hjlbx last won the day on February 3 2015

  1. I'd be surprised if the BB\new fortification does not monitor for disabling of WFW by unknown processes and via abuse of trusted processes. Modifications of the WFW portions of the registry, netsh, Set-NetFirewallProfile, etc. are monitored by the BB if I am not mistaken - but the monitoring might be limited to only suspicious actions - and turning off WFW in and of itself is not a suspicious action. The context within which it is turned OFF is what differentiates legitimate from suspicious actions, but I do not know if EAM makes that distinction when turning OFF WFW. Windows itself already provides a notification when WFW is disabled - either a toaster on W10 or a Security Center tray icon tooltip. So, even if malware manages to somehow bypass the BB and disables WFW, Windows itself notifies the user "Hey!! WFW is OFF!" It is possible that Emsisoft chose to rely upon the Windows notification that WFW is OFF. If that is the case, then the ease with which that notification can be disabled should be considered. If the user manually disables the WFW, well then, that is on the user. Isn't it? Ask Arthur (GT500).
  2. Keep in mind both powershell.exe and cmd.exe are whitelisted processes. You can modify their respective BB categories for demonstration purposes. It isn't going to demonstrate the same thing as an unknown process attempting to disable Windows Firewall.
     Open an administrative PowerShell. Type
         Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
     (to turn back on, change False to True)
     or
     Open an administrative command prompt. Type
         netsh advfirewall set allprofiles state off
     (to turn back on, change off to on)
  3. Did anyone try the typical default "forever" value of 0 ?
  4. Using a 3rd-party firewall does not automatically block nor ensure blocking of Microsoft data collection. It doesn't work that way.
  5. COMODO's firewall has rated highly in tests from years gone by. It has a HIPS and sandbox. If you intend to use the sandbox along with EAM's BB you can forget it as the sandbox interferes with the BB. I've seen misbehaviors. With a CFW EAM combo you are certain to get double alerts. You should ask Arthur (GT500) if EAM can even run alongside CFW nowadays.
  6. No. I had used EIS since it was released. It offered no significant advantage over Windows Firewall - mostly because 99.99 % of the time the laptop was behind a home NAT router and 100 % of that entire time the system was never infected. For public wifi usage a VPN is more relevant to security than a 3rd party firewall. The behavior blocker monitors for suspicious firewall\port activity. In other words, suspicious firewall\port activity triggers a behavior blocker alert. A lot of people just see a BB alert, but do not understand that it is alerting to suspicious firewall actions. In malware testing the BB is picking-off suspicious networking stuff.
  7. The absence of obvious conflicts on a day-to-day basis does not mean that conflicts between the two products cannot happen, especially when the system gets smacked with malware and both products simultaneously react to protect the system. One product's protection mechanisms can interfere with the other's. In the worst case scenario such a conflict can result in a protection failure in both products. Plus there can be double alerts - not to mention impact on system resources. While such combos are possible, they are not in a user's best interests. Perhaps it is counter-intuitive, but less is more.
  8. EAM *.7838
     Windows 10 Pro 1703 OS Build 15063.540 x64
     1. Execute malicious file (Locky variant)
     2. Behavior blocker eventually detects suspicious activity, AMN query is performed, Bad reputation is returned, and the behavior blocker auto-resolves the file by terminating and sending to quarantine
     3. The malicious process still appears in the behavior blocker list of actively running processes, but the process is not in active memory on the system
     4. In the behavior blocker list, right-click on the process and select any of the context menu options and nothing happens (as expected)
     5. Reboot system removes process from the behavior blocker active list
     6. This same quirk happens when an active Bad reputation process, that just sits there and does nothing to trigger the behavior blocker, self-terminates
     Locky_Variant__diablo6.zip termsrv.zip
  9. EAM *.7838
     Windows 10 Pro 1703 OS Build 15063.540 x64
     1. Extract malware pack
     2. Files are detected by File Guard real-time protection
     3. Detected files are auto-quarantined and added to the Quarantine folder with .EIQF extension
     4. Not all detected and auto-quarantined files appear in the GUI Quarantine list
     5. Also some event logging quirks appeared in the Forensic Log during the process of detection and auto-quarantine
     There are occasional duplicate entries. The Component\Action sequences are OK. In the image below, take note of duplicate, identical line items for:
     xls.xls (there is a duplicate "infection quarantined")
     JbhbUsFs.exe (there is a double behavior blocker detection and Core notification)
     Minor GUI stuff; the applicable protections themselves are working.
     11-8-17_6.7z
  10. I had a similar issue with Dell Command Update that I did not post here. Instead I supplied the utility by sending to [email protected] The issue was fixed. If that DetectDockW.vbs persists in that directory, then you'll want to send it along with the HP Recovery agent.
  11. Arief has everything and states it will be fixed over the next few updates. Please close out this thread if you wish, Frank.
  12. Office365 installer submitted to [email protected] along with a link to this thread. The Office365 installer was not auto-quarantined. Also, a file manually added to quarantine by the user cannot be submitted as a false positive; the false positive button is disabled when a user manually adds a file to quarantine.