
Da Phu

Member
  • Posts: 242
  • Joined
  • Last visited
  • Days Won: 7

Posts posted by Da Phu

  1. 22 hours ago, Raynor said:

    Fair enough, but what's with fresh installations of v1803/v1809 ?

    According to MS, the memory integrity feature is always switched on
    on qualifying modern PCs (with virtualization support, UEFI and stuff)
    when Windows is installed from scratch.

    Wouldn't then "average" users be greeted by a big fat blue screen when they try to install EAM ?
    Or am I missing something here / am I getting something wrong ?

    https://www.auslogics.com/en/articles/core-isolation-and-memory-integrity/

    Quote

    Why is Memory Integrity Disabled by Default?

    You shouldn't encounter problems with the main Core Isolation feature. As long as the Windows 10 PC has the features needed to support it, it will be automatically enabled. Moreover, there is no interface for disabling it.

    On the other hand, Memory Integrity protection can cause problems with other low-level Windows applications and some device drivers. This is also the reason why the feature is disabled by default on upgrades. Microsoft has been pushing device manufacturers and developers to make their software and drivers compatible. By default, the feature is enabled on new installations of Windows 10 and new PCs.

    If one of the drivers essential in booting your computer is incompatible with Memory Protection, your system will disable the feature. This is why even after enabling it, you find it disabled when you reboot your PC.

    Sometimes, when you enable Memory Protection, you might encounter malfunctioning software or problems with other devices. It is recommended that you check for updates with the specific driver or application. You should turn off Memory Protection if you discover that there are no updates available.

    As previously mentioned, Memory Integrity might also be incompatible with certain applications that need exclusive access to the virtualization hardware of the system. It is also worth mentioning that tools like debuggers may need exclusive access to this hardware. Moreover, they won’t work when Memory Integrity is enabled.

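The quoted article describes Memory Integrity (HVCI) being silently turned back off when a boot-critical driver is incompatible. The following PowerShell is an added example, not from the thread or from Emsisoft, for checking which state a machine is actually in before installing a product that ships kernel drivers: whether HVCI is configured, whether it is running, and whether the Code Integrity log shows drivers that were refused. It relies on the documented Win32_DeviceGuard CIM class; the registry path is the location the Core Isolation switch writes to, and the interpretation of "configured but not running" as the driver-blocked case is an assumption taken from the article's description.

```powershell
# Added example (not from the forum thread). Reports Memory Integrity (HVCI) state.
# Win32_DeviceGuard values, per the documented class:
#   VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
#   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI

function Get-MemoryIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    # The Core Isolation "Memory integrity" toggle in Settings is stored here (assumption: absent = install default).
    $regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $regEnabled = (Get-ItemProperty -Path $regPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured     = $hvciConfigured
        HvciRunning        = $hvciRunning
        HvciRegistryToggle = $regEnabled
        # Requested (by policy or toggle) but not running: the case the article attributes to an incompatible driver.
        BlockedAtBoot      = ($hvciConfigured -or ($regEnabled -eq 1)) -and -not $hvciRunning
    }
}

function Get-CodeIntegrityBlockEvents {
    param([int]$Last = 20)
    # Errors (level 2) and warnings (level 3) in the Code Integrity operational log name
    # the driver images that CI refused to load, which is what to look at when BlockedAtBoot is true.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Level = 2, 3 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-MemoryIntegrityState | Format-List
Get-CodeIntegrityBlockEvents | Format-Table -Wrap
```

Run it from an elevated PowerShell session; the CIM query works unelevated, but reading the operational log and the DeviceGuard key may not. A result of HvciConfigured true and HvciRunning false is the situation to resolve with a driver update rather than by assuming the feature is simply off.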

  2. On 7/30/2018 at 12:37 PM, GT500 said:

    Scanning archives isn't used in a Malware Scan, so if it happens when running a Malware Scan then let me know what file is being scanned when it happens (or take a screenshot of EAM so that I can see what it's scanning).

    Tested 2 days straight, and it seems like Windows Defender no longer detects anything related to Emsisoft as a threat. In addition, Microsoft replied to the ticket I reported that they had already fixed this false-positive detection.


  3. 4 hours ago, GT500 said:

    It was probably the contents of an archive (ZIP, RAR, 7z, etc) that was extracted to the TEMP folder for scanning. The BitDefender scan engine does that if the option to scan inside archives is selected.

    Update: 7/26 1:11 AM EST

    I have that option enabled on Custom Scan. Malware Scan triggered it as well.

    Windows Defender's latest signatures detect one of Emsisoft's temp files in the temp folder located in AppData\Local as a Trojan during a malware scan. The detection name is Trojan:Win32/Zpevdo.A.

    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Zpevdo.A&ThreatID=-2147240153


  4. 18 hours ago, JeremyNicoll said:

    But "Appdata > Local > temp" is where all the temporary files created by many applications, and by the OS itself on your behalf, will be put.

    And a file/folder inside that named "Tempxxxxxx" could have been created by any application or by the OS.

    Is what you're saying just that you've got some files in %temp% which Windows Defender says are infected, but EEK did not think were infected? If so, that could mean that WD was wrong - maybe the files are ok. If you still have them you could upload them to VirusTotal, one at a time, to see what it thinks about them. If it thinks they are ok then there's no issue. If it thinks they are infected then for each of those it would be useful if you tell us the URL of the VT report that says that for each file.

    The VirusTotal site is at: https://www.virustotal.com/en-gb/

    Their service is public so if the files concerned contain confidential data of yours, you might not want to upload them there.

    It was created by EEK. The temp folder appeared when I opened EEK and disappeared when I closed EEK. I wish I could restore the files that Windows Defender detected, but for some reason Windows Defender automatically removed the files instead of quarantining them.


    4 hours ago, GT500 said:

    Do you have a copy of the scan report with the full path? They're usually saved in the following folder:

    • C:\EEK\Reports

    I ran a malware scan in EEK, and this is where Windows Defender detected some files in the EEK temp folder in AppData > Local as a threat. Windows Defender automatically removed the threat instead of quarantining it. I just did a malware scan today with EEK's latest signatures, and it seems like Windows Defender no longer detects EEK files in the EEK temp folder as a threat.
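Several posts above turn on two questions that Defender's own detection history can answer: was the flagged file really under the user's temp folder where an on-demand scanner extracts archive contents, and did Defender remove it or quarantine it. The PowerShell below is an added example, not from the thread or from either vendor, that lists recent Defender detections with their paths and flags those under %LOCALAPPDATA%\Temp, so a report to Microsoft or Emsisoft can cite the exact path, detection name and outcome. It uses the real Get-MpThreatDetection and Get-MpThreat cmdlets; the assumption that each entry in Resources carries a prefix such as "file:_" before the path is mine.

```powershell
# Added example (not from the forum thread). Correlates Defender detections with the temp folder.

function Get-TempFolderDetections {
    param([int]$Days = 7)
    $since    = (Get-Date).AddDays(-$Days)
    $tempRoot = [System.IO.Path]::GetFullPath($env:LOCALAPPDATA + '\Temp')

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $detection = $_
            # Assumption: Resources entries look like "file:_C:\Users\...\Temp\TempXXXX\sample.bin";
            # strip the "<kind>:_" prefix to get a comparable path.
            foreach ($res in $detection.Resources) {
                $path = $res -replace '^[a-z]+:_', ''
                [pscustomobject]@{
                    Detected       = $detection.InitialDetectionTime
                    ThreatName     = Resolve-ThreatName -ThreatID $detection.ThreatID
                    Path           = $path
                    InTempFolder   = $path.StartsWith($tempRoot, [System.StringComparison]::OrdinalIgnoreCase)
                    ScannerProcess = $detection.ProcessName   # process that touched the file, e.g. the scanner
                    ActionSuccess  = $detection.ActionSuccess # whether Defender's remediation completed
                }
            }
        }
}

# Map the numeric ThreatID back to its name (e.g. Trojan:Win32/Zpevdo.A, as reported in the thread).
function Resolve-ThreatName {
    param([long]$ThreatID)
    (Get-MpThreat | Where-Object ThreatID -eq $ThreatID | Select-Object -First 1).ThreatName
}

# Entries still held in quarantine are the ones that can be restored and submitted for analysis.
Get-TempFolderDetections | Where-Object InTempFolder | Format-Table -AutoSize
Get-MpThreat | Select-Object ThreatName, IsActive, DidThreatExecute, Resources | Format-List
```

A detection whose path is under the temp folder and whose ScannerProcess is the scanner's own process is the archive-extraction case described above; submit that sample through the vendor's false-positive channel rather than excluding the folder, since the same folder is also where unrelated software drops files.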

  5. 7 hours ago, JeremyNicoll said:

    Why do you describe that folder as the "EEK temporary folder"? Its name suggests it's the normal system temporary folder... and if there's an iffy file in there surely you'd want to know about it?

    It is in the Appdata > Local > temp > Tempxxxxxx folder. This is where Windows Defender removed the threat, and it didn't quarantine it, during the Emsisoft scan. There are some files in the Emsisoft temp folder in AppData\Local that Windows Defender detects when doing a scan.

  6. On 6/15/2018 at 6:42 PM, GT500 said:

    It's probably just not responding well to our hooking method (some programs have issues with other applications injecting code into them).

    I just tested again, and the delay is only 2 seconds for me when minimizing or closing HWinfo without exclusions. Possibly because there's nothing else on the test system (just drivers and a few web browsers).


    I recommend doing that for now. If it's the same issue that MPC-HC has, then it won't be easy to fix, however I will let QA know so that they can look into it.

    Okay. Any update from the QA team?

  7. On 6/13/2018 at 8:15 PM, GT500 said:

    It is slower to minimize when not excluded from EAM, however in my test setup the difference in time it takes to minimize is only a second or two. I don't think I noticed it being slow to close, but it's possible the difference between excluded and not excluded wasn't enough for me to notice it.

    Do you launch it in "Sensors only" mode, or have you changed any of the default settings for HWinfo? Did you install it, or use the portable version?

    Hey, I am back. Do I have to add HWInfo64 into exclusion permanently?

  8. 29 minutes ago, GT500 said:

    We removed the option and made it an "always on" feature.

    All it did was set a2service to run as the System user and change the startup type of the service so that it would run on boot instead of after logon, which is now how EAM always operates.


    12 hours ago, JeremyNicoll said:

    I think that "Settings - General - Guard Settings - Start on Windows Startup"  covers that, as if it's on from as early in boot as possible, it's clearly on before anyone logs in.

    Thank you very much for answering my question. As you can see, I am back to Emsisoft again. I ditched Bitdefender because Bitdefender support is nowhere near as good as Emsisoft's.
