iWarren

Everything posted by iWarren

  1. To reiterate, when I run the 'Unknown' console application, it creates an entry in "Behaviour Blocker" for Conhost.exe but doesn't add my 'Unknown' program as an entry. If I keep closing and running it, eventually the entry will get entered in. I thought that, maybe instead of setting the application rules for my program, I should try setting the application rules for Conhost.exe. Unfortunately, setting it to "Custom Rules", or setting it to "All Blocked", didn't seem to make any difference (as it still connected). The Unknown program is designed to "Listen" like a server, so it should have tripped the "Incoming" filter.
  2. Well I think I discovered part of the issues I've been having... I thought it was weird how I could type the name of my program into "Behaviour Blocker" and, half the time, it'd show up and the other half it wouldn't. It appears that EIS isn't adding my program name as an entry, because Conhost.exe is starting at the exact same time, which is why it's hit and miss on when it adds the entry to the "Behaviour Blocker" table. The second issue is that I was trying to connect to the program via 127.0.0.1, and then I realized that it probably has to go through the 192.168.0.x IP, as that's the network interface the filter is listening to. I tried connecting through the LAN IP, but it still didn't trigger the EIS Ask Alert. I did get a prompt though, about an "Outgoing" connection (from a trusted program), but the "Incoming" connection wasn't being detected in the 'Unknown' program (and I made sure to send some data back and forth through the connection). I'm just not sure if it's because it's still treating it like it's a loopback, but even then, I think it would go through the EIS filter.
  3. I'm not sure if you can classify this as an issue, but it was an issue for me. I had forgotten to disable the verbose logging option in the registry, and whenever I played a game for a few hours, I would discover that 60 GB of my disk space was gone. I eventually discovered my missing disk space was going to ProgramData\Emsisoft\Logs. Unfortunately I couldn't say what was really triggering the issue, as the log files were too big to be read by several programs. I disabled verbose debug output, and that solved that.
  4. Advanced Firewall Settings", under the "Automatic Rule Settings" option. All "Incoming / Outgoing" are set to "Ask" for both Trusted and Unknown connections. I would like you to verify though, that the "Ask" prompt is working for an Unknown program. I can now find the application listed under "Behavior Blocker", and I've removed the "Application Rule" for the program several times, and each time it does not prompt me to allow the connection. Also, changing the "Advanced Firewall Setting" to 'block' an unknown program does not add a block rule, like it does for the "Trusted programs". So I think the "Unknown program" feature isn't working properly. Can you confirm? Even manually setting the "Application rule" to "Custom Rule" does not give me a prompt like it should. Also, another issue is, when I disable the Settings -> Privacy -> "Automatically allow programs with good reputation" option and keep the "Look up reputation of programs", when I run a trusted program, it still allows it, does not prompt me, and does not create an application rule. I think that might be part of the unknown program issue: an application rule is not being generated for it, so it just continues like nothing happened.
  5. I've been using Visual Studio 2012 to create some socket related programs. I noticed though, that it's not detecting my executable as a threat. Is it because I've allowed CL.exe that it's associating my executable with that program? I'm running the executable as a stand-alone program though, and I still don't even see an entry in "behaviour blocker" for that executable. This seems like a problem, especially if it's using sockets; I would expect at least some kind of detection involved. I think it's an issue because it means that a program could be constructed on the computer, and then elude detection.
  6. Microsoft allows developers to utilize a "Web Control" container that allows you to browse within an application. I was curious if EIS also extends into this custom web container? If so, are there any particular versions it is meant to support? Although, now that I think about it, EIS probably just filters websites, and doesn't have much interaction with the internal workings of the browser controls.
  7. Not at this time, I haven't been at the computer recently. I did have some unrelated issues though where Emsisoft couldn't recover from an error. I would restart, and it would last about a minute before it would come up with an error. I was hoping it would just be resolved in an update; seems to be okay now. I'm potentially battling a failing hard drive, so I didn't want to complicate the matter by reporting on the issues. I looked through a2rules.ini and I found a reference to a file that is on another hard drive but is disconnected. I was wondering if perhaps this could not also be a cause for the pointer issue.
  8. Here are a few log files, perhaps they can be of use. If I had to take a guess, it's something to do with the "Quarantine" process. I went to update today, and after updating I think it found something in one of the Windows Temp folders, then it asked for a program restart to finish updating. A couple weeks ago I had it find like 10 programs in the Temp folder, and then the following day said they were false positives. C:\windows\Temp\tmp00000033\tmp00000f3d I sifted through the file, and there were a few website links, but I didn't investigate thoroughly. I submitted the file through Emsisoft - Quarantine. Also note, I'm not certain if this quarantined item was even related to this error specifically; when I minimized my browser window, I found the "Invalid Pointer" window lying about, so I am unsure of its exact arrival.
     pointer.txt, a2start-pointer2.txt, a2start-pointer.txt
  9. I received this error as well today, and I'm using 11.0.0.5984. I wasn't going to say anything, because I wasn't exactly operating under EIS factory defaults. I could probably dig up a little debug information though, if you're interested, or wait until it happens again under more ideal circumstances. (Using Win7 x64)
  10. Firewall blocks without Alert when set to "Ask". Well, I have had some cases where I wasn't provided an "Ask" dialog, but I usually fixed the issue by deleting the application rule entirely and running the program again. Which got me thinking about the firewall [Remove Rule] not updating in real-time, and requiring an application restart to take effect. Could be mistaken for not blocking correctly. Also, are we talking about blocking Firewall Ports or Firewall Programs? Because if it was blocking most of the programs, Windows probably wouldn't even start. I do agree there needs to be more verbose information provided about what is being allowed/blocked instead of just SHA hash information.
  11. I thought of that as well, that 0 might not be a valid port; however, I did recall v10 didn't have an issue with 0-65535. Though, as you said, if it can be probed in such a manner, it should probably be an option to be blocked.
  12. http://support.emsisoft.com/topic/19166-eis-v10-v11-not-blocking-0-65535/ perhaps that will be able to assist you. If you do create a log file, make sure to edit out your product keys from the logs, using a program like Notepad++ and "Replace All".
  13. Make sure to edit out your product keys from the logs, using a program like Notepad++ and "Replace All".
  14. I was able to reproduce the issue. I tried a different port to see if it was exclusive to 67 but had the same result. Stops updating rules and stops responding; basically cripples the a2antimalware service. To fix it, I have to update a2rules.ini and a2rules.backup.ini and remove the custom address, and restart before the service will start again; otherwise the service just hangs and constantly says "Starting" and eventually EIS says it has a serious error. I made a log and edited out my keys and such. You're going to be looking for 11:49; that's the hour and minute I added the 255.255.255.255 entry into the custom address. I wish now I had got the exact second, but you should still be able to find it. I think I found the update rule a couple times, but I couldn't find anything relevant. I also tried 111.111.111.111 to see if it was a length issue, but it worked fine. 255.255.255.254 worked fine as well. Tried 0.0.0.0 and it had no issue with that either. Also note, the logs cover only when the entry was added, as well as a failed attempt to delete an entry. I didn't make a log of booting up with the service failing to start, because I figured it might be more helpful to see what initially causes it to glitch. eis5539.zip
  15. Okay, well I believe we're making progress. Using Firefox to test this; I might try something else more thorough later. EIS V11.0.0.5935
     a1. Blocking was not real-time when using [Remove Rule]. I had to restart the application for the changes to take effect when removing the rule. Blocking was however real-time when adding a rule.
     a2. Blocking 0-65535 TCP: instead of blocking all ports, I believe it is instead "allowing" all ports. Blocking 1-65535 TCP: this actually works successfully, so we can pin-point it as 0 being the culprit. Blocking 0 TCP: "allowed" all ports. Blocking (blank, no text) TCP: blocked all ports.
     I think that clears things up substantially.
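Added illustration, not EIS code and not from the post: a rule evaluator that reuses 0 as its "no port set" sentinel reproduces every result of test a2 above (0-65535 allowed, 1-65535 blocked, 0 allowed, blank blocked), shown beside the corrected evaluator that keeps "unset" separate from the legitimate port value 0. The cause inside EIS is an assumption here; the page only records the symptoms.

```python
from typing import Optional, Tuple

# None means "rule applies to every port"; a tuple is an inclusive range.
PortRange = Optional[Tuple[int, int]]


def parse_port_field(text: str) -> PortRange:
    """Parse what the user typed into the TCP port field of a block rule."""
    text = text.strip()
    if not text:
        return None                          # blank field: every port
    lo_s, _, hi_s = text.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def is_blocked_buggy(rule_text: str, port: int) -> bool:
    """Assumed bug: a low bound of 0 is mistaken for 'no port configured'."""
    rng = parse_port_field(rule_text)
    if rng is None:
        return True
    lo, hi = rng
    if not lo:                               # BUG: 0 is falsy, so the rule is skipped
        return False
    return lo <= port <= hi


def is_blocked_fixed(rule_text: str, port: int) -> bool:
    """Corrected: 'unset' travels as None, never as the port number 0."""
    rng = parse_port_field(rule_text)
    if rng is None:
        return True
    lo, hi = rng
    return lo <= port <= hi


def replay_post_tests(port: int = 443) -> dict:
    """Evaluate the four rules from the post against one outgoing port.

    Returns {rule_text: (buggy_result, fixed_result)}.
    """
    rules = ["0-65535", "1-65535", "0", ""]
    return {r: (is_blocked_buggy(r, port), is_blocked_fixed(r, port)) for r in rules}
```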
  16. I had that rule blocked for quite a while so I can't really say; for me it happened intermittently and only when connecting. I'm guessing Protocol 2 was an unlisted rule for IGMP.
  17. I can also confirm EIS v11.0.0.5935 is working, without delay, with the very latest Firefox beta 43.0b5.
  18. I've tried all combinations of v10, stable v11 and beta v11 with Firefox 42.0 and Firefox 43 Beta, and they all had the same 22s delay.
  19. Well, a beta from Firefox is nothing like a beta from Microsoft.
  20. Tried to sort out the lines with the largest delays, over 700ms, but didn't see anything of interest. Perhaps someone else can make use of it. Lines 1064, 1068, 1079, 1083, 1094, 1098, 1109, 1113, 1266.
  21. I am using EIS v11 and updated a moment ago as well, and still have the same issue. Firefox 43.0b3: I loaded the beta version because of its new feature "Disconnect.me" which has its own built-in ad-blocking. However, a day before, the stable Firefox version wasn't working either, so I think the same issue is prevalent. I've attached the a2service log file; it starts at exactly the moment I began Firefox.exe -safe-mode and ends the moment it completes. vi.txt
  22. I noticed a week ago after some updates svchost.exe started displaying Protocol 2 : Port 0 when connecting. I looked it up in the EIS firewall logs and I believe it was listed as an [IGMP]. Also, you are showing us what's in your "Incoming" connections, and although the dialog says it's trying to receive incoming data, I believe it's actually an "Outgoing" connection, so you should display what's in your outgoing connections. I typically see this port try to connect only when your Internet connection is trying to be made. So your machine coming from a sleep is most likely trying to connect to the internet.
     10:05:47.510 1476 FWEVT: [EFW]: [WFP] [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Connection attempt
     10:05:47.510 1476 FWSRV: ResolutionRequestSubCallback Proto=2; Dir=2; Local=169.254.217.249:0; Remote=224.0.0.22:0; Proc=4; App="System"; IPV6=0
     10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 No app rule found, asking for resolution
     10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Asking for resolution
     10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Asking...
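Added example, not from the post or from Emsisoft: a parser for the FWSRV resolution-request line quoted above that decodes the IANA protocol number and explains why an IGMP report from a 169.254.x.x address to 224.0.0.22 carries Port 0 and is link-local housekeeping rather than inbound data. The line format is taken only from the lines shown; the meaning of the Dir field is not documented on the page, so it is left undecoded.

```python
import re
from typing import Dict, List, Optional

# Sample lines copied from the post above; only the FWSRV line carries key=value fields.
SAMPLE_LOG = """\
10:05:47.510 1476 FWEVT: [EFW]: [WFP] [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Connection attempt
10:05:47.510 1476 FWSRV: ResolutionRequestSubCallback Proto=2; Dir=2; Local=169.254.217.249:0; Remote=224.0.0.22:0; Proc=4; App="System"; IPV6=0
10:05:47.510 1476 FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 No app rule found, asking for resolution
"""

FWSRV_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+FWSRV: ResolutionRequestSubCallback (?P<kv>.*)$")
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}      # IANA protocol numbers
IGMPV3_REPORT_GROUP = "224.0.0.22"                              # all-IGMPv3-routers (RFC 3376)


def parse_fwsrv(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one FWSRV line, or None for any other line."""
    m = FWSRV_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "tid": m["tid"]}
    for pair in m["kv"].split(";"):
        key, _, value = pair.strip().partition("=")
        if key:
            rec[key] = value.strip('"')
    return rec


def split_endpoint(endpoint: str):
    """'169.254.217.249:0' -> ('169.254.217.249', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify(rec: Dict[str, str]) -> str:
    """Explain one resolution request in defender terms."""
    proto = int(rec["Proto"])
    rhost, _ = split_endpoint(rec["Remote"])
    lhost, _ = split_endpoint(rec["Local"])
    if proto == 2 and rhost == IGMPV3_REPORT_GROUP:
        note = "IGMPv3 membership report to the all-IGMPv3-routers group; IGMP has no ports, so Port 0 is expected"
        if lhost.startswith("169.254."):
            note += "; APIPA source address means the adapter had no DHCP lease yet (e.g. just resumed)"
        return note
    name = PROTO_NAMES.get(proto, str(proto))
    return f"{name} {rec['Local']} -> {rec['Remote']} by {rec['App']} (PID {rec['Proc']}): review"


def triage(log: str) -> List[str]:
    """Classify every FWSRV resolution request in a log excerpt."""
    return [classify(r) for r in map(parse_fwsrv, log.splitlines()) if r]
```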
  23. Our goal is to allow only what's necessary and block everything that's not. I consider getting the Firewall back on track to be a relatively high priority. Right now, I can't run my application without opening up all of the ports.
  24. I also discovered svchost.exe was connecting to UDP 443 to this IP 64.4.54.253. http://www.theregister.co.uk/2015/09/01/microsoft_backports_data_slurp_to_windows_78_via_patches/ I looked online and found this article that mentions Microsoft using this to send back data; might be worth a read.
  25. Using latest version of EIS v11 (new installation today). I was trying to add custom addresses for svchost.exe for all the specific ports used for connectivity. Here's what I have for "Outgoing Connections":
     5355 UDP - ALLOW - Custom Address: 224.0.0.252
     53 UDP - ALLOW - Custom Address: 224.0.0.252, 192.168.0.1, (My ISP DNS Server Here)
     67 UDP - ALLOW - All
     This setup is operational; however, the trouble came when I tried to be specific with port 67. I entered in a custom address of 255.255.255.255 because I saw this was an address it used. Upon entering it in, EIS refused to update the entries or allow the svchost rule to be removed. EIS more or less became despondent. When I rebooted the system it stalled for ~30 seconds, then the a2service failed to start, and was stuck in a mode of "Starting" and wouldn't stop or start no matter what I did. I couldn't get into a2start.exe because it kept saying "EIS is waiting on a service to start". So I deleted the "Custom Address = 255.255.255.255" entry in a2rules.ini for svchost.exe and restarted. Everything worked fine after that. I tried other addresses like 0.0.0.0 and it worked fine; it seems to be that one specific rule for 'broadcasting' that it seemed to flake out on. If someone could verify this. I understand it might not be a bug and more of an invalid settings issue for the crucial file svchost.exe. Let me know what you think. Also, while I was in TcpView I noticed LSASS was connected to a TCP local port of 1032, but I noticed that the firewall by default blocks ports 1024 - 1030. So you might consider extending the range. I also poked around online and saw someone else had an lsass on port 1033 https://social.technet.microsoft.com/Forums/windowsserver/en-US/d1ed4af9-bdb2-4315-8b37-209397363f58/mmc-ports-for-managing-dhcp?forum=winserverPN and here they mention 1024 - 1034 https://support.microsoft.com/en-us/kb/908472 Not sure if it's related, but they mention here something about blocking RPC ports 1024-5000.