iWarren

Posts posted by iWarren

  1. Glad I found this thread... I had all of these things on my mind when I first tried it out.

    I was honestly just more happy that it was blocked correctly; I didn't really mind how I was notified.

    When I blocked a program that came from the Explorer taskbar, it told me the link had been removed
    and asked me if I wanted to delete the item. Which is fine... it's just detecting that the program is no
    longer available as it once was.

    In Windows 7 (32-bit) when I block mspaint.exe like stapp did, I do get a different Windows error message.

    Mine is....

    C:\Windows\System32\mspaint.exe
    The parameter is incorrect

    Which I still think is fine.

    If we start adding EIS Alerts to everything that was blocked, it might start to become intrusive.

    I will admit, in the past, I've probably set a block and forgotten about it, but I eventually remembered I'd set it
    and remembered this type of behavior.

  2. You said that a2service.exe won't block a program if it starts before the a2service.

    Out of curiosity, do you happen to know how Windows decides what program is to run first?
    i.e. which executable takes precedence.... is it alphabetical order? Which might make sense,
    considering the starting characters "a2", or is it perhaps by order of added entry?

  3. 15 hours ago, Frank H said:

        FYI: we've just released a new Beta with the fix. I'd appreciate it if you could switch to beta and provide feedback.

        http://changeblog.emsisoft.com/2017/07/31/beta-updates-2017-07-31/

    I switched to Beta feed, and all is working well Frank. Thank you for your quick action on this matter!

    Programs appear to be blocking as they should. Well done.

    I will continue to observe and report.

  4. Quote

        It's dangerous to push fixes directly to stable without being tested first. We could end up breaking something else with the fix, so we publish a beta first so that people can try it and give us feedback, and then if everything is OK people can continue to use the beta until we no longer need to publish more changes to the beta and are confident that the beta is stable enough for the Stable feed.

    That is understandable, but at the same time, this blocking issue did manage to make it through a beta feed, which is designed to catch things like this.

    Considering the nature of this feature, and that some people might not utilize the forums, a user might block an item like I did with utorrentie, and just expect it to be blocking behind the scenes. It might be prudent to expedite the fix into the stable feed. Though I understand the need for due process as well.

    Quote

        Actually, considering that this is a feature already built in to Windows, blocking programs from running is a minor feature of security software. Obviously there are limitations to the way blocking applications from running works in Windows, however there are also limitations to how it works in EIS (if a program is already running when a2service.exe starts, then no action is taken against it).

    Well, I don't want to get into a technical battle with you GT500, lol, but not all Windows versions, like Win7 Home, give you access to modify group policy settings.

    I'm sure if you dug deep enough, you could probably find some registry settings as a workaround, but it'd be tedious.

    One of the major reasons why I love EIS so much is this application blocking ability... because it gives you a bit more control over what is happening behind the scenes. EIS is more than just a networking firewall, but an applications firewall as well, which are two features that really just complement each other.

    I prefer to block other programs too, like spoolsv.exe for example, a service designed for printers specifically. Which, I know you could just disable that service and likely never see it again. It's just one of those programs that, if you're not using it, I don't want to take the chance that it can be executed without my knowledge. I think in the past I read it could be misused by an attacker.

    Another good example of using the block feature is to block GWX programs, which isn't as much an issue today, but when Microsoft was making its big push on Win10, the block feature was really invaluable in preventing Win10 installation attempts.

    I also use this blocking feature while gaming with Steam, as some games will try to access a Google Chrome extension through Steamwebhelper and it can potentially open you up to security flaws, as well as give you latency issues from adware. So it's daily usage like this that makes the blocking feature really a handy tool, and that's just "my" preferences; I'm sure others out there have equally useful usages.

  5. 11 hours ago, JeremyNicoll said:

        The non-MS desktop reminder program I tried to block, which ran perfectly, IS digitally signed.

        This is NOT a problem caused by the new forensic log. It's happening here on the stable feed.

    I know it is happening in the stable feed, but I was just judging by the timing that the blocking stopped working and the forensic log feature was created, and suggested that it was probably a change made while doing work on the forensics.

    9 hours ago, Frank H said:

        Hi,

        This issue has been analysed, fixed and will be included in the upcoming beta 2 release.

    I was kind of hoping once fixed, you'd be able to push it into the Stable feed, considering it was already a standard proven feature, and could be relatively important to a lot of people. Program blocking is a pretty crucial feature to the EIS suite. At the very least, can you give an ETA on when the beta 2 build might be released?

  6. I tested on Autoruns.exe (from Sysinternals Suite), which modifies auto-run entries.

    As you probably know, if you set the program to "Custom Monitoring" before running it, it will tell you what behavior is a possible threat, and asks you to confirm running it.

    And Autoruns.exe blocks the same as Procexp.exe (Process Explorer), because procexp triggers the "Modify auto-run entries" behavior, as well as "Attempts to modify other programs".

    So anything that has a behavior being triggered is being blocked correctly, where programs like Notepad and Mspaint do not have these behaviors to worry about, so they are being allowed to run freely.

  7. In the "Behavior Blocker", when I hover over the (Company) column, the mspaint and notepad entries say "Verified by digital signature".

    I think it's more likely it's something to do with the actual detection of the behaviors. Because it doesn't seem to matter which behavior is triggered, so long as a behavior is detected, before it agrees to block.

    Probably when the forensics was being worked on, it seems like an IF-condition was altered which results in this behavior. I think at this point, we'll probably just have to wait until the relevant code is reviewed.

  8. Thank you everybody for working with me on this, I was going a bit mental with this and glad it's just not me.

    JeremyNicoll, on 32-bit Windows there's only 1 copy of Notepad (unless you count the backup repositories) and on a 64-bit system, they have 2 copies, or maybe 3 copies as you stated....

    In each case, each one would have their own specific rule, and you should be able to differentiate them by file location.

    The problem is as I stated earlier:

    If the program is set as blocked (do not run), and it detects anything in the "custom behaviors" list (even though no custom behaviors are set), it will block that application from running.

    If the program is set as blocked (do not run) and detects nothing in the "custom behaviors" list (even though no custom behaviors are set), it allows that application to run. (Which is not good!)

    You can try it yourself, by finding a random program... like Winamp for example. If you set it to custom monitoring, you will notice it detects its connection attempt as suspicious activity.... so if you blocked Winamp... it will block that program, because the trigger was in the custom behavior list.

    Then find a generic program, like Notepad, Mspaint, Audacity... you can set it to custom monitoring... identify that it has no suspicious activity.... then try to block the program... and you will notice it allows it to run.

    Hopefully we can get this cleared up soon. Thanks again!

  9. Quote

        Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you?

        As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) are not excluded?

    Many programs out there incorporate some form of adware to maintain their free status; like Skype and MSN Messenger are popular programs that have incorporated ads into their functionality.

    That's neither here nor there though. My main issue is that programs are not being blocked properly.

  10. I noticed that it does block "some" programs, but not all of them.

    It looks like.... if 1 custom rule behavior is triggered when it is marked as "Blocked (impossible to run)" then it will block the program.

    However, if the program is set to be blocked, and none of the custom trigger behaviors are triggered, then it will not block the program.

    So typical programs like notepad and mspaint are not being blocked when they are set to be blocked, and atypical programs that have potential for undesired behavior are getting blocked.

  11. I reinstalled again, this time running EmsiClean; it did not detect any additional residual files.

    Deleted the Emsisoft folder manually in Program Files.

    Reinstalled, restarted. Still does not block the specified applications from running.

    Testing on mspaint.exe and notepad.exe (and other files not located in System32).

    Installed the Beta version and reset factory defaults; still does not block any programs.

  12. My problem appears to be a little more serious, as it doesn't seem that the Behaviour Blocker is blocking "any" of my programs I specify are to be blocked.

    Created several blocks for a variety of different applications, and it wouldn't block any of them. Even after a factory reset, and reinstallation of Emsisoft.

    Any ideas?

  13. I've had this installation of EIS running for quite some time.

    Emsisoft Internet Security
    Version: 2017.6.0.7681
    Windows 7 (32-bit) Service Pack 1
    (No other known conflicting software installed)

    In my Behavior Blocker - Application Rules, I have utorrent.exe allowed to run. Then I also have utorrentie.exe set to be blocked from running.

    When I start utorrent.exe, taskmgr shows that 2 instances of utorrentie.exe are being allowed to run. I think in the past I recall that utorrentie was possibly being blocked normally.

    I am curious if these 2 instances are not being allowed, because its parent program is being allowed.

    I enabled advanced debug output (and restarted), and included the relevant information. I was going to just reinstall EIS and see if the problem resolves, but I first thought it'd be helpful to collect as much information on the problem. Let me know if you need more information, and/or whether you want me to reinstall.


    a2service Log
    
    08:53:06.858    940               -> TFirewallRulesManager.UpdateRulesEnabling(RuleFileName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
    08:53:06.858    940                  -> DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
    08:53:06.858    940                  <- DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe): C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:06.858    940                  -> TStoreManager.LocateSection('Rules','C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe','0'): TCustomSection
    08:53:06.858    940                  <- TStoreManager.LocateSection(...): Result = 00FACA38

     

    firewall log
    
    08:53:40.866	1384  FWDBG: [WFP] ProcessCreated: 3548 C:\Program Files\Emsisoft Internet Security\a2start.exe
    08:53:42.551	1300  FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3580
    08:53:42.566	1308  FWDBG: PROCESS: 3580 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
    08:53:42.566	1308  FWDBG: [WFP] ProcessCreated: 3580 C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
    08:53:42.988	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 58788, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:43.034	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 62531, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.142	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57738, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.267	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49166, Remote: 23.21.139.158: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.376	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 5351, Remote: 192.168.0.1: 5351, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.532	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57029, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.563	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 65467, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.594	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49191, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.626	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49167, Remote: 52.84.21.89: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.657	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49168, Remote: 208.111.179.219: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.657	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49169, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.688	1300  FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3816
    08:53:44.688	1308  FWDBG: PROCESS: 3816 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.688	1308  FWDBG: [WFP] ProcessCreated: 3816 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.719	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49170, Remote: 52.84.19.74: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.782	1300  FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3848
    08:53:44.782	1308  FWDBG: PROCESS: 3848 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.782	1308  FWDBG: [WFP] ProcessCreated: 3848 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    08:53:44.797	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49171, Remote: 52.84.19.74: 443, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.860	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 51879, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.891	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 60714, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    08:53:44.938	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 61338, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.938	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49172, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    08:53:44.938	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49173, Remote: 188.166.37.159: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
    a2rules.ini
    
    [C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe]
    Revision=4
    SectionType=1
    SHA1=873D6472B719B6A07C9DBDCB09DBEB04FE56EBA2
    GUID={6986CF07-4153-4EC9-907F-45C95273BBF4}
    Action=1
    Worm=0
    Dialer=0
    Backdoor=0
    Hijacker=0
    Inject=0
    Downloader=0
    Spyware=0
    Service=0
    KeyLogger=0
    Startup=0
    HiddenInstall=0
    Virus=0
    Hosts=0
    Rootkit=0
    BrowserSettings=0
    Debugger=0
    RemoteControl=0
    DirectDiskAccess=0
    SystemPolicies=0
    Exploit=0
    CryptoMalware=0
    FirewallInMode=0
    FirewallOutMode=0
    MD5=AFB311776018C6564FE8A25CD5FD78C9
    Updated=1
    
    [C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe]
    Revision=4
    SectionType=1
    SHA1=B677DD6E7B885A8E57C03FA6D4CE3BA4D655C2E5
    GUID={229DB36D-F13F-4609-82AB-5BEAC079887C}
    Action=2
    Worm=0
    Dialer=0
    Backdoor=0
    Hijacker=0
    Inject=0
    Downloader=0
    Spyware=0
    Service=0
    KeyLogger=0
    Startup=0
    HiddenInstall=0
    Virus=0
    Hosts=0
    Rootkit=0
    BrowserSettings=0
    Debugger=0
    RemoteControl=0
    DirectDiskAccess=0
    SystemPolicies=0
    Exploit=0
    CryptoMalware=0
    FirewallInMode=1
    FirewallOutMode=1
    MD5=F233F4591F9CC22166095F109090DEB1
    Updated=1
    BehaviorBlockerEnabled=1
    
    [FirewallRules_229DB36DF13F460982AB5BEAC079887C_C4FD508883334C0FBB3F937002F8BF9B]
    Revision=1
    SectionType=2
    Name=Autorule
    Index=2
    Type=APP
    Protocol=TCP
    Resolution=BLOCK
    Direction=OUT
    NetworkType=ANY
    ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    Enabled=0
    
    [FirewallRules_229DB36DF13F460982AB5BEAC079887C_464279183A724962B6C8738B54B67FF8]
    Revision=1
    SectionType=2
    Name=Autorule
    Index=1
    Type=APP
    Protocol=TCPUDP
    Resolution=BLOCK
    Direction=OUT
    NetworkType=ANY
    ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    Enabled=0
    
    [FirewallRules_229DB36DF13F460982AB5BEAC079887C_003B5FE636FC40B485E8E508C2A748F9]
    Revision=1
    SectionType=2
    Name=Autorule
    Index=0
    Type=APP
    Protocol=ICMP
    Resolution=BLOCK
    Direction=OUT
    NetworkType=ANY
    ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
    Enabled=0
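
The a2rules.ini excerpt and the firewall log above can be cross-checked mechanically. The following is an added example, not Emsisoft's code: it parses the application-rule sections of a2rules.ini and the "[WFP] ProcessCreated" lines of the FWDBG log, and lists every process start whose executable carries a block rule. It assumes, inferred from the excerpt above (the allowed uTorrent.exe has Action=1, the blocked utorrentie.exe has Action=2), that Action=2 means "Blocked (impossible to run)"; the embedded ini and log samples are constructed to mirror the post.

```python
"""Cross-check Emsisoft a2rules.ini block rules against the FWDBG firewall log.

Added example, not Emsisoft's code. Assumption (inferred from the post's ini,
where the allowed uTorrent.exe has Action=1 and the blocked utorrentie.exe has
Action=2): Action=2 means "Blocked (impossible to run)".
"""
import re
from configparser import ConfigParser

ACTION_BLOCK = "2"        # assumed meaning, see module docstring
APP_RULE_SECTION = "1"    # SectionType=1 sections are per-executable rules in the post's ini

# Constructed sample in the shape of the post's a2rules.ini (most fields trimmed).
SAMPLE_RULES = r"""
[C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe]
SectionType=1
Action=1
BehaviorBlockerEnabled=1

[C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe]
SectionType=1
Action=2
BehaviorBlockerEnabled=1

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_003B5FE636FC40B485E8E508C2A748F9]
SectionType=2
Resolution=BLOCK
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0
"""

# Constructed sample lines in the shape of the post's firewall log.
SAMPLE_LOG = r"""
08:53:40.866    1384  FWDBG: [WFP] ProcessCreated: 3548 C:\Program Files\Emsisoft Internet Security\a2start.exe
08:53:42.566    1308  FWDBG: [WFP] ProcessCreated: 3580 C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
08:53:44.267    1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.688    1308  FWDBG: [WFP] ProcessCreated: 3816 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.782    1308  FWDBG: [WFP] ProcessCreated: 3848 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
"""

# Only the "[WFP] ProcessCreated" lines carry a PID together with the resolved image path.
PROCESS_CREATED = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\d+\s+FWDBG: \[WFP\] ProcessCreated: "
    r"(?P<pid>\d+) (?P<path>.+?)\s*$"
)


def load_block_rules(ini_text):
    """Return the set of executable paths (lower-cased) whose application rule says block."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    blocked = set()
    for name in cp.sections():
        sec = cp[name]
        if sec.get("SectionType") == APP_RULE_SECTION and sec.get("Action") == ACTION_BLOCK:
            # In this ini format the section name is the full path of the executable.
            blocked.add(name.lower())
    return blocked


def parse_process_created(log_text):
    """Extract (time, pid, path) from every '[WFP] ProcessCreated' line."""
    events = []
    for line in log_text.splitlines():
        m = PROCESS_CREATED.match(line.strip())
        if m:
            events.append((m.group("time"), int(m.group("pid")), m.group("path")))
    return events


def find_blocked_but_started(ini_text, log_text):
    """List every process start that a block rule should have prevented."""
    blocked = load_block_rules(ini_text)
    hits = []
    for time, pid, path in parse_process_created(log_text):
        # Windows paths are case-insensitive, and the log does not always keep the on-disk case.
        if path.lower() in blocked:
            hits.append({"time": time, "pid": pid, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_but_started(SAMPLE_RULES, SAMPLE_LOG):
        print(f"{hit['time']} PID {hit['pid']} started despite block rule: {hit['path']}")
```

Run against the real a2rules.ini and firewall log, the two utorrentie.exe starts (PIDs 3816 and 3848 in the post) are exactly the lines this check reports.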

     

  14. I think you can redesign something like Windows, but in this case, it'd be best to start almost from scratch... I realize it'd be a gigantic undertaking, but perhaps that is really the next leap forward for computer processing, is to realize a closer relationship between hardware and software, where the hardware and software are "meant" specifically for each other. Instead of a "one size fits all" kind of approach to software architecture, where there can be a dozen different ways to program 1 specific task, and not all of them desirable or even correct.

    That would require a more intimate relationship between the chip designers and the software developers.

    It seems to me that software is becoming needlessly more and more complex... when it should be getting simpler. It's this mentality though that... in order to create new secure and compatible features, we should keep adding on layer after layer of architecture, forcing the developer to constantly be learning new constructs... when most of this should all be taken care of automatically by the compiler.

    If you look at almost every version of Windows.... you always saw Visual Studio stepping along right beside them... like they'd improve their editor tools, and it was then demonstrated in Windows versions.

    So I think maybe they kind of lost sight of this relationship, that building better tools allowed them to keep building a better product.

    Software is coded by human beings, and yes... people make mistakes, but if they keep working at the same thing and gain practice.... they inevitably get better at it, or at the very least learn their capabilities. Which is why you can't just create the core code and leave it alone; it has to evolve with the rest of the hierarchy.

    I think it's safe to say that the core of Windows probably hasn't gone through much of an overhaul in a long time, judging by the appearance of the file structures.

    I think this is likely why Linux is so successful, is because it takes its ego out of the picture and has let people view and edit the core, pinpointing its flaws. The way things are going, I think Linux is going to give Windows a run for its money... and relatively quick like. As soon as Windows tries their "pay as you go" service on people, I think you're going to notice a huge impact in attitude.


  15. I think that's absolutely true, that the user is often responsible for driving the operating system into dangerous territory, with unsafe browsing practices.

    That being said, I think Windows "in general" doesn't really treat the internet like it's a potentially dangerous place. This is evident in all of the default settings of a new installation... that everything comes pre-enabled, with a sort of "plug and play" mentality, that Windows MUST connect with every device in existence. Whether it's a printer, or some random wireless network.

    It's like this laptop I worked on once, it was set to "Automatically connect" to basically any network with a viable signal; it's that kind of mentality that everything must be connected "out of the box", that really gets people in trouble. The idea is... they don't want to have to deal with people's insufficient knowledge for not knowing how to enable these devices... so they make it so easy a caveman could do it.

    It's like you said quietman7, that... the user is usually at fault, for a few reasons...

    * Unsafe browsing habits. (allowing JavaScript, using Flash, using Java, installing 3rd party addons, etc.)
    * Uninformed computer usage. (i.e., not setting up user accounts, no passwords, weak passwords, poor decisions running programs, etc.)
    * Improper settings configured. (Allowing NETBIOS, Secondary Login service, print spooler, Remote Access Service, flawed File Permissions, Web Camera enabled, etc.)

    All of these... all come down to just lack of information, and changing your computing habits. In a way... by allowing all of these things automatically, Microsoft does everyone a disservice, by never learning how to turn on/off the devices you want to run. They make little to no effort to try to educate people on how to keep their computer secure.... and would rather let the user sit in ignorant bliss during the installation, watching a progress bar (with no ETA), and telling everyone "How great these new features are", so that a few years down the road, they can trash it and call it all rubbish.

    I think if you expect people to practice basic security practices, they should make some effort to try to educate people about them. People shouldn't have to go to college or read a "Windows for Dummies" manual to understand how it all works... there should be integrated tutorials, and Windows Help and MSDN don't quite cut it.

    I think the "real" issue comes down to Windows design... instead of trying to cover 1 root design problem with a dozen patches, it should all be redesigned from the ground up... I mean look at the Windows folder, there are still 16-bit files cluttering it up. lol and in my opinion, their cross compatibility for 32-bit / 64-bit just makes development and usage in general a complete mess... I mean, you don't see people using 16-bit applications anymore, nor do we have architectures that serve it anymore. They made a decision to drop support for it, and they really need to do the same, so they can let go of an old architecture and just move on.

    Microsoft lost its way with Windows 8, going off of some really bad advice that PCs were dead and anybody who is anybody uses a smartphone or tablet. That didn't stop them from pushing it on us... and we were expected to "adapt" to the new design change... and then once it became concrete that it was a flop, they actually stopped and listened to its users and redesigned it... it hasn't been so long though since Windows 8's release in retrospect. lol I just find it really hard to believe that there has been some exponential leap in architecture for them to make claims that 10 is better than 7... When 10 is more or less 8 with a new paint job, a new name, and some additional features and services. According to Steve Ballmer, Windows 8 was the wave of the future, with its new touch-screen "panel" design.... Just finding it really hard nowadays to trust that Microsoft is being "genuine" with us.

  16. Is there some inherent architecture though, that Windows 10 has, that makes it invulnerable to security threats? The way Microsoft reps are describing it.. at this point in time, you are "at risk" if you don't upgrade to Windows 10.

    Microsoft has been known to wait long periods of time before releasing security updates, to the point that some individuals almost have to force their hand just to get them to push the security updates out. So it just seems to me like they would have even less motivation to push out security updates for 7 than they did before, especially if they're already touting the insecurities of 7.

    They might be offering "support" until 2020, but how dedicated and how broad is their team to continue this process? With the way companies are constantly trying to scale things back and get more for less, it seems like this would be such an area they might try to scale back, because it's no longer profitable for them.

  17. What happens when Windows 10 has evolved to the point that it has become so bloated with features we don't want anymore? Will Microsoft one day look back on Windows 10 and call it a fat ugly child that nobody wants and kick it to the curb too, and offer us another alternative?

    The lack of loyalty to prior products just seems a bit saddening... that whatever product you do choose with Microsoft will one day become obsolete and put out to pasture, because some new pretty OS comes along that is more attractive and can cook and clean for us. Whatever happened to 'til death do us part?

    Also, a friend of mine suggested rumors that Windows 10 is less secure from "big brother", i.e. Microsoft or government agencies, with "Call Home" features.

    Is that the cost of what we pay for security.... we have security from malware, but designed insecurity from its creators, and law enforcement?

    It kind of jogs my memory of a news article I read, about supposedly the NSA paying Microsoft not to use more advanced forms of RSA encryption, to make it easier for them to crack it. Whether that was true or not... just kind of seems like we're kind of being led astray... or being corralled into making a choice that just forces us to pay Microsoft on their time table, and to give up our privacy, when they want it.

    What happened to the consumer's freedom.... to pay when "they" want it.... and their freedom... to share with the world what "they" want to share. The more I learn about computer security, the more it just seems like it's all an illusion, that there is no such thing as security..... and we all are at the mercy of some creepy old man behind a curtain.

    It's at this time, someone generally suggests I use some Linux distribution, we play a 5 minute musical montage of me learning Linux, and then I spend another 20 years of rediscovering a parallel version of the yellow brick road, that generally leads to the same place.... a creepy old man behind a curtain.

    I miss the 90s... when ignorance was bliss, and curtains were brick walls.

  18. I've seen news articles cropping up all over the internet that say generally the same thing: that Microsoft has been saying that Windows 7 isn't as secure as Windows 10.

    Like this article here for example:

    https://www.extremetech.com/computing/242795-microsoft-warns-windows-7-dangerously-insecure-2017

    Quote

    Meanwhile, Microsoft says Windows 10 is the most secure OS it has ever released.

    It includes biometric login support, application sandboxing, and advanced threat protection via Windows Defender.

    These features make Windows 10 capable of repelling some threats it hasn't even been specifically patched for yet.

    So my question is... is there a legitimate security concern to be worried about with Windows 7, such that if I really want a "secure" system, I really should update to Windows 10?

    Or... is this just a push by Microsoft to scare users into purchasing their new software, and get as many people hooked as they can, before pushing their "pay as you go" monthly installment plan, hoping that spreading this propaganda that Windows 10 is inherently more secure than its predecessors will eventually sink in, so that a change to Windows 10 becomes "mandatory" if you want to stay secure?

    I mean, if the issue is... that Windows 7 is not capable of adapting to real-time threats... then would not Emsisoft security fill in for that, doing much what Windows 10 does?

    The only advantage I could see might be the sandboxing... but even then, just adding more frameworks does not solve security issues, it just obstructs the path, generally until someone finds a way around it. Microsoft's solution to security seems to be putting layer upon layer of "safeguards" in the form of frameworks, which generally just seems to complicate the development process. (Correct me if I'm wrong there.)

    I think what really kills me... is that when they released Windows 7... they pushed it as being the "bee's knees", that it's just better, new and improved, being more secure than its predecessors...

    And then, after Windows 8 gets a bad rap, and they go into serious recovery mode, and go out of their way to rebrand Windows 8 and fix some problems... all of a sudden Windows 7 becomes this evil monster that must be vanquished, and if you don't jump ship... your computer will fall victim to the 7 hells of earth, or the Windows version of a step-brother you never wanted.

    It's like now that they have created a new version, there's a huge push to try to discredit everything they worked for in the past... it doesn't make sense. Why would you discredit a version you worked so hard to create?

    I mean... I bet you people would probably pay the same amount of $ for a new version of Windows just to keep a steady stream of updates rolling in for Windows 7. It also begs the question, just because Windows 10 is here... does that mean they're not going to give 7 the same love and attention to keep it secure... or if a new flaw crops up... are they just going to "let it happen", so that they can count it as another reason for you to upgrade to Win 10?

    I just feel a little put out by Microsoft in general... even though I really do try to stand behind it. For years, I even stood behind Internet Explorer... before almost forcefully being switched, by an awful beta experience...

    I would really appreciate some input on this situation, and a focused response, on whether this is a "legitimate" security issue or just a marketing ploy.

    Thanks!

  19. Yes, in Online Armor v9, I would set it to "Ask" about every program, whether trusted or not.

    I remember several times I would block critical Windows programs, and then have Windows fail to start... and would have to boot into safe mode to reset. Eventually though, I learned exactly which programs I needed to keep around to boot up Windows.

    My suggestion is... do the same exact thing that you did for the firewall options of Emsisoft: if you try to block a2service.exe it states that it could cause undesirable issues.

    So you could just create a short list of the required Windows files...

    csrss.exe
    winlogon.exe
    wininit.exe
    userinit.exe
    lsm.exe
    lsass.exe
    smss.exe
    services.exe
    svchost.exe

    then just forbid those files from ever being blocked, while still allowing firewall options and custom rules to be applied. Or alternatively, a better idea... just warn the user that the file is critical to normal operation and that you tinker at your own risk.

    When I used to do the blocking in OA v9, by blocking all of the extra Windows programs floating around, my goal was to make it really easy to detect anything extra that tried to run. That's where the "Ask" prompt for trusted programs came in nicely... so that once the common programs were configured to "allow/block"... it made it really easy to see if anything suspicious was trying to run in the background.

    I admit it was a bit more time consuming, but I felt like I had more control of the security of the system. Now it just seems like every program is automatically trusted just to ensure everyone has a smooth operating experience.

    I prefer to use my system on an "as needed" basis: if I need to use a printer... I start the (spoolsv.exe) printer service... then when I am not using the printer, the service is stopped. I don't expect Emsisoft to take care of that for me, but that's just my philosophy on how I think the system should be running... and not have Windows try to shotgun all the programs at startup, just because we "might" need to use them.

    I think that's where the suggestion I made once before might come into play... where you could initiate "Timer-based Allowing/Blocking", so that when triggered... by clicking an icon/entry, or based on some type of event... EIS could execute a timer script, to say... Allow spoolsv.exe to run... (maybe initiate the running of the program as well) and then automatically Block it 10 minutes later.
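The two ideas in the post above, a boot-critical process list that a block rule should at least warn about, and a timer-based allow that turns into a block after a set number of minutes, modelled as a small rule evaluator. This is an added example, not Emsisoft's code; the rule fields, the injected clock, and the default "ask" outcome for unmatched programs are assumptions chosen to mirror the post.

```python
from dataclasses import dataclass
from typing import List, Optional

# Boot-critical Windows processes, taken from the list in the post above.
CRITICAL_BOOT_PROCESSES = frozenset({
    "csrss.exe", "winlogon.exe", "wininit.exe", "userinit.exe", "lsm.exe",
    "lsass.exe", "smss.exe", "services.exe", "svchost.exe",
})

@dataclass
class Rule:
    image: str                          # executable name, e.g. "spoolsv.exe"
    action: str                         # "allow" or "block"
    kind: str = "application"           # "application" (may it run?) or "firewall" (network only)
    expires_at: Optional[float] = None  # clock seconds at which the rule stops applying
    then: Optional[str] = None          # action that takes over after expiry (hypothetical field)

def validate_rule(rule: Rule) -> str:
    """'warn' when an application-level block targets a boot-critical process, else 'ok'.
    Firewall rules on the same files are left alone, as the post suggests."""
    if (rule.kind == "application" and rule.action == "block"
            and rule.image.lower() in CRITICAL_BOOT_PROCESSES):
        return "warn"
    return "ok"

def timed_allow(image: str, now: float, minutes: float) -> Rule:
    """Timer-based rule: allow `image` now, switch to block `minutes` later."""
    return Rule(image, "allow", "application", expires_at=now + minutes * 60, then="block")

def decide(rules: List[Rule], image: str, now: float, default: str = "ask") -> str:
    """Decision for a process start at clock time `now`; the first matching rule wins.
    With no matching rule the result is `default`, the 'Ask' prompt the post describes."""
    for r in rules:
        if r.kind != "application" or r.image.lower() != image.lower():
            continue
        if r.expires_at is not None and now >= r.expires_at:
            if r.then is None:
                continue            # rule simply lapsed, keep looking
            return r.then           # e.g. the automatic block after 10 minutes
        return r.action
    return default

if __name__ == "__main__":
    # Constructed scenario: spooler allowed for 10 minutes, csrss permanently allowed.
    rules = [timed_allow("spoolsv.exe", now=0.0, minutes=10), Rule("csrss.exe", "allow")]
    for t in (0.0, 599.0, 600.0):
        print(t, decide(rules, "spoolsv.exe", t))   # allow, allow, block
    print(validate_rule(Rule("lsass.exe", "block")))  # warn
```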
