JeremyNicoll

Posts posted by JeremyNicoll


  1. W8.1 64bit

    I just restarted EIS in response to the msg about a new version installing itself, then read in the blog about improvements to, amongst other things, a2cmd.  What's that, I thought?  Nothing in the help file so I looked in the install directory.  Ah, a tooltip says "command-line scanner".  Ok, better help?  Let's see what it says:

    In a command window I issued:

    C:\"C:\Program Files\Emsisoft Internet Security\a2cmd.exe" /?

    which produced a UAC password prompt which I answered.  And then what?  Nothing.  No response at all in the command window, though any attempt to move the window or click in it makes the system play an error 'bong' sound.

    ProcessHacker shows it's doing nothing, but IS elevated.  I used PH to terminate it, and whatever that did, I did then get a response in the command window.  It says, simply, "Access is denied".  That's a pretty odd response to a /?, I feel.


  2. I'm one of those people who hung onto XP systems until the very last moment, but now I use a laptop with W8.1 on it.  I'm contemplating a new desktop system at the moment & am quite likely to put W7 on that, or maybe W8.1.  I tend to think that I will never install W10, because of all the snooping it does (though I'm aware that W8.1 has quite a lot of that too).

    Part of my decision on what to install is obviously down to the Microsoft planned end-of-life dates for each OS, as described here: http://windows.microsoft.com/en-gb/windows/lifecycle

    (I'm puzzled by the fact that this MS webpage sets a very definite end-of-life for W10, despite the considerable amount of marketing MS have done telling people that W10 is the 'last' version of Windows they'll ever need.  What's going to happen after that date?)

    I'm also wondering what you plan to do about ending support for W7 and W8.1?

     


  3. > It's best to have the logs in memory so that they can be easily modified. You don't
    > want to have to read the entire file just to write a single line to it, so you keep
    > it in memory and when it get modified you only need to perform a write operation
    > instead of a read and then a write with processing in the middle (which makes things
    > very slow).

    But... the logs are in an SQLite database.  Such databases can be vastly bigger than
    the amount of RAM in a machine & one of the points of having a database represented
    by a single file is that the SQLite DLL is entirely responsible for writing just the
    changes to the on-disk file.  I can't imagine that any normal database application
    "reads the whole file" anyway; what a waste of time that would be.
                                                                   


  4. Sorry for delay in replying; hit a bad patch in my chronic illness.

    > If there's a reason why EIS can't read from or write to the a2temp folder, then there's
    > no reason to believe it would be able to delete the folder.

    Indeed, but assuming that the update process & use of a2temp has worked for a particular
    machine previously, it seems to me that the only likely reason for a one-off problem is
    going to be either a change of ownership or that some other application program or bit of
    the OS has the folder in use.  Creating a new folder for a specific set of updates would
    at least prevent that issue.  The failure to delete old folder(s) would still need to be
    reported to the user but would be less likely to prevent the app being kept up to date.

    > ... then I'll ask about this as well, ...

    Thank-you.

    > As for creating a new folder each time, that is possible, however it would eat up TEMP
    > space rather quickly.  It also might not prevent these issues, depending on what is
    > causing them. After all, it's just a folder, and if EIS can't read from or write to one
    > folder in TEMP then there's no guarantee that it can create a new folder in TEMP and be
    > able to read from or write to that new folder.

    Absolutely, but it might reduce the incidence of failed updates.  If EIS were suddenly
    unable to create a subfolder in TEMP, it's not unreasonable to think that other programs
    would have the same problem... that is, it would be a global problem with TEMP rather
    than a problem with EIS.      


  5. OK, all those answers are fair enough from a theoretical point of view.  But I have no
    reason to suppose that there's any reason why EIS couldn't read/write its own folder in
    %TEMP%, when it seemed to have a stalled update.

    If I had disk controller / other hardware issues, why would they only affect EIS's temp
    folder?  And I don't have other security software.

    I've seen suggestions to other users that the a2temp folder should be deleted, when they
    appear to have had update problems.  To me that suggests there's an underlying problem
    with that folder.  Maybe EIS should create a new one, eg a2temp-yyyymmddhhmmss, each time
    it needs to create a set of temporary files?  And (usually) having created its latest one
    try to delete the older such folders?


  6. > OK, so you just want the list of host rules to say when you customized a built-in rule to change the default behavior.

    I hadn't thought about that; my experiments so far had been when I added a totally new rule.  I had the "Hide built-in list" option unselected & added a rule for '0000000000000000000testjn.com', which obviously displays right at the top of the list.

    Suppose I add it with "Don't block" set.  Then in the whole list of rules the "Don't block" text shown in green next to it looks identical to the "Don't block" text shown in green next to sites which are in your supplied rules.

    The point I was making is that the "Don't block" decision in the entries you supply is different from the one that I added.  My one will remain at "Don't block" even if I change the appropriate global option, whereas all the ones in the supplied sites list will change.

    If I edit one of your supplied rules for a site classed as a Privacy Risk, changing the "Don't block" value it has (because that's the global setting), to "Alert" and then back to "Don't block", it's again not entirely obvious that that "Don't block" will remain set that way even if the global setting is subsequently changed.  (Yes I know that it's clear that it's now a rule in 'My Own' set, with a date & time of change.)

    All I was suggesting is that the values set because they came from global settings should say that.

    Meantime, I now have a Privacy Risk site whose entry used to say "Don't block" because you supplied it tagged as a Privacy Risk.  How do I get back to the original status where it exists just as a supplied rule?  If I delete it does the next update reinstate it with your setting?

    > To my knowledge, the entire contents of the SQLite database file are read when a2service.exe starts, and loaded into memory. I would believe that a2start.exe simply reads the log entries out of a2service.exe's memory in order to display them. In order to make scrolling of the logs faster, the entire log is loaded at once.

    If that's true, that the old log entries are cached in memory, I think that's quite odd, considering that many users might want EIS' memory footprint to be as low as possible.  I'd have thought that few people look often at the logs, and when someone does they could live with a short delay while the first screenful is parsed.

     


  7. Yesterday, I returned to my own house, with the laptop having been completely
    powered off during its journey back.  The EIS 'Manage Networks' display
    continues to show that it thinks I'm on a private network, as it did when I was
    last here, when ping etc worked ok.  But now they don't.

    I exported all settings to 'C:\Users\...\Desktop\EIS\20160317 before unplug'.

    Then unplugged LAN connection

    Then unticked Manage Networks' "use Windows setting...".   The 'Category for new
    connections' remains set to Private.   The Manage Networks display correctly
    shows there's no network connection at the moment

    Plugged LAN cable back in ... and now it shows
            Network 3    Private

    I should have screen-shotted the old display, I've a feeling it might have said
    "Network 4".



    Is it EIS or the OS that's numbering network definitions?  How do I see what they
    all are?  (I see on Control Panel - Network and Sharing Center - that 'Network 3'
    is listed, so presumably it's the OS.)

    If I click on "Network 3" in EIS I see:
       192.168.1.21; [80FE:0000:0000:0000:5124:2BA9:0000:0000]

    which shares some (see **) values (endianness apart) with one line in the ethernet
    adaptor's display from an: ipconfig /all:

    Ethernet adapter Ethernet 2:

       Link-local IPv6 Address . . . . . : fe80::2451:a92b:d83c:627%3(Preferred)
    **                                     ^^^^  ^^^^ ^^^^


    Ping and the nettime utility now work.


    I exported all settings again, to 'C:\Users\...\Desktop\EIS\20160317 later on'.
    When I compared these with those exported earlier I was surprised to see nothing
    much changed & in particular no sign of a changed setting for "Manage Networks"'s
    "Use Windows settings".


    I've said before that it's my intention to run always with the OS and EIS set to
    'Public' so that there are no surprises when I really do use a genuinely public
    network, so in a way my current difficulties using Private are irrelevant.


    But even though I think you might say this is all working as intended, I think
    there's a problem.  Even if EIS had previously silently used the "Windows setting"
    and decided (both when I went to mum's house and when I came back here) that the
    network in each place was a Public one... the Manage Networks display shows EIS
    thinks it is Private, which led me to think that it was applying the FW rules that
    are appropriate for such a network.  If it had actually said Public, I could have
    fixed that.


    I tried this again.  I re-ticked "Use Windows settings" and unplugged & replugged
    the LAN cable.  As soon as I plugged it back in I went back to a command window
    and tried ping again:

    C:\>ping www.bbc.co.uk

    Pinging www.bbc.net.uk [212.58.244.66] with 32 bytes of data:
    General failure.
    General failure.
    Reply from 212.58.244.66: bytes=32 time=39ms TTL=51
    Reply from 212.58.244.66: bytes=32 time=30ms TTL=51

    Ping statistics for 212.58.244.66:
        Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 30ms, Maximum = 39ms, Average = 34ms

    C:\>

    What?  That worked?  (Assuming that the first two 'General failure.' messages were
    just caused by a not-yet initialised connection...)

    And now "Manage Networks" says I'm on a Private Network.


    Hmm, maybe after I reticked "Use Windows Settings" and disconnected & reconnected
    the LAN cable, I didn't exit from that dialog. Let's try again...

       - closed GUI windows
       - systray icon - Security Overview
       - Protection - Firewall - Manage Networks
         currently showing: Private network
                            Category for new: Private
                            TICKED Use Windows Settings
         Clicked OK to close dialog.
         Clicked X to close GUI window.

       - unplug LAN cable, and wait 15 seconds

       - replug cable, and wait 30 seconds

       - try a ping... which works

       - systray icon - Security Overview
       - Protection - Firewall - Manage Networks
         still shows: Private network
                      Category for new: Private
                      TICKED Use Windows Settings

       - This time it seems to have ignored "Use Windows settings" and given me a
         private network, even though an hour ago it seemed certain that it was
         using the Windows settings and giving me a Public network, despite saying
         Private in this display.

         I really don't understand this.

         Control Panel - Network and Sharing Center - still says I'm on a Public
         network.


    I've used another firewall product in the past that too-often in my view told me
    that a new network had been detected and asked what I wanted to choose.  The
    product never differentiated between 'completely new' and 'new connection to a
    previously seen network' although it allowed me to attach a nickname to a
    connection (that is, if I nicknamed one connection "mum's house", it never seemed
    to recognise that it had been there before).  It was very annoying, especially as
    there was no way to see why it thought a network was new.

    Either it (and EIS) can recognise that they have seen a particular network before
    (maybe from the MAC of the next device out?) or they can't.  If they can recognise
    I think they should say "We've been here before, and last time you wanted the
    connection classed as Private, do you still want that?".  If they can't they
    should say "We don't think we've seen this network before, what level of trust do
    you want?".


  8. > I assume you mean in the notifications displayed when the Surf Protection blocks something?

    No, actually I meant on the Protection -> Surf Protection screen, where the list of defined rules is displayed.

    > It isn't an issue with the database itself, it's an issue with EIS parsing that many log entries. The more log entries it has to parse, the longer it takes. You'll usually only experience it as UI slowdowns or freezes, however it does also slow down the service starting, and thus slows down initialization of the Guards on startup.

    Except for when a user wants a log displayed, why would EIS have to parse log entries?  And if there's a problem when there are lots, surely it should only parse enough to display a single screenful (and then either keep doing so in the background, or cease until the user tries to scroll the display)?  But... parsing... these things should be trivial.  Is, by any chance, the cause of the slowdown that you repeatedly ask SQLite for the next log record, rather than asking for a chunk (eg 100 at a time) of them?

    And, why would EIS need to reread old log records during startup?  That's not normal in database processing.


  9. These ... issues ... would be on behalf of EIS?  What could suddenly prevent it from reading
    or writing to a folder within the current-user's %TEMP% directory?   Is there an underlying
    Windows problem with access to that?    And, why Safe Mode?  I'm able to rename/delete
    %TEMP%\a2temp  normally, if I try to.


  10. The laptop's been 'asleep' since last night and I just noticed that the nettime
    tool is showing loss of connectivity... and ping's getting "General failure."
    again.  I've not changed network settings since last night's change in EIS from
    the unexpected Public setting back to Private. And in EIS, Manage Networks still
    says Private.  If it's EIS that's blocking nettime's and ping traffic, there's
    nothing in the FW log that says so.

    I then used: Overview -> Support -> Enable debug logging

    and told nettime to try to update
    and after that announced its failure did a ping:

    C:\>ping ntp.blueyonder.co.uk

    Pinging ntp.blueyonder.co.uk [194.117.152.85] with 32 bytes of data:
    General failure.
    General failure.
    General failure.
    General failure.

    Ping statistics for 194.117.152.85:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\>

    then turned off debug logging.   I'll pm the debug logs to you.


  11. As far as I know I've only ever had one network (anything connected to the laptop's ethernet socket) defined there.  And it currently says Public, which is what I configured it as when I first set it up.  But inside EIS, I've had Private set since the initial difficulties described upthread.

    Windows has only ever asked me once what the network type should be, which doesn't really make sense if something about the difference in what I'm plugged into (a network switch connected to an Asus router at my house; a network switch, powerline adapters and a netgear router upstairs at my mum's house; just powerline adapters & the netgear router downstairs at mum's house) is significant.  Although at both houses the different types of cable modem are plugged into the same cable-TV company's network I'm pretty sure they're connected to different servers at the cable company.

    [I've noted previously, but not looked closely recently, that tracerts from mum's or my house pass through differently named bits of equipment in the cable company's network, and also that the ip address assigned to me differs according to which house I'm at.  The ip address changes even at a single house, from time to time - it's not a static address, just a rarely changing one.]

    So, does EIS do its own detection of 'a different network', or rely on Windows to tell it?


  12. I've had another occurrence of things suddenly ceasing to work, amongst them ping...  I had been using my laptop in one part of the house (where the laptop's connected via a pair of 'powerline' adapters to a netgear router and that to a cable modem), then moved the laptop and adapter to another part of the house, where the laptop is then connected to a small network switch which is connected via the powerline adapters to the netgear router & cable modem.

    Suddenly neither the nettime application nor, as I found out when I widened the scope of tests, ping, worked, ping in particular reporting a 'general failure'.

    I looked at the firewall 'manage networks' setting and discovered it had changed from private to public - which completely explains the failures (as I've not yet changed rules to allow ping etc to work in the way we discussed above).

    But what does surprise me is that the network suddenly changed its classification.  What's that based on?  Is it just whether or not EIS/Windows has seen a network accessed through the next device out's MAC before?

    My first reaction is that the laptop's been used with both configurations many times, but ... maybe this is the first time that EIS (rather than OA/EAM, or Windows) has seen the laptop-switch-powerlines... option.  Is there any way to tell when each network was first seen?

    Also, if Windows/EIS is changing from one type of network to another should there not be some sort of alert, or user choice?


  13. > It depends on your settings for the Surf Protection. For instance, if you have Privacy risks set to Don't block, then that will be reflected in the list of Surf Protection rules where it will say "Don't block" for any privacy risk hosts.

    OK... and I see that if I add a rule of my own although it may also be set "Don't block" and display in green like the supplied rules, at least its Category is listed as "My Own" rather than "Malware hosts/Phishing hosts/PUP hosts/Privacy risks", which makes things clearer.  Nevertheless it might be clearer still, if the action listed for one of these supplied rules when it inherits a user-setting from the foot of the screen, said eg

       "Global user: Don't block"

    and when a user sets one of their own rules it could say eg:

       "User custom: Don't block"

    to emphasise the fact that all the former ones change if a user changes a global setting.

    > It is some sort of timestamp, however I'm not sure how to read/decode it.

    I googled, which I suppose I should have done at the start, sorry.  I found a website where one can plug a number like this in and get it converted, at:

       http://www.timestampconvert.com

    [For anyone who's curious, the big number is basically the number of seconds since the start (at 00:00:00) of 01 Jan 1970.  As there are 24 * 60 * 60 = 86400 secs in a day,

       1457125846 divided by 86400   is  16864 (days) plus 76246 seconds.

    In a particular programming language I use a lot, I was able to calculate what day was 16864 days later than 01 Jan 1970... and it's 4th March 2016.

    The remaining 76246 seconds is clearly nearly a whole day (as a day is 86400 secs).

       76246 divided by 3600 (ie number of seconds in an hour)  is 21 remainder 646
       &  646 divided by     60 (ie number of seconds in a minute) is 10 remainder 46

    So 1457125846 represents local time 21:10:46 on 4th March 2016.]

    > The only place I am aware of to see when a host rule was created is in the list of host rules in the Surf Protection settings. Note that dates/times are only displayed for custom host rules.

    Presumably that's because regular updates from Emsisoft change the contents of the supplied rules on a user's system, and there's no point in telling us when a particular set of rules first got a specific rule added to it?

    > We don't log when Application Rules are created/edited. It might be possible if we add another table to the local logs database, but of course this further increases the size of the logs, and with increased log size comes decreased performance. I'll pass this feature request along as well.

    I'm pretty sure SQLITE scales well, and unless one's storing millions of records, or maybe significantly more, there won't be much performance impact increasing log sizes.  If that turns out not to be the case you could always supply that log option with a default table size of 0 records, so only users who want the function could enable it.
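The day/hour/minute/second split worked through by hand in the post, as an added example in Python (not from the post or from Emsisoft): it decodes a Unix epoch value like the "1457125846" seen in a2user.dat without any date library, so every step is visible, and then cross-checks the result against the standard library. The hand arithmetic yields UTC; whether that equals local time depends on the machine's zone, which the example leaves to the reader.

```python
# Added example (not the forum post's or Emsisoft's code): decode a Unix epoch
# timestamp such as the "1457125846" value found in an exported a2user.dat.
# Follows the same day / hour / minute / second split the post does by hand,
# then turns the day count into a calendar date.  The result is UTC.
from datetime import datetime, timezone

SECS_PER_DAY = 24 * 60 * 60  # 86400, as in the post


def civil_from_days(days: int) -> tuple:
    """Convert a count of days since 1970-01-01 to (year, month, day).

    Proleptic Gregorian arithmetic (the inverse of "days from civil" as
    published by Howard Hinnant); no library calls, so each step is visible.
    """
    z = days + 719468                     # re-base the epoch to 0000-03-01
    era = (z if z >= 0 else z - 146096) // 146097
    doe = z - era * 146097                # day of era, 0..146096
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    y = yoe + era * 400
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153             # month index with March = 0
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + 3 if mp < 10 else mp - 9
    return (y + (1 if m <= 2 else 0), m, d)


def decode_epoch(ts: int) -> dict:
    """Split ts exactly as the post does, then name the calendar date."""
    days, rem = divmod(ts, SECS_PER_DAY)  # 1457125846 -> 16864 days + 76246 s
    hours, rem = divmod(rem, 3600)        # 76246 -> 21 h, remainder 646
    minutes, seconds = divmod(rem, 60)    # 646 -> 10 min, 46 s
    year, month, day = civil_from_days(days)
    return {"days": days, "year": year, "month": month, "day": day,
            "hour": hours, "minute": minutes, "second": seconds}


def check_against_stdlib(ts: int) -> bool:
    """Cross-check the hand arithmetic against datetime (UTC)."""
    ours = decode_epoch(ts)
    ref = datetime.fromtimestamp(ts, tz=timezone.utc)
    return (ours["year"], ours["month"], ours["day"],
            ours["hour"], ours["minute"], ours["second"]) == (
        ref.year, ref.month, ref.day, ref.hour, ref.minute, ref.second)


if __name__ == "__main__":
    print(decode_epoch(1457125846))  # 2016-03-04 21:10:46 UTC
```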

     


  14. I know, from previous use of EAM, how to add entries to the Whitelist.  But no-one could possibly understand how to use the dialog based on the totally inadequate information in your help file, which only says:

          The Manage whitelist button allows you to specify files or folders to exclude from scanning and/or from real-time monitoring

    Surely you can do better than that?

    The dialog itself is well overdue for a rewrite.  It's user-hostile.

    There's no explanation at all of what a 'Name' represents, if one wants to whitelist one, instead of a file, folder or process.  What's it the name OF?

    If you return to the dialog having previously added file or folder definitions other than trivial ones of items in the root folder, you can't see enough of the listed file/folder paths to tell entries apart.  There's not even a tooltip that pops up to show the whole value of something.  Surely you can do better than this?  (I know one can export the list and then browse it, but that doesn't necessarily help you then click on the right entry in the GUI.)

     

     

     


  15. Using v11.5.0.6191

    A few days ago (while conducting experiments with v11.5.0.6191 and rule deletion, to see
    if I could recreate the problem of ping/tracert suddenly not working) I had something odd
    happen in the GUI.   I've read some other reports of odd behaviour and wonder if this
    is related.

    I'd shut it, then (by right-click on the systray icon & selection of 'Overview') reopened
    it.  It came up with the lefthand grey box saying "Initializing..." & a grey/white moving
    band moving from left to right on the bottom border of the grey box. What? There was also
    a rotating progress arrow at the top right of the GUI, just under the X that one would
    click to shut the window.

    The Initializing grey box also said 'Last Update  1 Hr ago'. That made me wonder if there
    was a stalled newer update.

    See screenshot.

    I clicked the X in the grey box, which changed to say "Cancelling".  Cancelling what?  The
    cancel didn't seem to make any difference.

    Meantime the bit of the taskbar that represents the EIS GUI had a green stripe that passed
    across it every few seconds...

    I then tried systray icon - shutdown all protection - which seemed to stop the GUI ok, then
    double-clicked the EIS desktop shortcut which seemed to restart it.  But it still said it
    was Initializing...

    I then rebooted.  After that I opened the EIS GUI, which no longer said Initializing.  The
    last update was a while back so I clicked 'update now'.  It then said Initializing... again,
    but only for a couple of seconds before going ahead and doing an update without any trouble.


  16. Why do some entries in the supplied surf protection (aka Host Rules?) set have
    action "Don't block"?   Why supply those rules at all?


    When I export the host rules, the file created is named: a2user./dat/   But all the
    other exports create .ini files.  Is that intentional?  I also note that some of the
    .ini files contain only a timestamp if there's no content, whereas a2user.dat isn't
    created at all if you have no user HRs.  Surely all this should be done the same way?


    Within the exported host rules in a2user.dat there's a value, eg "1457125846" which
    looks to me as if it might be a timestamp.  If it is, how does one convert it to a
    form that makes sense, and what's it the time of?  Is it when the rule was created?
    [I suppose the surf protection log shows when such a rule is actually used.]


    Likewise the firewall and behaviour blocker logs show when parts of the application
    rules are used.  If that info is only stored in the logs then I guess it's more or
    less impossible to display when a rule was last created/modified, and when it was
    last used, within the rule-editing dialogs?


    The app rules dialogs allow one to make quite complicated sets of changes.  Is there
    any possibility code could be added to log a rule's settings on entry to the editing
    dialog and again on exit, so one could more easily keep track of what gets changed?    


  17. I see the default size for the EIS log file is 300 records.  I know I can set a
    higher number, or 0 for no limit.  If I alter the limit value upward does that
    take effect immediately?

    If I alter it downward to a non-zero value are records deleted immediately?  Or
    would I be warned and/or given a chance to export them first?  If records are
    deleted immediately, is it the oldest ones that go?

    The GUI rather implies that the number one provides here is the total number of
    log records, but I found when I increased the value from 300 to 1000 then later
    exported settings and looked at them, that I had (in a2settings):

         UpdateLogSize=1000
         QuarantineLogSize=1000
         GuardLogSize=1000
         ScanLogSize=1000
         FirewallLogSize=1000

    Does this really mean that the total size of the log is 5000?  Then again, there's
    seven types of log data - so maybe 7000?  Why are there only five size settings?


    I'm aware that the log data is held in a single file - an SQLITE database.  Can you
    tell me if the on-disk file always contains the current log data - ie that after
    each record is created the disk file is updated?

    I am wondering how to archive logs, if the log database file is in use all the time
    that EIS is running.  I know I can use your GUI to display each log in turn, click
    on export, and save a file... but that's no use for a proper archiving scheme, run
    under a scheduled task.  It seems to me that IF the on-disk SQLITE file supports
    such a thing, an SQLITE utility that copies the open database file elsewhere then
    dumps the contents of the copied file might be a good solution (and involve no work
    on your part either...).

    Does the way in which you've defined the database allow that?


    Alternatively, can the developers PLEASE add a command-line option to force export
    of all the log data to a specified directory?

    Frankly, I would like the same thing CLI-driven option for saving all the current
    settings, as well.
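The archiving scheme the post asks about, as an added example in Python (not Emsisoft's code, and the table and column names are made up): SQLite's online backup API takes a consistent snapshot of a database that another connection keeps open and writing to, which a plain file copy of a live database cannot guarantee; the dump is then taken from the snapshot so the scheduled task never holds a lock on the live file.

```python
# Added example (not Emsisoft's code): archive an SQLite log database that is
# kept open by a running service, using the online backup API instead of a
# file copy.  The table layout is constructed for the demo; the real product
# schema is not known here.
import os
import sqlite3
import tempfile


def make_sample_log_db(path: str, rows: int = 5) -> sqlite3.Connection:
    """Create a constructed stand-in for a product log database and leave the
    connection open, the way a running service would."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE firewall_log (id INTEGER PRIMARY KEY, "
                 "ts INTEGER, action TEXT, remote TEXT)")
    conn.executemany(
        "INSERT INTO firewall_log (ts, action, remote) VALUES (?, ?, ?)",
        [(1457125846 + i, "blocked", "192.0.2.%d" % i) for i in range(rows)])
    conn.commit()
    return conn


def archive_live_db(src_path: str, archive_path: str, dump_path: str) -> int:
    """Snapshot src_path into archive_path while it is in use, then write a
    plain-SQL dump of the snapshot.  Returns the number of rows archived."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(archive_path)
    with dst:
        src.backup(dst)   # online backup: consistent page copy, writer stays open
    # Dump the copy rather than the live file, so the archiving job never
    # holds a read lock on the database the service is writing to.
    with open(dump_path, "w", encoding="utf-8") as fh:
        for line in dst.iterdump():
            fh.write(line + "\n")
    count = dst.execute("SELECT COUNT(*) FROM firewall_log").fetchone()[0]
    src.close()
    dst.close()
    return count


def demo() -> int:
    """Run the whole sequence in a temp directory; returns rows archived."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "logs.db")
        writer = make_sample_log_db(live, rows=5)
        # The writer keeps adding records while we archive, as a service would.
        writer.execute("INSERT INTO firewall_log (ts, action, remote) "
                       "VALUES (?, ?, ?)", (1457125900, "allowed", "192.0.2.99"))
        writer.commit()
        n = archive_live_db(live, os.path.join(tmp, "logs-archive.db"),
                            os.path.join(tmp, "logs-archive.sql"))
        writer.close()
        return n


if __name__ == "__main__":
    print("rows archived:", demo())  # 6
```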


  18. Pings etc: yes, from command prompt.

    Your link made interesting reading, though the concerns discussed there are mainly regarding firewalling public servers.  There are also somewhat different concerns on large (corporate) networks where there's a higher chance of a compromised machine sending fake ICMP traffic outbound... that is something that looks to a firewall like an outbound ping or tracert request, but carries some other data with it.  That (as some of the posters say) could be as simple as a piece of malware telling its command & control server that it's alive and running on your own PC.

    But - as other people pointed out - malware can hijack any protocol to do that....  For example it could send a fake DNS request to its C&C server... and no-one's likely to block outbound DNS requests, unless they run their own DNS server on their own internal network.

    I found this page: http://security.stackexchange.com/questions/16882/is-there-any-risk-in-allowing-ping-packets-out-through-a-firewall?lq=1 interesting too.

    I remain unconvinced that for a single personal machine, even on a public network, that sending ping / tracert requests outbound is dangerous.  Or at least, that when I choose to send a ping/tracert request, that that's dangerous.  Yes, I can see that a ping/tracert or any other request that something bad is sending, is a problem.  I just have to hope that the other parts of EIS can stop that happening!


  19. You said: "Did you change the network adapter to Private, or did you change the category for new connections?"

    I did say at the start that immediately after making that change (whichever it was) that tracert and ping started working.  They then failed after I'd deleted an app rule for nettime.

    You said: "It's a general statement I make when telling people about customizing the rules...."

    OK, got it.  The rule order works the way I expect, but you're used to advising people who don't think about the consequences of whatever is defined inside the app rules section...

    You said: "Technically, all you should have to do is edit the rule for Trusted network traffic (ICMP)..."

    Yes, I know... but the problem I reported wasn't "how do I edit a rule to make tracert/ping work", but instead the fact that they suddenly ceased to work when (as I think it must have been) deleting an unrelated app rule screwed up the list of rules.  And remember that I also said that without me changing anything (certainly not any rules) the new version of EIS fixed the problem.  I was hoping for someone who knows precisely what changed in the new version's fix for 'problems deleting rules' to say whether it's likely that that DID fix the problem, or whether there is some other issue underlying this.

    You said: "Some people believe that if a computer/router/etc. replies to a probe..."

    OK; I think the precise answer to my question might be that the default global rules group all the public network ICMP stuff together into one blocking rule, because for many people that's a good idea.  I can't see any reason why it would be a bad idea for me to be able to send ping/tracert requests outbound on any kind of network, nor why it would be a bad idea for me to receive the replies from those requests that I initiated.  As far as I can see neither of those scenarios has anything to do with the probe 'issue'.  Or have I misunderstood?


  20. Thanks for your reply.  I'm struggling (healthwise) to find the energy to pursue this..

    I understood your first point about ping & tracert not being meant to work in public networks, but my experience was that they didn't work - not even after a reboot - in a private network, after I'd deleted app rules for the nettime program.

    However, still without having changed anything else, and with the network still configured as a private one, I found that nettime redefined itself (and worked ok) and ping & tracert both started working again after a reboot after EIS updated itself to v11.5.0.6191.  I did wonder if that might help (because of the reference in that update's list of things changed, to a fix for a problem that affected rule deletion).  Maybe when I deleted the rule for nettime, the list of rules got damaged and those further down the global list meant to allow ping/tracert to work couldn't be found any longer?

    I'm contemplating resetting to default rules and then trying to replicate the situation that seemed to cause the problem; I might do that tomorrow.  Though if the latest version did fix it, replicating it mightn't be possible...

    I'm puzzled though by your statement:

       "be sure that any custom firewall rules are above the line for 'Traffic
        handled by application rules' otherwise they will be ignored."

    because the help page for firewall rules says that rules are tried one at a time starting at the top of the list, and the first matching one is used.  So surely the order is

       1) Windows Services (TCP)
       2) Windows Services (UDP)
       3) all the application rules
       4) then the other general rules

    so - provided there's no application rule for ping or tracert, which there seems not to be according to the 'application rules' page - a new rule for them could go in the bottom part of the list.  Surely all that's essential is that such a new rule is above the default entries for ping & tracert further down the list?  If not, why not?

    I'm also puzzled, in a different way, about what it is about ping & tracert replies, that makes receiving them on a public network a bad idea.  Is there something about them that makes it impossible for the firewall to distinguish between such replies coming in to the machine and responses to other people's pings or tracerts targeting the machine being sent out?