JeremyNicoll

Member
  • Content Count: 1818
  • Days Won: 28

Posts posted by JeremyNicoll


  1. On 12/14/2016 at 4:26 AM, GT500 said:

    Unfortunately hash generation takes time, and for an entire directory it could easily take a ridiculous amount of time. My best guess is that it would lead to system freezing as new files were saved in a folder, unless the feature only applied to the on-demand scanner.

    Using file size and last modified date would significantly reduce the amount of processing that would be needed to pull such a thing off, but obviously wouldn't be infallible. Granted, neither are hashes.

    Yes, but I didn't mean make a hash of every file and save them; instead make a directory listing (a small text file in essence) and save the hash of that.


  2. What might be useful, in some circumstances anyway, would be an option for making an exclusion that caused EIS to store some sort of hash of the directory listing of that folder, so that unchanged files in the folder would remain excluded but any new file that arrived in the folder would not be excluded.  Clearly that would be a nuisance for some folders where the current behaviour would be 'better'. 
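The "hash of a directory listing" idea from posts 1 and 2, worked through as an added example; this is not the poster's or Emsisoft's code and EIS does not expose anything like it. It assumes the listing records kind, name, size and modification time of a folder's immediate children, and stores a SHA-256 of that text rather than a hash of every file. The demo also exercises the caveat GT500 raised in post 1 (size and mtime are not infallible): a same-length overwrite with the timestamp put back is invisible to this scheme.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def directory_listing(folder):
    """Build a deterministic text listing of a folder's immediate children.

    One line per entry: kind (f/d), name, size in bytes, mtime in ns.
    Sorting by name keeps the text (and so its hash) stable between runs.
    """
    lines = []
    for entry in sorted(Path(folder).iterdir(), key=lambda p: p.name):
        st = entry.lstat()
        kind = "d" if stat.S_ISDIR(st.st_mode) else "f"
        lines.append(f"{kind}\t{entry.name}\t{st.st_size}\t{st.st_mtime_ns}")
    return "\n".join(lines) + "\n"


def listing_hash(folder):
    """SHA-256 of the listing text: a few bytes to store per excluded folder."""
    return hashlib.sha256(directory_listing(folder).encode("utf-8")).hexdigest()


def exclusion_still_valid(folder, stored_hash):
    """True while the folder looks exactly as it did when the exclusion was recorded."""
    return listing_hash(folder) == stored_hash


def demo():
    """Constructed scenario (not real data): record a hash, then tamper with the folder."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "a.txt").write_bytes(b"hello")
        (folder / "b.txt").write_bytes(b"world")
        baseline = listing_hash(folder)

        # Case 1: a new file appears. The listing grows, the hash changes,
        # and the exclusion would lapse until the user re-confirms it.
        dropped = folder / "dropper.exe"
        dropped.write_bytes(b"MZ" + b"\x00" * 62)  # constructed stand-in, not a real PE
        new_file_detected = not exclusion_still_valid(folder, baseline)
        dropped.unlink()

        # Case 2: an existing file is overwritten with same-length content and
        # its mtime put back. Size and mtime are unchanged, so the listing
        # hash cannot see it: the "not infallible" caveat from the thread.
        target = folder / "a.txt"
        st = target.stat()
        target.write_bytes(b"HELLO")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        same_size_tamper_detected = not exclusion_still_valid(folder, baseline)

        return {
            "new_file_detected": new_file_detected,
            "same_size_tamper_detected": same_size_tamper_detected,
        }


if __name__ == "__main__":
    print(demo())
```

The cost is one stat() per entry and one hash of a short text, which is why the scheme is cheap enough to run on every access; the price is that anything that preserves size and mtime (including an attacker who bothers to restore them) slips through, so a periodic full scan of the excluded folder is still needed.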


  3. On 25/11/2016 at 10:14 AM, GT500 said:

    Don't worry, there's a difference between the option in the Application Rules to prevent an application from running, and the normal protection functions of the Behavior Blocker. ;)

    Do you mean: the former may prevent xyz.exe from executing at all, while the latter determines what xyz.exe can do once it is executing?  

    If so, what's the difference between an app rule that stops pqr.exe from executing, and a BB rule that prevents xyz.exe from starting pqr.exe (if one can define that)?  


  4. Seeing reports elsewhere in the forum that this was fixed, I started a scan late last night when I'd finished using the machine.   Remember it took 54 minutes back in November, before getting worse?  Well, last night it was just 41 minutes, so I think we can safely say that's fixed!


    Emsisoft Internet Security - Version 12.1.0.6970
    Last update: 13/12/2016 02:22:19

    Scan type:
    Objects: Rootkits, Memory, Traces, C:\

    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off

    Scan start: 13/12/2016 02:41:54

    Scanned 511670
    Found 0

    Scan end: 13/12/2016 03:23:09
    Scan time: 0:41:15



  5. It's not a matter of whether you believe The Register or not.   If you exclude a folder then you have to be aware that any file that gets into that folder, for any reason, not necessarily a malicious one, will be ignored, not just the files that were there originally.  Worse, if any of the files present get infected, those infections will be ignored.  


  6. On 08/12/2016 at 1:22 PM, GT500 said:

    The asterisk (*) you see in the example is only necessary when excluding things from the real-time protection, so if you just wanted to exclude a folder from scanning then it would look like this:


    C:\Users\<username>\Pictures\


    So, what does the asterisk present in entries in the first list do?  

    Is there any way of distinguishing between 'all the files in a folder' and 'everything in the folder and its sub-folders'? 


  7. I'm following this topic, so just got emailed to say there were two updates to it.  Not only did the emails NOT contain the new texts, but neither of the links that they contained instead worked.  In each case I ended up on a website page that said, eg for this link:

      http://support.emsisoft.com/topic/25809-malware-scan-using-6956/?do=findComment&comment=164045

    an error message:

        Sorry, there is a problem

        We could not locate the item you are trying to view.

        Error code: 2S136/C


    (and I'm sure that this isn't the best place to report a forum problem, but I don't know where I should have done that)


  8. I started another scan and once it had got to the files part started PH (elevated).  At that point the threads display showed one thread at 12.5% cpu (which I presume meant one core frantically busy) when the other threads were all well under 1%, often less than 0.1%.   But after maybe a minute that extreme difference levelled off a bit.  Even so, that particular thread (TID) is top of the list (sorted by CPU) almost every time the display updates.  It's then typically showing values from 2 to 6% cpu, while most of the ones immediately below are typically about 1/3 to 1/10 of that value.


    It's one of 9 threads with start address:   a2engine.dll!InstallDdaDriver+0x2a620

    I sat and watched this for quite a while - it's almost as good as TV!   Occasionally one of the other (9) like threads dominated the list, again sometimes with cpu figures as high as 6 - 12%, and then all the others would again have tiny values.    I stopped the scan after 18 minutes of excitement.


  9. The disadvantage of excluding some file types from scans is that the file type set on your files might not accurately describe what's in the file.  

    Also, you might presume that - say - a JPG could never be malicious.  But that's not the case.  If for example there's a vulnerability in one of the programs you use to display or manipulate JPGs, it might be possible (as Microsoft would describe it in one of their security updates) for a "specially crafted" JPG to take advantage of the error in the viewing/manipulating program and cause an unexpected or malicious side-effect.   In the last year or so, fonts, PDF files and 'media files' have all had that problem.

    You might find it sensible to do regular/frequent scans with faster options, excluding some file types, but also every so often do a more thorough scan that looks at every file.    

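Post 9's first point, that the extension "set on your files" need not describe the contents, is the kind of thing a quick content check can catch. This is an added example, not the poster's code and not how EIS's file extension filter works; it assumes a small hand-written table of leading "magic" bytes and a few extension aliases, and all sample files below are constructed byte strings. It flags only a declared/actual mismatch; it cannot tell a genuine JPG that exploits a viewer bug (the post's second point) from a harmless one, which is why the post still recommends an occasional scan of every file.

```python
from pathlib import PurePath

# Constructed table of leading "magic" bytes for a few common container types.
# Longer signatures come first so a short prefix cannot shadow a longer one.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpg"),
    (b"OTTO", "otf"),
    (b"\x00\x01\x00\x00", "ttf"),
    (b"MZ", "exe"),
]

# Extensions whose on-disk container is one of the sniffed types above
# (a .docx is a zip, a .dll is a PE image), so they are not mismatches.
ALIASES = {
    "jpeg": "jpg", "jfif": "jpg",
    "dll": "exe", "scr": "exe", "sys": "exe", "cpl": "exe",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
}


def sniff_type(data):
    """Type implied by the first bytes, or None if the table does not know it."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def declared_type(name):
    """Type the filename claims, normalised through ALIASES; None if no extension."""
    ext = PurePath(name).suffix.lower().lstrip(".")
    return ALIASES.get(ext, ext) or None


def check_file(name, data):
    """Return (declared, sniffed, suspicious).

    Suspicious only when both sides are known and disagree: an unknown
    signature (plain text, say) is not evidence either way.
    """
    declared = declared_type(name)
    sniffed = sniff_type(data)
    suspicious = (
        declared is not None and sniffed is not None and declared != sniffed
    )
    return declared, sniffed, suspicious


def triage(samples):
    """Names of the samples whose extension disagrees with their content."""
    return [name for name, data in samples if check_file(name, data)[2]]


# Constructed sample headers (first bytes only), not real files.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),  # real JPEG header
    ("holiday2.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE image named .jpg
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf", b"PK\x03\x04\x14\x00\x06\x00"),         # zip named .pdf
    ("memo.docx", b"PK\x03\x04\x14\x00\x06\x00"),           # zip named .docx: fine
    ("notes.txt", b"just some text\n"),                     # unknown signature
    ("setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_file(name, data))
    print("suspicious:", triage(SAMPLES))
```

Anything that an extension filter would skip on the strength of its name can be run through check_file first; a hit means the name is lying about the container and the file deserves the slow path regardless of the filter.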

  10. I know you know this issue exists for EAM on W7x64 systems, but it's here (EIS) too.  My OS is W8.1 x64


    Last time I did a custom scan of the whole machine, excluding contents of zips etc., it took 54 minutes:


    Emsisoft Internet Security - Version 12.0.1.6859
    Last update: 11/11/2016 09:57:23

    Objects: Rootkits, Memory, Traces, C:\
    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off
    Scan start:     11/11/2016 10:13:47
    Scanned 516954
    Found   0
    Scan end:       11/11/2016 11:07:52
    Scan time:      0:54:05


    Today, 196 minutes:


    Emsisoft Internet Security - Version 12.1.0.6970
    Last update: 07/12/2016 09:51:12

    Objects: Rootkits, Memory, Traces, C
    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Direct disk access: Off
    Scan start:     07/12/2016 10:17:40
    Scanned 513353
    Found   0
    Scan end:       07/12/2016 13:34:08
    Scan time:      3:16:28


    The laptop has a 4-core processor (so 8 cpu threads).   For the November scan I left the machine completely alone as it worked, though for today's one, I did some reading of email in a webmail system for the first hour or so of the scan.



  11. W8.1 x64


    Around an hour ago I noticed that the systray icon's tooltip said the last update was on the 23rd at 14:47.  The machine was 'asleep' from about 1530 to maybe 1900, but has certainly been awake again for more than an hour since then.

    I turned debug logging on at 23:01.  I then watched streamed BBC iPlayer content until 23:44 or so, mainly in full-screen/maximised window (I'm not sure which it is) mode, but I came out of that a couple of times.

    Then at 23:44 I paused the video and did something else until 23:56; no update had occurred.  I stopped the debug logging, took screenshots of the Logs->Updates and Settings->Updates displays, and zipped all that up.  I'll PM it to GT500 in a minute or two.


  12. Thanks for the update.  At this instant, a2service has a CS of a bit over 1.2 GB, so I ran SysInternals' VMmap to see if that gives any clues.  Obviously wherever the problem is, it's heap data (though I guess that won't help you much)... and VMmap does show ID values - mostly 5 or 6 - on those; do those numbers mean anything to your developers?  VMmap has an option to export a text file listing details about each block, though.   

    VMmap display looks like: https://www.dropbox.com/s/b1k97pwtdfq7fnk/20161022%202055%2010%20VMmap%20%2820161122%20a2service%29%20VMmap.jpg?dl=0

    I'll PM the exported file to GT500.  If you want me to recreate a much worse scenario and - say - a new dump and the info from VMmap, let me know.  But there's not much point unless the exported VMmap data might provide useful hints.


  13. You should be able to use a non-smartphone to send an SMS, after all SMS support has been around for more than 20 years (see: https://en.wikipedia.org/wiki/Short_Message_Service ). If the phone you send such a command /to/ replies with anything, or at least anything significantly more complicated than a simple "got the command and did it" reply, then that might be a problem.


    Testing WIPE etc...  It depends on how much personal data you have on your smartphone.  If it's new and you're only playing with it, you might as well find out what state it would be in if it had really been lost/stolen and you issued a WIPE... and then were lucky enough to get it back.  But if you have lots of personal data on it and/or customised apps, and have never saved the data elsewhere or noted how you customised things, then wiping it all is going to be a huge nuisance...