About Roland

  • Rank
    New Member
  1. Okay, perhaps I have to be more specific. I had not made any excludes in the first grid (the one for Exclude from scanning). The first grid is empty. I had only made the one for the said folder in the second grid (Exclude from Monitor). So I think when there is malware in this folder only the behavior blocker should be disabled and the file guard should catch the known malware sample (using no excludes, EAM will hit this sample). But it did not (at least for me); it launched the samples without any warning, and also no message appeared in the logs. Perhaps someone else could test if they have the same behavior. I will try to re-check tomorrow to ensure that I did not make any mistakes and will probably make a screen recording.
  2. Sorry, I forgot, but I think this might be helpful. Tested on Windows 7 SP1 32-bit version including all critical and important Microsoft OS patches.
  3. Okay, tested this with the EICAR test file and real CryptoWall and Petya samples. Made a new folder d:\testfiles, added an exception to monitoring d:\test*. Did an on-demand scan from the Explorer context menu for this folder. EAM found all three samples. Clicked on the EICAR sample, which gave me the known COM error. Got a little bit nervous, made an image of the PC and detached networking. Clicked on the CryptoWall sample; it started, did some changes without alerting and tried to start the decrypted malware in the temp folder, which EAM blocked as this was not a whitelisted folder. Clicked on the Petya sample (this one is straightforward, so no decryption or the fancy stuff) and as expected it launched without any warning, restarted the PC and began encryption. (No problem as this was for testing only.) So for me it looks like exclude from monitoring will exclude everything other than on-demand, or it is a bug. I would greatly appreciate the behavior/logic you explained: excluding only behavior/monitoring-based detection separately from signature-based.
  4. Did just make some tests with the whitelist features. Very nice to see wildcards! At this step it is a little bit annoying to add new entries, as you at least have to enter one folder and then you are able to alter the path by clicking the new entry. But for me this is more a cosmetic issue. Now to the main topic. As I did not find a pop-up or other info, I assume the exclude option disables/excludes from all of on-demand (scheduled), on-access (realtime) and behavior blocker, in contrast to exclude from monitoring, which only means on-access and behavior blocker, leaving on-demand active. Also noticed that excluding for example putty.exe does not remove the Behavior Blocker Hooks DLL as it did in EAM11. Is it possible to exclude injecting these DLLs in some rare case that an application crashes while using the behavior blocker? Is it also possible or planned to have a behavior-blocker-only whitelist, as I find it important to have at least realtime protection and do not want to exclude all checks? For example, we have a large admin-maintained install share where a lot of software installers are placed, some of which will trigger a behavior blocker alert. We have whitelisted this folder in EAM (using ECC) but only from the behavior blocker, which is possible in EAM11. So our automated installations run fine but we have at least some kind of protection if we unintentionally upload malware to this share.
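A small model of the two exclusion grids and the wildcard matching discussed in the posts above, added here as an example; it is not Emsisoft's code, and the layer names, function names and sample paths are constructed. By default it reproduces the behaviour observed in post 3 (only on-demand scanning survives an exclude-from-monitoring entry); passing `monitoring_layers={BEHAVIOR}` models the reading hoped for in post 1, and `overreach` shows why `d:\test*` covers more than the d:\testfiles folder it was meant for.

```python
import fnmatch
import ntpath

# Protection layers the posts distinguish (constructed labels, not EAM's own names).
ON_DEMAND, ON_ACCESS, BEHAVIOR = "on-demand", "on-access", "behavior-blocker"
ALL_LAYERS = frozenset({ON_DEMAND, ON_ACCESS, BEHAVIOR})

def _norm(p):
    # Windows paths compare case-insensitively; ntpath.normcase lowercases and
    # turns '/' into '\' on any host platform, so the model runs anywhere.
    return ntpath.normcase(p)

def matches(path, pattern):
    """fnmatch-style wildcard test. Note that '*' also crosses directory
    separators, so r'd:\test*' matches everything below d:\testfiles\ (and more)."""
    return fnmatch.fnmatchcase(_norm(path), _norm(pattern))

def active_layers(path, exclude_from_scanning, exclude_from_monitoring,
                  monitoring_layers=frozenset({ON_ACCESS, BEHAVIOR})):
    """Layers still applied to `path` (hypothetical model).  The scanning grid
    switches everything off; the monitoring grid switches off `monitoring_layers`.
    The default reflects post 3 (only on-demand survives); {BEHAVIOR} models the
    'behavior blocker only' interpretation expected in post 1."""
    layers = set(ALL_LAYERS)
    if any(matches(path, p) for p in exclude_from_scanning):
        layers.clear()
    if any(matches(path, p) for p in exclude_from_monitoring):
        layers -= monitoring_layers
    return frozenset(layers)

def overreach(pattern, intended_folder, paths):
    """Paths an exclusion pattern matches that lie outside the folder it was
    meant for: a sanity check to run before committing a wildcard exclusion."""
    folder = _norm(intended_folder).rstrip("\\") + "\\"
    return sorted(p for p in paths
                  if matches(p, pattern) and not _norm(p).startswith(folder))

# Constructed sample data: the exclusion from post 3 and a few paths on a test box.
MONITOR_EXCLUDES = [r"d:\test*"]
SAMPLE_PATHS = [
    r"D:\testfiles\eicar.com",
    r"D:\testfiles\sub\cryptowall.exe",
    r"D:\testplan.xlsx",            # outside the test folder, yet matched by d:\test*
    r"C:\Users\roland\setup.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, sorted(active_layers(p, [], MONITOR_EXCLUDES)))
    print("overreach of d:\\test*     :", overreach(r"d:\test*", r"d:\testfiles", SAMPLE_PATHS))
    print("overreach of d:\\testfiles\\*:", overreach(r"d:\testfiles\*", r"d:\testfiles", SAMPLE_PATHS))
```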