Everything posted by JeremyNicoll

  1. What you've described makes sense but doesn't explain why the BB marked this particular file Good. It's not digitally signed, and submitting the hash to your database surely can't decide anything (bearing in mind that there's no data on the related webpage). I totally understand that I can research it myself. What I don't understand is why, with no info available saying that the file is thought to be ok, EAM marked it Good.
  2. W8.1 x64. During a 'Custom' scan with Custom's default choices, a handful of files have just been detected. I tried selecting one of the listed detected files, right-clicking and choosing 'open file location' but nothing happened. I paused the scan and tried again, and still nothing happened. The scan's running under my Admin id, and the file location is in a folder accessible to all users [C:\Dropbox\ ... ], not one owned by a specific user. I can separately navigate to the dubious files' parent folders with no difficulty using file explorer.
  3. Exploring the new BB panel, when I first went there around ten programmes were listed with no reputation value shown. I right-clicked each one in turn and chose 'Lookup online', and after a while the browser located a page for each of them showing mainly a mix of 'Trusted' and 'New' statuses. For one program, 'rxapi', which is part of the ooREXX runtime environment, there is no info at all on the page, at: and yet the BB panel now shows that this is a Good reputation program. How did the BB make that decision? I also noticed that several of the other originally no-value-for-reputation programs now display one. Does that mean that the BB was in the process of checking all of their statuses when I first displayed the BB panel, or does it mean that my 'Lookup online' action forced a decision?
  4. On a W8.1 machine, I just selected a Realtek update offered via Windows Update. For the last ten minutes or so I've had continuous notifications from OA that 'C:\Windows\System32\drvinst.exe is trusted'. If I close the notification balloon it comes straight back, and meantime it's nearly impossible to see any other systray notify text because the upcoming refresh of the OA info removes anything else's text to show the latest OA info. Is drvinst.exe likely to be being called many times per minute thus (perhaps) justifiably OA telling me each time that it is trusted?
  5. OK, well what's your experience of Windows' new-network detection algorithm? I ask because quite some time ago I used Zone Alarm Pro and it told me far more than twice (but not every time I changed) that a new network had been detected, but I only ever had the machine connected to one of two LANs. Of course I don't know if it used the Windows method, and I don't know if there was a bug in whatever it did... but I do know that it was annoying. As for the cabled versus WiFi connection issue, I'm not a fan of WiFi either, and would normally have my machine's WiFi adapter turned off. But I was curious about what might happen if it was on (accidentally) and picked up a neighbour's insecure network... I suppose there's little chance, even if that would work, that it could happen without me realising.
  6. a) copying INI files: excellent! Not only can I back them up easily, I can also have analysis code read them directly. b) application rules: thanks for the screenshot. And thanks even more for taking the 'disable' idea forward.
  7. If OA has a future, can't someone change this so that it does start counting before the status display is opened?
  8. I don't have EIS, but have been reading posts here to try and get an idea how it works. In another thread: there's a screenshot of the "Manage Networks" screen (in Charyb's post # 5, thumbnail 1). I'd like to know if, say, I connected my laptop via a LAN cable to several different home networks whether I'd end up with several entries on that screen (which I could name according to which house they were in), and perhaps assign different levels of trust to? I think I'm asking whether EIS detects a new network in terms of (say) the hardware MAC address of the router or gateway or something(?) on that network? I'm hoping that I wouldn't have to tell EIS that any/all networks I might attach myself to by LAN cable were either all private trusted ones, or all public ones? Also, does Windows support one having a WiFi network adapter and a wired adapter active at the same time? If so, could one (eg at home on a trusted wired network) have it set to private/trusted and at the same time indicate that any traffic reaching the machine over its WiFi adapter was untrusted?
  9. Thanks! Looking at that I notice that EIS's FW settings (along with lots of other stuff) can be exported, as one can in EAM v9. I tried that and am very happy to see that stuff exported from EAM creates plain text files. Can you say whether FW rules exported from EIS are also plain text? I like the idea because it means I can write code to compare the rule-sets I use on each computer, allowing for my own knowledge of which programs I have installed where on each one, etc. I'm slightly less impressed by the section of the export dialogue which allows one to choose the folder into which stuff will be exported. The dialog only shows a small length of a typical filepath so one cannot see where the files will go unless one pretends to choose a new location. Is there an external command (switch?) I could use, eg from a scheduled task, to force EAM or EIS to export its current settings? If so I could automate daily backups of the settings... Ideally one would want such a switch also to allow one to specify the output folder's name, rather than rely on whatever the GUI's current setting is. I also noticed that global FW rules are applied in the order they're displayed in, and one can change that order. For application FW rules (it's hard to tell from reading the manual without screenshots) I'm not sure if you can only have one rule per application, or multiple ones? If you can have multiple ones are they also tested in (displayed?) order? Can one mark a rule so it is temporarily disabled, for example if you want to try an alternative rule for a while?
  10. On an XP Home system... I noticed in some of the recent(ish) discussions about OA's future that some people praise the Firewall Status screen - invaluable in tracking down which app is doing most of the network traffic. I've never seen data on that screen which makes sense. For example this morning while an app named "Juice" was downloading podcasts, the Inbound Data graph showed (see screenshot) traffic of around 700 KB - 1 MB per second (which matched the speed display on Juice's status line). But as the screenshot shows in the chart below the graphs, virtually speeds of data transfer per app were negligible, and the other columns (do they show amounts in the last snapshot interval, or cumulative amounts?) are also too small to have any meaning. I find it hard to believe that OA can see the traffic well enough to record its overall volume, and hopefully see enough of its characteristics to manage it, but get these figures so wrong. Why does it not work for me?
  11. So.. what's a setting & what's a permission? Is there a downloadable manual for EIS?
  12. If I set such a password, do all aspects of OA's remembered settings get protected? What happens if eg OA produces an alert for something a user is doing - can they make a decision to allow/prohibit the action without knowing the password? How about your new product - EIS - does it have per-user settings?
  13. Maybe I misunderstand the original question, but: For example, a malicious program cannot make a text file download from the internet but, as I understand it, it can use the host application that created that text file to perform various actions within the limits of its functionality. a) a malicious program (just like a non-malicious program) surely CAN download any file from elsewhere b) text files can be created by many applications; any program written in pretty much any programming language can create text files. No malware programme would need to use "the host application that created that text file" to do things to that text file.
  14. Do the checks made in the AMN consider the checksum of the newest valid version of the file?
  15. Ah, I see from a thread in the EIS forum, that there's a known bug affecting both EIS and EAM that causes repeated alerts. I'll live with it until the next stable version of EAM is released.
  16. Fabian, I suppose I can see what you mean, but I don't quite agree that they are /false/ positives. They are properly telling me that some app or other is trying to do something. If some actions on my part triggered that attempt then maybe I didn't need to be told it, but the thing that's being described DID still happen. But if some other combination of events triggered them, then I certainly want to know that they are being tried. I do not see how OA can know which combination of events (or what I was thinking when I did something) represents a genuine use of something which need not be alerted.
  17. XP Home SP3 as up-to-date as it can be. My copy of the Dropbox client updated itself to v3.2.6 on 13th Feb. So far as I can tell that worked fine. So far as I remember I did at some point see an alert that Dropbox had changed and tell EAM to update the rule. The machine was rebooted yesterday and during boot EAM alerted me five times that Dropbox had changed, and asked if I wanted to update the existing rule or remove it. Each time I chose 'update'. So far as I can tell Dropbox worked fine. The machine was rebooted a couple of hours ago and again EAM produced alerts. Three this time; this time I clicked 'remove' then update then update, and again Dropbox appears to be working alright. In EAM, Protection - Application Rules has an entry for C:\Documents and Settings\TheBoss\Application Data\Dropbox\bin\Dropbox.exe showing "All allowed". I'm puzzled for several reasons: - why my 'update' choice doesn't seem to have stuck - why yesterday's boot asked me the same question 5 times - why today's boot asked me (at all), and why three times? I did wonder if the alert screen could have provided more info than it did, perhaps showing checksums of the dropbox.exe file concerned? I'm assuming that that info should have been visible but ( means it wasn't. Should I be able to find a log entry describing each of the alerts and the decision I selected?
  18. I know my avatar/info box says I'm using XP, but I also have a W8.1 machine. Today I was about to do one of my every-so-often tidy-ups of old 'program' configuration entries in OA and I wondered whether I should do this from an ordinary userid or my Admin userid. I started with the OA 'Program' display as seen by the ordinary user, and was able to delete old entries. Then I went and viewed the same display from my Admin userid... and the entries were gone. I find this quite alarming! I think I would have hoped that the ordinary user would either not be able to delete any entries at all, or they would have been entries that only applied to programs run by that userid. Does this suggest there's a problem with the way that I have OA installed?
  19. Hmmm. I'm also an EAM + OA user, and don't like the idea of using a product with fewer alerts. I like alerts - specifically I know which of the things I normally do generate alerts and by seeing these continue to appear I have increased confidence that unexpected processes would also generate alerts. If alerts cease, then I suppose I'd want to be sure that at least all the things that might previously have generated alerts would be logged in sufficient detail that one could always see what decisions had been made and why.
  20. Oops: when I typed EAM, I meant OA. Your answer is interesting though in another way... I didn't convert from EAM+OA to EIS, simply because at the time the offer came out I did not have time and energy to spend learning the ins and outs of a third product. And some time after that I'm sure I read in a post on these forums somewhere that Emsisoft don't actually think that every EAM+OA user should change to EIS... but that wasn't at all clear in the original offer / description of EIS. So I wonder if everyone who did make the change actually did so for the right reason. If on the other hand you're effectively saying that - due to many fewer users using EAM + OA - that support for the separate products is going to fade away, I think you should make that quite clear to existing users. It would also help if there was a really good explanation somewhere of the differences between what one can do with EAM+OA, and EIS, and what one cannot do with EIS that one previously may have done with EAM+OA, for those of us who need it spelled out.
  21. Disappointing is right. But if lots of other users have the same problem, and don't know it's OA, does that mean they're not patching IE? Maybe that just means they never use IE; I hardly ever do... but IE is (or used to be) heavily integrated with the rest of the OS, and I'm not sure that all the updates to IE only affect its use as a browser.
  22. Presumably every Win8 user of EAM has this problem; I wonder why so few people have commented in the thread. I apply fixes manually though - which is probably fairly unusual. What happens with people who have Windows perform updates by magic overnight etc?