Everything posted by iWarren

  1. Yeah, and I've had this logging feature going for a year with hardly any issues. That's the only reason I kind of wanted to take a look at what was going on: it was consuming tons of hard disk space... The game was relatively old, and it was from a trusted source, so I don't think there was any foul play; most likely it was antiquated programming that was directly accessing the hard disk. I doubt it's worth investigating further. Just thought I'd share that experience.
  2. I understand, I'll have to try to do some more testing later on. I do think that there is definitely an issue though with the detection of programs that are being run through conhost.exe. I think it's because of how I compile the program, using a /SUBSYSTEM:CONSOLE parameter, which I'm curious whether it's a best practice for creating console applications. From my reading, conhost creates a 3MB conhost program in memory for every execution of a console program. Even Cmd.exe, I think, has to utilize Conhost.exe to operate. I just know that the detection of the program in "Behaviour Blocker" is hit and miss. I'll have to look again to see if it's just not updating it, or if it's being placed in a2rules.ini.

     On a side note, I remember in EIS v9 you were able to specify an 'Ask' prompt on whether to run trustworthy programs... or to 'Ask' prompt on unknown programs. In EIS v11, it only gives you the "Ask, Allow, Block" options for Firewall connections. In EIS v11 there is the "Privacy" section which lets you set up "Automatically allow programs with good reputation" and "Automatically quarantine programs with bad reputation." I really wish you could pass along a request to the developers about re-adding the feature where you can get a prompt to allow a program (even if it is trusted). What was great about EIS v9 as well was that it gave you more detailed information about the drivers involved in creating the process. I do think the EIS v11 interface is a step up, but losing these vital features, I think, was a step back as well. I don't think it would be terribly difficult to implement either, as most of the menu interfaces are already set up, and the a2rules.ini should already contain the basic structure required to add this feature in smoothly.

     The reason to support this feature is that once most of the primary Windows programs are accepted, the system will typically run smoothly without many additional prompts. Every now and then though, you have some questionable software or an installer that you want to allow/deny step by step, and that's where it was really nice with v9: you could have more control over the process. I realize the idea is to make a one-size-fits-all program, but I also like the idea of more advanced features, and the worst case scenario is... you could make a list of absolutely required Windows applications that need to run. One perfect scenario where this would have worked nicely is that Windows recently asked me to run GWXconfig.exe or some related GWX program that was designed to try to notify me to update to Windows 10... Granted, I blocked the application anyways, but it would have been nice to have had a prompt asking if I wanted to run the program. Something to think about.
  3. To reiterate, when I run the 'Unknown' console application, it creates an entry in "Behaviour Blocker" for Conhost.exe but doesn't add my 'Unknown' program as an entry. If I keep closing and running it, eventually the entry will get entered in. I thought that, maybe instead of setting the application rules for my program, I should try setting the application rules for Conhost.exe. Unfortunately, setting it to "Custom Rules", or setting it to "All Blocked", didn't seem to make any difference (as it still connected). The Unknown program is designed to "Listen" like a server, so it should have tripped the "Incoming" filter.
  4. Well, I think I discovered part of the issues I've been having... I thought it was weird how I could type the name of my program into "Behaviour Blocker" and, half the time, it'd show up and the other half it wouldn't. It appears that EIS isn't adding my program name as an entry because Conhost.exe is starting at the exact same time, which is why it's hit and miss on when it adds the entry to the "Behaviour Blocker" table. The second issue is that I was trying to connect to the program via, and then I realized that it probably has to go through the 192.168.0.x IP, as that's the network interface the filter is listening to. I tried connecting through the LAN IP, but it still didn't trigger the EIS Ask Alert. I did get a prompt though... about an "Outgoing" connection (from a trusted program), but the "Incoming" connection wasn't being detected in the 'Unknown' program (and I made sure to send some data back and forth through the connection). I'm just not sure if it's because it's still treating it like it's a loopback, but even then, I think it would go through the EIS filter.
  5. I'm not sure if you can classify this as an issue, but it was an issue for me. I had forgotten to disable the verbose logging option in the registry, and whenever I played a game for a few hours, I would discover that 60GB of my disk space was gone. I eventually discovered my missing disk space was going to ProgramData\Emsisoft\Logs. Unfortunately I couldn't say what was really triggering the issue, as the log files were too big to be read by several programs. I disabled verbose debug output, and that solved that.
  6. Advanced Firewall Settings", under the "Automatic Rule Settings" option. All "Incoming / Outgoing" are set to "Ask" for both Trusted and Unknown connections. I would like you to verify though that the "Ask" prompt is working for an Unknown program. I can now find the application listed under "Behavior Blocker", and I've removed the "Application Rule" for the program several times, and each time it does not prompt me to allow the connection. Also, changing the "Advanced Firewall Setting" to 'block' an unknown program does not add a block rule like it does for the "Trusted programs", so I think the "Unknown program" feature isn't working properly. Can you confirm? Even manually setting the "Application rule" to "Custom Rule" does not give me a prompt like it should. Also, another issue is, when I disable the "Settings -> Privacy -> "Automatically allow programs with good reputation" option and keep the "Look up reputation of programs", when I run a trusted program, it still allows it, does not prompt me, and does not create an application rule. I think that might be part of the unknown program issue: an application rule is not being generated for it, so it just continues like nothing happened.
  7. I've been using Visual Studio 2012 to create some socket-related programs. I noticed though that it's not detecting my executable as a threat. Is it because I've allowed CL.exe that it's associating my executable with that program? I'm running the executable as a stand-alone program though, and I still don't even see an entry in "behaviour blocker" for that executable. This seems like a problem, especially if it's using sockets... I would expect at least some kind of detection involved. I think it's an issue because it means that a program could be constructed on the computer and then elude detection.
  8. Microsoft allows developers to utilize a "Web Control" container that allows you to browse within an application. I was curious if EIS also extends into this custom web container? If so, are there any particular versions it is meant to support? Although, now that I think about it, EIS probably just filters websites and doesn't have much interaction with the internal workings of the browser controls.
  9. Not at this time, I haven't been at the computer recently. I did have some unrelated issues though where Emsisoft couldn't recover from an error. I would restart, and it would last about a minute before it would come up with an error. I was hoping it would just be resolved in an update; it seems to be okay now. I'm potentially battling a failing hard drive, so I didn't want to complicate the matter by reporting on the issues. I looked through a2rules.ini and I found a reference to a file that is on another hard drive but is disconnected. I was wondering if perhaps this could not also be a cause for the pointer issue.
  10. Here are a few log files; perhaps they can be of use. If I had to take a guess, it's something to do with the "Quarantine" process. I went to update today, and after updating I think it found something in one of the Windows Temp folders... then it asked for a program restart to finish updating. A couple weeks ago I had it find like 10 programs in the Temp folder, and then the following day said they were false positives. C:\windows\Temp\tmp00000033\tmp00000f3d I sifted through the file, and there were a few website links, but I didn't investigate thoroughly. I submitted the file through Emsisoft - Quarantine. Also note, I'm not certain if this quarantined item was even related to this error specifically; when I minimized my browser window, I found the "Invalid Pointer" window laying about, so I am unsure of its exact arrival. pointer.txt a2start-pointer2.txt a2start-pointer.txt
  11. I received this error as well today, and I'm using I wasn't going to say anything, because I wasn't exactly operating under EIS factory defaults. I could probably dig up a little debug information though, if you're interested... or wait until it happens again under more ideal circumstances. (Using Win7 x64)
  12. Firewall blocks without Alert when set to "Ask" Well, I have had some cases where I wasn't provided an "Ask" dialog, but I usually fixed the issue by deleting the application rule entirely and running the program again. Which got me thinking about the firewall [Remove Rule] not updating in real-time and requiring an application restart to take effect. Could be mistaken for not blocking correctly. Also... are we talking about blocking Firewall Ports or Firewall Programs? Because if it was blocking most of the programs, Windows probably wouldn't even start. I do agree there needs to be more verbose information provided about what is being allowed/blocked instead of just SHA hash information.
  13. I thought of that as well, that 0 might not be a valid port; however, I did recall v10 didn't have an issue with 0-65535. Though as you said, if it can be probed in such a manner, it should probably be an option to be blocked.
  14. http://support.emsisoft.com/topic/19166-eis-v10-v11-not-blocking-0-65535/ Perhaps that will be able to assist you. If you do create a log file, make sure to edit out your product keys from the logs, using a program like Notepad++ and "Replace All".
  15. Make sure to edit out your product keys from the logs, using a program like Notepad++ and "Replace All".
  16. I was able to reproduce the issue. I tried a different port to see if it was exclusive to 67 but had the same result. It stops updating rules and stops responding, basically cripples the a2antimalware service. To fix it, I have to update a2rules.ini and a2rules.backup.ini and remove the custom address, and restart before the service will start again; otherwise the service just hangs and constantly says "Starting", and eventually EIS says it has a serious error. I made a log and edited out my keys and such. You're going to be looking for 11:49; that's the hour and minute I added the entry into the custom address. I wish now I got the exact second, but you should still be able to find it. I think I found the update rule a couple times, but I couldn't find anything relevant. I also tried to see if it was a length issue, but it worked fine. worked fine as well. tried and it had no issue with that either. Also note, the logs cover only when the entry was added, as well as a failed attempt to delete an entry. I didn't make a log of booting up with the service failing to start, because I figured it might be more helpful to see what initially causes it to glitch. eis5539.zip
  17. Okay, well I believe we're making progress. Using Firefox to test this; I might try something else more thorough later. EIS V11.0.0.5935
      a1. Blocking was not real-time when using [Remove Rule]: I had to restart the application for the changes to take effect when removing the rule. Blocking was however real-time when adding a rule.
      a2. Blocking 0-65535 TCP: instead of blocking all ports, I believe it is instead "allowing" all ports. Blocking 1-65535 TCP: this actually works successfully, so we can pin-point it as 0 being the culprit. Blocking 0 TCP: "allowed" all ports. Blocking (blank, no text) TCP: blocked all ports. I think that clears things up substantially.
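The test matrix in the post above (block 0-65535 allows everything, 1-65535 blocks, 0 alone allows, blank blocks) is the signature of a rule engine that gives port 0 a meaning of its own. The Python below is an added example, not Emsisoft's code, and the thread does not say what the real cause was: `naive_matches` is a hypothetical matcher that treats port 0 as an "unset" sentinel and merely reproduces that table, while `parse_port_spec` and `decide` show the defensive alternative of rejecting port 0 when the rule is written and failing closed when a block rule's port text cannot be parsed.

```python
"""Port-range rule matching: how giving port 0 a special meaning can turn a
'block all ports' rule into a silent no-op, and how a strict parser avoids it.

Added example, not Emsisoft code.  The thread does not say what the real cause
was; naive_matches() is a hypothetical matcher that merely reproduces the
observed table (0-65535 allows, 1-65535 blocks, 0 allows, blank blocks)."""

from typing import Dict, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "every port" (blank rule text)
MIN_PORT, MAX_PORT = 1, 65535           # 0 is reserved and never a usable port


def split_spec(spec: str) -> PortRange:
    """Turn 'N' or 'N-M' into (lo, hi); blank text means all ports. No validation."""
    spec = spec.strip()
    if not spec:
        return None
    lo_s, _, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    return (lo, hi)


def naive_matches(spec: str, port: int) -> bool:
    """Hypothetical buggy matcher: 0 is used as an 'unset' sentinel, so a range
    that starts at 0 is treated as 'no ports configured' and never matches."""
    rng = split_spec(spec)
    if rng is None:
        return True
    lo, hi = rng
    if lo == 0:
        return False   # the bug: "block 0-65535" quietly matches nothing
    return lo <= port <= hi


class PortSpecError(ValueError):
    """Raised for rule text that must not be guessed at."""


def parse_port_spec(spec: str) -> PortRange:
    """Strict parser: rejects port 0, out-of-range values and inverted ranges."""
    try:
        rng = split_spec(spec)
    except ValueError as exc:
        raise PortSpecError(f"malformed port text {spec!r}") from exc
    if rng is None:
        return None
    lo, hi = rng
    for p in (lo, hi):
        if not MIN_PORT <= p <= MAX_PORT:
            raise PortSpecError(f"port {p} outside {MIN_PORT}-{MAX_PORT} in {spec!r}")
    if lo > hi:
        raise PortSpecError(f"inverted range {spec!r}")
    return (lo, hi)


def spec_is_valid(spec: str) -> bool:
    """True if the rule text would be accepted at rule-creation time."""
    try:
        parse_port_spec(spec)
        return True
    except PortSpecError:
        return False


def decide(spec: str, action: str, port: int, default: str = "allow") -> str:
    """Evaluate one rule for a port.  A block rule whose port text cannot be
    parsed still blocks (fail closed) instead of being skipped."""
    try:
        rng = parse_port_spec(spec)
    except PortSpecError:
        return "block" if action == "block" else default
    hit = rng is None or rng[0] <= port <= rng[1]
    return action if hit else default


def compare_matchers(port: int = 443) -> Dict[str, Dict[str, str]]:
    """Run the four rule texts from the thread through both matchers as block rules."""
    return {
        spec: {"naive": "block" if naive_matches(spec, port) else "allow",
               "strict": decide(spec, "block", port)}
        for spec in ("0-65535", "1-65535", "0", "")
    }


if __name__ == "__main__":
    for spec, outcome in compare_matchers().items():
        label = spec or "(blank)"
        print(f"block {label:>8} TCP -> naive: {outcome['naive']:5}  strict: {outcome['strict']}")
```

The design point is that a block rule should never be able to degrade into "match nothing" without the author noticing: either the rule text is accepted and means exactly what it says, or it is refused at entry, and if bad text does reach evaluation it errs toward blocking.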
  18. I had that rule blocked for quite a while so I can't really say; for me it happened intermittently and only when connecting. I'm guessing Protocol 2 was an unlisted rule for IGMP.
  19. I can also confirm EIS v11.0.0.5935 is working, without delay, with the very latest Firefox beta, 43.0b5.
  20. I've tried all combinations of v10, stable v11 and beta v11 with Firefox 42.0 and Firefox 43 Beta, and they all had the same 22s delay.
  21. Well, a beta from Firefox is nothing like a beta from Microsoft.
  22. Tried to sort out the lines with the largest delays, over 700ms, but didn't see anything of interest. Perhaps someone else can make use of it. Lines 1064, 1068, 1079, 1083, 1094, 1098, 1109, 1113, 1266.
  23. I am using EIS v11 and updated a moment ago as well, and still have the same issue. Firefox 43.0b3: I loaded the beta version because of its new feature "Disconnect.me", which has its own built-in ad-blocking. However, a day before, the stable Firefox version wasn't working either, so I think the same issue is prevalent. I've attached the a2service log file; it starts at exactly the moment I began Firefox.exe -safe-mode and ends the moment it completes. vi.txt
  24. I noticed a week ago, after some updates, svchost.exe started displaying Protocol 2 : Port 0 when connecting. I looked it up in the EIS firewall logs and I believe it was listed as [IGMP]. Also, you are showing us what's in your "Incoming" connections, and although the dialog says it's trying to receive incoming data, I believe it's actually an "Outgoing" connection, so you should display what's in your outgoing connections. I typically see this port try to connect only when your Internet connection is trying to be made. So your machine coming from a sleep is most likely trying to connect to the internet.
      10:05:47.510 1476 FWEVT: [EFW]: [WFP] [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 Connection attempt
      10:05:47.510 1476 FWSRV: ResolutionRequestSubCallback Proto=2; Dir=2; Local=; Remote=; Proc=4; App="System"; IPV6=0
      10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 No app rule found, asking for resolution
      10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 Asking for resolution
      10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 Asking...
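The FWEVT/FWSRV lines quoted in the post above have a regular enough layout to be parsed, which matters when the complaint is "no Ask prompt appeared" and the service log is the only record of whether the firewall asked at all. The Python below is an added example and not Emsisoft tooling: its regular expressions are inferred from the five quoted lines only, the protocol-number table is the IANA assignment (2 = IGMP, as the post guesses), and the "allowed"/"blocked" decision wording that `unresolved()` looks for is an assumption, since the excerpt contains no decision line.

```python
"""Parse Emsisoft Internet Security firewall debug-log lines (FWEVT / FWSRV
records) into structured events and flag connections that asked for a user
decision without one appearing in the excerpt.

Added example, not Emsisoft code.  Line layout is inferred from the five lines
quoted in the post; the decision keywords in unresolved() are an assumption."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# IANA internet protocol numbers for the values likely to show up in Proto=N.
IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) (?P<tid>\d+) (?P<src>FWEVT|FWSRV): (?P<rest>.*)$")
FWEVT_RE = re.compile(
    r"^\[EFW\]: (?:\[WFP\] )?\[(?P<proto>[A-Z0-9]+)\] (?P<lport>\d+) --> (?P<rport>\d+) "
    r"/(?P<stage>\w+)/ \((?P<app>[^)]*)\) PID: (?P<pid>\d+) (?P<msg>.*)$")
FWSRV_RE = re.compile(r"^ResolutionRequestSubCallback (?P<kv>.*)$")
# Assumed wording of a recorded decision; the quoted excerpt has none.
DECISION_RE = re.compile(r"\b(allowed|blocked)\b", re.IGNORECASE)

# The five lines quoted in the post, used here as sample input.
SAMPLE_LOG = """\
10:05:47.510 1476 FWEVT: [EFW]: [WFP] [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 Connection attempt
10:05:47.510 1476 FWSRV: ResolutionRequestSubCallback Proto=2; Dir=2; Local=; Remote=; Proc=4; App="System"; IPV6=0
10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 No app rule found, asking for resolution
10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 Asking for resolution
10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 0 --> 0 /ssConnect/ (System) PID: 4 Asking...
"""


@dataclass
class FwEvent:
    ts: str
    tid: int
    src: str                      # FWEVT (filter event) or FWSRV (service callback)
    proto: str                    # protocol name, e.g. IGMP
    lport: Optional[int] = None
    rport: Optional[int] = None
    stage: str = ""               # e.g. ssConnect
    app: str = ""
    pid: Optional[int] = None
    msg: str = ""
    fields: Dict[str, str] = field(default_factory=dict)  # raw FWSRV key=value pairs


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'Proto=2; Dir=2; App="System"' into a dict, dropping the quotes."""
    out: Dict[str, str] = {}
    for part in text.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            out[key.strip()] = val.strip().strip('"')
    return out


def parse_line(line: str) -> Optional[FwEvent]:
    """Parse one log line; return None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, tid, src, rest = m["ts"], int(m["tid"]), m["src"], m["rest"]
    if src == "FWEVT":
        e = FWEVT_RE.match(rest)
        if not e:
            return None
        return FwEvent(ts, tid, src, e["proto"], int(e["lport"]), int(e["rport"]),
                       e["stage"], e["app"], int(e["pid"]), e["msg"])
    e = FWSRV_RE.match(rest)
    if not e:
        return None
    kv = parse_kv(e["kv"])
    proto = kv.get("Proto", "")
    name = IP_PROTO_NAMES.get(int(proto), proto) if proto.isdigit() else proto
    pid = int(kv["Proc"]) if kv.get("Proc", "").isdigit() else None
    return FwEvent(ts, tid, src, name, app=kv.get("App", ""), pid=pid,
                   msg="ResolutionRequestSubCallback", fields=kv)


def parse_log(text: str) -> List[FwEvent]:
    """Parse every recognisable line of a log excerpt, in order."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


ConnKey = Tuple[str, int, str, int, int]  # (app, pid, proto, local port, remote port)


def unresolved(events: List[FwEvent]) -> List[ConnKey]:
    """Connections whose filter events asked for a resolution but never logged a decision."""
    asked: Dict[ConnKey, bool] = {}
    for ev in events:
        if ev.src != "FWEVT" or ev.pid is None:
            continue
        key: ConnKey = (ev.app, ev.pid, ev.proto, ev.lport or 0, ev.rport or 0)
        if "asking for resolution" in ev.msg.lower():
            asked.setdefault(key, False)
        if key in asked and DECISION_RE.search(ev.msg):
            asked[key] = True
    return [k for k, decided in asked.items() if not decided]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev.src, ev.proto, ev.app, ev.pid, ev.msg if ev.src == "FWEVT" else ev.fields)
    print("awaiting decision:", unresolved(evs))
```

Run against the quoted excerpt it reports the single System/PID 4 IGMP connection as still awaiting a decision, which is exactly the state a user sees as a missing prompt; fed a longer a2service log it gives a list of such connections to check against the rules that were actually written to a2rules.ini.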
  25. Our goal is to allow only what's necessary and block everything that's not. I consider getting the Firewall back on track to be a relatively high priority. Right now, I can't run my application without opening up all of the ports.