
David Biggar

Emsisoft Employee

Everything posted by David Biggar

  1. Thank all of you for continuing feedback and information. Libor: It would be very strange if an SSD is the thing here, especially since I've been replicating this in a virtual machine, which doesn't know that the parent device is an SSD. I won't discount the possibility however. I'm not going to ask you to do more, but if you do notice anything, I'm interested in what you find. endevite: I rather expected that after my own experience. I still haven't found the culprit, but I'm not giving up. neneduty: Thank you for your loyalty! Hopefully though we can figure out the Comodo conflict quickly so everyone has the choice to use it if they wish. JeremyNicoll: I think that's unrelated actually, but thank you for sending in that information and offering help/feedback!
  2. I feel funny saying this, but thanks, Door Knob! I agree, it's the 2018.3.x update that introduced (not 'caused') a conflict. That's not to lay blame on the code or version, Comodo or Emsisoft, since security software by its nature is complex and deals with systems that can bring them into conflict. Comodo's free firewall is not just a firewall even with parts disabled, so falls into that category as well. That's part of why many (most?) experts recommend avoiding having multiple active antivirus on one machine, for example. I sure don't know exactly where the conflict is yet, but no, I'm not giving up. It's interesting that so far, I think everyone reporting this is using an SSD instead of a platter drive. Anyone out there using a non-SSD system drive who has the issue of a boot hang in normal mode?
  3. Libor, The issue IS replicable on my virtual machine, after days of not being able to replicate it. I'd mentioned that several posts ago. Then I find a workaround, seems to work, but doesn't work for you. Then, I find that even though after several stop/start/restarts it worked fine, the next day it fails and locks on startup again. It is indeed work for us at Emsisoft to do, but we do need testing to see if we have a fix for you or not. Each time I posted, I had done something that effectively fixed the issue on my virtual machine, which is configured similarly to your computer, even with SSD. So, I was interested in seeing if the fix worked for you as well. I'm glad you took extra steps to disable all of Comodo and note that it still happened. For whatever reason, it happens much more frequently and certainly on your computer than it does mine, so testing was, while tedious I'm sure, much faster than doing it here. So, it's back to the drawing board for me. No, our developers do not simply know what the conflict is. Programs of this nature are far, far more complex than that, and most of the time, the cause isn't so obvious. That's why this testing is important, so I can narrow down exactly which modules, features, or settings cause the problem to go away, so they know where in code to start looking. Standard troubleshooting and debugging steps, really. I'll avoid posting more things that seem to work unless they work for several days in a row. Have a great week!
  4. Libor (and others), The toggling of Comodo's av might not do the trick completely. It did work for me across several reboots, but during one of my virtual machine boots today, it hung. After loading into safe mode and re-confirming that its av was off, I rebooted into normal mode and things appear to be working just fine. I'll keep on it, and update if I learn more.
  5. Ransomware infections are unique in many ways. Most importantly, a lot of the natural instincts which are usually correct when dealing with malware infections can make things worse when dealing with ransomware. Please see the following steps as a guideline when dealing with your ransomware infection.

     Do not delete the ransomware infection
     The natural instinct of most users is first to remove the infection as quickly as possible. This instinct is, unfortunately, wrong. In most cases, we will require the ransomware executable to figure out what exactly the ransomware did to your files. Finding the right ransomware sample becomes infinitely more challenging when you have deleted the infection and can't provide us with the ransomware. It is okay to disable the infection by disabling any autorun entries pointing to it or by quarantining the infection. However, it is important not to delete it from quarantine or to remove the malicious files right away without a backup.

     Disable any system optimisation and cleanup software immediately
     A lot of ransomware will store either itself or necessary files in your temporary files folder. If you do use system cleanup or optimisation tools like CCleaner, BleachBit, Glary Utilities, Clean Master, Advanced SystemCare, Wise Disk/Registry Cleaner, Wise Care, Auslogics BoostSpeed, System Mechanic, or anything comparable, disable those tools immediately and make sure there are no automatic runs scheduled. Otherwise, these applications may remove the infection or necessary ransomware files from your system, which may be required to recover your data.

     Create a backup of your encrypted files
     Some ransomware has hidden payloads that will delete and overwrite encrypted files after a certain amount of time. Decrypters may also not be one hundred percent accurate, as ransomware is often updated or simply buggy and may damage files in the recovery process. In those cases, an encrypted backup is better than having no backup at all. So we urge you to create a backup of your encrypted files first, before doing anything else.

     Server victims: Figure out the point of entry and close it
     Especially recently we have seen a lot of compromises of servers. The usual way in is by brute-forcing user passwords via RDP/Remote Desktop. We firmly suggest you check your event logs for a large number of login attempts. If you find such entries or if you find your event log to be empty, your server was hacked via RDP. It is crucial that you change all user account passwords immediately. We also suggest disabling RDP if at all possible or at least changing the port. Also, it is important to check all the user accounts on the server, to make sure the attackers didn't create any backdoor accounts on their own that would allow them to access the system later.

     Figure out what ransomware infected you
     Last but not least, it is important to determine what ransomware infected you. Services like VirusTotal, which allows you to scan malicious files, and ID Ransomware, which lets you upload your ransom note and encrypted files to identify the ransomware family, are incredibly useful and we will probably end up asking you for the results of either of these services. So by providing them right away, you can speed up the process of getting back your files. If you struggle with any of these points, please feel free to ask for help. Our ransomware first aid service comes with no strings attached and is free for both customers and non-customers.
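     The following PowerShell triage script is an added example, not part of the post above or of any Emsisoft tooling: it gathers the evidence the "Server victims" step asks for (a cleared Security log, failed RDP logons by source address, newly created or newly privileged accounts, and the current RDP state). It assumes an elevated prompt on the affected Windows server, a 14-day lookback window, and a Windows 10 / Server 2016 or newer host for Get-LocalUser.

```powershell
# Added triage script (not from the original post). Run elevated on the affected
# server. $LookbackDays is an assumed default; adjust to the suspected intrusion window.
param([int]$LookbackDays = 14)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Was the Security log cleared? Event 1102 is written when it is. The post notes
#    that an empty log is itself a sign of compromise, so report it loudly.
$cleared = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -ErrorAction SilentlyContinue
if ($cleared) {
    Write-Warning "Security log was cleared $($cleared.Count) time(s); most recent: $($cleared[0].TimeCreated)"
}

# Helper: turn an event's EventData into a name -> value hashtable.
function Get-EventFields($evt) {
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 2. Failed logons (4625). LogonType 10 = RemoteInteractive (RDP); LogonType 3 = network,
#    which RDP with Network Level Authentication also produces during brute-forcing.
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue
$failedRdp = foreach ($e in $failed) {
    $d = Get-EventFields $e
    if ($d.LogonType -in '3','10') {
        [pscustomobject]@{ Time = $e.TimeCreated; LogonType = $d.LogonType; User = $d.TargetUserName; SourceIp = $d.IpAddress }
    }
}
"Failed RDP/network logons since ${since}: $($failedRdp.Count)"
$failedRdp | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 3. Accounts created (4720) or added to a local group such as Administrators (4732)
#    in the window: candidates for the backdoor accounts the post warns about.
$acct = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $acct) {
    $d = Get-EventFields $e
    if ($e.Id -eq 4720) { "$($e.TimeCreated)  account created: $($d.TargetUserName) by $($d.SubjectUserName)" }
    else                { "$($e.TimeCreated)  member added to group $($d.TargetUserName): SID $($d.MemberSid) by $($d.SubjectUserName)" }
}

# 4. All local accounts, so an unexpected enabled account stands out during review.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# 5. Is RDP enabled, and on which port? fDenyTSConnections = 0 means RDP is enabled.
$ts   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$port = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
"RDP enabled: $($ts.fDenyTSConnections -eq 0); listening port: $port"
```

     Treat a non-empty output of sections 1 or 3 as confirmation to rotate every account password and disable or restrict RDP, as the post advises; the script only reports and changes nothing.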
  6. Libor, I was able to, once, get the system to hang after boot even with the exclusions. It is irregular though. Irregular enough that it did not happen over several restarts prior to suggesting the whitelisting. Please avoid using system restore in this situation. It is enough to boot into safe mode or safe mode with networking (Using the F8 key before the Windows splash screen appears during the boot process) and modify things from there to test. If you choose safe mode with networking, please don't use it for any generic surfing, as the computer will not be properly protected in that state. Consider it "emergency use". I've just tried something else, and it seems if I disable Comodo's VirusScope 'permanently', and remove all of the exclusions for Emsisoft files/folders, things still work (for me). Please boot into safe mode, open Comodo Firewall, then click on VirusScope's "Enabled" link. Change it to "Disabled", and when the popup appears, choose "Permanently". I'd very much like to know if that works for you. So far, for me, this also works. No glitches yet, but I need your feedback also. If it does work, and especially if it works for several people, that's information we (or Comodo) might be able to use for a better solution.
  7. Libor, did you exclude using the "Excluded applications" tab? The excluded paths one did not work for me, either. I'll see if I can replicate again with the exclusion I have, but it was "just working" after I did that on mine. Windows 7 x64 also, with SP1. Also with SSD, so I did what I needed to do in safe mode, not normal mode. From there it worked. Mind you that you probably have to reboot after creating the exclusion - I didn't have to since I worked in safe mode and our service wasn't running, but usually, whitelisting doesn't affect currently running processes. The process would need to be restarted. If you did not either set up the exclusion from safe mode as I'd mentioned, and did not reboot with the exclusion in place, please do so and let me know if that makes a difference. It sounds like you did restart, but I want to make sure it's clear for everyone.
  8. You're welcome, Libor. I just hope it works for everyone, otherwise it's back to the drawing board with replication and work-around or debugging. I'd just as soon put this particular issue to rest as soon as possible. I imagine everyone else thinks so too!
  9. I've made some headway here. Despite exclusions and adjustments to Emsisoft Anti-Malware, nothing I did rectified the issue. However, when I added an exclusion to keep Comodo Firewall from touching one of our programs, the problem went away. I reset the computer, booted into safe mode, started Comodo Firewall, opened it, clicked Settings, Advanced Protection, Scan Exclusions. I then clicked the Excluded Applications tab and added our Emsisoft Anti-Malware service executable, and restarted the computer to test. The problem (for me) was gone. If others would test this, I'd appreciate it. Please let me know how it goes.
  10. Edit: For those who are still having this issue, note that you can work around it by switching to the Delayed update feed so that Emsisoft Anti-Malware downgrades to an older version that does not have this issue. Here's how to do that:
      1. Open Emsisoft Anti-Malware.
      2. Click on Settings in the menu at the top.
      3. Click on Updates in the menu at the top.
      4. On the left, under Update Settings, click on the box to the right of Update feed and select Delayed from the list.
      5. Click on the Update now button on the right side.
      ___________________________________________________________
      Hello Libor, thank you for your feedback. As I'd mentioned, "We're still unable to replicate the issue". Up until just a few minutes ago, we have not been able to replicate this issue at all, whatever we tried, and nobody had been able to provide usable debugging information. Those who were willing to try ended up having the problem go away prior to any information being gathered, so we were left with a problem we could not see to diagnose. Impossible as you might imagine. So no, we're far from asleep, we have just not been able to get any usable data other than "it happens", and that it's with current Emsisoft Anti-Malware, Comodo Firewall, and Windows 7 x64. By "up until this evening", I mean that I just had a virtual machine with Windows 7 x64, Emsisoft Anti-Malware, and Comodo Firewall (free) lock up well after the desktop was loaded. I'm going to try gathering information if I can, if the problem repeats itself. So, some progress possibly. I'll post back here with workaround instructions should I find any, and update with fix status as well once that comes.
  11. Hello fxdwg! If you can, would you also send the file listed below from one of the computers having the accounting issues to [email protected] and mention my name? I'd like to check the detections over and see if there's something long term that can be done, but I'm guessing short of the monitoring exclusion that Frank walked you through, anything we'd do to whitelist that application would be a temporary band-aid until its next update. C:\Program Files\Emsisoft Anti-Malware\Logs\Logs.db3
  12. We're still unable to replicate the issue causing a no-boot problem where Emsisoft Anti-Malware and Comodo Firewall are active on the same computer, and attempts to recreate it by customers who reported it happening and who have replied have not met with any success either using the current stable or current beta versions. It seems the issue may have been related solely to the update that caused trouble on the 2nd of April, which is no longer available as of that same evening, Eastern USA time. If anyone can still replicate a boot issue with Comodo and Emsisoft Anti-Malware, and you're using our current beta version, please let me know right away, preferably via [email protected]. If you can replicate the issue and are using our current stable version, please consider trying our beta and seeing if it continues. To switch to beta:
      1. Open your Emsisoft product.
      2. Click Settings in the top row, Updates in the second row.
      3. Change the drop-down menu from Stable update feed to Beta update feed.
      4. Press the Update now button.
      5. Reboot the computer when it's finished updating. If it has you reboot during the update, consider that your reboot; you don't have to do it again.
      For most people, please switch back to the stable version within a week, even if the beta works. Beta releases are just that, beta, and may be unstable in some cases. You may learn more about when releases come out, here: https://blog.emsisoft.com/en/category/emsisoft-news/product-updates/
  13. Manjusri108/Glenn: OK, that sounds good. I was hoping a safe mode boot was possible for gathering the logs. I'm still trying to replicate, but no luck so far. I'll try with the cloud based behavior analysis enabled next time, thanks. I personally also use Windows Firewall along with Emsisoft Anti-Malware, for what it's worth. endevite: Thank you for your feedback. The code integrity issue is 'normal' and has to do with a file not being recognised as a valid one due to the loaded file being monitored. However, those are application crashes listed. Would you email me at [email protected] please? I'd like to provide you with application crash memory dump gathering information so we can look at them and hopefully find the issue. While not dangerous, I'd just as soon not post them here and end up with an unexpected flurry of memory dumps. If anyone else would like to help, please email [email protected] and reference this forum thread.
  14. Manjusri108, (this applies to anyone having this problem, really) I have not as of yet been able to reproduce the boot problem. When you installed Comodo Firewall, do you recall which of the additional features you enabled? Among those offered (I deselected all of them) were:
      Yahoo homepage, new tab, search engine default settings
      Comodo Secure DNS
      Cloud based behavior analysis
      Anonymous crash reporting
      Comodo Dragon (it installed anyway)
      Comodo Internet Security Essentials (was not offered, but installed as part of it anyway)
      Hopefully I can better match your installation, but failing that, I'll try to get a usable method to gather information from your computer about the hang. I'm not so sure debug logs will be of much use here, but it would be a start. To enable:
      1. Open Emsisoft Anti-Malware, click the support link, and change the debug logging pulldown to one day.
      2. Close the program, restart the computer (resulting in the hang of course), and wait a good while, perhaps 15 minutes.
      3. Reboot into safe mode as you have been doing, remove Comodo Firewall, and restart again.
      4. On normal boot, open Emsisoft Anti-Malware, click the support link, and disable debug logging via the pulldown.
      5. Click the Send an email button, fill out the email form, and select all logs with the current day's date from the column on the right, then click send.
      6. Close Emsisoft Anti-Malware when finished if desired.
      Something else to try would be to exclude the Comodo Firewall program from monitoring:
      1. Reinstall Comodo Firewall. Don't restart after install.
      2. Open Emsisoft Anti-Malware, click "Settings" in the top row then "Exclusions" in the second row.
      3. Click 'add folder' in the exclude from monitoring section, navigate to the "C:\Program Files\COMODO\COMODO Internet Security\" folder, if you've installed in the same location it did for me, and click OK.
      4. Reboot to test.
      It may turn out that another of Comodo's files is conflicting, perhaps in the Windows folder structure. It's also possible a monitoring exclusion won't work, but I wanted to give you a direction at least since I haven't been able to replicate yet. Once I've received logs, I'll be replying via email in our ticket system to keep each person with their own logs and to advance each ticket until we find a fix; please do not post logs in this forum thread. When a fix is found, I'll post here.
  15. Alright Manjusri108, thanks for confirming the issue still exists with Comodo, and is an issue in addition to the one I mentioned. The other issue however was very real, was fixed, and tested. All I needed was confirmation your issue still existed, so is obviously a different one. I'll see what I can find out and get back to you. I should be able to test the current stable with it later today, and if I can replicate the issue, gather debug logs. In the meantime, feel free to switch to the delayed feed as endevite has suggested. If you'd like, there is a fresh beta version out right now that you can try and see if it has an effect on Comodo Firewall.
  16. Hello folks, First of all, endevite's method should work, even if it does a few things that aren't quite necessary. Good job figuring that out! Comodo isn't involved to the best of my knowledge. The issue had to do with computers that ran files stored on network shares at boot time. We've rolled back only the component of Emsisoft Anti-Malware responsible for the issue, so anyone able to update to the latest stable version should not have the problem again. We're also instituting extra testing that will keep this issue from happening in the future. A basic method to fix machines still having a problem, other than the one endevite mentioned, is this:
      1. Boot into safe mode.
      2. Using msconfig, disable Emsisoft Protection Service in the Services tab, and Emsisoft Anti-Malware in the Startup tab.
      3. Reboot the computer into normal mode.
      4. Run services.msc, and re-enable Emsisoft Protection Service by opening its properties and changing it to Automatic startup.
      5. Run Emsisoft Anti-Malware from the start menu.
      6. Click Update now on the Overview to update.
      7. Once updating is complete, run msconfig again to re-enable Emsisoft Protection Service and Emsisoft Anti-Malware (or just click normal boot if you haven't used msconfig to disable anything else).
      8. Restart the computer again - all should work fine. No need for the delayed version unless you wish to use it.
      An alternative method is to use system restore from Windows Repair or any other mode you can get into, and once completed, update Emsisoft Anti-Malware before any other reboots are performed. Some did try this but had the problem again, because we hadn't updated with the culprit component rolled back by that time. For those computers that cannot get into safe mode or cannot use system restore, please contact [email protected] and we'll help with other methods. If after confirming the computer has Emsisoft Anti-Malware version 2018.3.0.8555 or newer installed there is still trouble with Comodo Firewall, please let me know, but it should be cleared up. The version number can be checked by opening Emsisoft Anti-Malware and clicking EMSISOFT in the upper left corner. Thank you for your patience, and I apologize for the hassle this has caused.
  17. Hello Pars, thank you for contacting Emsisoft support. I am working with Emsisoft support of Iran on this, as they contacted me about your situation, and I have already replied to them. They should be in touch with you soon. Unfortunately, GandCrab2 is not decryptable without paying the ransom. I cannot of course recommend that, but it may be your only choice.
  18. I noticed the report about 0xC0000005 errors. That is almost always due to conflict with another active protection security product. Do you have AVG, Avast, or anything else on the machine? If so, I'm going to recommend restarting in safe mode and removing either their software or ours. I'm biased here of course, and I'd like to point out that Emsisoft Anti-Malware is a broad-spectrum antimalware that includes antivirus and much more, so removing another antivirus program isn't going to leave you unprotected. Instructions for booting Windows 10 in safe mode can be found by clicking here. I recommend the "from sign-in screen" method in your case. Let us know if you have trouble, or if this doesn't work!
  19. Stapp and Minimalist are correct. Adding a monitoring exclusion for Media Player Classic's installation folder works for now. Instructions to add monitoring exclusions for a folder: Open your Emsisoft Anti-Malware or Internet Security product. Click "Settings" in the top row, then "Exclusions" in the second row. Click 'add folder' in the "Exclude from monitoring" section, and browse to the MPC installation folder, then press OK. If for some reason this doesn't work for you, let us know here, or drop us an email at [email protected] and reference this thread.
  20. Hello Brett! You've accidentally posted your private product key on a publicly viewable forum. I'll edit the key out for you. I've tried to replicate that issue using one of my own VMs, and it does scan just fine. Would you be willing to gather debug logs for us? I would also very much like to know what drive letters are being scanned, whether any network drives are in that list that aren't accessible at the time, and what other settings are being used, please. I will also suggest that you investigate Emsisoft Emergency Kit for that type of use, because it is designed with portability in mind, and may be more suitable for 'simple' file scans like you mention. To create and send debug logs:
      1. Open Emsisoft Anti-Malware, then click 'Support', which is directly below the Quarantine box, then at the bottom, use the 'Debug logging' pulldown to enable debug logging. If you can easily reproduce the problem, enable it for a day. Otherwise, 7 days might be more appropriate. Leaving it on always isn't recommended because logs will fill the hard drive, eventually. Close the Emsisoft Anti-Malware window after making your selection.
      2. Reproduce the issue you are having, twice if possible. The issue must occur, or the logs won't be of any use.
      3. Once you have reproduced the issue, open Emsisoft Anti-Malware again, and click on Support again, then click on the button that says "Send an email". Select everything in the right hand column that shows today's dates. Fill in the e-mail contact form, and be sure to mention who was helping you. Click on "Send now" at the bottom once you are ready to send the logs.
      *Important* Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.
  21. It appears someone else already did it. Your machine hasn't exceeded its mapping limit today or yesterday. I'll reply via email to that thread.
  22. The issue described in this topic and the issue described in the topic you linked, and your issue, are not the same things. They may seem to be because of the symptoms, but they are not. If you would, please either start a new topic here in the forum so we can investigate the issue you're having, or email [email protected]. There may be a simple 'fix' for you, depending on how it turns out that you're using that ramdisk.
  23. Even though it looks similar on the surface, I don't believe the problem you're having is related, heroism. If you would, please email [email protected], mention that you posted here, and I'll do some investigating. Then we'll know for sure!
  24. Handling this via email. As it turns out, it's something quite unusual. I'll try to post the cause/cure here when we're finished.
  25. Unfortunately it does appear this is GlobeImposter 2.0, which is not currently decryptable.