JeremyNicoll


Posts posted by JeremyNicoll


  1. The bottom line is that my EIS ran for several days without anything (apart from
    the colour of the tiny systray icon) telling me that updates had ceased.  It's a
    pity that your 'updates log' only seems to record the end of an update process,
    rather than also that one is starting, because it's therefore impossible for you
    or me to know if the problem was updates starting & failing, or not even being
    scheduled.

    If the Action Centre is meant to have told me, then either it or the interaction
    between it and EIS isn't working.


  2. Using EIS v11.6.1.6315 on a 64-bit W8.1 system.

    I noticed a few days ago that the 'Private Bytes' memory figure (as reported
    by Process Hacker), or 'Commit Charge' (task manager) grows and grows for
    a2service.exe.

    I realise a lot of this figure is virtual storage, but there's a finite pool of that
    available.  (Please don't give me a lecture on paging - I've actually written a
    paging subsystem in the past.)  OTOH, I don't fully understand the impact of
    this figure in Windows OSes.

    You may recall I said a few days ago I was going to try running EIS with debug
    logging on all the time; when I noticed this creeping increase in Private Bytes
    I turned logging off and did a complete power-off shutdown, and rebooted.

    Since then (just after midnight, very early on Friday):

    - immediately on login to Windows, a2service showed 'Private Bytes' was 472 MB.

    - at FRI 00:22    487 MB
    - at FRI 07:15    517 MB
    - at FRI 09:31    542 MB     (then the machine 'slept' for around 12 hours)
    - at FRI 21:54    687 MB
    - at SAT 11:00    817 MB
    - at SAT 20:20    1.3 GB

    If this growth continues at this rate, there's going to be a problem in a week
    or two.


  3. Arthur, are you aware that Task Manager (in W8 anyway, dunno about W7) has a command-line column that can be turned on now?  Having said
    that I just looked at a sample dllhost.exe entry in task manager (started from right-click on the taskbar - I don't usually have it running because I
    use ProcessHacker instead) and it displayed an empty command line, as indeed did Process Hacker itself.   Ah... both PH and TM need to run
    elevated to get that level of detail.

    To start TM elevated I opened an elevated command prompt (from the Start menu) then typed in: taskmgr.exe.  Then one can turn on display
    of the command-line column in the usual way - right-click on column titles and pick the columns you want to see.   That's maybe easier for some
    users than downloading a new application...

    PH (which I use in preference to ProcessExplorer as it seems to show more and be under continuous development) has a 'Hacker' menu (which is
    what it calls its 'File' menu), and in there if you choose 'Show details for all Processes' it relaunches itself elevated.


  4. There's only one entry for EIS, in the Security section of the Action Centre, and it says that EIS is on.

    I know that back in XP days it was normal for the Security Centre to be bad at recognising if non-MS
    anti-virus/malware & firewall products were even installed, far less whether they were working properly,
    and I'd have thought that an element of the same is still true.

    Do you actually expect Action Centre to monitor whether EIS is updating properly, all by itself?  I'd
    have thought MS, at best, would provide an API that EIS would have to use, perhaps just telling
    Action Centre each time an update has been done, so that Action Centre can look for that not
    happening.  Otherwise, MS would need to poke around in the inner workings of all the different
    security companies' products to try to see if updating is working.


  5. As far as 'cancel' goes, my question then is: why didn't the hypothetical:

    threadToRun.terminate()

    work?  And yes, I do realise that in reality your 'cancel' is possibly more
    sophisticated than just a terminate call.  But surely it's easy to see in your
    code what action clicking on the X button does, apart from announcing that the
    cancel is taking effect?  So it should be comparatively easy to look for causes
    of the cancel not happening.

    "If you can figure out how to reproduce it...".   Well, I can't because I'm just
    a poor user who clicked on the cancel button your code provided and it didn't
    happen.  I'd have thought the fact that the GUI /did/ acknowledge the cancel, but
    then didn't actually manage to cancel anything is (compared with many much more
    vague bug reports) quite a good place to start looking for the cause.


  6. OK, I understand the support nightmare for that from your point of view.

    And I have no problem with the idea that the contents of exported files
    may change format at no notice.  That doesn't prevent anyone from making
    intelligent use of diffed export file sets.  After all, if an exported
    file contains a section mentioning a rule with a name that /I/ assigned to
    it, and what follows stays the same for days & days, and then changes, at
    least that gives me a clue that something in that rule might have changed.

    In any case, if you change a file format, there must be an indicator in
    the files that says so, so that you can decide whether importing an older
    format is safe or not.  Otherwise, why would a user ever bother exporting
    a rule set?

    Whenever I've written any code that runs through such a file I've always
    done it with a state-transition parser and defensive coding so if a file
    format changes my code is likely to notice.   But in any case I accept
    that that's my problem, not yours.

    Nevertheless I don't see why this should prevent your customers from asking
    for changes, and it's hard to see how that can happen if you're disallowing
    any discussion.


  7. I've got "Show icons and notifications" or "Only show notifications" set for every
    possible option.  But my question was more in trying to find out if the notification
    is caused by EIS saying to Windows "here's a notification that you might want to
    display", or whether some part of Windows itself, maybe its Security Centre, is
    meant to notice that updates have stopped for an installed security product.

    Should such an alert happen just once?  Or every 24 hours, or what?   If the 24-hour
    point comes when the machine is asleep, should it happen when the machine is next
    woken up?


  8. > Fabian: We are not discussing...

    If you don't mind me saying, that seems a rather terse response.

    I'm not expecting to be told confidential matters or those that relate to the
    security of the service that EIS provides.  But the original questions, about
    the format of exported settings files, and the level of detail provided in
    logs, matter to anyone who's concerned with managing change in rule sets.

    As far as I'm concerned the contents of an /exported/ settings file, or a log,
    are not "internal file formats".

    I cannot imagine that I am the only such user who cares about these things.
    Maybe it is rare amongst home users, but (based on my experience maintaining
    mainframe systems for thousands of users) I would have thought your corporate
    users would also welcome some improvements in logging (specifically logging the
    before & after values of changed rules).   If that isn't done, then our only
    alternative is either a tedious manual process of trying to document which
    boxes got ticked/unticked every time someone changes something, or exporting
    rules sets on a timed basis, maybe every hour, so that we can create our own
    diffed lists of what changed in what time period.  I'm sure if you supported
    this sort of thing better, you could use it as a selling point.

    It's useful to be able to pinpoint exactly what changed when, when looking
    at other system problems.  It's the same reason that I turned on audit logging,
    so the system security event logs record the creation & termination of every
    process.  It means when weird errors happen and mention a pid, I can find out
    what process that was and how it got started.
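The two posts above about exported rule sets ask for a format indicator in the file, a defensive state-transition parser, and before/after diffs of timed exports. The following is an added example, not code from EIS or from the poster, using a constructed hypothetical export format (the `FormatVersion` header, `[rule:name]` sections and `key=value` lines are assumptions, not the real file layout): unknown versions and unexpected lines are rejected rather than guessed, and two hourly exports are diffed into per-rule before/after values.

```python
import re

SUPPORTED_FORMATS = {"1"}  # versions this parser knows how to read
SECTION = re.compile(r"^\[rule:(?P<name>[^\]]+)\]$")
KEYVAL = re.compile(r"^(?P<key>[A-Za-z_]+)=(?P<value>.*)$")

def parse_export(text):
    """State machine ('header' -> 'body'); unexpected input raises, it is never guessed."""
    rules, state, current = {}, "header", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if state == "header":
            m = KEYVAL.match(line)
            if not m or m["key"] != "FormatVersion":
                raise ValueError(f"line {lineno}: expected FormatVersion header")
            if m["value"] not in SUPPORTED_FORMATS:
                raise ValueError(f"line {lineno}: unsupported format {m['value']!r}")
            state = "body"
        elif (m := SECTION.match(line)):
            current = rules.setdefault(m["name"], {})
        elif (m := KEYVAL.match(line)) and current is not None:
            current[m["key"]] = m["value"]
        else:
            raise ValueError(f"line {lineno}: unexpected line {line!r}")
    return rules

def diff_exports(old, new):
    """Return (rule, key, before, after) tuples; None marks a value that is absent."""
    changes = []
    for rule in sorted(old.keys() | new.keys()):
        a, b = old.get(rule, {}), new.get(rule, {})
        for key in sorted(a.keys() | b.keys()):
            if a.get(key) != b.get(key):
                changes.append((rule, key, a.get(key), b.get(key)))
    return changes

# Constructed hourly exports in the hypothetical format (not real EIS output).
EXPORT_0900 = "FormatVersion=1\n[rule:firefox]\nAction=allow\nPorts=80,443\n"
EXPORT_1000 = ("FormatVersion=1\n[rule:firefox]\nAction=allow\nPorts=80,443,8080\n"
               "[rule:backup-agent]\nAction=block\n")
```

Running `diff_exports(parse_export(EXPORT_0900), parse_export(EXPORT_1000))` lists the new rule and the changed port list with both values, which is exactly the before/after record the post asks the product to log itself.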


  9. > The thread that was processing the update check probably got stuck

    Yes of course, but what I was asking is "has anyone thought about which thread and
    how it got stuck and why it couldn't be interrupted/terminated/whatever by your
    'cancel' process?"  I mean, when I terminate a process in Process Hacker, it's very
    rare for that not to work.


    > cacheing debug info in RAM

    When I have had debugging turned on, frankly I have not noticed a performance problem,
    though I expect that depends a lot on the level of other activity on my machine, & so
    far when I have had debugging on I've been concentrating on trying to reproduce an EIS
    issue and not had much else happening at the same time.  But my machine is almost
    always lightly loaded.  I have the feeling that the cpu overhead of running with debug
    on all the time would either never bother me, or only rarely.  I'm going to turn on
    that logging and keep it on for a few days and see if my view on this changes...


  10. I know SQLite's not a server... but it doesn't "bypass the need to have an actual
    database".  The logic in the SQLite DLLs and the user & control data in an SQLite
    file certainly do between them comprise "a database".

    I agree that in ordinary application programming it's common to read a whole file
    in one operation - it's much more efficient than iterating through one in many I/O
    operations... and subsequently write a whole file... but surely the whole point of
    using SQLite is that the caller just asks for an SQLite connection to be made to a
    database, and then asks for specific actions, eg "add a record to table x", and
    doesn't itself do any IO.   SQLite does what it needs to do to maintain the file.

    I'd be interested in confirmation, because I've come pretty close to asking specific
    questions about this on the SQLite users mail list, since what you've said is so
    much at odds with what I thought I understood about SQLite.  (The reason I've been
    reading its mail list for so long is because I anticipate using it at some point
    in the future, and hoped that lurking there would make the eventual learning curve
    less steep.)


  11. OK... leaving aside the possibility that I/O to TEMP was somehow not possible, has anyone
    thought about why clicking the X (which did cause the GUI to change to say 'Cancelling')
    didn't cancel anything?


    And another thing... debug logs.  It's great that EIS allows one to turn debug logging on
    and off dynamically - no more flipping a bit in the registry and then rebooting - but (as
    you must be aware) so often a problem happens and then one can't reproduce it, so can't
    collect useful logs.

    I've used systems in the past that cache (I guess in a queue or maybe deque structure) a
    certain amount of log/trace activity all the time, in RAM.  When a problem happens, that
    cached data gets written to disk; if the problem is very serious at least that trace data
    is visible in the core dumps.  I think it would be useful if EIS had some similar facility,
    perhaps configurable (maybe in terms of the size of the in-store cache), and there was a
    "dump it now" button in the GUI.  I'd expect the app to dump it itself if it knew that
    something wasn't right, but otherwise users who'd just experienced something odd could
    click the button and at least there'd be a chance that something useful would have been
    written out.  Some people at least (certainly me, with a powerful machine) would be very
    happy to accept the (I expect) tiny CPU & RAM overhead of such a thing, if it led to
    easier resolution of bugs.  (I've often run other apps which create logging /files/ with
    detailed logging on all the time and archived weeks or months' worth of those logs, just
    for this sort of reason.)
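The in-RAM trace cache with a "dump it now" action described above (and the caching question in post 9), as an added example rather than anything from EIS or the poster: a bounded deque that costs one append per line, ages out old entries, records how many were lost so the dump says what it lacks, and writes to disk only on an ERROR or on request. The class, the fake clock and the scenario in `demo()` are all constructed.

```python
from collections import deque
import time

class TraceCache:
    """Bounded in-RAM trace cache: record everything, write nothing until asked."""

    def __init__(self, max_lines=1000, clock=time.time, dump_on="ERROR"):
        self._buf = deque(maxlen=max_lines)  # oldest lines age out automatically
        self._clock = clock                  # injectable so the demo is deterministic
        self._dump_on = dump_on              # severity at which the app dumps itself
        self.dropped = 0                     # lines that aged out since the last dump
        self.auto_dumps = []                 # dumps the app wrote without being asked

    def trace(self, level, msg):
        """Append one line: one tuple and a deque append, no I/O on the hot path."""
        if len(self._buf) == self._buf.maxlen:
            self.dropped += 1
        self._buf.append((self._clock(), level, msg))
        if level == self._dump_on:
            self.auto_dumps.append(self.dump())

    def dump(self, path=None):
        """The 'dump it now' button: render the cache and optionally append it to a file."""
        lines = [f"# {self.dropped} older line(s) aged out of the cache"]
        lines += [f"{ts:.3f} {lvl:<5} {msg}" for ts, lvl, msg in self._buf]
        self.dropped = 0
        text = "\n".join(lines) + "\n"
        if path is not None:
            with open(path, "a", encoding="utf-8") as fh:
                fh.write(text)
        return text

    def __len__(self):
        return len(self._buf)

def demo():
    """Constructed scenario: 1,200 routine lines, then the cancel that did nothing."""
    tick = iter(range(1, 10_000))                      # fake clock: 1.0, 2.0, 3.0 ...
    cache = TraceCache(max_lines=1000, clock=lambda: float(next(tick)))
    for i in range(1200):
        cache.trace("DEBUG", f"update check #{i} scheduled")
    cache.trace("INFO", "user clicked cancel; GUI shows 'Cancelling'")
    cache.trace("ERROR", "cancel flag set but worker thread did not exit")
    return cache
```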


  12. I still don't 'get' why you'd think SQLite would read or write the whole file just
    to update a single record.  I'd expect that when it opens the database it would read
    the control tables and then know where in the file the existing records are, and after
    that do I/O just to the required blocks.   SQLite files don't normally grow & shrink,
    unless one runs an explicit utility to do that, specifically because SQLite does its
    own management of the layout of the data within them.  (At least as far as I was aware;
    I've never used SQLite but I've been reading its support mail-list on & off for years.)
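To check the claims in the two SQLite posts above (posts 10 and 12) against a real file, this added example (not from the poster or EIS) builds a throwaway database with Python's sqlite3 module, counts how many fixed-size pages on disk actually change when one row is updated, and shows that deleting rows leaves the file the same length until VACUUM runs. The table and row contents are constructed.

```python
import os
import sqlite3
import tempfile

def changed_pages(before, after, page_size):
    """Count the fixed-size pages whose bytes differ between two file snapshots."""
    n = max(len(before), len(after)) // page_size
    return sum(before[i * page_size:(i + 1) * page_size]
               != after[i * page_size:(i + 1) * page_size] for i in range(n))

def sqlite_io_profile():
    """Constructed database of 2,000 rows; every figure is read from the real file."""
    path = os.path.join(tempfile.mkdtemp(), "rules.db")
    con = sqlite3.connect(path, isolation_level=None)     # autocommit
    con.execute("PRAGMA journal_mode=DELETE")             # classic rollback journal
    con.execute("CREATE TABLE rules(id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    con.execute("BEGIN")
    con.executemany("INSERT INTO rules(name, body) VALUES (?, ?)",
                    [(f"rule{i}", "x" * 500) for i in range(2000)])
    con.execute("COMMIT")
    page_size = con.execute("PRAGMA page_size").fetchone()[0]
    with open(path, "rb") as fh:
        before = fh.read()

    # Rewrite one record with a same-length value: only the leaf page holding it,
    # plus page 1 (the header's change counter), should differ on disk.
    con.execute("UPDATE rules SET body = ? WHERE id = ?", ("y" * 500, 1000))
    with open(path, "rb") as fh:
        after = fh.read()
    rewritten = changed_pages(before, after, page_size)

    # Delete most rows: freed pages go on the freelist, the file keeps its length.
    con.execute("DELETE FROM rules WHERE id > 100")
    size_after_delete = os.path.getsize(path)
    freelist = con.execute("PRAGMA freelist_count").fetchone()[0]

    # Only the explicit maintenance step rebuilds the file and gives space back.
    con.execute("VACUUM")
    size_after_vacuum = os.path.getsize(path)
    con.close()
    return {"page_size": page_size, "pages_rewritten_by_update": rewritten,
            "size_before_delete": len(after), "size_after_delete": size_after_delete,
            "freelist_after_delete": freelist, "size_after_vacuum": size_after_vacuum}
```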


  13. It's been fine since my manual update, with about 11 updates each day so far.  But, the issue isn't so much whether
    it's working now, but that it was /silently/ failing before.  I find the tiny systray shield really doesn't attract the eye
    when it goes orange, not least because it's next to a whole load of multi-colour icons.  I think EIS should produce
    some sort of alert if it hasn't been updated for some (configurable threshold?) length of time.

    Any chance of getting the product release number c&p-able?


  14. Using EIS v11.6.0.6267 on a 64-bit W8.1 system.

    (Incidentally, why can't I c&p that version number out of the 'About' screen?)

    My EIS is configured to update itself every hour.  I just noticed that the systray icon was orange, and looked at the
    'Security Overview' screen, which said it was several days since an update had happened.  I triggered a manual
    update, which worked ok.

    The machine's been on for days, though 'asleep' quite a lot.  But I've been actively using it for many hours out of
    the last 12 or so, so it should have tried to update ten or eleven times in that period.   The update log shows
    hourly updates occurring on the 4th, 5th and 6th of April then nothing at all - no error messages - no success
    messages, until the 'Update successful' for the update I just did manually about half an hour ago.


  15. One method of getting around this sort of thing is to replace the supplied GoogleUpdate.exe with another program, which does
    nothing at all, but give it the same name.   If Chrome never notices that the 'GoogleUpdate.exe' is no longer its own one, it will
    never replace it; and if you're not then running the updater it won't get updated by that either.  If Chrome checks that the registry
    entry is still in place to run the updater, well, it will still be there, so that won't cause a problem either.

    I use the DoNothing.exe available from: http://www.stephan-brenner.com/?p=190

    If I were doing this I'd rename GoogleUpdate.exe to something else so I could still run it myself if I wanted to, then put a copy of
    DoNothing.exe in its place and rename that to GoogleUpdate.exe (and I'd probably also add a text file with a similar name with
    a reminder of what I'd done).


  16. Thanks for the /? output.

    Why couldn't I find any info at all about use of a2cmd in the help file?


    > You need to launch the Command Prompt with administrator rights...

    But when I didn't do that, I got a UAC prompt, satisfied that, and PH showed
    that a2cmd was elevated, so did that not achieve the same thing?

    In any case, while I can see that using a2cmd needs elevation, I don't see
    why producing the help info should.  Is there no way (even if it automatically
    relaunches to get elevation) that the first program could say something useful
    about that in the original command window?  Even a "Must run elevated" message
    would be better than a hang.


    > ... will execute in a new window and immediately close once it's finished.

    So you're saying that a2cmd executed in another window and (presumably) the
    output from the /? was available, very briefly, there.  OK, but that doesn't
    explain why the window where I entered the command became unusable.


    > use the /s parameter ... otherwise it will simply display an error message

    Is that the "Access is denied." message?  If it means "You have EIS installed
    and should have used the /s parameter." shouldn't it say so?