iWarren
Member
Content Count: 138
Days Won: 1

Everything posted by iWarren

  1. I switched to the Beta feed, and all is working well, Frank. Thank you for your quick action on this matter! Programs appear to be blocking as they should. Well done. I will continue to observe and report.
  2. That is understandable, but at the same time, this blocking issue did manage to make it through a beta feed, which is designed to catch things like this. Considering the nature of this feature, and that some people might not utilize the forums, a user might block an item like I did with utorrentie and just expect it to be blocking behind the scenes. It might be prudent to expedite the fix into the stable feed, though I understand the need for due process as well. Well, I don't want to get into a technical battle with you GT500, lol, but not all Windows versions, like Win7 Home, give you access to modify group policy settings. I'm sure if you dug deep enough, you could probably find some registry settings as a workaround, but it'd be tedious. One of the major reasons why I love EIS so much is this application blocking ability... because it gives you a bit more control over what is happening behind the scenes. EIS is more than just a networking firewall, but an application firewall as well, which are two features that really just complement each other. I prefer to block other programs too, like spoolsv.exe for example, a service designed for printers specifically, which, I know, you could just disable and likely never see again. It's just one of those programs that, if you're not using it, I don't want to take the chance that it can be executed without my knowledge. I think in the past I read it could be misused by an attacker. Another good example of using the block feature is to block GWX programs, which isn't as much an issue today, but when Microsoft was making its big push on Win10, the block feature was really invaluable in preventing Win10 installation attempts. I also use this blocking feature while gaming with Steam, as some games will try to access a Google Chrome extension through Steamwebhelper, and it can potentially open you up to security flaws, as well as give you latency issues from adware.
So it's daily usage like this that makes the blocking feature really a handy tool, and that's just "my" preferences; I'm sure others out there have equally useful usages.
  3. I know it is happening in the stable feed, but I was just judging by the timing that the blocking stopped working and the forensic log feature was created, and suggested that it was probably a change made while doing work on the forensics. I was kind of hoping once fixed, you'd be able to push it into the Stable feed, considering it was already a standard proven feature, and could be relatively important to a lot of people. Program blocking is a pretty crucial feature of the EIS suite. At the very least, can you give an ETA on when the beta 2 build might be released?
  4. I have also tried it on other non-Microsoft programs as well (which are known to be safe and signed properly), and the result is the same.
  5. I tested on Autoruns.exe (from the Sysinternals Suite), which modifies auto-run entries. As you probably know, if you set the program to "Custom Monitoring" before running it, it will tell you what behavior is a possible threat and ask you to confirm running it. Autoruns.exe blocks the same as Procexp.exe (Process Explorer), because procexp triggers the "Modify auto-run entries" behavior, as well as "Attempts to modify other programs". So anything that has a behavior being triggered is being blocked correctly, whereas programs like Notepad and MSPaint do not have these behaviors to worry about, so they are being allowed to run freely.
  6. In the "Behavior Blocker", when I hover over the (Company) column, the mspaint and notepad entries say "Verified by digital signature". I think it's more likely it's something to do with the actual detection of the behaviors, because it doesn't seem to matter which behavior is triggered, so long as a behavior is detected, before it agrees to block. Probably when the forensics was being worked on, it seems like an IF-condition was altered, which results in this behavior. I think at this point we'll probably just have to wait until the relevant code is reviewed.
  7. Peter, in GT500's defense, he makes a valid point regarding torrents, but it's also beside the point as well. lol At any rate, I'm sure he was being helpful by offering me a potentially better program alternative.
  8. I might add, I have this occurring in both stable and beta versions, and had clean installations and factory defaults.
  9. Thank you everybody for working with me on this; I was going a bit mental with this and am glad it's just not me. JeremyNicoll, on 32-bit Windows there's only 1 copy of Notepad (unless you count the backup repositories), and on a 64-bit system they have 2 copies, or maybe 3 copies as you stated... In each case, each one would have its own specific rule, and you should be able to differentiate them by file location. The problem is as I stated earlier: If the program is set as blocked (do not run), and it detects anything in the "custom behaviors" list (even though no custom behaviors are set), it will block that application from running. If the program is set as blocked (do not run) and detects nothing in the "custom behaviors" list (even though no custom behaviors are set), it allows that application to run (which is not good!). You can try it yourself by finding a random program... like Winamp for example; if you set it to custom monitoring, you will notice it detects its connection attempt as suspicious activity... so if you blocked Winamp, it will block that program, because the trigger was in the custom behavior list. Then find a generic program, like Notepad, MSPaint, Audacity... you can set it to custom monitoring, identify that it has no suspicious activity, then try to block the program, and you will notice it allows it to run. Hopefully we can get this cleared up soon. Thanks again!
  10. As I said previously, the block is 'only' triggering on programs that have at least 1 of the unwanted behaviors (i.e. backdoor-related activity, changing the hosts file, etc.), and since programs like Notepad or MSPaint have none, it doesn't seem to be blocking them at all.
  11. Many programs out there incorporate some form of adware to maintain their free status; Skype and MSN Messenger, for example, are popular programs that have incorporated ads into their functionality. That's neither here nor there though. My main issue is that programs are not being blocked properly.
  12. There are no folders or files in the exclusion list. Remember, I had restored everything to factory defaults. Has anyone tested theirs for similar behavior?
  13. I noticed that it does block "some" programs, but not all of them. It looks like... if 1 custom rule behavior is triggered when it is marked as "Blocked (impossible to run)", then it will block the program. However, if the program is set to be blocked and none of the custom trigger behaviors are triggered, then it will not block the program. So typical programs like Notepad and MSPaint are not being blocked when they are set to be blocked, and atypical programs, that have potential for undesired behavior, are getting blocked.
  14. I reinstalled again, this time running EmsiClean; it did not detect any additional residual files. Deleted the Emsisoft folder manually in Program Files. Reinstalled, restarted. Still does not block the specified applications from running. Testing on mspaint.exe and notepad.exe (and other files not located in System32). Installed the Beta version and reset factory defaults; still does not block any programs.
  15. My problem appears to be a little more serious, as it doesn't seem that the Behaviour Blocker is blocking "any" of the programs I specify are to be blocked. Created several blocks for a variety of different applications, and it wouldn't block any of them, even after a factory reset and reinstallation of Emsisoft. Any ideas?
  16. I've had this installation of EIS running for quite some time.
    Emsisoft Internet Security Version: 2017.6.0.7681
    Windows 7 (32-bit) Service Pack 1
    (No other known conflicting software installed)
  In my Behavior Blocker - Application Rules, I have utorrent.exe allowed to run. Then I also have utorrentie.exe set to be blocked from running. When I start utorrent.exe, taskmgr shows that 2 instances of utorrentie.exe are being allowed to run. I think in the past I recall that utorrentie was possibly being blocked normally. I am curious if these 2 instances are not being allowed because their parent program is being allowed. I enabled advanced debug output (and restarted), and included the relevant information. I was going to just reinstall EIS and see if the problem resolves, but I first thought it'd be helpful to collect as much information on the problem as possible. Let me know if you need more information, and/or whether you want me to reinstall.

  a2service Log
    08:53:06.858 940 -> TFirewallRulesManager.UpdateRulesEnabling(RuleFileName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
    08:53:06.858 940 -> DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
    08:53:06.858 940 <- DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe): C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:06.858 940 -> TStoreManager.LocateSection('Rules','C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe','0'): TCustomSection
    08:53:06.858 940 <- TStoreManager.LocateSection(...): Result = 00FACA38

  firewall log
    08:53:40.866 1384 FWDBG: [WFP] ProcessCreated: 3548 C:\Program Files\Emsisoft Internet Security\a2start.exe
    08:53:42.551 1300 FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3580
    08:53:42.566 1308 FWDBG: PROCESS: 3580 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
    08:53:42.566 1308 FWDBG: [WFP] ProcessCreated: 3580 C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
    08:53:42.988 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 58788, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:43.034 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 62531, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.142 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57738, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.267 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49166, Remote: 23.21.139.158: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.376 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 5351, Remote: 192.168.0.1: 5351, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.532 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57029, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.563 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 65467, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.594 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49191, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.626 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49167, Remote: 52.84.21.89: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.657 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49168, Remote: 208.111.179.219: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.657 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49169, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.688 1300 FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3816
    08:53:44.688 1308 FWDBG: PROCESS: 3816 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.688 1308 FWDBG: [WFP] ProcessCreated: 3816 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.719 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49170, Remote: 52.84.19.74: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.782 1300 FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3848
    08:53:44.782 1308 FWDBG: PROCESS: 3848 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.782 1308 FWDBG: [WFP] ProcessCreated: 3848 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.797 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49171, Remote: 52.84.19.74: 443, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.860 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 51879, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.891 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 60714, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.938 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 61338, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.938 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49172, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.938 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49173, Remote: 188.166.37.159: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE

  a2rules.ini
    [C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe]
    Revision=4
    SectionType=1
    SHA1=873D6472B719B6A07C9DBDCB09DBEB04FE56EBA2
    GUID={6986CF07-4153-4EC9-907F-45C95273BBF4}
    Action=1
    Worm=0
    Dialer=0
    Backdoor=0
    Hijacker=0
    Inject=0
    Downloader=0
    Spyware=0
    Service=0
    KeyLogger=0
    Startup=0
    HiddenInstall=0
    Virus=0
    Hosts=0
    Rootkit=0
    BrowserSettings=0
    Debugger=0
    RemoteControl=0
    DirectDiskAccess=0
    SystemPolicies=0
    Exploit=0
    CryptoMalware=0
    FirewallInMode=0
    FirewallOutMode=0
    MD5=AFB311776018C6564FE8A25CD5FD78C9
    Updated=1

    [C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe]
    Revision=4
    SectionType=1
    SHA1=B677DD6E7B885A8E57C03FA6D4CE3BA4D655C2E5
    GUID={229DB36D-F13F-4609-82AB-5BEAC079887C}
    Action=2
    Worm=0
    Dialer=0
    Backdoor=0
    Hijacker=0
    Inject=0
    Downloader=0
    Spyware=0
    Service=0
    KeyLogger=0
    Startup=0
    HiddenInstall=0
    Virus=0
    Hosts=0
    Rootkit=0
    BrowserSettings=0
    Debugger=0
    RemoteControl=0
    DirectDiskAccess=0
    SystemPolicies=0
    Exploit=0
    CryptoMalware=0
    FirewallInMode=1
    FirewallOutMode=1
    MD5=F233F4591F9CC22166095F109090DEB1
    Updated=1
    BehaviorBlockerEnabled=1

    [FirewallRules_229DB36DF13F460982AB5BEAC079887C_C4FD508883334C0FBB3F937002F8BF9B]
    Revision=1
    SectionType=2
    Name=Autorule
    Index=2
    Type=APP
    Protocol=TCP
    Resolution=BLOCK
    Direction=OUT
    NetworkType=ANY
    ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    Enabled=0

    [FirewallRules_229DB36DF13F460982AB5BEAC079887C_464279183A724962B6C8738B54B67FF8]
    Revision=1
    SectionType=2
    Name=Autorule
    Index=1
    Type=APP
    Protocol=TCPUDP
    Resolution=BLOCK
    Direction=OUT
    NetworkType=ANY
    ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    Enabled=0

    [FirewallRules_229DB36DF13F460982AB5BEAC079887C_003B5FE636FC40B485E8E508C2A748F9]
    Revision=1
    SectionType=2
    Name=Autorule
    Index=0
    Type=APP
    Protocol=ICMP
    Resolution=BLOCK
    Direction=OUT
    NetworkType=ANY
    ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    Enabled=0
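The a2rules.ini shape posted in post 16 and the blocking behaviour iWarren describes in posts 9 and 13 (a program set to "Blocked" is only stopped when one of the behaviour flags fires at launch) can be modelled together. This is an added example, not Emsisoft's code and not something posted in the thread; that Action=1 means allow and Action=2 means block is inferred from which of the two posted rules is the allowed and which the blocked one, the Notepad and Autoruns paths are assumed, and the "observed" decision function is a hypothetical model of the reported regression, not the product's actual logic.

```python
"""Added, constructed example (not Emsisoft's code, not posted in the thread).

Parses a2rules.ini-style application sections in the shape of the excerpt above
and compares the decision expected for a rule set to "Blocked" with the one
reported in posts 9 and 13 (block only when a behaviour flag fires). Action=1
meaning allow and Action=2 meaning block is inferred from the excerpt.
"""
import configparser

ACTION_ALLOW = 1  # inferred from the allowed uTorrent.exe section
ACTION_BLOCK = 2  # inferred from the blocked utorrentie.exe section

# Behaviour flag keys present in each application section of the excerpt.
BEHAVIOR_FLAGS = (
    "Worm", "Dialer", "Backdoor", "Hijacker", "Inject", "Downloader",
    "Spyware", "Service", "KeyLogger", "Startup", "HiddenInstall", "Virus",
    "Hosts", "Rootkit", "BrowserSettings", "Debugger", "RemoteControl",
    "DirectDiskAccess", "SystemPolicies", "Exploit", "CryptoMalware",
)

# Constructed paths (user name masked as "xxx" as in the thread; Notepad and
# Autoruns locations are assumed).
UTORRENT = r"C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe"
UTORRENTIE = r"C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
AUTORUNS = r"C:\Tools\Autoruns.exe"

# Constructed a2rules.ini fragment in the shape of the posted excerpt (hashes
# and GUIDs omitted; behaviour flags that are not listed parse as 0).
SAMPLE_INI = f"""
[{UTORRENT}]
SectionType=1
Action={ACTION_ALLOW}

[{UTORRENTIE}]
SectionType=1
Action={ACTION_BLOCK}
BehaviorBlockerEnabled=1

[{NOTEPAD}]
SectionType=1
Action={ACTION_BLOCK}

[{AUTORUNS}]
SectionType=1
Action={ACTION_BLOCK}

[FirewallRules_constructed]
SectionType=2
Resolution=BLOCK
ObjectName={UTORRENTIE}
"""


def parse_app_rules(ini_text):
    """Return {lower-cased path: {"action": int, "flags": {flag: 0/1}}} for
    SectionType=1 sections; firewall sections (SectionType=2) are skipped."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (SHA1, KeyLogger, ...)
    parser.read_string(ini_text)
    rules = {}
    for name in parser.sections():
        sec = parser[name]
        if sec.get("SectionType") != "1":
            continue
        rules[name.lower()] = {
            "action": int(sec.get("Action", str(ACTION_ALLOW))),
            "flags": {k: int(sec.get(k, "0")) for k in BEHAVIOR_FLAGS},
        }
    return rules


def expected_decision(rule, triggered):
    """'Blocked (do not run)' stops the program whether or not a behaviour fired."""
    return "block" if rule and rule["action"] == ACTION_BLOCK else "allow"


def observed_decision(rule, triggered):
    """Hypothetical model of the regression in posts 9 and 13: the block only
    applies when at least one behaviour flag fires at launch."""
    return "block" if rule and rule["action"] == ACTION_BLOCK and triggered else "allow"


def find_regressions(rules, launches):
    """Launches (path, set of triggered flags) where the observed model lets a
    'Blocked' program run; each entry is (path, expected, observed)."""
    out = []
    for path, triggered in launches:
        rule = rules.get(path.lower())
        exp, obs = expected_decision(rule, triggered), observed_decision(rule, triggered)
        if exp != obs:
            out.append((path, exp, obs))
    return out


# Constructed launches mirroring the thread: utorrentie.exe and Notepad start
# with nothing detected, Autoruns touches auto-run entries.
LAUNCHES = [
    (UTORRENT, set()),
    (UTORRENTIE, set()),
    (NOTEPAD, set()),
    (AUTORUNS, {"Startup"}),
]
```

Running `find_regressions(parse_app_rules(SAMPLE_INI), LAUNCHES)` reports utorrentie.exe and notepad.exe as expected "block" but observed "allow", while Autoruns is blocked by both models, which is exactly the split iWarren describes.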
  17. I think you can redesign something like Windows, but in this case it'd be best to start almost from scratch... I realize it'd be a gigantic undertaking, but perhaps that is really the next leap forward for computer processing: to realize a closer relationship between hardware and software, where the hardware and software are "meant" specifically for each other, instead of a "one size fits all" kind of approach to software architecture, where there can be a dozen different ways to program 1 specific task, and not all of them desirable or even correct. That would require a more intimate relationship between the chip designers and the software developers. It seems to me that software is becoming needlessly more and more complex... when it should be getting simpler. It's this mentality though that... in order to create new secure and compatible features, we should keep adding on layer after layer of architecture, forcing the developer to constantly be learning new constructs... when most of this should all be taken care of automatically by the compiler. If you look at almost every version of Windows... you always saw Visual Studio stepping along right beside them... like they'd improve their editor tools, and it was then demonstrated in Windows versions. So I think maybe they kind of lost sight of this relationship, that building better tools allowed them to keep building a better product. Software is coded by human beings, and yes... people make mistakes, but if they keep working at the same thing and gain practice... they inevitably get better at it, or at the very least learn their capabilities. Which is why you can't just create the core code and leave it alone; it has to evolve with the rest of the hierarchy. I think it's safe to say that the core of Windows probably hasn't gone through much of an overhaul in a long time, judging by the appearance of the file structures.
I think this is likely why Linux is so successful: because it takes its ego out of the picture and has let people view and edit the core, pinpointing its flaws. The way things are going, I think Linux is going to give Windows a run for its money... and relatively quick-like. As soon as Windows tries their "pay as you go" service on people, I think you're going to notice a huge impact in attitude.
  18. I think that's absolutely true, that the user is often responsible for driving the operating system into dangerous territory with unsafe browsing practices. That being said, I think Windows "in general" doesn't really treat the internet like it's a potentially dangerous place. This is evident in all of the default settings of a new installation... that everything comes pre-enabled, with a sort of "plug and play" mentality, that Windows MUST connect with every device in existence, whether it's a printer or some random wireless network. It's like this laptop I worked on once; it was set to "Automatically connect" to basically any network with a viable signal. It's that kind of mentality, that everything must be connected "out of the box", that really gets people in trouble. The idea is... they don't want to have to deal with people's insufficient knowledge for not knowing how to enable these devices... so they make it so easy a caveman could do it. It's like you said quietman7, that... the user is usually at fault, for a few reasons:
    * Unsafe browsing habits. (allowing JavaScript, using Flash, using Java, installing 3rd party addons, etc.)
    * Uninformed computer usage. (i.e. not setting up user accounts, no passwords, weak passwords, poor decisions running programs, etc.)
    * Improper settings configured. (allowing NetBIOS, Secondary Logon service, print spooler, Remote Access Service, flawed file permissions, web camera enabled, etc.)
  All of these... all come down to just lack of information, and changing your computing habits. In a way... by allowing all of these things automatically, Microsoft does everyone a disservice, in that people never learn how to turn on/off the devices they want to run. They make little to no effort to try to educate people on how to keep their computer secure... and would rather let the user sit in ignorant bliss during the installation, watching a progress bar (with no ETA), and telling everyone "how great these new features are", so that a few years down the road they can trash it and call it all rubbish. I think if you expect people to practice basic security practices, they should make some effort to try to educate people about them. People shouldn't have to go to college or read a "Windows for Dummies" manual to understand how it all works... there should be integrated tutorials, and Windows Help and MSDN don't quite cut it. I think the "real" issue comes down to Windows design... instead of trying to cover 1 root design problem with a dozen patches, it should all be redesigned from the ground up... I mean, look at the Windows folder; there are still 16-bit files cluttering it up. lol And in my opinion, their cross compatibility for 32-bit / 64-bit just makes development and usage in general a complete mess... I mean, you don't see people using 16-bit applications anymore, nor do we have architectures that serve it anymore. They made a decision to drop support for it, and they really need to do the same here, so they can let go of an old architecture and just move on. Microsoft lost its way with Windows 8, going off of some really bad advice that PCs were dead and anybody who is anybody uses a smartphone or tablet. That didn't stop them from pushing it on us... and we were expected to "adapt" to the new design change... and then once it became concrete that it was a flop, they actually stopped and listened to their users and redesigned it... it hasn't been so long though since Windows 8's release, in retrospect. lol I just find it really hard to believe that there has been some exponential leap in architecture for them to make claims that 10 is better than 7... when 10 is more or less 8 with a new paint job, a new name, and some additional features and services. According to Steve Ballmer, Windows 8 was the wave of the future, with its new touch-screen "panel" design... Just finding it really hard nowadays to trust that Microsoft is being "genuine" with us.
  19. Is there some inherent architecture though, that Windows 10 has, that makes it invulnerable to security threats? The way Microsoft reps are describing it... at this point in time, you are "at risk" if you don't upgrade to Windows 10. Microsoft has been known to wait long periods of time before releasing security updates, to the point that some individuals almost have to force their hand just to get them to push the security updates out. So it just seems to me like they would have even less motivation to push out security updates for 7 than they did before, especially if they're already touting the insecurities of 7. They might be offering "support" until 2020, but how dedicated and how broad is their team to continue this process? With the way companies are constantly trying to scale things back and get more for less, it seems like this would be such an area they might try to scale back, because it's no longer profitable for them.
  20. What happens when Windows 10 has evolved to the point that it has become so bloated with features we don't want anymore? Will Microsoft one day look back on Windows 10 and call it a fat ugly child that nobody wants, kick it to the curb too, and offer us another alternative? The lack of loyalty to prior products just seems a bit saddening... that whatever product you do choose with Microsoft will one day become obsolete and put out to pasture, because some new pretty OS comes along that is more attractive and can cook and clean for us. Whatever happened to 'til death do us part? Also, a friend of mine suggested rumors that Windows 10 is less secure from "big brother", i.e. Microsoft or government agencies, with "Call Home" features. Is that the cost of what we pay for security... we have security from malware, but designed insecurity from its creators and law enforcement? It kind of jogs my memory of a news article I read, about supposedly the NSA paying Microsoft not to use more advanced forms of RSA encryption, to make it easier for them to crack it. Whether that was true or not... it just kind of seems like we're being led astray... or being corralled into making a choice that just forces us to pay Microsoft on their timetable, and to give up our privacy when they want it. What happened to the consumer's freedom... to pay when "they" want to... and their freedom... to share with the world what "they" want to share? The more I learn about computer security, the more it just seems like it's all an illusion, that there is no such thing as security... and we all are at the mercy of some creepy old man behind a curtain. It's at this time that someone generally suggests I use some Linux distribution, we play a 5 minute musical montage of me learning Linux, and then I spend another 20 years rediscovering a parallel version of the yellow brick road, that generally leads to the same place... a creepy old man behind a curtain. I miss the 90s... when ignorance was bliss, and curtains were brick walls.
  21. I've seen all over the internet news articles cropping up that say generally the same thing: that Microsoft has been saying that Windows 7 isn't as secure as Windows 10. Like this article here, for example: https://www.extremetech.com/computing/242795-microsoft-warns-windows-7-dangerously-insecure-2017 So my question is... is there a legitimate security concern to be worried about with Windows 7, such that if I really want a "secure" system, I really should update to Windows 10? Or... is this just a push by Microsoft to scare users into purchasing their new software, and get as many people hooked as they can, before pushing their "pay as you go" monthly installment plan, so that spreading this propaganda that Windows 10 is inherently more secure than its predecessors will eventually sink in, that a change to Windows 10 is "mandatory" if you want to stay secure? I mean, if the issue is... that Windows 7 is not capable of adapting to real-time threats... then would not Emsisoft security fill in for that, doing much what Windows 10 does? The only advantage I could see might be the sandboxing... but even then, just adding more frameworks does not solve security issues; it just obstructs the path, generally until someone finds a way around it. Microsoft's solution to security seems to be putting layer upon layer of "safeguards" in the form of frameworks, which generally just seems to complicate the development process. (Correct me if I'm wrong there.) I think what really kills me... is that when they released Windows 7... they pushed it as being the "bee's knees", that it's just better, new and improved, being more secure than its predecessors... and then, after Windows 8 gets a bad rap, and they go into serious recovery mode, and go out of their way to rebrand Windows 8 and fix some problems... all of a sudden, Windows 7 becomes this evil monster that must be vanquished, and if you don't jump ship... your computer will fall victim to the 7 hells of earth, or the Windows version of a step-brother you never wanted. It's like now that they have created a new version, there's a huge push to try to discredit everything they worked for in the past... it doesn't make sense. Why would you discredit a version you worked so hard to create? I mean... I bet you people would probably pay the same amount of $ for a new version of Windows, just to keep a steady stream of updates rolling in for Windows 7. It also begs the question, just because Windows 10 is here... does that mean they're not going to give 7 the same love and attention to keep it secure... or if a new flaw crops up... are they just going to "let it happen", so that they can then count it as another reason for you to upgrade to Win 10? I just feel a little put out by Microsoft in general... even though I really do try to stand behind it. For years, I even stood behind Internet Explorer... before almost forcefully being switched, by an awful beta experience... I would really appreciate some input on this situation, and a focused response on whether this is a "legitimate" security issue or just a marketing ploy. Thanks!
  22. Yes, in Online Armor v9, I would set it to "Ask" about every program, whether trusted or not. I remember several times I would block critical Windows programs and then have Windows fail to start... and would have to boot into safe mode to reset. Eventually though, I learned exactly which programs I needed to keep around to boot up Windows. My suggestion is... do the same exact thing that you did to the firewall options of "Emsisoft": if you try to block a2service.exe, it states that it could cause undesirable issues. So you could just create a short list of the required Windows files:
    csrss.exe
    winlogon.exe
    wininit.exe
    userinit.exe
    lsm.exe
    lsass.exe
    smss.exe
    services.exe
    svchost.exe
  Then just forbid those files from ever being blocked, while still allowing firewall options and custom rules to be applied. Or alternatively, a better idea... just warn the user that the file is critical to normal operation and you tinker at your own risk. When I used to do the blocking in OA v9, by blocking all of the extra Windows programs floating around, my goal was to make it really easy to detect anything extra that tried to run. That's where the "Ask" prompt for trusted programs came in nicely... so that once the common programs were configured to "allow/block"... it made it really easy to see if anything suspicious was trying to run in the background. I admit, it was a bit more time consuming, but I felt like I had more control of the security of the system. Now it just seems like every program is automatically trusted just to ensure everyone has a smooth operating experience. I prefer to use my system on an "as needed" basis; if I need to use a printer... I start the (spoolsv.exe) printer service... then when I am not using the printer, the service is stopped. I don't expect Emsisoft to take care of that for me, but that's just my philosophy on how I think the system should be running... and not have Windows try to shotgun all the programs at startup, just because we "might" need to use them. I think that's where my suggestion I made once before might come into play... where you could initiate "Timer-based Allowing/Blocking" so that when triggered... by clicking an icon/entry, or based on some type of event... EIS could execute a timer script, to say... Allow spoolsv.exe to run... (maybe initiate the running of the program as well) and then automatically Block it 10 minutes later.
  23. Yeah, and I've had this logging feature going for a year with hardly any issues. That's the only reason why I kind of wanted to take a look at what was going on: because it was consuming tons of hard disk space... The game was relatively old, and it was from a trusted source, so I don't think there was any foul play; most likely it was antiquated programming that was directly accessing the hard disk. I doubt it's worth investigating further. Just thought I'd share that experience.
  24. I understand, I'll have to try to do some more testing later on. I do think that there is definitely an issue though with the detection of programs that are being run through conhost.exe. I think it's because of how I compile the program, using a /SUBSYSTEM:CONSOLE parameter, which I'm curious whether it's a best practice for creating console applications. From my reading, conhost creates a 3 MB conhost program in memory for every execution of a console program. Even Cmd.exe I think has to utilize Conhost.exe to operate. I just know that the detection of the program in "Behaviour Blocker" is hit and miss. I'll have to look again to see if it's just not updating it, or if it's being placed in a2rules.ini.
  ------------------------------------------------------------
  On a side note, I remember in EIS v9 you were able to specify an 'Ask' prompt on whether to run trustworthy programs... or to 'Ask' prompt on unknown programs. In EIS v11, it only gives you the "Ask, Allow, Block" options for Firewall connections. In EIS v11 there is the "Privacy" section which lets you set up "Automatically allow programs with good reputation" and "Automatically quarantine programs with bad reputation." I really wish you could pass along a request to the developers about re-adding the feature where you can get a prompt to allow a program (even if it is trusted). What was great about EIS v9 as well was that it gave you more detailed information about the drivers involved in creating the process. I do think the EIS v11 interface is a step up, but losing these vital features, I think, was a step back as well. I don't think it would be terribly difficult to implement either, as most of the menu interfaces are already set up, and the a2rules.ini should already contain the basic structure required to add this feature in smoothly. The reason to support this feature is that once most of the primary Windows programs are accepted, the system will typically run smoothly without many additional prompts. Every now and then though, you have some questionable software or an installer that you want to allow/deny step by step... and that's where it was really nice with v9, that you could have more control over the process. I realize the idea is to make a one-size-fits-all program, but I also like the idea of more advanced features, and worst case scenario... you could make a list of absolutely required Windows applications that need to run. One perfect scenario where this would have worked nicely... is that Windows recently asked me to run GWXconfig.exe or some related GWX program that was designed to try to notify me to update to Windows 10... granted, I blocked the application anyways, but it would have been nice to have had a prompt asking if I wanted to run the program. Something to think about.