Posts posted by JeremyNicoll


  1. I've added several program folder paths to the OA - Options - Exclusions configuration, always using the Add feature to navigate through the folders tree on my disk and pick the one I want to add.  I've noticed that some of the entries added have a trailing backslash on them and some do not.  For example on one machine the entries are:

     

      subf=TICKED    C:\Documents & Settings\Laptop\Application Data\Dropbox\bin\
      subf=notick       C:\My Dropbox\Programs--ALL-\Kozlov Renamer V5-60\
      subf=notick       C:\Program Files\Emsisoft Anti-Malware\
      subf=TICKED    C:\Program Files\~I-folder\Intellegit
      subf=notick       C:\Program Files\~S-folder\SecCopy

     

    Why would this happen?   Does it affect the way the exclusions feature works?


  2. In OA's history I see some red lines saying something has been blocked:

     

    Created:      07/04/2013 13:52:19
    Summary:      Program Guard: brctrcen.exe -> Sti_Trace.log
    Description:  C:\Program Files\Brother\ControlCenter2\brctrcen.exe wants to modify executable file C:\WINDOWS\Sti_Trace.log
    Event type:   Suspicious file(13)
    Event action: Blocked(3)

     

    The BrotherControlCenter software is something to do with a Brother all-in-one USB-attached scanner/printer which I sometimes have plugged into the machine, though not today. 

     

    I'm puzzled by the description which appears to be classing  "C:\WINDOWS\Sti_Trace.log"  as an executable file.  Is that just because it's in C:\WINDOWS ?    It's an empty file, certainly not an executable.

     

    Googling I find that  Sti_Trace.log  is typically found in random locations on people's machines and is thought to be something to do with the "Still Image Monitor" stimon.exe though descriptions of that which I've read suggest it's a Windows ME/98 program, and I'm running XP.

     

    OA's Programs list does include STI.DLL described as Still Image Devices client (maybe the XP equivalent of Stimon.exe?).


  3. The OA exclusion operates on either a whole folder, or even worse, a folder and its subfolders.   I'm already unhappy that I can't limit the exclusion that I've had to code to just the single program (or maybe the program and some of the DLLs it loads) that experience the problem.   In my case, I say 'maybe' for the DLLs because although I think they must be involved (Qt) none of them turned up by name in the OA Programs list, which struck me as odd.  


  4. I understand.  But the fact remains that quite a few programs I have seem to use features, hopefully innocently, which look to OA as if they might not be innocent.  I'd quite like to pursue with the programmers of those programs the idea that perhaps they should change what they're doing.  It's going to be hard to do that if I can't tell them which API functions are the problem areas.


  5. I've noticed that quite a few of the apps I run have this 'screen logger' warning.  I was wondering what it is that OA spots that makes it think that an app is doing this?   I'm guessing that it's use of some set / family of screen control features (ie an API or subset) which can be used in a program to do a bunch of things one/some of which might be logging. 

     

    I'm hoping that the problem is that when programmers write apps they often use general libraries of program code; such a library might offer a set of functions or procedures to do various things, none of which are logging, but all of which use the same underlying OS API as a logger might use, and perhaps OA is unable to tell if logging is actually taking place.  Some clues would be useful.... eg links to MSDN pages where such things are described. 


  6. Win XP Pro SP3, 32bit;  OA 6.0.0.1736   Also using most recent EAM. 

     

    Today I finally put the trial versions of OA and EAM onto my oldest, slowest laptop - which has an AMD Sempron 3000+ and 1 GB RAM.  (I did a few days ago increase the RAM to 2 GB but the machine was unstable - lots of application crashes and BSODs - so I reverted to the original RAM.)

     

    I've found that my email & news client is very sluggish when OA is running; ok if it is not, and ok if I run OA with the HIPS features disabled.  Sluggish?  Things selected by mouse-click take up to 10 seconds to show they're selected, double-clicked mails take 10 seconds to open, etc.  Normally there are no speed problems. 

     

    It can't just be RAM either because the email/news client only uses a modest 60 MB or so; the same system runs Firefox (using 150-200 MB) ok.

     

    The email client is an uncommon one, written using Qt for cross-platform support, in this case V4.7.3, if that matters.

     

    Before I tried turning OA off completely, or (as now) running OA without HIPS stuff, I had defined the email client's .exe on OA's Programs list - Allowed, Trusted, Normal.  File & Registry shields are off.  The folders where the app keeps its data are on EAM's FileGuard whitelist.

     

    I'm slightly surprised that none of the Qt DLLs (supplied in the email client's program folder) appear by name in OA's Programs list (I'm looking at the whole list, not just the untrusted stuff).  Of course I don't know if Qt is implicated, but other apps on the machine seem fine, and since the problem appears to be in the email client's GUI support, Qt might be relevant.

     

     


  7. Just for info, using a suite installer I downloaded from you yesterday, I just ran the trial install ok on my third machine.  Unlike the other two, I had it connected to the internet from the start.  The process ran fine, though at the point where new malware signatures were to be downloaded if available I'd say it wasn't absolutely clear that anything was happening at first.  There was some text saying something like "0 of 0 KB downloaded", for maybe 20-30 seconds.  Once it had fetched the list of required sig files and started fetching those, it was very obvious that something was happening.


  8. On the 12th March I used the suite installer I'd previously downloaded and used on one machine to install both EAM & OA trial versions, to try to install the trial of both products on the second machine.  EAM did go on there in trial mode ok, but OA refused to.   On that machine OA is now running in freeware mode.  I want - if it is possible - to force that install into trial mode of the full product, and I want to know if I should expect the same installer to work properly when applied to the third test machine. 


  9. I had a possibly related issue today with another program - something called DesktopOK - which I use to save desktop icon layouts so they can be restored to the same arrangement.  Some installers ruin desktop layouts and it's handy to be able to reset it.  

     

    DesktopOK was listed in OA's Programs list as "Allow" but Trust was unknown.  When I started DesktopOK I got three OA alerts asking for various permissions which in each case I said "Allow" to, but didn't choose "Trust".  The app then presented its GUI.  When I clicked the 'Save' button (to save icon layouts) the app hung and had to be ended from task manager.  OA's History showed another instance of OA denying an attempt of one process sending a message to another, this time DesktopOK -> explorer.  


  10. Changing to the full version doesn't work...     If at Options->License I click "Obtain a new key" it takes me to the website purchase page.  But I'm not yet trying to buy, but trial it.  If I choose "to activate another key click here" it just says again that the trial period has expired.  I didn't even download the suite installer until the 8th March and first tried to install it on this particular pc on the 12th.  Surely it shouldn't expire until 8th or 12th April?  

     

    I don't understand your suggestion that I could "enter another licence key".  I do not have a key to enter as I have not yet bought the product.  I wanted to run the trial version of EAM (that's ok) and OA (not cooperating) on each of my 3 machines which have wildly different capabilities and run different mixes of programs, looking to see if they work ok.   The first machine was fine.  The second one got into the mess described above.  I have not yet tried on the 3rd machine - my day-to-day laptop - because it's the oldest/slowest machine but also the one I most need to have working properly.  If I can't get OA to work in trial mode on the second machine I'm not sure if I will even try on the third.  That puts me in a quandary because the ESET NOD32 antivirus that the 3rd machine has has now expired.


  11. Weird.  The first time (when I opened the original problem) I didn't even connect the LAN cable until well after I'd arrived at the 'update signatures' screen and discovered I needed an internet connection.  The second time around I think I connected the cable about the same time as I clicked to go to that screen.  I wasn't surprised that it didn't immediately work (because XP was doing whatever it does to initialise the connection).

     

    When I said that "it sat there doing nothing" I unfortunately cannot remember whether a 'Retry' button was present.  I'm sure that if it was I'd have clicked it, which suggests that if it were there it didn't help. 

     

    I also can't remember if there was a 'Continue' button.  It's possible that even if one was offered I didn't try it, because I knew that malware downloads were needed.

     

    I know that's unsatisfactory as a bug report.  The trouble is that I thought the notes I'd taken were adequate to remember what happened, but they're not adequate to remember exactly what I did, writing about it too many days later on.

     

     

     

    What about the problem with the OA part of the suite's installer not offering me the full version to try?  And the learning mode progress bar freezing?

     

    To get the full version under trial on the second machine, what do I do next?    Do I download the standalone OA trial installer, then uninstall the freeware version and install the full trial?

     

     

    And for my third, slowest machine?  Should I also download the latest standalone EAM installer and run separate installs of OA trial, and EAM trial?

     

     

     

    I'm not wild about having to use different installers for each machine, because I do like to use the same things on all three machines, so that I'm not introducing unexpected differences to their setups. 

     

     

    One thing that may help the 2nd and 3rd machines is that the new RAM I ordered arrived today and has been put in each machine.


  12. The first trial got installed on my fastest machine, which - being a bulky desktop machine - is used least often.  A couple of days ago I tried to install (using the same installer as before) on my next slowest machine - a netbook that I mainly use for watching streamed or pre-downloaded BBC iPlayer programmes.   I do also plan to install it on my slowest machine, an old laptop that is mainly used for day-to-day admin & email & usenet.  Obviously I'm interested in performance issues as both the slower machines have much less CPU power and a lot less RAM (though I'm considering  getting more RAM for both of them) than the desktop machine.  The first install was onto XP Pro, but the latest one onto XP Home.  If & when I try the slowest machine, that's also XP Pro.

     

    Mindful that my first install had had a problem when it tried to download malware signatures for EAM, I connected the second machine to the internet somewhat earlier in the install process, but clearly not early enough.  When the install reached the stage where it would try to download signatures it just sat doing nothing.  At the same time I was able to use network utilities - the machine did have a working connection.  I think the installer needs to be more tolerant of someone not having any network connection, or a flakey one, at that stage.

     

    Eventually (after maybe 20 minutes?) I cancelled the EAM installer.  The OA installer then started to run.  It told me almost at once that the trial period had expired.  I cancelled the installer, then went to Add/Remove programs and removed OA.  It wanted to reboot but before letting it I also ran an uninstall for EAM.

     

    After the reboot I reran the installer with the machine connected to the LAN from the start.  EAM installed ok, grabbed malware signatures ok, and told me I had 29 days of trial period left.  Then the OA installer started and again it said the trial period had expired.  I chose the freeware version install, to get something working.

     

    As requested I then rebooted.  OA went into learning mode; when this ended a balloon tip told me that (and I think I dismissed the balloon tip ok).  But the window which had had the moving progress bar in it froze - the bar stopped moving and the window could not be dismissed.  I could still move the mouse around the screen.  I turned the machine off and rebooted.

     

    After the reboot it all worked ok, but very slowly.

     

    On subsequent boots of this machine things have not been so bad; the issue may just be that the machine only has 1 GB RAM and is paging a lot; I'm being more careful about what tasks I have active at the same time. 

     

    I'm a bit fearful of what will happen when I try EAM & OA on the slowest machine...

     

    I'm also wondering why I couldn't get the trial full version of OA going; it means presumably that I'll need to uninstall the free one and re-install the full trial at some point - how?

     

    And how do I get the full version trial onto my third machine?


                                                                   


  13. I said "nothing in the OA plain text firewall log" ... and that's true.  But I just found loads of entries in the OA History (of alerts and actions) many of which mention Kedit, eg:

     

    Program Guard: kernel event,12/03/2013 16:49:53,None,"OADriver: SendMessage, 2180 -> 440, Msg: 49413/c105 - Deny (watched)",2180 - KEDITW32.exe 440 - csrss.exe
    Program Guard: kernel event,12/03/2013 16:45:56,None,"OADriver: PostMessage, 2828 -> 4044, Msg: 2034/7f2 - Deny (watched)",2828 - KEDITW32.exe 4044 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:45:42,None,"OADriver: PostMessage, 4084 -> 4044, Msg: 2034/7f2 - Deny (watched)",4044 - KEDITW32.exe 4084 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:45:33,None,"OADriver: PostMessage, 2264 -> 4044, Msg: 2034/7f2 - Deny (watched)",2264 - KEDITW32.exe 4044 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:43:41,None,"OADriver: SendMessage, 764 -> 440, Msg: 49413/c105 - Deny (watched)",440 - csrss.exe 764 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:43:24,None,"OADriver: SendMessage, 1940 -> 440, Msg: 49413/c105 - Deny (watched)",1940 - rundll32.exe 440 - csrss.exe
    Program Guard: kernel event,12/03/2013 16:30:37,None,"OADriver: SendMessage, 2556 -> 440, Msg: 49413/c105 - Deny (watched)",2556 - KEDITW32.exe 440 - csrss.exe
    Program Guard: kernel event,12/03/2013 16:20:46,None,"OADriver: PostMessage, 2648 -> 3572, Msg: 2034/7f2 - Deny (watched)",2648 - KEDITW32.exe 3572 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:20:43,None,"OADriver: PostMessage, 3432 -> 3572, Msg: 2034/7f2 - Deny (watched)",3432 - KEDITW32.exe 3572 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:20:37,None,"OADriver: PostMessage, 3068 -> 3572, Msg: 2034/7f2 - Deny (watched)",3068 - KEDITW32.exe 3572 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:20:07,None,"OADriver: PostMessage, 2088 -> 436, Msg: 2034/7f2 - Deny (watched)",2088 - KEDITW32.exe 436 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:19:53,None,"OADriver: PostMessage, 112 -> 436, Msg: 2034/7f2 - Deny (watched)",112 - KEDITW32.exe 436 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:19:51,None,"OADriver: PostMessage, 2408 -> 436, Msg: 2034/7f2 - Deny (watched)",2408 - KEDITW32.exe 436 - KEDITW32.exe
    Program Guard: kernel event,12/03/2013 16:19:45,None,"OADriver: SendMessage, 436 -> 440, Msg: 49413/c105 - Deny (watched)",436 - KEDITW32.exe 440 - csrss.exe

     

    I don't know how, or if, these relate to the behaviour I've seen.  It's sad too that none of this gets written to the FWnnnnnnnnnn.log file. 

     

    In ProgramGuard, KEDITW32.EXE is Allowed, Trusted, Normal.   I'm not clear what it is that the history records say is being denied.  Even in the list of specific permissions etc for KEDITW32.EXE everything is either Allowed, or set to Ask.  I'm not being asked anything.
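
One way to tally History lines like those quoted in the post above, added here as an example (not part of the original post and not Online Armor code): it parses the export format as it appears in those lines and groups the denied window messages by API, sender, target and Windows message-number range. The field layout is assumed from the quoted lines only, and the function names are hypothetical.

```python
import csv
import re
from collections import Counter

# Five lines copied verbatim from the History export quoted in the post.
SAMPLE = '''\
Program Guard: kernel event,12/03/2013 16:49:53,None,"OADriver: SendMessage, 2180 -> 440, Msg: 49413/c105 - Deny (watched)",2180 - KEDITW32.exe 440 - csrss.exe
Program Guard: kernel event,12/03/2013 16:45:56,None,"OADriver: PostMessage, 2828 -> 4044, Msg: 2034/7f2 - Deny (watched)",2828 - KEDITW32.exe 4044 - KEDITW32.exe
Program Guard: kernel event,12/03/2013 16:45:42,None,"OADriver: PostMessage, 4084 -> 4044, Msg: 2034/7f2 - Deny (watched)",4044 - KEDITW32.exe 4084 - KEDITW32.exe
Program Guard: kernel event,12/03/2013 16:43:41,None,"OADriver: SendMessage, 764 -> 440, Msg: 49413/c105 - Deny (watched)",440 - csrss.exe 764 - KEDITW32.exe
Program Guard: kernel event,12/03/2013 16:43:24,None,"OADriver: SendMessage, 1940 -> 440, Msg: 49413/c105 - Deny (watched)",1940 - rundll32.exe 440 - csrss.exe
'''

# Layout assumed from the quoted lines: "<API>, <src pid> -> <dst pid>, Msg: <dec>/<hex> - <action>"
DETAIL = re.compile(r"OADriver: (\w+), (\d+) -> (\d+), Msg: (\d+)/([0-9a-fA-F]+) - (\w+)")
PROC = re.compile(r"(\d+) - (\S+)")  # trailing "pid - image name" pairs, in either order


def message_class(msg):
    """Map a window message number to the range Windows documents for it."""
    if msg < 0x0400:
        return "system-defined (WM_*)"
    if msg < 0x8000:
        return "WM_USER range (private to a window class)"
    if msg < 0xC000:
        return "WM_APP range (private to an application)"
    return "RegisterWindowMessage range (named string message)"


def parse_line(line):
    """Return a dict for one kernel-event line, or None if it does not fit the layout."""
    row = next(csv.reader([line]), [])  # csv handles the quoted field with commas
    if len(row) != 5:
        return None
    m = DETAIL.search(row[3])
    if not m:
        return None
    api, src, dst, dec, hexv, action = m.groups()
    if int(dec) != int(hexv, 16):  # the two renderings of the number must agree
        return None
    names = {int(pid): name for pid, name in PROC.findall(row[4])}
    return {"api": api, "action": action, "msg": int(dec),
            "sender": names.get(int(src), "pid " + src),
            "target": names.get(int(dst), "pid " + dst)}


def summarize(text):
    """Count events per (api, sender, target, message number, action)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev:
            counts[(ev["api"], ev["sender"], ev["target"], ev["msg"], ev["action"])] += 1
    return counts


if __name__ == "__main__":
    for (api, snd, tgt, msg, act), n in summarize(SAMPLE).most_common():
        print(f"{n}x {act} {api} {snd} -> {tgt} 0x{msg:04x} {message_class(msg)}")
```

On the sample lines, message 0x7f2 falls in the WM_USER range and is posted between KEDITW32.exe processes, while 0xc105 falls in the RegisterWindowMessage range and is sent to csrss.exe.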


  14. XP Pro SP3  -  I don't know if this is an EAM or OA issue, sorry.  I installed both of those a couple of days ago.

     

    Normally if I double-click a .txt file in Windows Explorer, it either opens in the already-running text editor, or starts the text editor up from scratch.  I also have an explicit WE context menu entry "Edit with Kedit" (along with similar 'Edit with Notepad', 'Edit with ...' options so I can explicitly open a file in the editor of my choice).  I'm finding that intermittently neither a double-click of a file nor an explicit choice of 'Edit with Kedit' will open such a file.  If I wait a few seconds and try again, sometimes it works....   Also a QuickLaunch button I have that launches a specific day-to-day notes .txt file is only intermittently working.

     

    I've been using Kedit (a programmers' text editor based on IBM's Xedit mainframe editor) for years and never had this problem before.    Normally if, for example, one tries to edit a file that's locked by another app, Kedit will produce a suitable error message.  I don't know how Windows tells apps that they might want to load a file - is there a msg passed around apps that might wish to respond to a txt file and only if no app does, then the app is started?  It makes me wonder if such a message is being swallowed up by EAM or OA.

     

    There's nothing that I can see in the EAM logs (in the db3 file) or the OA plain text firewall log.

     

    I've noticed that if Kedit is running but doesn't have focus then when I double-click a .txt file in WE, the editor window does get focus even though it doesn't then open the file.  If - say - it couldn't access the file because at that instance EAM had it open, I would expect to see a 'file in use by another app' message from Kedit.

     

    I thought that File Guard might be the problem.  I have it activated, set to "Additionally scan files when created or modified", and a few (very few) experiments suggest that whether or not "Only scan files with the following extensions" is selected makes a difference - txt files seem to open more reliably if "Only scan" is selected.   But not completely reliably.  But ".TXT" is in the list of files that will be scanned whether or not that option is selected so this can't be the reason... 

     

    I tried turning FileGuard off.  Sometimes I can edit files and sometimes I cannot.