iWarren

Posts posted by iWarren

  1. Yeah, and I've had this logging feature going for a year with hardly any issues.

    The only reason I kind of wanted to take a look at what was going on was that it was consuming tons of hard disk space...

    The game was relatively old, and it was from a trusted source, so I don't think there was any foul play; most likely it was antiquated programming that was directly accessing the hard disk.

    I doubt it's worth investigating further. Just thought I'd share that experience.

  2. I understand, I'll have to try to do some more testing later on.

    I do think that there is definitely an issue, though, with the detection of programs that are being run through conhost.exe.

    I think it's because of how I compile the program, using a /SUBSYSTEM:CONSOLE parameter, and I'm curious whether that is a best practice for creating console applications.

    From my reading, conhost creates a 3 MB conhost program in memory for every execution of a console program. Even cmd.exe, I think, has to utilize conhost.exe to operate.

    I just know that the detection of the program in "Behaviour Blocker" is hit and miss. I'll have to look again to see if it's just not updating it, or if it's being placed in a2rules.ini.

    ------------------------------------------------------------------------------------------------

    On a side note, I remember in EIS v9 you were able to specify an 'Ask' prompt on whether to run trustworthy programs, or an 'Ask' prompt on unknown programs. In EIS v11, it only gives you the "Ask, Allow, Block" options for Firewall connections.

    In EIS v11 there is the "Privacy" section, which lets you set up "Automatically allow programs with good reputation" and "Automatically quarantine programs with bad reputation."

    I really wish you could pass along a request to the developers about re-adding the feature where you can get a prompt to allow a program (even if it is trusted).

    What was great about EIS v9 as well was that it gave you more detailed information about the drivers involved in creating the process.

    I do think the EIS v11 interface is a step up, but losing these vital features, I think, was a step back as well. I don't think it would be terribly difficult to implement either, as most of the menu interfaces are already set up, and the a2rules.ini should already contain the basic structure required to add this feature in smoothly.

    The reason to support this feature is that with most of the primary Windows programs, once accepted, the system will typically run smoothly without many additional prompts. Every now and then, though, you have some questionable software or an installer that you want to allow/deny step by step, and that's where it was really nice with v9: you could have more control over the process.

    I realize the idea is to make a one-size-fits-all program, but I also like the idea of more advanced features, and the worst-case scenario is that you could make a list of absolutely required Windows applications that need to run.

    One perfect scenario where this would have worked nicely: Windows recently asked me to run GWXconfig.exe or some related GWX program that was designed to try to notify me to update to Windows 10. Granted, I blocked the application anyway, but it would have been nice to have had a prompt asking if I wanted to run the program.

    Something to think about.

  3. To reiterate, when I run the 'Unknown' console application, it creates an entry in "Behaviour Blocker" for Conhost.exe but doesn't add my 'Unknown' program as an entry.

    If I keep closing and running it, eventually the entry will get entered in.

    I thought that, maybe instead of setting the application rules for my program, I should try setting the application rules for Conhost.exe.

    Unfortunately, setting it to "Custom Rules", or setting it to "All Blocked", didn't seem to make any difference (as it still connected).

    The Unknown program is designed to "Listen" like a server, so it should have tripped the "Incoming" filter.

  4. Well, I think I discovered part of the issues I've been having... I thought it was weird how I could type the name of my program into "Behaviour Blocker" and, half the time, it'd show up, and the other half it wouldn't.

    It appears that EIS isn't adding my program name as an entry because Conhost.exe is starting at the exact same time, which is why it's hit and miss on when it adds the entry to the "Behaviour Blocker" table.

    The second issue is that I was trying to connect to the program via 127.0.0.1, and then I realized that it probably has to go through the 192.168.0.x IP, as that's the network interface the filter is listening to.

    I tried connecting through the LAN IP, but it still didn't trigger the EIS Ask Alert.

    I did get a prompt, though, about an "Outgoing" connection (from a trusted program), but the "Incoming" connection wasn't being detected in the 'Unknown' program (and I made sure to send some data back and forth through the connection).

    I'm just not sure if it's because it's still treating it like it's a loopback, but even then, I think it would go through the EIS filter.
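As an added example (not code from the thread), the following Python script demonstrates the loopback point raised in this post: it binds a listener the way the 'Unknown' server program would, connects to it over 127.0.0.1, exchanges one message, and reports which addresses the server-side socket sees. Traffic to 127.0.0.1 stays on the loopback interface whether the server bound to 127.0.0.1 or to 0.0.0.0, which is why a filter watching the 192.168.0.x interface never sees it. The bind hosts and payload are illustrative choices.

```python
import ipaddress
import socket
import threading

# Added example, not code from the forum thread. It starts a small TCP
# listener on the given bind address (as the 'Unknown' server program would),
# connects to it over 127.0.0.1, exchanges one message, and reports the
# addresses the server-side socket sees. The bind hosts and payload are
# illustrative choices.


def probe_listener(bind_host: str, payload: bytes = b"ping") -> dict:
    """Bind, accept one loopback connection, echo the payload.

    Returns the addresses seen on the accepted socket plus a flag saying
    whether the traffic ever left the loopback interface.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))  # port 0: let the OS pick a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve() -> None:
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(64)
            conn.sendall(data)  # echo, so data flows in both directions
            seen["server_local"] = conn.getsockname()[0]
            seen["server_peer"] = peer[0]

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    # The client side always dials 127.0.0.1, as the post describes.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
        cli.sendall(payload)
        reply = cli.recv(64)
    worker.join(5)
    srv.close()

    return {
        "bind_host": bind_host,
        "port": port,
        "server_local": seen.get("server_local"),
        "server_peer": seen.get("server_peer"),
        "reply": reply,
        # True only if the server saw a non-loopback local address, i.e. the
        # packets crossed a real interface where a host firewall would see them.
        "crossed_lan": not ipaddress.ip_address(seen["server_local"]).is_loopback,
    }


if __name__ == "__main__":
    for host in ("127.0.0.1", "0.0.0.0"):
        print(probe_listener(host))
```

Running the same probe against the machine's 192.168.0.x address instead of 127.0.0.1 is the real test of whether the LAN interface is involved; note that a server bound only to 127.0.0.1 will refuse that connection outright, so check the bind address before concluding that the Incoming filter missed it.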

  5. I'm not sure if you can classify this as an issue, but it was an issue for me :P

    I had forgotten to disable the verbose logging option in the registry, and whenever I played a game for a few hours, I would discover that 60 GB of my disk space was gone.

    I eventually discovered my missing disk space was going to ProgramData\Emsisoft\Logs.

    Unfortunately I couldn't say what was really triggering the issue, as the log files were too big to be read by several programs.

    I disabled verbose debug output, and that solved that.

  6. "Advanced Firewall Settings", under the "Automatic Rule Settings" option. All "Incoming / Outgoing" are set to "Ask" for both Trusted and Unknown connections.

    I would like you to verify, though, that the "Ask" prompt is working for an Unknown program.

    I can now find the application listed under "Behavior Blocker", and I've removed the "Application Rule" for the program several times, and each time it does not prompt me to allow the connection. Also, changing the "Advanced Firewall Setting" to 'block' an unknown program does not add a block rule like it does for the "Trusted programs".

    So I think the "Unknown program" feature isn't working properly. Can you confirm?

    Even manually setting the "Application rule" to "Custom Rule" does not give me a prompt like it should.

    Also, another issue is, when I disable the Settings -> Privacy -> "Automatically allow programs with good reputation" option and keep the "Look up reputation of programs", when I run a trusted program, it still allows it, does not prompt me, and does not create an application rule.

    I think that might be part of the unknown program issue: an application rule is not being generated for it, so it just continues like nothing happened.

  7. I've been using Visual Studio 2012 to create some socket-related programs.

    I noticed, though, that it's not detecting my executable as a threat.

    Is it because I've allowed CL.exe that it's associating my executable with that program?

    I'm running the executable as a stand-alone program, though, and I still don't even see an entry in "behaviour blocker" for that executable.

    This seems like a problem, especially if it's using sockets. I would expect at least some kind of detection involved.

    I think it's an issue because it means that a program could be constructed on the computer and then elude detection.

  8. Microsoft allows developers to utilize a "Web Control" container that allows you to browse within an application.

    I was curious whether EIS also extends into this custom web container.

    If so, are there any particular versions it is meant to support?

    Although, now that I think about it, EIS probably just filters websites, and doesn't have much interaction with the internal workings of the browser controls.

  9. Not at this time, I haven't been at the computer recently.

    I did have some unrelated issues, though, where Emsisoft couldn't recover from an error. I would restart, and it would last about a minute before it would come up with an error. I was hoping it would just be resolved in an update. Seems to be okay now.

    I'm potentially battling a failing hard drive, so I didn't want to complicate the matter by reporting on the issues.

    I looked through a2rules.ini and I found a reference to a file that is on another hard drive but is disconnected. I was wondering if perhaps this could not also be a cause for the pointer issue.

  10. Here are a few log files; perhaps they can be of use.

    If I had to take a guess, it's something to do with the "Quarantine" process.

    I went to update today, and after updating I think it found something in one of the Windows Temp folders... then it asked for a program restart to finish updating.

    A couple of weeks ago I had it find like 10 programs in the Temp folder, and then the following day it said they were false positives.

    C:\windows\Temp\tmp00000033\tmp00000f3d

    I sifted through the file, and there were a few website links, but I didn't investigate thoroughly. I submitted the file through Emsisoft - Quarantine.

    Also note, I'm not certain if this quarantined item was even related to this error specifically; when I minimized my browser window, I found the "Invalid Pointer" window lying about, so I am unsure of its exact arrival.

    pointer.txt

    a2start-pointer2.txt

    a2start-pointer.txt

  11. Hello, every 4 days or so I get this Invalid pointer operation error. It pops up behind everything, so I don't notice the issue till I minimize everything; after I press OK I don't see anything else happen (no crashes or other errors), so it's more just trying to fix an error.

    Emsisoft Internet Security 10.0.0.5735
    Windows 10 Pro x64
    Only Emsisoft is installed, no other security applications.

    I received this error as well today, and I'm using 11.0.0.5984.

    I wasn't going to say anything, because I wasn't exactly operating under EIS factory defaults.

    I could probably dig up a little debug information, though, if you're interested... or wait until it happens again under more ideal circumstances.

    (Using Win7 x64)

  12. Firewall blocks without Alert when set to "Ask"

    Well, I have had some cases where I wasn't provided an "Ask" dialog, but I usually fixed the issue by deleting the application rule entirely and running the program again.

    Which got me thinking about the firewall [Remove Rule] not updating in real time and requiring an application restart to take effect. Could be mistaken for not blocking correctly.

    Also... are we talking about blocking Firewall Ports or Firewall Programs?

    If Firewall is set to "Ask" it blocks most of the programs that I've used from running properly, without any information.

    Because if it was blocking most of the programs, Windows probably wouldn't even start.

    I do agree there needs to be more verbose information provided about what is being allowed/blocked instead of just SHA hash information.

  13. I was able to reproduce the issue. I tried a different port to see if it was exclusive to 67, but had the same result. It stops updating rules and stops responding; basically it cripples the a2antimalware service.

    To fix it, I have to update a2rules.ini and a2rules.backup.ini and remove the custom address, and restart before the service will start again; otherwise the service just hangs and constantly says "Starting".

    Eventually EIS says it has a serious error.

    I made a log and edited out my keys and such. You're going to be looking for 11:49; that's the hour and minute I added the 255.255.255.255 entry into the custom address.

    I wish now I'd got the exact second, but you should still be able to find it. I think I found the update rule a couple of times, but I couldn't find anything relevant.

    I also tried 111.111.111.111 to see if it was a length issue, but it worked fine. 255.255.255.254 worked fine as well. I tried 0.0.0.0 and it had no issue with that either.

    Also note, the logs cover only when the entry was added, as well as a failed attempt to delete an entry.

    I didn't make a log of booting up with the service failing to start, because I figured it might be more helpful to see what initially causes it to glitch.

    eis5539.zip

  14. Okay, well I believe we're making progress.

    Using Firefox to test this. I might try something else more thorough later.
    EIS v11.0.0.5935

    a1.
     Blocking was not real-time when using [Remove Rule].
      I had to restart the application for the changes to take effect when removing the rule.

     Blocking was, however, real-time when adding a rule.

    a2.
     Blocking 0-65535 TCP
      Instead of blocking all ports, I believe it is instead "allowing" all ports.

     Blocking 1-65535 TCP
      This actually works successfully, so we can pinpoint 0 as the culprit.

     Blocking 0 TCP
      "Allowed" all ports.

     Blocking (blank, no text) TCP
      Blocked all ports.

    I think that clears things up substantially.
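As an added example (not Emsisoft's code; the actual a2rules.ini schema is not known here), here is a small Python pre-check for the two inputs this post and the 255.255.255.255 report above exercised: custom addresses and TCP port ranges. It classifies special addresses such as 255.255.255.255 (which the earlier post reports hanging the service), 0.0.0.0 and 255.255.255.254, rejects any range that touches port 0, and normalises a blank range to 1-65535, as the behaviour recorded in a2 implies. The "blank means every port" rule is an assumption for any product other than EIS.

```python
import ipaddress

# Added example, not Emsisoft's code: the layout of a2rules.ini is not
# documented here, so this checks only the two value kinds the posts above
# exercised, a custom address and a TCP port range, before they are written
# into any rule file. Address classes are standard IPv4 semantics; the
# "blank means every port" rule mirrors the EIS behaviour reported above and
# is an assumption for any other product.

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
MAX_PORT = 65535


def classify_address(text: str) -> str:
    """Return a label for an IPv4 rule address, or 'invalid'."""
    try:
        ip = ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return "invalid"
    if ip == LIMITED_BROADCAST:
        return "limited-broadcast"    # 255.255.255.255, DHCP DISCOVER target
    if ip.is_unspecified:
        return "unspecified"          # 0.0.0.0
    if ip.is_loopback:
        return "loopback"             # 127.0.0.0/8
    if ip.is_link_local:
        return "link-local"           # 169.254.0.0/16 (APIPA)
    if ip.is_multicast:
        return "multicast"            # 224.0.0.0/4
    if ip.is_reserved:
        return "reserved"             # 240.0.0.0/4, e.g. 255.255.255.254
    if ip.is_private:
        return "private"              # RFC 1918 space such as 192.168.0.x
    return "unicast"


def normalize_port_range(text: str) -> tuple:
    """Turn 'N', 'N-M' or blank into (low, high); reject port 0."""
    text = text.strip()
    if not text:
        return (1, MAX_PORT)          # blank = every port (reported EIS behaviour)
    parts = text.split("-")
    if len(parts) > 2:
        raise ValueError(f"malformed port range {text!r}")
    try:
        low = int(parts[0])
        high = int(parts[-1])
    except ValueError:
        raise ValueError(f"non-numeric port in {text!r}") from None
    if low == 0 or high == 0:
        # Port 0 is not a usable TCP port; the post reports that a range
        # starting at 0 was treated as "allow everything".
        raise ValueError("port 0 is not a usable port; use 1-65535 or leave blank")
    if not (1 <= low <= high <= MAX_PORT):
        raise ValueError(f"port range {text!r} out of order or above {MAX_PORT}")
    return (low, high)


def lint_entry(address: str, ports: str) -> list:
    """Findings for one custom address/port pair; an empty list means clean."""
    findings = []
    kind = classify_address(address)
    if kind == "invalid":
        findings.append(f"{address!r} is not an IPv4 address")
    elif kind in ("limited-broadcast", "unspecified", "multicast", "reserved"):
        findings.append(f"{address} is a {kind} address, not a host; confirm it is intended")
    try:
        normalize_port_range(ports)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for addr, rng in (("255.255.255.255", "67"), ("192.168.0.5", "0-65535"),
                      ("111.111.111.111", ""), ("255.255.255.254", "1-65535")):
        print(addr, rng, "->", lint_entry(addr, rng) or "ok")
```

The linter warns on 255.255.255.255 rather than refusing it, because a rule for that address on port 67 is exactly what a DHCP DISCOVER looks like on the wire, so there is a plausible reason someone would type that entry; the warning is what makes the operator confirm it before the service has to cope with it.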

  15. I am using EIS v11 and updated a moment ago as well, and still have the same issue.

    Firefox 43.0b3: I loaded the beta version because of its new feature "Disconnect.me", which has its own built-in ad blocking.

    However, a day before, the stable Firefox version wasn't working either, so I think the same issue is prevalent.

    I've attached the a2service log file; it starts at exactly the moment I began

    Firefox.exe -safe-mode

    and ends the moment it completes.

    vi.txt

  16. I noticed a week ago, after some updates, svchost.exe started displaying Protocol 2 : Port 0 when connecting. I looked it up in the EIS firewall logs and I believe it was listed as an [IGMP].

    Also, you are showing us what's in your "Incoming" connections, and although the dialog says it's trying to receive incoming data, I believe it's actually an "Outgoing" connection, so you should display what's in your outgoing connections.

    I typically see this port try to connect only when your Internet connection is trying to be made. So your machine coming from a sleep is most likely trying to connect to the internet.

    10:05:47.510    1476  FWEVT: [EFW]: [WFP] [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Connection attempt
    10:05:47.510    1476  FWSRV: ResolutionRequestSubCallback Proto=2; Dir=2; Local=169.254.217.249:0; Remote=224.0.0.22:0; Proc=4; App="System"; IPV6=0
    10:05:47.510    1476  FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 No app rule found, asking for resolution
    10:05:47.510    1476  FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Asking for resolution
    10:05:47.510    1476  FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Asking...
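As an added example (not part of the thread or of Emsisoft's tooling), the following Python parser reads the a2service log lines quoted above, copied here as sample input, and annotates the fields under discussion: protocol number 2 is IGMP, which has no port field, so "Port 0" is simply the absence of a port; 224.0.0.22 is the multicast group that IGMPv3 membership reports are sent to; and 169.254.x.x is a link-local (APIPA) address an interface uses before it has a DHCP lease, consistent with a machine re-establishing connectivity after sleep. Membership reports originate on the host, which supports the post's reading that this is outgoing traffic. The regexes target only the two message shapes shown; other lines come back as None.

```python
import ipaddress
import re

# Added example, not part of the thread or of Emsisoft's tooling. It parses the
# a2service firewall log lines quoted in the post above (copied here as sample
# input) and annotates the fields that caused confusion. The regexes are
# written against these two message shapes only; anything else returns None.

SAMPLE_LOG = [
    "10:05:47.510    1476  FWEVT: [EFW]: [WFP] [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 Connection attempt",
    '10:05:47.510    1476  FWSRV: ResolutionRequestSubCallback Proto=2; Dir=2; Local=169.254.217.249:0; Remote=224.0.0.22:0; Proc=4; App="System"; IPV6=0',
    "10:05:47.510    1476  FWEVT: [EFW]: [IGMP] 169.254.217.249: 0 --> 224.0.0.22: 0 /ssConnect/ (System) PID: 4 No app rule found, asking for resolution",
]

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers
NAME_TO_PROTO = {v: k for k, v in PROTO_NAMES.items()}
PORTLESS = {1, 2}   # ICMP and IGMP carry no port field, so ":0" is not a real port

PREFIX = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+"
FWSRV_RE = re.compile(
    PREFIX + r'FWSRV: \w+ Proto=(?P<proto>\d+); Dir=(?P<dir>\d+); '
    r'Local=(?P<laddr>[\d.]+):(?P<lport>\d+); Remote=(?P<raddr>[\d.]+):(?P<rport>\d+); '
    r'Proc=(?P<pid>\d+); App="(?P<app>[^"]*)"')
FWEVT_RE = re.compile(
    PREFIX + r'FWEVT: \[EFW\]: (?:\[WFP\] )?\[(?P<pname>\w+)\] '
    r'(?P<laddr>[\d.]+): (?P<lport>\d+) --> (?P<raddr>[\d.]+): (?P<rport>\d+) '
    r'/(?P<stage>\w+)/ \((?P<app>[^)]*)\) PID: (?P<pid>\d+) (?P<msg>.*)$')


def describe_address(text: str) -> str:
    """Explain what kind of IPv4 address appears in the log field."""
    ip = ipaddress.IPv4Address(text)
    if ip == ipaddress.IPv4Address("224.0.0.22"):
        return "multicast 224.0.0.22: IGMPv3 membership reports to all multicast routers"
    if ip == ipaddress.IPv4Address("224.0.0.1"):
        return "multicast 224.0.0.1: all hosts on the link"
    if ip.is_multicast:
        return "multicast group"
    if ip.is_link_local:
        return "link-local (APIPA) address: interface has no DHCP lease yet"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private (RFC 1918) address"
    return "global unicast"


def parse_line(line: str):
    """Parse one FWEVT/FWSRV line into a dict, or None if it is another shape."""
    line = line.strip()
    m = FWSRV_RE.match(line)
    if m:
        proto = int(m["proto"])
        ev = {"kind": "FWSRV", "dir_raw": int(m["dir"]), "stage": None, "msg": None,
              "proto_name": PROTO_NAMES.get(proto, f"proto {proto}")}
    else:
        m = FWEVT_RE.match(line)
        if not m:
            return None
        proto = NAME_TO_PROTO.get(m["pname"])
        ev = {"kind": "FWEVT", "dir_raw": None, "stage": m["stage"], "msg": m["msg"],
              "proto_name": m["pname"]}
    ev.update({
        "time": m["ts"],
        "proto": proto,
        "local": (m["laddr"], int(m["lport"])),
        "remote": (m["raddr"], int(m["rport"])),
        "pid": int(m["pid"]),
        "app": m["app"],
        "ports_meaningful": proto not in PORTLESS,   # "Port 0" on IGMP means no port
        "local_note": describe_address(m["laddr"]),
        "remote_note": describe_address(m["raddr"]),
    })
    # The FWEVT arrow runs local --> remote, and IGMP membership reports are
    # always sent by the host, so this is traffic leaving the machine, not
    # incoming data. The numeric Dir code is kept raw; its mapping is not
    # documented here.
    ev["direction"] = "outbound" if (proto == 2 or ev["kind"] == "FWEVT") else "see dir_raw"
    return ev


def summarize(lines) -> list:
    """One human-readable line per parsed record; unparsed lines are skipped."""
    out = []
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        ports = "" if not ev["ports_meaningful"] else f" port {ev['remote'][1]}"
        out.append(f"{ev['time']} {ev['kind']} {ev['proto_name']} {ev['direction']} "
                   f"{ev['app']}(pid {ev['pid']}) {ev['local'][0]} -> {ev['remote'][0]}{ports}; "
                   f"local: {ev['local_note']}; remote: {ev['remote_note']}")
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```

The two notes worth keeping from the output are that an IGMP event has no port to block (a "Port 0" rule is meaningless for it), and that a 169.254.x.x source means the interface had not yet obtained a DHCP lease when the System process (PID 4) sent the membership report, which is what a freshly woken machine looks like.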
    