Posts posted by malik4477

  1. You may have missed this one at MalwareTips.com,


    The BB always has blocked suspicious outgoing connections. Even before the firewall was in the picture. That isn't going to change.

    The hardening or fortifying feature is something else though and has nothing to do with allowing or blocking outgoing or incoming connections. The biggest drawback of the Windows firewall is that Microsoft intended applications to interact with it. So any application (including malware) can just add rules for itself to the firewall so it allows the application's traffic to pass through. The new feature stops that and gives you control over which applications are allowed to mess with your firewall settings and which aren't.

    -- I think Emsisoft should have explained it more, especially the new feature they are talking about there. They also should show how to set that up, and not just with the Beta testers.
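    As an added illustration of the point made in the quoted reply (this is not part of the original post or of Emsisoft's software), a PowerShell audit of which programs currently hold Allow rules in the Windows Firewall, plus the rule-change audit events; it assumes the built-in NetSecurity module, an elevated prompt, and that "Audit MPSSVC Rule-Level Policy Change" auditing is enabled for the event query.

```powershell
# Added example, not from the forum post. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module), an elevated session, and rule-level policy-change auditing
# turned on for step 3 to return anything.

# 1. Enumerate the enabled Allow rules that are actually in force and resolve the
#    program each one is bound to (any program can add such a rule for itself).
$rules = Get-NetFirewallRule -Enabled True -Action Allow -PolicyStore ActiveStore
$report = foreach ($rule in $rules) {
    $app = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Group     = $rule.DisplayGroup
        Direction = $rule.Direction
        Profile   = $rule.Profile
        Program   = $app.Program
    }
}

# 2. Flag rules whose program lives outside the usual system locations. A rule bound
#    to something in %TEMP%, %APPDATA% or a Downloads folder deserves a closer look.
$trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*") |
    Where-Object { $_ -ne '\*' }   # drop the x86 pattern on 32-bit hosts
$suspect = foreach ($r in $report) {
    if (-not $r.Program -or $r.Program -eq 'Any') { continue }
    $path = [Environment]::ExpandEnvironmentVariables($r.Program)
    $isTrusted = $false
    foreach ($pattern in $trusted) {
        if ($path -like $pattern) { $isTrusted = $true }
    }
    if (-not $isTrusted) { $r }
}
"Allow rules bound to programs outside Windows / Program Files:"
$suspect | Format-Table -AutoSize

# 3. Audit trail of firewall rule changes over the last 7 days:
#    4946 = rule added, 4947 = rule modified, 4948 = rule deleted.
#    The rule name is the third event property in these records.
$filter = @{
    LogName   = 'Security'
    Id        = 4946, 4947, 4948
    StartTime = (Get-Date).AddDays(-7)
}
"Firewall rule changes recorded in the Security log:"
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Rule'; e = { $_.Properties[2].Value } } |
    Format-Table -AutoSize
```

    If step 3 prints nothing, check that the audit subcategory is enabled (auditpol.exe /get /category:"Policy Change") rather than assuming no rules were changed.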

  2. On 3/9/2017 at 2:52 PM, GT500 said:

    Do you just want to customize the rules as they are in EIS to allow/block certain ports or IP addresses? To do that you can open EIS, click on Protection, go to Firewall in the menu at the top to access the Global Firewall Rules, and then double-click on any rule you would like to edit.

    Yes :) Thanks will check that out :)

  3. OK will try that. So please check what I am about to do here:

     

    1. Reset ONLY Global firewall rules

    2. Check Application Rules if they are still the same.

    3. Backup settings again (so the new global firewall rules will be "exported" when I save my settings) as seen in the "Export Settings" dialogue box(all is checked). 

    Outside of that, how can I edit the global firewall rules?

    Thanks :)

  4. Does that mean in order for me to use the "new global rules" I have to again make all my application rules from scratch?!

    Isn't there a way for me to just edit the global rules manually, so that when I save the new config it'll be with my existing application rules? Recreating all those specific rules per application is time consuming.

  5. On 7/9/2015 at 8:11 PM, GT500 said:

    Here's how to reset the Global Firewall Rules to factory defaults:

    • Open Emsisoft Internet Security.
    • Click on Settings in the menu at the top.
    • Click on the Factory defaults button near the upper-right.
    • Make sure that only the option labeled Global firewall rules is selected.
    • Click the OK button to apply the changes.

    Hello,

     

    Just got confused, as I also received a similar pop-up when I updated earlier. Just wanna ask: if I do the instructions above, will I lose my existing application rules? I did not do the above yet and just saved my config settings. (Re: Anti-Malware Settings, see image below)

    I see that in the "export settings" the application and global firewall rules are together. What happens when I do the "instructions above" and then import it (saved config settings) again after?

    Thanks!

  6. Hi GT500, 
     

    If WsChrome.exe was running before EIS had finished starting, then EIS would not stop it from running.
     
    Also, make sure that there are no exclusions that could prevent "WsChrome.exe" (or things in its folder) from being monitored. 
    -- No, WsChrome.exe is NOT running before EIS starts. WsChrome.exe is being triggered when you start Filmora.exe. It isn't an autorun. There are no exclusions for the Filmora folder, as I place block rules there, especially for outgoing/incoming connections.
     
    See image when Filmora is not running.
     
    See image when Filmora is executed.
     
    EIS only blocks WsChrome.exe when you manually double-click WsChrome.exe to run it.
  7. If the GoogleUpdate.exe process manages to execute before a2service.exe is active, then it will not be terminated. Blocked processes are only terminated when they are executed, so if they are running before a2service.exe then they will be left alone.

    We are aware of the poor wording here, and I would believe we intend on changing it in the future since it isn't very clear.

    We're aware of the issue with the progress indicator in the UI, and we do have a bug report open. I don't think it was fixed in the latest stable build, but an issue with the percentage shown by the System Tray icon was.

     

    Thank you for the reply guys. 
     
    @GT500,
     
    On the gui updating issue and wording... will just wait for the fix.
    On GoogleUpdate.exe loading before EIS... hmmm... if Sysinternals Autoruns keeps it at bay for a week, or until there's another Chrome update, then I'll let it stand.
     
    Thanks Arthur :)
     
    @JeremyNicoll,
     
    Thanks for the tip there. I will check it out. 
  8. Back here for observations in Win 8.1. Rules were also the same for GoogleUpdate.exe. 

     

    There is no "dragon_updater.exe" in the Comodo Dragon Portable browser, unlike in Win 7. See image below.

     

     

    Launching Process Hacker, there were no instances of blocked programs running. It was only when I checked Sysinternals Autoruns that I saw I had unchecked GoogleUpdate.exe in the Scheduled Tasks. That may be why there was no instance of GoogleUpdate.exe upon boot. See image.

     

    Manually executing GoogleUpdate.exe was also blocked, with the same misleading words. See image below.

     

    Just to check, I checked Opera browser's opera_autoupdate.exe and opera_crashreporter.exe. Though the behavior is different -- both only launch when Opera's launcher.exe is executed manually. No instances of blocked programs seen. See images below.

     

    The issue with the gui is the same (wasn't able to get the screenshot, sorry).

    Edit: This is the screenshot for the gui of Win 8.1
  9. Is the path for the file always the same? It's possible that there's more than one executable with the same name.

    -- Yes path is the same. Thanks for the reply. 

     

    Back here again,
     
    Just got home and booted to the Win 7 partition with EIS. Deleted all the rules for Comodo Dragon browser and Google Chrome browser and recreated them from scratch. Restarted and opened Process Hacker. GoogleUpdate.exe was the only one remaining there running after boot. The setting was the same, "Always block...". Deleted that particular rule for GoogleUpdate.exe, rebooted. Set the rule again as "Always block...". Rebooted, and there it was running again after boot.
     
    I had to use Sysinternals autoruns.exe to delete the scheduled task for Google Chrome update. Restarted/Rebooted. Checked via Process Hacker if there was GoogleUpdate.exe running. There was none.
     
    So I think it was the deletion of the scheduled task that prevented it from running after boot and not EIS, because if I did not delete the scheduled task it still executed after boot.
     

    The rule is only processed when the blocked program starts. If it is already running when you create the rule, the rule doesn't take effect until the blocked program is terminated, and then it won't be able to execute again.
    -- GoogleUpdate.exe and dragon_updater.exe executes upon boot. Do you mean that EIS cannot block that behavior (autorun upon boot) and needs the "blocked-program" be executed for EIS to be able to apply the created rule of "Always block..." ?
     
    It has already been executed (autorun upon boot)... and EIS did not block GoogleUpdate.exe. 
     
     
    I went to, 
     
    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
     
    and double-clicked GoogleUpdate.exe, and it was blocked, but again it said that it was a virus. The wording is misleading there. See image below. I remember I posted a similar observation previously: http://support.emsisoft.com/topic/19332-always-block-this-applicationimpossible-to-run-because-the-file-contains-a-virus-etc/
     
    Manual execution of GoogleUpdate.exe is blocked by EIS. 
     
    Now for the gui -- "Initializing" but in actual fact it's already updating. In my other partition with EAM it's "Updating" but the percentages are not in sync -- the tray icon seems to be correct always and not the gui. I wasn't able to get the screenshots needed, sorry.
     
    Well, I guess all it takes is that EIS updates. It's just that when you're in a hurry and need to be on top of every minute that counts, that is a bit annoying... (only a bit :) can live with that). It's the block rule that I am not amenable to.
     
    I can always install a 3rd party app like NVT_ERP or NVT_Smart Object Blocker, but it would be redundant because EIS is powerful enough. That is why even though I have MBAM Premium installed it's always used on-demand.
     
    Will still be observing and comparing Win7 and Win 8.1 EIS behavior. 

  10. posted by Aura

    Are you adding the "block" rule for the program when the process is running? Or do you kill the process, add the rule and then try to launch it again (and it works)? 

     

    posted by GT500

    The rule is only processed when the blocked program starts. If it is already running when you create the rule, the rule doesn't take effect until the blocked program is terminated, and then it won't be able to execute again.

    --- I created the rules from scratch, so I did not run the program and wait for the pop-up so that a rule would be created. If you know how and what EIS to implement a rule for programs you have.

     

    Rule has been created beforehand and before I launched the program. I just happened to glance at Process Hacker --check if some programs aren't blocked and there it was running even though the rule has been created already beforehand. 

     

    To confirm, I ran dragon.exe and there it was, dragon_updater.exe executed, even though (as stated) rules were created before launching the mother program.

    There is a known issue with the update progress indicator in the UI. We have a bug report open on it, and intend on fixing it, however it is just a cosmetic issue and has no effect on the actual update process. 

    -- Last time I checked it seems to be functioning now, but it is intermittent. Still observing here. Thanks there.

  11. Hello, 

     

    Why, when I set a certain program as "blocked" -- Always block this application (impossible to run) -- does the program still run..? I thought that it is impossible to run...? What's the use of stating there that it's "impossible to run" when in reality the Behavioral Blocker decides on its own? I wanna set it to block, as I do manual updating. I update after I do a system image backup, so if there are issues I can just go and recover.

     

    See images below.

    I also wanna ask why the gui always says "Initializing" but it's actually updating. See image below. Can't you fix this....? It used to be that when I right-click the tray icon > Update now, the gui shows exactly what the percentage of the update is. Now the last two version updates are like this. I have to point to the tray icon to see the status of the update.

     

    I am not always connected to the internet, and the gui isn't helping me to be informed "properly" if the updates are pushing through or taking so long... to be informed of the status I need to point to the tray icon. This is annoying.

     

    Kindly explain please. 
  12. Thanks for the reply. 
     

    This is an old dialog that hasn't been changed in far too long, and could certainly use an update to more clearly convey why the application was blocked from running (as well as what blocked it). Our QA Manager is aware of this.
    -- Well I hope this will be corrected as it sends a wrong signal to the user. It can be done on the part of the devs. 
     

    It wasn't executed from explorer.exe, and probably wasn't blocked until it performed an action that our Behavior Blocker monitors for, however I will have to verify that with one of our developers.
    -- I just checked earlier and it's still like that. I was checking Process Explorer but it wasn't running. I guess it does get blocked I mean the wpsupdate.exe but the one that is bothering me is the trigger launch from the gui of wpp.exe. 
     

    You can submit it as a false positive via the quarantine. Was it quarantined automatically, or did you select to quarantine it from a Behavior Blocker alert? 
    -- Will submit. It was quarantined automatically. 
     
  13. Hello,

     

    Some questions on EIS if I may.

    A. Always block this application(impossible to run) -- because the file contains a virus!

    Setting "Always block this application(impossible to run)" on an executable in EIS produces an alert that the executable is a virus, but an EIS scan says it is not. It seems that the EIS default pop-up alert for everything that is set as "Always block this application(impossible to run)" prejudges it as "the file contains a virus" even if it is not. It can be confirmed when you manually scan the executable file. Prejudging a file as containing a virus while EIS's own scanner says "No suspicious files were detected during the scan."

    See observations below:

    1. Set Kingsoft's updateself.exe / wpsupdate.exe as "Always block this application(impossible to run)". Try to launch Kingsoft's updateself.exe / wpsupdate.exe via double-clicking it; an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan Kingsoft's updateself.exe / wpsupdate.exe with EIS. EIS says "No suspicious files were detected during the scan."

    See image below. View report below:


     

    Emsisoft Internet Security - Version 11.0.0.5958
    Last update: 11/29/2015 12:23:32 AM
    Initiated by: XXXXX-PC\XXXXX

    Scan settings:

    Scan type:
    Objects: C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\updateself.exe, C:\Program Files (x86)\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe

    Detect PUPs: On
    Scan archives: On
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start:    11/30/2015 12:17:30 AM

    Scanned    2
    Found    0

    Scan end:    11/30/2015 12:17:30 AM
    Scan time:    0:00:00


    Why is it that EIS is stating that the file "contains a virus" but when you scan it EIS says otherwise....?

    2. Set opera_autoupdate.exe as "Always block this application(impossible to run)". Try to launch opera_autoupdate.exe via double-clicking it; an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan opera_autoupdate.exe with EIS. EIS says "No suspicious files were detected during the scan." See image below. View report below:


     

    Emsisoft Internet Security - Version 11.0.0.5958
    Last update: 11/29/2015 12:23:32 AM
    Initiated by: XXXXX-PC\XXXXX

    Scan settings:

    Scan type:
    Objects: C:\Program Files (x86)\Opera\33.0.1990.58\opera_autoupdate.exe

    Detect PUPs: On
    Scan archives: On
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start:    11/30/2015 12:40:40 AM

    Scanned    1
    Found    0

    Scan end:    11/30/2015 12:40:41 AM
    Scan time:    0:00:01



    3. Set Glary Utilities 5 CheckUpdate.exe as "Always block this application(impossible to run)". Try to launch opera_autoupdate.exe via double-clicking it; an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan opera_autoupdate.exe with EIS. EIS says "No suspicious files were detected during the scan." See image below. View report below:

     

    Emsisoft Internet Security - Version 11.0.0.5958
    Last update: 11/29/2015 12:23:32 AM
    Initiated by: XXXXX-PC\XXXXX

    Scan settings:

    Scan type:
    Objects: C:\Program Files (x86)\Glary Utilities 5\CheckUpdate.exe

    Detect PUPs: On
    Scan archives: On
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start:    11/30/2015 12:51:02 AM

    Scanned    1
    Found    0

    Scan end:    11/30/2015 12:51:02 AM
    Scan time:    0:00:00



    4. Set Emsisoft's very own HijackFree -- a2hijackfree.exe -- as "Always block this application(impossible to run)". Try to launch a2hijackfree.exe via double-clicking it; an alert will pop up saying "Operation did not complete successfully because the file contains a virus". Scan a2hijackfree.exe with EIS. EIS says "No suspicious files were detected during the scan." See image below. View report below:

     

    Emsisoft Internet Security - Version 11.0.0.5958
    Last update: 11/29/2015 12:23:32 AM
    Initiated by: XXXXX-PC\XXXXX

    Scan settings:

    Scan type:
    Objects: C:\Program Files (x86)\Emsisoft HiJackFree\a2hijackfree.exe

    Detect PUPs: On
    Scan archives: On
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start:    11/30/2015 12:58:52 AM

    Scanned    1
    Found    0

    Scan end:    11/30/2015 12:58:52 AM
    Scan time:    0:00:00


    B. Kingsoft wpsupdate.exe set at "Always block this application(impossible to run)" can run momentarily via wpp.exe gui

    As wpsupdate.exe has been blocked and set as "Always block this application(impossible to run)", I checked if it can be executed via the Kingsoft Office applications' gui -- wps.exe (Kingsoft Writer) / et.exe (Kingsoft Spreadsheets) / wpp.exe (Kingsoft Presentations).

    Clicked the question mark (?) at the top-right-corner of the gui. Drop down menu shows. Clicked "Check for Updates".
    There was no evidence of wpsupdate.exe executing or running with wps.exe / et.exe BUT with wpp.exe -- Kingsoft Presentations there is momentarily. There is a pop-up that says, "Can't access the Internet, please try it later. May be the internet connection is failed. Or the updater is blocked by the firewall. Or the proxy settings are incorrect."

    Why is it that there is still an execution of wpsupdate.exe? I believe if you set "Always block this application(impossible to run)" on an executable/application it should be impossible to run it, right..?

    See images attached.


    C. Kingsoft's Presentation "wpp.exe" quarantined because it has been classified as "Behavior.DirectDiskAccess". What to do with this..?

    See image below.


  14. Hi,

     

    I am having issues with Online Armor Premium with restoring a saved configuration file. The install went fine after the approval of the license. Restarted and learning process went okay but when I restored a saved configuration the file name of the config file did not show. Not only that the "Programs tab" did not contain anything including the "Firewall tab". It was also very difficult to restart and I had to reboot via the desktop button. 

     

    This is on a Win 7 x64 bit desktop with Avira Free as main AV (formerly had a different firewall completely removed). Is there anything that I need to check or do? I can't seem to make it work out...Help please..

     

    Malik

     

  15. I just re-installed Online Armor Premium and it seems I cannot import/restore my saved configuration. Now it's a bit tiresome to do it again from scratch..can't there be a way to restore it successfully? 

     

    Tried to uninstall(booted twice)/re-install OA Premium but it was the same when I tried to import a saved config file. Never had this experience before..This is a first for me on this issue. Actually all my saved config file I cannot restore. 

     

    Help. 

  16. Hello Route 414,

    Thank you for the reply.

    I seem to have noticed that when I was setting a rule in OA Premium I cannot set it right. I was doing an Advanced Options > Start Application > Allow except rule, but upon clicking OK the rule isn't set. The icon for the 'start applications' is still "?" (Ask) and does not show an arrow (More). Only when I disabled ESET NOD32 HIPS did the problem vanish.

    Did you run ESET NOD32 HIPS alongside OA Premium..? I have ESET NOD32 ver 5.0.95.0 alongside OA Premium 5.5.0.1557.
