm not sure which it is) mode, but I came out of that a couple of times. Then at 23:44 I paused the video and did something else until 23:56; no update had occurred. I stopped the debug logging, took screenshots of the Logs->Updates and Settings->Updates displays, and zipped all that up. I'll PM it to GT500 in a minute or two.
  19. The info under Mark's 'picture' says he's using W7 x64, so why does a2hooks32.dll - rather than a2hooks64.dll - get involved? Different machine, or does this mean that Word and Outlook are running in 32-bit mode?
  20. Thanks for the update. At this instant, a2service has a CS of a bit over 1.2 GB. I ran SysInternals' VMmap to see if that gives any clues. Obviously wherever the problem is, it's heap data (though I guess that won't help you much)... and VMmap does show ID values - mostly 5 or 6 - on those - do those numbers mean anything to your developers? VMmap has an option to export a text file listing details about each block, though. VMmap display looks like: https://www.dropbox.com/s/b1k97pwtdfq7fnk/20161022%202055%2010%20VMmap%20%2820161122%20a2service%29%20VMmap.jpg?dl=0 I'll PM the exported file to GT500. If you want me to recreate a much worse scenario and - say - a new dump and the info from VMmap, let me know. But there's not much point unless the exported VMmap data might provide useful hints.
  21. You should be able to use a non-smartphone to send an SMS, after all SMS support has been around for more than 20 years (see: https://en.wikipedia.org/wiki/Short_Message_Service ). If the phone you send such a command /to/ replies with anything, or at least anything significantly more complicated than a simple "got the command and did it" reply, then that might be a problem. Testing WIPE etc... It depends on how much personal data you have on your smartphone. If it's new and you're only playing with it, you might as well find out what state it would be in if it had really been lost/stolen and you issued a WIPE... and then were lucky enough to get it back. But if you have lots of personal data on it and/or customised apps, and have never saved the data elsewhere or noted how you customised things, then wiping it all is going to be a huge nuisance...
  22. If they have to have one name, it could be changed to be less specific, eg "EAM/EIS".