Posts posted by iWarren

  1. Using latest version of EIS v11 (new installation today)

    I was trying to add custom addresses for svchost.exe for all the specific ports used for connectivity.

    Here's what I have for "Outgoing Connections":

    5355 UDP - ALLOW - Custom Address:

    53 UDP - ALLOW - Custom Address:,, (My ISP DNS Server Here)

    67 UDP - ALLOW - All

    This setup is operational; however, the trouble came when I tried to be specific with port 67. I entered in a custom address of because I saw this was an address it used.

    Upon entering it in, EIS refused to update the entries or allow svchost rule to be removed. EIS more or less became despondent. When I rebooted the system it stalled for 30~ seconds, then the A2service failed to start, and was stuck in a mode of "Starting" and wouldn't stop or start no matter what I did. I couldn't get into a2start.exe because it kept saying "Eis is waiting on a service to start".

    So I deleted the "Custom Address =" entry in a2rules.ini for svchost.exe and restarted. Everything worked fine after that. I tried other addresses like and it worked fine; it seems to be that one specific rule for 'broadcasting' that it seemed to flake out on.

    If someone could verify this. I understand it might not be a bug and more of an invalid settings issue for the crucial file svchost.exe.

    Let me know what you think.

    Also, while I was in TcpView I noticed LSASS was connected to a TCP local port of 1032, but I noticed that the firewall by default blocks ports 1024 - 1030. So you might consider extending the range.

    I also poked around online and saw someone else had an lsass on port 1033

    and here they mention 1024 - 1034

    Not sure if it's related, but they mention here something about blocking RPC ports 1024-5000

  2. Yeah, that's what I eventually ended up doing, was set the "Ask to block" to "Block" automatically.

    It is a specific program though, it's a game server, and when it goes to refresh the server listings, it gets flooded with port requests until it eventually has too many and blocks 0-65535 on its own, which, because 0-65535 is over-riding everything, then blocks that 1 port I wanted to use. So I have to delete that entry to get it to work again.

    Also Firefox has issues with it as well, trying to connect to a random local port on startup.

    Right now it's inconvenient, but I still think it should be moved up on the priority list.

  3. Hello,

    I've posted this issue a few times already (since August), and I hate to keep bugging you about it, but I really need this feature to work.

    Putting a port block of 0-65535 underneath your allowed port blocks the allowed port.

    It was working before August, then it stopped.

    Without this feature, certain applications will bombard you with port allowance requests (because I have it set up to "ask" to allow a port).



  4. EIS v11.0.0.5847

    Windows 7 Home 64-bit

    Firefox v41.0.2 (Safe-mode)


    I captured this in Firefox w/ safe-mode enabled (no plugins loaded), this capture is from the moment it was started to the moment firefox prompts to enter safe-mode, which brings the window open immediately.

    I believe the point of interest is possibly

    02:29:44.216    3900  -> TDelayedInitializator.Refresh()

    However judging by the time-stamp I'm not certain if that can account for all of the delay, unless perhaps some sort of multi-threaded delay?


  5. In that HostsMan link there is a hosts file that refers here: http://hostsfile.org/Downloads/hosts.txt

    Perhaps I'm completely reading it wrong, but it appears that it has linked all of those websites to localhost. It says it's supposed to be used as a filter, but if that's the case why does it initially link with localhost?

    Can you fill me in on that one?

    • Upvote 1
  6. Windows 7 Home - 64-bit


    I'm having a bit of issues with the logging process.

    I enabled it in command prompt, admin access.

    I did this before I updated to v11, as I wanted to capture the 'transition process' as well. I confirmed that it was logging and then I was prompted to Restart to finish v11 installation.

    So I moved those log files to another location, and proceeded to restart.

    After returning from the restart, Programdata\Emsisoft\Logs had no log files, and now it refuses to provide any more logs.

    I verified in the registry that the logging option is set, and disabled/enabled it again.

    So I am curious if perhaps this logging option hasn't been disabled in v11?

    Also, before sharing any logs, are there any pieces of data shared within the log files that could be a security issue by sharing? i.e. certain hashes?

  7. I've only used the 'Surf Protection' a few times and I've used EIS for a few years.

    I use Adblock Plus to block ads.

    RequestPolicy to block cross-site requests.

    "Cross-site requests are requests that your browser is told to make by a website you are visiting to a completely different website. Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits"

    and NoScript to block Javascript from running on pages by default.

    With the exception of Adblock running seamlessly behind the scenes, generally you have to pick and choose what you want to allow, and I think a lot of people just can't be bothered to click a few extra buttons and discern between what looks suspicious.

    I think EIS's strength is that although something has the potential to get past the browser, it's generally good at preventing the malicious software from going any further, and if it does go further, will alert you to some unordinary activity.

    The first and foremost defense against malicious websites/software will always be common sense. Personally I prefer not to visit any foreign country domains, as much as I'd like to trust all of our international neighbors.

    Another thing is to avoid using Flash if at all possible, as it has more security holes than a block of swiss cheese. I haven't had Flash installed in years, and I can get on without it quite easily with the advent of HTML5.

    I was going to say I don't think it's EIS's job to really police your browser, but it is a part of "internet security". On the other hand, you have so many browsers out there: Firefox, Safari, Opera, IE, Chrome, Thunderbird etc. It would be hard for Emsisoft to babysit each and every one of them, as they all handle things a little differently.

    Bottom line is... you're going to have to police your own browser.

    Who would have thought you needed so much security just to display some text/pictures/videos on the screen?

  8. (Using v11)

    I am running the latest Firefox v41.0.2 in safemode (disables all addons) and it still hangs for 22 seconds before opening the window.

    The firefox program is running, but after loading about 8 typical threads it pauses. It seems about the right time that it would probably be loading an emsi driver.

    I suspected it was the 'surf protection' but it still doesn't work with 'surf protection' disabled.

    I turned off the firewall, and firefox instantly comes up. So it's something to do with the firewall module.

    I think we can safely rule out firefox as an issue as it works fine with v10.

  9. Yeah, I'm up for it. I actually already tried to collect some debug info regarding the firefox delay.

    Using sysinternals DebugView, I tried to capture the win32/kernel calls upon firefox startup, but it didn't seem to display anything relevant or useful. I expected to see possibly some duplicate calls to something, but I didn't see many calls at all. Makes me think maybe DebugView isn't the right program for windows pipe viewing.

    On the bright side, I did see some websites that firefox was accessing on startup, so if anyone is curious about what websites firefox is connecting to (i.e. for addons and such), or even other programs, then I recommend using DebugView for this.

  10. Firewall Enabled Causes Delay in Application Startup

    Using v11, starting Firefox with Firewall Disabled, Firefox starts in 1 second.

    With firewall enabled... average startup time is 22 seconds, although creating new instances once it's open causes no delay.

    For the record, this computer has a fresh 32-bit Windows 7 pro install, fully updated.

  11. Upgrade from EIS to EIS (Beta)


    I currently have for the 'Advanced Firewall Settings' to "Ask" to allow incoming/outgoing firewall rules. (All 4 options are set to Ask.)

    Application Rules did not Update after Upgrade

    After the upgrade/restart I deleted the custom rules to allow ports 80/443 and yet it still allowed the connection even after restarting firefox and did not prompt me to allow it again either.

    So I went to Settings -> "Factory Defaults"

    This seemed to do the trick, and this time asked me to allow the port connections 80 / 443.

    Real-Time Firewall Blocking

    At first I allowed port 80 / 443, and then tried adding a BLOCK TCP/UDP 0-65535 (below the first rule). I could still browse successfully (where before in v10, 0-65535 was over-riding everything).

    However then I removed the rules, then tried this time to "block" the connections, except it was still allowing the connection, even though 80 / 443 were blocked. It wasn't until I restarted firefox that the blocking rule took effect.

    So it appears real-time firewall blocking of the application is not quite working.



    Real-time Application Blocking (or Suggestion)

    Another issue, prevalent in v10 also, is when you block an application in Application Rules or Behaviour Blocker, it does not close the application once blocked, it just prevents it from running the next time. Where in v9 I remember it used to close the application immediately once blocked.

    Automatic Custom Monitoring (Suggestion)

    Even though I have automatic firewall settings set to "Ask" about trustworthy applications, the behaviour blocker still sets everything to "All Allowed", so each time I do, say, a Factory Reset or new install, I have to reset each application to "Custom Monitoring" if I want to be confronted with potential behavioural threats.

    The behavioural blocking is the pride and joy of EIS, so I think it should be an option in "Advanced Firewall Settings" to set "All Allowed" to "Custom Monitoring" by default. Which will warn you about code injection and such.


    Automatic Behavior Blocking Template (Suggestion)

    Also think you should be able to create something like a Template that applies to all applications by default, for example "Block Backdoor Related Activity" and "Block Spyware Related Activity" could be set by default, based on the template you created.

    More Detailed Information About Intrusions (Suggestion)

    I mentioned in the previous suggestion about behavioural blocking, and how it warns you about code injection and potential intrusions. These errors can come from system applications, for example... when changing personalize settings, a message appears saying Explorer.exe wants to change something, or when Firefox tries to run a program from the downloads menu, it will say something along the lines that Firefox is acting like a trojan or something to that nature. These are scenarios where it was likely a false detection, but was warning of a potential problem, which is great! However, there are also scenarios where Explorer.exe or Firefox.exe may be doing something it shouldn't, and yet the options are to Allow something potentially bad, or Block, which closes the application, not really knowing what you just blocked.

    So what I'd really love to see.... is the offending command. I believe v9 had it right... when it popped up the behaviour, it gave you much more verbose input, like Explorer.exe -> Shell32.dll -> hotdog.dll -> somethingweird.exe

    Then I could tell the difference between a simple desktop entry being modified, or an actual threat that needs to be dealt with.

    So would really really love to see an option in "Advanced rule settings" for [ X ] verbose behaviour messages

    Application Rules & Behavior Rules Merging (Suggestion)

    I think v9 also had it right in this case.... all of the application rules were all in one neat tidy window. Maybe I'm a little daft, but I don't quite understand why these two are separated, and why some applications will show up in Behavior Blocker and not in Application Rules, and if I want one in the other, I have to create the rule myself. Then tediously set everything to Custom Monitored, to get it to monitor its behavior.

    Theming (Suggestion)

    I know I've said this before, but I'll say it again... I'd love to have an option to theme/skin the EIS application, maybe to something with more neutral colors.





    If everything gets automatically allowed, then it's only passively protecting the system for the sake of letting Windows run smoothly.

    The goal here is easy to use security. I think it's important not to let security take a back seat for the sake of making it easy to use.

    In the Blog you make mention that everything should be kind of behind the scenes without much intervention and fiddling around with settings, however I think a lot of people don't really mind the extra popups as long as they know their system is actually being protected.

    Special Thanks

    I'd like to thank the Emsisoft team for their dedication and hard work on this amazing application. I hope everything I've said has not been discouraging but has inspired you to keep working to make this program even better. Keep up the good work, and please tell Santa about everything on my wish list.



    • Upvote 2
  12. Hey, that's great you were able to reproduce the issue.

    After the install, I searched again for 'EfwTdiFlt' and could not locate the service or the file itself. Checked the "emsisoft internet security" folder as well as windows/drivers and Registry.

    Are you positive that is a necessary file?

    At any rate, you identified the firewall issue, so that's something.

  13. I did as you asked: uninstalled, restarted twice, installed from provided link.

    If you could tell me what driver I should be looking for, maybe I can see if it's present now.

    I am noticing though, I can no longer block ports 0-65535 without it overriding the rule above and blocking everything. For example allowing ports 80, 443 on firefox and then blocking ports 0-65535 below that rule... is also blocking 80, 443.

    Is this something new from the update? Or is there still a problem somewhere?
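
The rule layout described in posts 2, 3 and 13 (allow rules for 80/443 placed above a catch-all block of 0-65535), as an added example that is not part of the original posts and is not Emsisoft's code. It models a generic ordered rule list and compares top-down first-match evaluation with an order-independent "any block wins" evaluation, which produces the reported symptom; the `Rule` class, function names and rule list are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                       # hypothetical rule model, not EIS's format
    action: str                   # "allow" or "block"
    proto: str                    # "tcp", "udp" or "any"
    lo: int                       # first port in range
    hi: int                       # last port in range (inclusive)

    def matches(self, proto, port):
        return self.proto in ("any", proto) and self.lo <= port <= self.hi

def first_match(rules, proto, port, default="ask"):
    """Top-down evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return default

def block_overrides(rules, proto, port, default="ask"):
    """Order-independent evaluation: any matching block rule wins."""
    actions = {r.action for r in rules if r.matches(proto, port)}
    if "block" in actions:
        return "block"
    return "allow" if "allow" in actions else default

def covered_allows(rules):
    """Allow rules whose whole port range also falls inside a block rule."""
    blocks = [r for r in rules if r.action == "block"]
    return [r for r in rules if r.action == "allow" and any(
        b.proto in ("any", r.proto) and b.lo <= r.lo and r.hi <= b.hi
        for b in blocks)]

# Constructed rule list mirroring the posts: allow 80/443, then block everything.
FIREFOX_RULES = [
    Rule("allow", "tcp", 80, 80),
    Rule("allow", "tcp", 443, 443),
    Rule("block", "any", 0, 65535),
]

if __name__ == "__main__":
    for port in (80, 443, 8080):
        print(port, first_match(FIREFOX_RULES, "tcp", port),
              block_overrides(FIREFOX_RULES, "tcp", port))
    print("allow rules that depend on ordering:", covered_allows(FIREFOX_RULES))
```

Rules returned by `covered_allows` only work if the engine honours list order, so they are the ones to re-test after an upgrade.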
