Raul90 Posted May 23, 2013

Hi,

Well it's my first spin with EAM so I was dumbfounded as to why EAM is blocking Gmail and Google-analytics etc. I could not connect to it since yesterday. I already made a rule to "Dont Block" in EAM>Guard>Host Rules. Saw to it that I rebooted after the rule setting. But it did not help. See image attached. This was going on since yesterday so I disabled Surf Protection in the meantime.

I tested Gmail in the next partition I had but it was okay. That partition had Avira/Outpost Pro firewall. No issues like that were observed. Booted again to the partition with Emsisoft IS Pack but the issue seems to still remain. Thus I decided to disable Surf Protection. Any ideas here..?

Oh and also I wanted to ask if I can do a custom install for EAM. If ever I do not want the Surf Protection as I have Online Armor Premium (as part of the Emsisoft IS Pack) or any other component for that matter, can I remove them via a custom install? How can I do that?

In addition, I observed this and compared to the other partition with Avira and Outpost Pro firewall. I also cannot connect to Wilders on the partition with EAM/OA. See also images on Gmail. This with Surf Protection disabled. Wilders is placed in OA Premium>Domain>Trusted in partition with EAM/OA.

From partition with Avira and Outpost Pro firewall
From partition with EAM/OA
From partition with EAM/OA Dragon portable Maxthon Portable in RunSafer
From partition with EAM/OA_Gmail on Google Chrome

Exclude browsers in Guard>Application Rules..correct? Add new rule>Select Application --browser>Always allow this application...correct?

Question: If I disable Surf Protection will the rules in the Host Rule matter..?

I see an "import host file" at the left-bottom corner of the Host Rules tab. Is that the same as that of the MVPS host file or say, blocklist as that of OA Premium? If it is well it seems to be redundant because OA has it already.
Or EAM's is different from OA's...I think I saw during an update of EAM that it downloaded a host file or something...

On testing if Wilders will load okay when EAM is "off", it was like that. Turning off EAM loads all nicely except Wilders. I accidentally discovered that when I delete all the Blocklist Pro contents I placed in the Firewall Blacklist, Wilders opens okay (that is with Surf Protection still disabled). Gmail displays the same in Dragon/Maxthon Portables. I use the blocklist for OA from http://blocklistpro.com/downloads.html (use the one for Outpost and manually input it to OA).

I have also an error that I noticed yesterday when I boot to the partition with EAM/OA from another partition. See image attached. I have already excluded BCDedit / iReboot in EAM and OA but the error still showed. (exclusions in EAM/OA are highlighted). Any ideas...?

Been 6 days now and the "bcdedit" error is the same. Earlier I turned on the PC and EAM did not start (using Win 7 SP1). I had to start it manually. After a restart it was okay. I will observe again.

I was placing a file on the exclusions of EAM. Guard>Application Rules>Add new rule>Select Application --browser>Always allow this application...correct? And then I tested if EAM will scan it. It did. How can I effectively exclude a file from being scanned..? How can I exclude a folder from being scanned..?

When I was using just OA Premium, it felt heavy on the system and it would be slow...bordering on dead slow..like my experience with Bitdefender. But this version is different. It's okay and zippy. Just these issues I experience mostly with EAM and of course the 'blocklist'. Previously I was using the blocklist from COU but Ms. Donna has passed away... that was a great loss..

Anyway, please help me as I wanna make this one work out

Thank you!
GT500 Posted May 24, 2013

Have you searched for any of these blocked websites in EAM's Host Rules? Have you checked the logs in EAM and OA to see if they show the websites being blocked?
Raul90 Posted May 24, 2013

I booted and the same error with the "bcdedit" showed. See image.

This is the most prominent in the EAM logs (when Surf Protection is still "on"). There is no wilderssecurity.com in the host file. I use the same blocklist in Outpost but Wilders is not blocked. Placing it in the domain of OA as "Trusted" should allow all to display correctly and not be blocked as I clicked "Ignore Online Armor domain list" right? See host file of OA. I am using the MVPS Host file for April 2013.

This is the behavior with Surf Protection "on" for EAM but no Blocklist in OA. Wilders displays right/correct. Exclusions as stated in the previous post. OA issue...right..or something else?

May I be enlightened on these please:

Question: If I disable Surf Protection will the rules in the Host Rule matter..?

I see an "import host file" at the left-bottom corner of the Host Rules tab. Is that the same as that of the MVPS host file or say, blocklist as that of OA Premium? If it is well it seems to be redundant because OA has it already. Or EAM's is different from OA's...I think I saw during an update of EAM that it downloaded a host file or something...

Or is OA's Host File different from the MVPS Host file? If I have a host file for OA and MVPS host file, is it advisable to run both..? What if I "import a host file" in EAM..what now...? Isn't this redundant...host file in EAM and separately a host file in OA? Or both are the same..?

What blocklist do you guys recommend with OA..? What Host file do you recommend with OA? ..with EAM..?

Here is what I use: (as of the moment have deleted all (text files) from OA)
http://blocklistpro.com/viewcategory/9-blocklists-zip-files.html

BlocklistPro has its own Host file but I do not use it.
GT500 Posted May 25, 2013

Which HOSTS file or blocklist you use is up to you. hpHosts and MVPS HOSTS are both good.

Would it be possible for you to attach your screenshots to your posts? They are all too small for me to read, and clicking on them only takes me to the bild.me homepage.

Also, let's get an OTL log, since it sounds like this is more than just an EAM/OA issue. Please run OTL by following the instructions below:

1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
4. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.

Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.
Raul90 Posted May 25, 2013

Here are the direct links I have. I have already deleted the other images as I have printed it already in .pdf so I do not have any copy here with me. I am attaching the OTL text files for your perusal.

The machine with EAM/OA is in a 3 boot arrangement. The other partitions are with Avira IS/Outpost Pro ver8 Firewall/ Exploitshield Alpha and Avast IS ver8.

Uploading also seems to be taking forever or my ISP is fx$#%@kng with me again

http://s1.bild.me/bilder/150113/5336542eam_surf.png
http://i.imgur.com/Dhy0jFM.png
http://s1.bild.me/bilder/150113/6943424eam.png
http://s1.bild.me/bilder/150113/3652286iron_on_emsisoft_pack.png
http://s1.bild.me/bilder/150113/7108737eam_dragon_google.png
http://s1.bild.me/bilder/150113/6031089maxthon_port_eam_gmail.png
http://s1.bild.me/bilder/150113/9899524g.png
http://i.imgur.com/ubXbqGQ.png
http://s1.bild.me/bilder/150113/3538330bcdedit.png
GT500 Posted May 28, 2013

Do you connect to the Internet through a mobile broadband card?
Raul90 Posted May 29, 2013

> Do you connect to the Internet through a mobile broadband card?

Hi GT500,

Yes and sometimes through an old dial-up service.

I accidentally (I think) solved the issue with iReboot / bcdedit.exe error I am having; all I needed to do was "allow" ICMP / RAW in the Firewall settings of OA.

Question: Is it okay to allow it? While I think it's a safe application I am dumbfounded as to why I am having this error with OA.

Thanks again for the help here.

Raul90
GT500 Posted May 30, 2013

> Question: Is it okay to allow it? While I think it's a safe application I am dumbfounded as to why I am having this error with OA.

ICMP isn't a major security risk. People will be able to ping your IP address over the Internet, but you will still be protected by Online Armor.

As for iReboot specifically, it appears to be from NeoSmart Technologies, which is supposed to be a reputable software company (I've used their EasyBCD in the past). bcdedit.exe is a Microsoft program called "Boot Configuration Data Editor", and it is safe (as long as you don't accidentally break your boot configuration with it). You can read a little more about it here.
Raul90 Posted May 30, 2013

Thanks for the information/explanation there.

The issues seem to have died down but I am "not" (still) using a blocklist in OA. I do not know why when I use a blocklist some sites don't display right even though they are not listed in the said blocklist.. Any particular blocklist you suggest so I can try it out in this partition...? I'd like very much to try it out.

Along this line, the other partition with Avira (IS --no firewall/Proactive/Backup) and Outpost Firewall Pro ver8 is now, Avira + OA. Just uninstalled OPver8 in the meantime and installed OA to observe whether it is an OA issue with the blocklist or an EAM issue even though Surf Protection is "off".

On Neosmart Technologies, I have also EASYBCD and I've been using it a long time now. With iReboot about two years since I did a triple-boot.

On the other questions I posted, allow me to ask again please:

1. I see an "import host file" at the left-bottom corner of the Host Rules tab. Is that the same as that of the MVPS host file or say, blocklist as that of OA Premium? If it is well it seems to be redundant because OA has it already. Or EAM's is different from OA's...I think I saw during an update of EAM that it downloaded a host file or something... Does EAM have its own host list? I seem to catch a glance when it updates that it downloads a host list...If it does, what's the difference with that of MVPS or hpHost's..? To have both seems to be redundant..correct?

2. Question: If I disable Surf Protection will the rules in the Host Rule matter..? Will it..?

3. Is this the correct way of "excluding a process" from the Behavioral Shield..? Guard>Application Rules>Add new rule>Select Application --browser>Always allow this application.

4. Isn't it redundant/overkill to have a Behavioral Shield (EAM's Mamutu) and (OA's) HIPS running...? Some insights will be helpful so I can distinguish both.

5. How can I exclude a file or folder from being "scanned again" in EAM..?

Thanks again and will wait for your reply.
GT500 Posted May 30, 2013

> Any particular blocklist you suggest so I can try it out in this partition...? I'd like very much to try it out.

I am not personally aware of any. The last time I did a search I was only able to find one that was in the format that Online Armor uses, however I imagine that there are more than one out there.

> Does EAM have its own host list? I seem to catch a glance when it updates that it downloads a host list...If it does, what's the difference with that of MVPS or hpHost's..? To have both seems to be redundant..correct?

Yes, we maintain our own Host Rules for EAM so that the Surf Protection offers protection against malicious websites without needing to import your own rules. We actually used to use the database from hpHosts to supplement our host rules, however we are currently maintaining the database on our own. The databases in MVPS HOSTS and hpHosts will contain things that we do not include in our Host Rules. For instance, Steven Burn will add things to hpHosts that we wouldn't normally add to our own Host Rules.

> Question: If I disable Surf Protection will the rules in the Host Rule matter..?

I remember this question, but I thought I had already answered it. The Host Rules are the rules for the Surf Protection. No other component in EAM uses them, so if you turn off Surf Protection then the Host Rules are not being used.

> 3. Is this the correct way of "excluding a process" from the Behavioral Shield..? Guard>Application Rules>Add new rule>Select Application --browser>Always allow this application.

Technically that's not 'excluded', that's just set to "Always Allow". The program would still be monitored, it would just always be allowed rather than asking you what to do. If you want to completely exclude something from protection, then follow these instructions:

1. Open Emsisoft Anti-Malware from the icon on the desktop.
2. Click Guard in the menu on the left.
3. Go to the File Guard tab.
4. In the lower-left corner, just above Alerts, click on the Manage whitelist link.
5. In the box under Type click the little down arrow and change it from File to Process (you may need to click in the box for the arrow to appear).
6. Click in the white box below Item to make a button with three dots (...) appear, and then click the ... button.
7. Navigate to the directory where the files you wish to exclude are located, and double-click on one of them to add it.
8. Repeat the last 3 steps as needed to add each file to the exclusions list.
9. Click the OK button at the bottom when done, and close Emsisoft Anti-Malware.

> 4. Isn't it redundant/overkill to have a Behavioral Shield (EAM's Mamutu) and (OA's) HIPS running...? Some insights will be helpful so I can distinguish both.

The Behavior Blocker in EAM/Mamutu and the HIPS in Online Armor work differently. The Behavior Blocker actually tries to determine if a program is safe, whereas anything not 'Trusted' in OA will generate a warning about behavior monitored by the HIPS.

> 5. How can I exclude a file or folder from being "scanned again" in EAM..?

The process is similar to adding a Process exclusion to the Whitelist, however you would add it as a File exclusion rather than a Process exclusion.
Raul90 Posted June 3, 2013

Hi,

Thanks for the reply and explanation there.

This is a bit long and I beg for your patience and understanding as to the "bcdedit.exe error" I am experiencing while using EAM / OA.

As of last post I mentioned that I now set the second partition which formerly was Avira IS (no firewall etc) + Outpost Firewall Pro ver8 to have Avira IS (no firewall etc) + Online Armor Premium. Now I am also having bcdedit.exe error as of the partition with EAM/OA (let's call it partition A). See image attached.

This partition when it was with Avira IS (no firewall etc) + Outpost Firewall Pro ver8 (let's call it partition B) "never" had any issues like this one. I used the same partition as of the EAM/OA. What I did was to make an image of the partition using Acronis True Image 2011. Deleted the partition housing the former Avira IS (no firewall etc) + Outpost Firewall Pro ver8 and restored that system image to it.

a. imaged partition A with EAM/OA
b. deleted/formatted partition B
c. restored imaged partition A with EAM/OA to partition B
d. uninstalled EAM via Revo Uninstaller, rebooted 2x
e. installed Avira IS (no firewall etc) and updated it via the internet.
f. rebooted
g. error in bcdedit.exe

Now I have searched for some possible resolve in this issue as I do not want to just not use a product because of this. I made an upgrade of iReboot from 1.0 to iReboot 1.1.1. Now I remember that the reason that I was using 1.0 is that I do not want iReboot 1.1.x trying to use port xxx (I think I was with Comodo at that time (or Avast IS firewall)). For me those that do not need to call home I block.

I went to Neosmart Forums and saw this:

iReboot 1.1.x needs an open port to work talk between the service and the taskbar icon to get around UAC....

If you really don't want this, you can use iReboot 1.0 which did not have that feature...
iReboot doesn't open a port on the physical network adapter, it uses the local loopback IP 127.0.0.1 which won't trigger a WoL call to the physical LAN adapter...

This is the link where I got the info, http://neosmart.net/forums/showthread.php?t=8089

Now as of this writing, I am leaning on the idea that it's OA who's blocking or not allowing iReboot to function properly even though that it's iReboot 1.0.x which as stated in a thread in Neosmart forums does not behave like iReboot ver1.1.1 (uses the local loopback IP 127.0.0.1 and needs an open port to work/talk between the service and the taskbar icon to get around UAC).

This is what I see in 'Process Hacker ver2 > Network':

Name : iRebootd.exe (3956)
Local Address : 0.0.0.0
Local Port : 9076
Remote Address:
Remote Port:
Protocol : TCP
State : Listen
Owner : iReboot

I was not able to check the behavior when I was still in iReboot 1.0.x (sorry..don't wanna revert back to an image..I'm tired now). Also I cannot check the Process Hacker log as I do not have internet at the moment as the dumb guys of my ISP have borked something and connection is not available at the moment (well at least not now).

Now as mentioned I have upgraded to iReboot 1.1.1 and I see that the issue has disappeared for both the partitions (Partition A and B). I have booted around 5x on both partitions, even coming from a cold boot and there is no issue.

While the issue is solved, I'd like some explanation as to why is this happening in OA ver6 and iReboot ver1.0.x.

Now to test I blocked iReboot in the firewall and removed it from the "Exclusions" and rebooted. There was no error of the same sort but I cannot even use iReboot now. I cannot even right-click the icon to select what partition I would like to boot to. The icon is there but I cannot use the application. Checking 'Process Hacker ver2 > Network' there was no entry of iReboot. This is the pop-up that OA gave when it booted.
In the "History" tab it says there,

C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe (?) (2364) wants to start C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe(?) (3500)
C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe (?) Outgoing TCP acces blocked to: 127.0.0.1:9076

So I set in the Firewall,

Status: Allowed
ICMP: Blocked
RAW : Blocked
Program: iReboot.exe
Program Name : iReboot
Not Excluded: "C:\Program Files\NeoSmart Technologies\iReboot"

Logged-off so OA will adopt the new rule. After I came from the log-off, I got a pop-up from OA asking me about iReboot as it blocked it. I clicked "Allow" (just 'Allow' and not 'Trust'). See image below.

After I "allowed" it, I got a second pop-up from OA warning me of iReboot wanting to remotely control another process. I clicked "Remember my decision > Allow". After which I checked via the right-click if iReboot will function. It will not and I still cannot use iReboot > right-click to select a partition to boot to.

I tested again and changed the rule in the firewall to:

Status: Allowed
ICMP: Allowed
RAW : Allowed
Program: iReboot.exe
Program Name : iReboot
Excluded: "C:\Program Files\NeoSmart Technologies\iReboot"

Afterwards rebooted. I got a pop-up about iReboot asking to 'Create a rule' about loopback. I answered, 'Create Rule > Allow'. Another pop-up came asking about "A program wants to run" C:\Program Files\NeoSmart Technologies\iReboot\bcdedit.exe on which I answered "Remember my decision > Allow" after that I logged-off so OA will adopt the rule. See images below.

After coming off from the log-off I checked and I can now use iReboot. See image below.
So in order for iReboot to run properly the firewall rule has to be:

(Rule 1)

in "Firewall",

Status: Allowed
ICMP: Allowed
RAW : Allowed
Program: iReboot.exe
Program Name : iReboot

Status: Allowed
ICMP: Allowed
RAW : Allowed
Program: bcdedit.exe
Program Name : Boot Configuration Data Editor

in "Programs", ("Allowed" but not necessarily "Trusted")

Allowed > C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
Allowed > C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe
Allowed > C:\Program Files\NeoSmart Technologies\iReboot\bcdedit.exe
Not Excluded : C:\Program Files\NeoSmart Technologies\iReboot

or,

(Rule 2)

Status: Allowed
ICMP: Ask
RAW : Ask
Program: iReboot.exe
Program Name : iReboot

Status: Allowed
ICMP: Ask
RAW : Ask
Program: bcdedit.exe
Program Name : Boot Configuration Data Editor

in "Programs", ("Allowed" but not necessarily "Trusted")

Allowed > C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
Allowed > C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe
Allowed > C:\Program Files\NeoSmart Technologies\iReboot\bcdedit.exe
Not Excluded : C:\Program Files\NeoSmart Technologies\iReboot

--

Question: If you exclude the folder "C:\Program Files\NeoSmart Technologies\iReboot" in the Exclusions tab, why does OA still block iReboot processes...? Ain't it supposed to be that the whole folder and everything in it gets automatically allowed?

In iReboot ver1.0.x exclusions were in place for "C:\Program Files\NeoSmart Technologies\iReboot" but still there was an error of bcdedit.exe. When I upgraded iReboot to ver1.1.1 there was no error of the same kind.
Exclusions for "C:\Program Files\NeoSmart Technologies\iReboot" were still in place and so as the rule set:

in "Firewall",

Status: Allowed
ICMP: Allowed
RAW : Allowed
Program: iReboot.exe
Program Name : iReboot

Status: Allowed
ICMP: Allowed
RAW : Allowed
Program: bcdedit.exe
Program Name : Boot Configuration Data Editor
Excluded: "C:\Program Files\NeoSmart Technologies\iReboot"

in "Programs", ("Allowed" but not necessarily "Trusted")

Allowed > C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
Allowed > C:\Program Files\NeoSmart Technologies\iReboot\bcdedit.exe

NOTE: iRebootd.exe is not included (it may be because "C:\Program Files\NeoSmart Technologies\iReboot" is excluded that there was no pop-up or any kind in reference to iRebootd.exe)

So what is the best rule in OA for iReboot...? Also since you have to Allow > TCP Outbound for iReboot to run, how can it be controlled as to not call home or connect to any site other than local loopback IP 127.0.0.1...?

I do appreciate the help and again please have patience on this long post. I really wanna make this one work well. And by the way there was no pop-up of any sort for EAM.

Thanks.
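The loopback question in the post above can be checked directly from `netstat -ano` output. The following is an added example, not part of the thread and not NeoSmart or Emsisoft code: it flags, for chosen PIDs, listeners bound beyond loopback and connections to non-loopback peers. The sample rows are constructed; only the PIDs 2364 and 3956 and port 9076 are taken from the post.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample in the layout of Windows `netstat -ano`. The first row
# mirrors the Process Hacker entry quoted in the post (0.0.0.0:9076, PID 3956).
# The 203.0.113.10 row is invented purely to exercise the check; the thread
# reports no such connection.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9076           0.0.0.0:0              LISTENING       3956
  TCP    127.0.0.1:49170        127.0.0.1:9076         ESTABLISHED     2364
  TCP    127.0.0.1:9076         127.0.0.1:49170        ESTABLISHED     3956
  TCP    192.168.1.20:49201     203.0.113.10:443       ESTABLISHED     2364
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1180
"""


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


_TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s+(\d+)\s*$")


def _split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6%zone]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    return host, int(port)


def parse_netstat(text):
    """Return the TCP rows of `netstat -ano` output; UDP and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = _TCP_ROW.match(line)
        if not m:
            continue
        lip, lport = _split_endpoint(m.group(1))
        rip, rport = _split_endpoint(m.group(2))
        rows.append(Conn(lip, lport, rip, rport, m.group(3), int(m.group(4))))
    return rows


def audit(rows, pids):
    """Flag sockets owned by `pids` that reach beyond the loopback interface."""
    findings = []
    for c in rows:
        if c.pid not in pids:
            continue
        if c.state == "LISTENING":
            # 0.0.0.0 or :: means every interface, not just 127.0.0.1
            if not ipaddress.ip_address(c.local_ip).is_loopback:
                findings.append(("listener-not-loopback", c.pid,
                                 f"{c.local_ip}:{c.local_port}"))
        elif not ipaddress.ip_address(c.remote_ip).is_loopback:
            findings.append(("non-loopback-peer", c.pid,
                             f"{c.remote_ip}:{c.remote_port}"))
    return findings


if __name__ == "__main__":
    for kind, pid, endpoint in audit(parse_netstat(SAMPLE_NETSTAT), {2364, 3956}):
        print(f"{kind:24} pid={pid:<6} {endpoint}")
```

A wildcard listener is reachable from the network unless the firewall restricts inbound traffic for that program, so the first finding is the one to compare against the firewall rule.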
Raul90 Posted June 3, 2013

I'd like to attach this photo (edited) so it would not cause confusion. I marked the partitions with the Avira_OA and EAM_OA in it.

Thanks for the patience.
GT500 Posted June 4, 2013

Assuming that all NeoSmart applications on your system are in subfolders of C:\Program Files\NeoSmart Technologies, then may I ask if you have tried adding that folder to the exclusions rather than just adding each folder individually?
Raul90 Posted June 5, 2013

> Assuming that all NeoSmart applications on your system are in subfolders of C:\Program Files\NeoSmart Technologies, then may I ask if you have tried adding that folder to the exclusions rather than just adding each folder individually?

Hello GT500,

I tried that the first time I had installed EAM/OA and got the bcdedit.exe error the first time. I thought that it was EasyBCD that is being blocked or somewhat conflicting with EAM and OA. In OA I placed the exclusions and also allowed iReboot / Easybcd.exe in the firewall. It was only when I had to exit/re-start iReboot every time I was to boot to the other partitions that I had the inkling that it might be iReboot that's conflicting and not EasyBCD. When I checked both folders have "bcdedit.exe".

Even when I removed the exclusions for, C:\Program Files\NeoSmart Technologies\iReboot still had the error. There was also no pop-ups (still at iReboot ver1.0). I upgraded to iReboot 1.1.1 from 1.0 and it disappeared. No errors of the same kind but pop-ups occurred specifically for iReboot.
GT500 Posted June 6, 2013

If you removed the exclusion, then Online Armor will monitor any executables running out of that folder. You can make sure that an executable is marked as Trusted and Allowed in the Programs list to prevent notifications from being displayed by Online Armor for that application.
Raul90 Posted June 9, 2013

May I ask again if,

So what is the best rule in OA for iReboot...? Also since you have to Allow > TCP Outbound for iReboot to run, how can it be controlled as to not call home or connect to any site other than local loopback IP 127.0.0.1...?

Personally I do not want to exclude something which is not a security application like that Avira, Malwarebytes..etc. So I am asking what may be the correct/safe rule for iReboot.

Thanks and will wait for your reply.
GT500 Posted June 12, 2013

I don't know of any reason why you should be concerned about iReboot having Internet access. Exclusions should be perfectly safe for that application, however you can mark it as Allowed and Trusted on the Programs list and Blocked on the Firewall list, which should achieve what you are wanting.
Raul90 Posted June 14, 2013

Okay thanks for the help
GT500 Posted June 15, 2013

You're quite welcome.