Jump to content


  • Posts

  • Joined

  • Days Won


Everything posted by hjlbx

  1. I'd be surprised if the BB\new fortification does not monitor for disabling of WFW by unknown processes and via abuse of trusted processes. Monitoring of modifications of the WFW portions of the registry, netsh, Set-NetFirewallProfile, etc is monitored by the BB if I am not mistaken - but the monitoring might be limited to only suspicious actions - and turning off WFW in and of itself is not a suspicious action. The context within which it is turned OFF is what differentiates legitimate from suspicious actions, but I do not know if EAM makes that distinction when turning OFF WFW. Windows itself already provides a notification when WFW is disabled - either a toaster on W10 or a Security Center tray icon tooltip. So, even if malware manages to somehow bypass the BB and disables WFW, Windows itself notifies the user "Hey !! WFW is OFF !" It is possible that Emsisoft chose to rely upon the Windows notification that WFW is OFF. If that is the case, then the ease with which that notification can be disabled should be considered. If the user manually disables the WFW, well then, that is on the user. Isn't it ? Ask Arthur (GT500).
  2. Keep in-mind both powershell.exe and cmd.exe are whitelisted processes. You can modify their respective BB categories for demonstration purposes. It isn't going to demonstrate the same thing as an unknown process attempting to disable Windows Firewall. Open an administrative PowerShell. Type Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False (to turn back on change False to True) or Open an administrative command prompt. Type netsh advfirewall set allprofiles state off (to turn back on change off to on)
  3. Did anyone try the typical default "forever" value of 0 ?
  4. Using a 3rd-party firewall does not automatically block nor ensure blocking of Microsoft data collection. It doesn't work that way.
  5. COMODO's firewall has rated highly in tests from years gone by. It has a HIPS and sandbox. If you intend to use the sandbox along with EAM's BB you can forget it as the sandbox interferes with the BB. I've seen misbehaviors. With a CFW EAM combo you are certain to get double alerts. You should ask Arthur (GT500) if EAM can even run alongside CFW nowadays.
  6. No. I had used EIS since it was released. It offered no significant advantage over Windows Firewall - mostly because 99.99 % of the time the laptop was behind a home NAT router and 100 % of that entire time the system was never infected. For public wifi usage a VPN is more relevant to security than a 3rd party firewall. The behavior blocker monitors for suspicious firewall\port activity. In other words, suspicious firewall\port activity triggers a behavior blocker alert. A lot of people just see a BB alert, but do not understand that it is alerting to suspicious firewall actions. In malware testing the BB is picking-off suspicious networking stuff.
  7. The absence of obvious conflicts on a day-to-day basis does not mean that conflicts between the two products cannot happen, especially when the system gets smacked with malware and both products simultaneously react to protect the system. One product's protection mechanisms can interfere with the other's. In the worst case scenario such a conflict can result in a protection failure in both products. Plus there can be double alerts - not to mention impact on system resources. While such combos are possible, they are not in a user's best interests. Perhaps it is counter-intuitive, but less is more.
  8. EAM *.7838 Windows 10 Pro 1703 OS Build 15063.540 x64 1. Execute malicious file (Locky variant) 2. Behavior blocker eventually detects suspicious activity, AMN query is performed, Bad reputation is returned, and the behavior blocker auto-resolves the file by terminating and sending to quarantine 3. The malicious process still appears in the behavior blocker list of actively running processes, but the process is not in active memory on the system 4. In the behavior blocker list, right-click on the process and select any of the context menu options and nothing happens (as expected) 5. Reboot system removes process from the behavior blocker active list 6. This same quirk happens when an active Bad reputation process, that just sits there and does nothing to trigger the behavior blocker, self-terminates Locky_Variant__diablo6.zip termsrv.zip
  9. EAM *.7838 Windows 10 Pro 1703 OS Build 15063.540 x64 1. Extract malware pack 2. Files are detected by File Guard real-time protection 3. Detected files are auto-quarantined and added to the Quarantine folder with .EIQF extension 4. Not all detected and auto-quarantine files appear in the GUI Quarantine list 5. Also some event logging quirks appeared in the Forensic Log during the process of detection and auto-quarantine There are occasional duplicate entries. The Component\Action sequences are OK. In the image below, take note of duplicate, identical line items for: xls.xls (there is a duplicate "infection quarantined") JbhbUsFs.exe (there is a double behavior blocker detection and Core notification) Minor GUI stuff; the applicable protections themselves are working. 11-8-17_6.7z
  10. I had a similar issue with Dell Command Update that I did not post here. Instead I supplied the utility by sending to [email protected] The issue was fixed. If that DetectDockW.vbs persists in that directory, then you'll want to send it along with the HP Recovery agent.
  11. Arief has everything and states it will be fixed over the next few updates. Please close-out this thread if you wish Frank.
  12. Office365 installer submitted to [email protected] along with a link to this thread. The Office365 installer was not auto-quarantined. Also, a file manually added to quarantine by the user cannot be submitted as a false positive; the false positive button is disabled when a user manually adds a file to quarantine.
  13. EIS 2017.7.0.7797 Office365 (all versions) The Office365 installer launches Powershell. Powershell code triggers Emsi's anti-exploit protection.
  14. I can't resist on this one. I sure as hell wouldn't want you sitting in my trial jury box. It would be all over for me. "Awhfff wit 'is head !!" LOL...
  15. Yeah, well, unless they get more users reporting similar slowdowns it isn't going to be prioritized for a fix. I mean I am the only one who is reporting it. And I searched for prior similar reports as far back as I could go and basically found nothing.
  16. Tested as follows: 1. Surf Protection enabled 2. Surf Protection disabled 3. All protections disabled. 4. Power Plan set to Maximum (for laptops) Same results as originally reported. The test systems have high-end hardware specs. So instead of taking only about 1 to 2 seconds to connect and load a webpage when launching Edge, it is taking 5 to 10 seconds. That's 2.5 X to 5 X longer for a browser load with EIS installed versus without it installed. It takes less than 10 seconds for me to boot into Windows on some of these systems. Hopefully you will get feedback from additional users.
  17. EIS 2017.6.0.7681 Windows 10 Pro Version 1703 OS Build 15063.483 64-bit Microsoft Edge 40.15063.0.0 With either EAM or EIS installed, I notice a distinct slowdown in the connection of Edge to IP addresses. This happens every single time I launch Edge or click on a link within a webpage. I have tested multiple high-end machines (i7 7700K, 64 GB RAM, 15+ Mbps networking speed) as well as different networks with speeds in excess of 80 Mbps. Edge connection to URLs\IPs is notably faster after EAM or EIS is uninstalled.
  18. This is just a FYI as it is a Windows bug Windows 10 Pro Version 1703 OS Build 15063.483 64-bit EIS 2017.6.0.7681 1. Windows Security Center shows EIS Firewall ON and Windows Firewall OFF (Cap1 below) 2. Despite 1 above, Windows Firewall GUI shows Public Profile - Windows Firewall ON (Cap2 below) 3. Within Windows Firewall GUI, change Public Profile - Windows Firewall from ON to OFF and then Save Settings 4. The change made in Step 3 does not always persist; Public Profile sometimes reverts from OFF back to ON (Cap2 below) 5. After attempting to set Windows Firewall Public Profile to OFF multiple times, it stays OFF (Cap3 below)
  19. Fabian mentioned somewhere in the past (I think on Wilders): 1. Powershell script parsing is an ongoing project due the many ways powershell can be used to attack 2. Attributing action to a script requires it to be unobfuscated (he made a brief distinction between unobfuscated and obfuscated) And Windows powershell is not powershell.exe; Windows powershell is System.Management.Automation. Disabling powershell.exe on a system is not 100 % absolute protection against powershell abuse. A custom .exe and .dll can be used to execute powershell even with powershell.exe is disabled. Is all of this something you should be paranoid about ? Statistically it is "fringe" stuff and should not be a day-to-day concern. The litmus test is this question: "How many dedicated Emsisoft users actually have their system(s) compromised under typical computing conditions ?" What do you think - is it a tiny, a small or a big number ? Anyway, potentially serious security issues seem to be pretty much always addressed by Emsisoft.
  20. I can confirm this behavior. If a VM is cloned or copied, then moved to another host, the HWID and MAC address of the VM changes. VM cloning and then moving it to a different system or sometimes even keeping it on the same system causes quite a bit of frustrating software deactivation and\or breakage.
  21. Just curious, how does the parser and behavior blocker handle obfuscated malicious scripts ? Same for in memory-only ? Or does File Guard simply treat obfuscated scripts as potentially malicious ?
  22. Excluding WinWord.exe in HMP.A fixes the behavior blocker; excluding WinWord.exe in Emsisoft does not fix HMP.A (stable or beta) I am not saying there is a problem with Emsisoft; from what I see, HMP.A is the problem I could care less about HMP.A - I don't use it - so I am only submitting this issue to give you a heads-up Users will have to test programs in a way to verify that HMP.A is not breaking Emsisoft's behavior blocker - and how many people are going to do that ? Personally, I don't think people should combo anti-exploits with Emsisoft - but a lot of people do
  • Create New...