Everything posted by JeremyNicoll

  1. Fantastic! That sorted the problem, in the short-term at least. However, I wonder if there's any way to find out why this was necessary?
  2. Win XP Pro SP3, 32bit; OA 6.0.0.1736. Also using most recent EAM. Today I finally put the trial versions of OA and EAM onto my oldest, slowest laptop - which has an AMD Sempron 3000+ and 1 GB RAM. (I did a few days ago increase the RAM to 2 GB but the machine was unstable - lots of application crashes and BSODs - so I reverted to the original RAM.) I've found that my email & news client is very sluggish when OA is running; ok if it is not, and ok if I run OA with the HIPS features disabled. Sluggish? Things selected by mouse-click take up to 10 seconds to show they're selected, double-clicked mails take 10 seconds to open, etc. Normally there are no speed problems. It can't just be RAM either because the email/news client only uses a modest 60 MB or so; the same system runs Firefox (using 150-200 MB) ok. The email client is an uncommon one, written using Qt for cross-platform support, in this case V4.7.3, if that matters. Before I tried turning OA off completely, or (as now) running OA without HIPS stuff, I had defined the email client's .exe on OA's Programs list - Allowed, Trusted, Normal. File & Registry shields are off. The folders where the app keeps its data are on EAM's FileGuard whitelist. I'm slightly surprised that none of the Qt DLLs (supplied in the email client's program folder) appear by name in OA's Programs list (I'm looking at the whole list, not just the untrusted stuff). Of course I don't know if Qt is implicated, but other apps on the machine seem fine, and since the problem appears to be in the email client's GUI support, Qt might be relevant.
  3. Just for info, using a suite installer I downloaded from you yesterday, I just ran the trial install ok on my third machine. Unlike the other two, I had it connected to the internet from the start. The process ran fine, though at the point where new malware signatures were to be downloaded if available I'd say it wasn't absolutely clear that anything was happening at first. There was some text saying something like "0 of 0 KB downloaded", for maybe 20-30 seconds. Once it had fetched the list of required sig files and started fetching those, it was very obvious that something was happening.
  4. It seems a little odd that whatever process is used worked for EAM but not OA... However, thank-you for PMing the key, which I have just successfully applied to OA on the second machine. I'm away from home at the moment so it will be a few days before I try installing on the third machine. I'll let you know what happens.
  5. On the 12th March I used the suite installer I'd previously downloaded and used on one machine to install both EAM & OA trial versions, to try to install the trial of both products on the second machine. EAM did go on there in trial mode ok, but OA refused to. On that machine OA is now running in freeware mode. I want - if it is possible - to force that install into trial mode of the full product, and I want to know if I should expect the same installer to work properly when applied to the third test machine.
  6. But if I do that the following screen asks me to provide a full licence key, which I do not have. Where am I supposed to get that from?
  7. I had a possibly related issue today with another program - something called DesktopOK - which I use to save desktop icon layouts so they can be restored to the same arrangement. Some installers ruin desktop layouts and it's handy to be able to reset it. DesktopOK was listed in OA's Programs list as "Allow" but Trust was unknown. When I started DesktopOK I got three OA alerts asking for various permissions which in each case I said "Allow" to, but didn't choose "Trust". The app then presented its GUI. When I clicked the 'Save' button (to save icon layouts) the app hung and had to be ended from task manager. OA's History showed another instance of OA denying an attempt of one process sending a message to another, this time DesktopOK -> explorer.
  8. Changing to the full version doesn't work... If at Options->License I click "Obtain a new key" it takes me to the website purchase page. But I'm not yet trying to buy, but trial it. If I choose "to activate another key click here" it just says again that the trial period has expired. I didn't even download the suite installer until the 8th March and first tried to install it on this particular pc on the 12th. Surely it shouldn't expire until 8th or 12th April? I don't understand your suggestion that I could "enter another licence key". I do not have a key to enter as I have not yet bought the product. I wanted to run the trial version of EAM (that's ok) and OA (not cooperating) on each of my 3 machines which have wildly different capabilities and run different mixes of programs, looking to see if they work ok. The first machine was fine. The second one got into the mess described above. I have not yet tried on the 3rd machine - my day-to-day laptop - because it's the oldest/slowest machine but also the one I most need to have working properly. If I can't get OA to work in trial mode on the second machine I'm not sure if I will even try on the third. That puts me in a quandary because the ESET NOD32 antivirus that the 3rd machine has has now expired.
  9. Weird. The first time (when I opened the original problem) I didn't even connect the LAN cable until well after I'd arrived at the 'update signatures' screen and discovered I needed an internet connection. The second time around I think I connected the cable about the same time as I clicked to go to that screen. I wasn't surprised that it didn't immediately work (because XP was doing whatever it does to initialise the connection). When I said that "it sat there doing nothing" I unfortunately cannot remember whether a 'Retry' button was present. I'm sure that if it was I'd have clicked it, which suggests that if it were there it didn't help. I also can't remember if there was a 'Continue' button. It's possible that even if one was offered I didn't try it, because I knew that malware downloads were needed. I know that's unsatisfactory as a bug report. The trouble is that I thought the notes I'd taken were adequate to remember what happened, but they're not adequate to remember exactly what I did, writing about it too many days later on. What about the problem with the OA part of the suite's installer not offering me the full version to try? And the learning mode progress bar freezing? To get the full version under trial on the second machine, what do I do next? Do I download the standalone OA trial installer, then uninstall the freeware version and install the full trial? And for my third, slowest machine? Should I also download the latest standalone EAM installer and run separate installs of OA trial, and EAM trial? I'm not wild about having to use different installers for each machine, because I do like to use the same things on all three machines, so that I'm not introducing unexpected differences to their setups. One thing that may help the 2nd and 3rd machines is that the new RAM I ordered arrived today and has been put in each machine.
  10. Sorry .... I've not yet had time to create the logs - hopefully tomorrow.
  11. The first trial got installed on my fastest machine, which - being a bulky desktop machine - is used least often. A couple of days ago I tried to install (using the same installer as before) on my next slowest machine - a netbook that I mainly use for watching streamed or pre-downloaded BBC iPlayer programmes. I do also plan to install it on my slowest machine, an old laptop that is mainly used for day-to-day admin & email & usenet. Obviously I'm interested in performance issues as both the slower machines have much less CPU power and a lot less RAM (though I'm considering getting more RAM for both of them) than the desktop machine. The first install was onto XP Pro, but the latest one onto XP Home. If & when I try the slowest machine, that's also XP Pro. Mindful that my first install had had a problem when it tried to download malware signatures for EAM, I connected the second machine to the internet somewhat earlier in the install process, but clearly not early enough. When the install reached the stage where it would try to download signatures it just sat doing nothing. At the same time I was able to use network utilities - the machine did have a working connection. I think the installer needs to be more tolerant of someone not having any network connection, or a flakey one, at that stage. Eventually (after maybe 20 minutes?) I cancelled the EAM installer. The OA installer then started to run. It told me almost at once that the trial period had expired. I cancelled the installer, then went to Add/Remove programs and removed OA. It wanted to reboot but before letting it I also ran an uninstall for EAM. After the reboot I reran the installer with the machine connected to the LAN from the start. EAM installed ok, grabbed malware signatures ok, and told me I had 29 days of trial period left. Then the OA installer started and again it said the trial period had expired. I chose the freeware version install, to get something working. 
As requested I then rebooted. OA went into learning mode; when this ended a balloon tip told me that (and I think I dismissed the balloon tip ok). But the window which had had the moving progress bar in it froze - the bar stopped moving and the window could not be dismissed. I could still move the mouse around the screen. I turned the machine off and rebooted. After the reboot it all worked ok, but very slowly. On subsequent boots of this machine things have not been so bad; the issue may just be that the machine only has 1 GB RAM and is paging a lot; I'm being more careful about what tasks I have active at the same time. I'm a bit fearful of what will happen when I try EAM & OA on the slowest machine... I'm also wondering why I couldn't get the trial full version of OA going; it means presumably that I'll need to uninstall the free one and re-install the full trial at some point - how? And how do I get the full version trial onto my third machine?
  12. OK, I've changed the setting and am just shutting the machine down. But it's time for bed, so it'll be at least 10-12 hours before I try to recreate the problem... Thanks for your help.
  13. Is what you're suggesting different from the Trusted status I already described? See last couple of sentences in my second post.
  14. I said "nothing in the OA plain text firewall log" ... and that's true. But I just found loads of entries in the OA History (of alerts and actions) many of which mention Kedit, eg:

     Program Guard: kernel event,12/03/2013 16:49:53,None,"OADriver: SendMessage, 2180 -> 440, Msg: 49413/c105 - Deny (watched)",2180 - KEDITW32.exe 440 - csrss.exe
     Program Guard: kernel event,12/03/2013 16:45:56,None,"OADriver: PostMessage, 2828 -> 4044, Msg: 2034/7f2 - Deny (watched)",2828 - KEDITW32.exe 4044 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:45:42,None,"OADriver: PostMessage, 4084 -> 4044, Msg: 2034/7f2 - Deny (watched)",4044 - KEDITW32.exe 4084 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:45:33,None,"OADriver: PostMessage, 2264 -> 4044, Msg: 2034/7f2 - Deny (watched)",2264 - KEDITW32.exe 4044 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:43:41,None,"OADriver: SendMessage, 764 -> 440, Msg: 49413/c105 - Deny (watched)",440 - csrss.exe 764 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:43:24,None,"OADriver: SendMessage, 1940 -> 440, Msg: 49413/c105 - Deny (watched)",1940 - rundll32.exe 440 - csrss.exe
     Program Guard: kernel event,12/03/2013 16:30:37,None,"OADriver: SendMessage, 2556 -> 440, Msg: 49413/c105 - Deny (watched)",2556 - KEDITW32.exe 440 - csrss.exe
     Program Guard: kernel event,12/03/2013 16:20:46,None,"OADriver: PostMessage, 2648 -> 3572, Msg: 2034/7f2 - Deny (watched)",2648 - KEDITW32.exe 3572 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:20:43,None,"OADriver: PostMessage, 3432 -> 3572, Msg: 2034/7f2 - Deny (watched)",3432 - KEDITW32.exe 3572 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:20:37,None,"OADriver: PostMessage, 3068 -> 3572, Msg: 2034/7f2 - Deny (watched)",3068 - KEDITW32.exe 3572 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:20:07,None,"OADriver: PostMessage, 2088 -> 436, Msg: 2034/7f2 - Deny (watched)",2088 - KEDITW32.exe 436 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:19:53,None,"OADriver: PostMessage, 112 -> 436, Msg: 2034/7f2 - Deny (watched)",112 - KEDITW32.exe 436 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:19:51,None,"OADriver: PostMessage, 2408 -> 436, Msg: 2034/7f2 - Deny (watched)",2408 - KEDITW32.exe 436 - KEDITW32.exe
     Program Guard: kernel event,12/03/2013 16:19:45,None,"OADriver: SendMessage, 436 -> 440, Msg: 49413/c105 - Deny (watched)",436 - KEDITW32.exe 440 - csrss.exe

     I don't know how, or if, these relate to the behaviour I've seen. It's sad too that none of this gets written to the FWnnnnnnnnnn.log file. In ProgramGuard, KEDITW32.EXE is Allowed, Trusted, Normal. I'm not clear what it is that the history records say is being denied. Even in the list of specific permissions etc for KEDITW32.EXE everything is either Allowed, or set to Ask. I'm not being asked anything.
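One way to tally the Program Guard history entries quoted in the post above, grouping the denials by sender, receiver and window-message range (an added example, not part of the original post and not Online Armor tooling). The field layout is an assumption inferred from the quoted lines; the range labels follow the documented Windows message-number ranges.

```python
import csv
import io
import re
from collections import Counter

# Five entries copied from the OA History export quoted in the post above.
SAMPLE = '''\
Program Guard: kernel event,12/03/2013 16:49:53,None,"OADriver: SendMessage, 2180 -> 440, Msg: 49413/c105 - Deny (watched)",2180 - KEDITW32.exe 440 - csrss.exe
Program Guard: kernel event,12/03/2013 16:45:56,None,"OADriver: PostMessage, 2828 -> 4044, Msg: 2034/7f2 - Deny (watched)",2828 - KEDITW32.exe 4044 - KEDITW32.exe
Program Guard: kernel event,12/03/2013 16:45:42,None,"OADriver: PostMessage, 4084 -> 4044, Msg: 2034/7f2 - Deny (watched)",4044 - KEDITW32.exe 4084 - KEDITW32.exe
Program Guard: kernel event,12/03/2013 16:43:41,None,"OADriver: SendMessage, 764 -> 440, Msg: 49413/c105 - Deny (watched)",440 - csrss.exe 764 - KEDITW32.exe
Program Guard: kernel event,12/03/2013 16:43:24,None,"OADriver: SendMessage, 1940 -> 440, Msg: 49413/c105 - Deny (watched)",1940 - rundll32.exe 440 - csrss.exe
'''

# Assumed layout (inferred from the quoted lines, not from OA documentation):
# event type, timestamp, unused field, quoted detail, "PID - image" pairs.
DETAIL_RE = re.compile(
    r"OADriver: (?P<api>\w+), (?P<src>\d+) -> (?P<dst>\d+), "
    r"Msg: (?P<dec>\d+)/(?P<hex>[0-9a-fA-F]+) - (?P<verdict>\w+)"
)
PID_RE = re.compile(r"(\d+) - (\S+)")


def message_range(msg):
    """Classify a window message number by the documented Windows ranges."""
    if msg < 0x0400:
        return "system-defined"
    if msg < 0x8000:
        return "private (WM_USER range)"
    if msg < 0xC000:
        return "application (WM_APP range)"
    if msg <= 0xFFFF:
        return "registered (RegisterWindowMessage)"
    return "reserved"


def parse_history(text):
    """Yield one dict per well-formed kernel-event row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        m = DETAIL_RE.search(row[3])
        if not m:
            continue
        msg = int(m["dec"])
        if msg != int(m["hex"], 16):
            continue  # decimal and hex halves disagree: damaged row
        # The trailing pairs are not always sender-first (see the 4084 and
        # 764 rows), so resolve image names by PID rather than by position.
        names = {int(pid): image for pid, image in PID_RE.findall(row[4])}
        src, dst = int(m["src"]), int(m["dst"])
        yield {
            "time": row[1], "api": m["api"], "verdict": m["verdict"],
            "sender": names.get(src, str(src)),
            "receiver": names.get(dst, str(dst)),
            "msg": msg, "range": message_range(msg),
        }


def summarize(text):
    """Count events per (sender, receiver, API, message, range, verdict)."""
    counts = Counter()
    for ev in parse_history(text):
        counts[(ev["sender"], ev["receiver"], ev["api"],
                hex(ev["msg"]), ev["range"], ev["verdict"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
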
  15. XP Pro SP3 - I don't know if this is an EAM or OA issue, sorry. I installed both of those a couple of days ago. Normally if I double-click a .txt file in Windows Explorer, it either opens in the already-running text editor, or starts the text editor up from scratch. I also have an explicit WE context menu entry "Edit with Kedit" (along with similar 'Edit with Notepad', 'Edit with ...' options so I can explicitly open a file in the editor of my choice). I'm finding that intermittently neither a double-click of a file nor an explicit choice of 'Edit with Kedit' will open such a file. If I wait a few seconds and try again, sometimes it works.... Also a QuickLaunch button I have that launches a specific day-to-day notes .txt file is only intermittently working. I've been using Kedit (a programmers' text editor based on IBM's Xedit mainframe editor) for years and never had this problem before. Normally if, for example, one tries to edit a file that's locked by another app, Kedit will produce a suitable error message. I don't know how Windows tells apps that they might want to load a file - is there a msg passed around apps that might wish to respond to a txt file and only if no app does, then the app is started? It makes me wonder if such a message is being swallowed up by EAM or OA. There's nothing that I can see in the EAM logs (in the db3 file) or the OA plain text firewall log. I've noticed that if Kedit is running but doesn't have focus then when I double-click a .txt file in WE, the editor window does get focus even though it doesn't then open the file. If - say - it couldn't access the file because at that instance EAM had it open, I would expect to see a 'file in use by another app' message from Kedit. I thought that File Guard might be the problem. 
I have it activated, set to "Additionally scan files when created or modified", and a few (very few) experiments suggest that whether or not "Only scan files with the following extensions" is selected makes a difference - txt files seem to open more reliably if "Only scan" is selected. But not completely reliably. But ".TXT" is in the list of files that will be scanned whether or not that option is selected so this can't be the reason... I tried turning FileGuard off. Sometimes I can edit files and sometimes I cannot.
  16. On the Configuration -> General tab, there's an option for defining how Quarantine re-scanning behaves. I understand that this is re-scanning of quarantined files after each fetch of new malware signatures, so that FPs can be unquarantined. The help file info on what the three options do is very terse. I'm guessing (from what I've read in other forum posts) that: Silent - means that the re-scans are executed, and are 'silent' in that you're not told they are happening, until/if they find some file eligible for a restore, at which point EAM tells you Manual - this might mean that no re-scans are done and one has to use the Quarantine dialog to force a re-scan manually. But: No re-scan - would be the same as "Manual" .... and as it's a separate option it must not be the same.
  17. Doing my first deep scan of all files on a machine that I installed EAM on yesterday, I notice that the "Scanning: ..." line which normally shows rapidly changing filenames has nearly slowed to a stop. Task manager is showing 25% cpu (one core) busy for a2service.exe but only very small amounts of I/O happening. The files that are being scanned at the moment are in my MS SDK help files eg ...\MS-SDK-HelpLibrary\content\Microsoft\store\Development_Frameworks_21823146_VS_100_en-us_4.1.metadata which is only 298 bytes long, and is a plain text file (well, unicode) containing some xml, eg its entire contents pasted in here is: <?xml version="1.0" encoding="utf-8"?><Metadata><ETag>1c1508e9-55ed-b4f2-c010-552cb810001e</ETag><Date>09/01/2011 03:13:31</Date><Url>http://packages.mtps.microsoft.com/development_frameworks_21823146_vs_100_en-us_4(1c1508e9-55ed-b4f2-c010-552cb810001e).cab</Url><Size>25595958</Size></Metadata> Why would a file like this take 50 seconds to scan? Though it's maybe not that simple... looking at the folder contents there's sets of files in threes - a .metadata file (tiny) then a .mshc file (around 25 MB), then a .mshi file (around 14 MB), and the "Scanning:" line barely flickers as it passes the big files. Maybe it's skipping them, or maybe the "Scanning:" info is out of sync with the file actually being looked at?
  18. For bleeping computer: I did explore the links there to see if I could find out what the program was, and thus did discover that it would download from the zonealarm website, however ESET NOD32 on the machine I was doing this on then warned me that http://download.zonealarm.com/bin/free/support/download/clean.exe - contained Win32/Toolbar.Conduit - a potentially unwanted application. However I have managed to find the FAQ about how to uninstall ZA manually, though I've not yet worked my way through it. Regarding the keys, having now got EAM to install completely I've explored it a bit. The update log shows a couple of 'connection error's which I think were when I still had the target machine offline. It then shows five 'Error's, between 00:21:20 and 01:13:20 (UK time), which is interesting because I wrote this message at 00:42 and my last edit/save in my own notes before I gave up and went to bed (leaving the machine on) was at 00:45. Moreover the log then shows an 'Update successful' at 01:15 and more of the same at hourly intervals, when I was definitely asleep. I've also browsed the logs.db3 file whose URequests table shows return codes of -1 for a http request to createkey & the updates server twice (at 00:12:18, 00:12:49 and 00:18:29) then HTTP 200s for some later attempts to get updates. Then at 01:13 there's a sequence of createkey, viewlicense etc calls at 01:13 - so the application obviously retried all by itself and managed to get a key. Then there's HTTP 200s for the signature updates that happened through the night.
  19. Hmm. I think that's unlikely. After running the ZAP uninstall I read through the two uninstaller logs; nothing looked like it had failed. I also examined all the file locations it mentioned looking for orphan files ie things that should have been deleted but hadn't been - there were none. I also trawled through the registry looking for refs to the old install location, the product's name (both zonealarm & checkpoint etc) and some other things. ESET-wise, I got rid of NOD32 using their standalone uninstaller. I'm reluctant to use a ZA uninstall tool that's not from CheckPoint's website. I'm sure in my notes for older uninstalls I do have a list of all the things needed if one does an uninstall manually - I'll see if I can find that and work through the items to check everything really is gone. But a crucial point here is what "The update process was terminated. Your key can't be found in the database, please obtain a new one." actually means. Nothing in the install of the trial product has asked me for any personal information; I've never had a key. I would have thought that the trial product would use a generic key, if it needs one at all. What does "obtain a new one" mean? The installer is still sitting on the page where it would try to get malware signatures. Can I bypass this step? Alternatively can I stop the installer (how?) and then uninstall and try again - if so, how? Oh! I just tried one last click on the "Retry update" button, and it worked. So that does rather suggest the problem, whatever it was, was on your server.
  20. I double-clicked the Internet Security installer I'd downloaded yesterday. When the EAM installer started I chose 30-day trial, join the malware network, don't update additional languages, don't use betas... and then the next pane tried to download signatures. Because I've just uninstalled both my old (ESET) antivirus and old firewall (ZoneAlarmPro) on this machine I had it disconnected from the LAN. I reconnected it, but every time I click the "Retry Update" button on this dialog, I get a message saying The update process was terminated. Your key can't be found in the database, please obtain a new one. What key? I thought as a trial user the whole point was I don't have one yet. The Windows Firewall is presumably in use; I know nothing about what it does having used ZAP for years. Is it somehow blocking the installer's access to the internet? (I'm sending this message from a different machine.)
  21. Thanks; I've been using NirSoft's HashMyFiles - http://www.nirsoft.net/utils/hash_my_files.html - for one-off checks; one neat feature there is that once a set of files have been hashed if one copies a hash literal string (eg from a website page) into the clipboard the app will automatically highlight any of the displayed file hashes that match that value. You don't have to paste the hex string into a field in the app for that to be done. The app I use for file searching also has a facility to hash each file it looks at. One can save that information easily, and also search for files with specific hashes. Indeed one could search for files with a partial hash eg "23A9" occurring in their hash value - though goodness knows why one would want to!
  22. Ah, I see. I didn't realise the installer had malware signatures inside it. Now it makes perfect sense. I was in any case just being careful; the ESET NOD32 'damage' message had made me wonder if I'd not received a complete download. Later getting different sized files, I wasn't so much failing to trust Emsisoft (after all if I don't trust you I shouldn't plan to use your products); it was more that I was wondering if I had a problem with Firefox. As for digital signing, this is the first product I've ever downloaded where I've looked at a digital signature, though I have for years checked MD5 or SHA-nnn hashes wherever a website has provided them. Indeed I had been going to ask why your site didn't list them. I presume though that digital signatures make that unnecessary? It might be a good idea (if that's the case) if the website was updated to tell downloaders that they should check the digital signature on any file they download to be certain they've got a complete and non-corrupt file. I've downloaded and run SigCheck too; for anyone who doesn't want to install the MS Windows SDK or Visual Studio to get SignTool.exe, this is clearly a simple and easy alternative. Thank-you for your help.