Zen Seeker

OA issues with Program Guard


Hello, I first noted this issue with Fabian Wosar on BC in a private message a few months ago, but we both had been busy with work. Since then I haven't been able to resolve the issue.

 

OS: Windows 7 x64 Updated to current date

AV/FW: EAM & OA Current versions

- EAM 8.1.0.4

- OA 6.0.0.1736 and 6.0.0.1798 until auto updated

AV/FW 2: MSSE & FW Current versions

- Antimalware Client Version: 4.3.215.0
- Engine Version: 1.1.9800.0
- Antivirus definition: 1.157.425.0
- Antispyware definition: 1.157.425.0
- Network Inspection System Engine Version: 2.1.9800.0
- Network Inspection System Definition Version: 107.2.0.0

 

 

The only workaround other than uninstalling is to disable "Program Guard".

 

Issue: At some point after May 15th 2013 Program Guard started hanging my system. For almost a year I haven't had any major issue even though I tend to heavy-hand what applications are allowed out to the internet. I update Windows and EAM/OA on a weekly if not daily basis. I'm always scanning and testing things for both myself and prior to use for clients.

 

When OA with PG is activated after login things start to slow down to a crawl until everything is either hung or popups appear stating that either I don't have access or the application doesn't have write permissions. This includes taskmgr, process explorer, and autoruns. I'm unable to take snapshots as I have to manually reboot the system and then disable PG before rebooting once more to a usable system.

 

I went a few months with PG disabled to finish some work but have spent days here and there trying to resolve this without success. From reading posts I've found here and there on Google or this forum I tried some noted solutions but nothing's worked.

 

I've uninstalled and reinstalled with no change. Once learning mode is finished and a final reboot is done it's back to hanging issues. I've also DL and tried version 6.0.0.1798 which was in one of the posts but as it upgrades as soon as I enter my license and I can't use it without it being licensed I can't say if it helps or not.

 

I do use VirtualBox but not in bridged mode and it was fine for a year prior to this issue. I also have a laptop which is set up very near the same as my desktop but it's not having any issues at all and I use VirtualBox on it all the time as well. (I share the VM images between the two machines and I also dual boot both systems between Windows 7 x64 and Linux AMD64.) VB is the latest version, 4.2.1.6, and all images are 100% up to date via Windows Update. As long as OA has PG disabled on the desktop I have no issue. On the laptop PG is still enabled and I have no issues running my VMs.

 

I did try to capture and read the logs after enabling debug mode but it seems I need a proprietary tool to read these logs. Attempting to see what is causing the issue with things like Sysinternals Process Explorer failed as they never open. At best I get a popup error as noted above or it just fails to open.

 

The only thing that I've noted different recently is that the laptop still shows OA version 5.5 in add/remove programs but after uninstalling and reinstalling on the desktop it properly shows 6.0.

 

From what I recall from all the reading I've done on the subject this type of issue was resolved in 2010 and OA version 6.0+ should have been a fix for all.

 

Anyone else having this issue or know what it might be?

 

Regards,

Zen

 

 

 


Program Guard Additional information:

I've also tried adding MSSE and EAM folders, x86 included, to the exclusions tab in OA options. No change.

Currently no additional rules or changes have been made after learning mode was finished but in past attempts I even tried to add all the same settings and rules that continue to work for the laptop. The result was I wasn't able to work on the desktop even after many reboots. I wasn't able to turn off "PG" as OA no longer loaded and showed up on the task bar, neither did EAM for that matter. The system was so busy or locked up that I couldn't open the start menu or task manager. Sysinternal tools unable to open as well. I had to boot into safe mode and uninstall the application, then reinstalled. (I was impressed that that was possible as it's been my experience that you can't install or uninstall applications in safe mode.)

I've never had a BSOD due to this issue, only hanging and loss of permissions to do anything to the point of manually having to reboot.

System Specs:

RAM: 32GB

CPU: Intel QC i7-3820 3.6GHz

SSD: 120GB for OS's only, plenty of room left

HDD: 3TB for data only, 1.5TB free

If you need screen shots or logs just let me know.

Zen


Have you tried uninstalling Virtual Box and deleting its networking driver? Online Armor and Virtual Box's networking driver are not compatible, and if they are installed on the same computer then it could cause strange issues.


Hello Zen Seeker,

 

Can I ask you to reproduce the problem with debug mode enabled and send me a zipped "Logs" folder via pm?

 

If so:

1) Please enable debug mode by going to "Options->General" and ticking the "Enable debug mode" checkbox.

2) Close & shutdown Online Armor

3) Start Online Armor

4) reproduce the issue

5) Zip the contents of the "Logs" directory (it's located in the folder you installed OA to).

Please note, that you'd probably need to close & shutdown OA in order to be able to access the contents of the logs folder.

6) Send me the zip archive via PM.

 

Thank you in advance,


 

Have you tried uninstalling Virtual Box and deleting its networking driver? Online Armor and Virtual Box's networking driver are not compatible, and if they are installed on the same computer then it could cause strange issues.

 

Yes I have and it made no difference. I've also been using VB with OA & EAM for over a year without issue on two systems. I wasn't aware of the VB issues as it never came up and I had VB installed prior to using Emsisoft. (It wasn't until I uninstalled OA and tried to do a clean install that I became aware of the issue when OA had a popup warning regarding the bridged networking driver.) As noted above I still have no issues on the laptop.


 

Hello Zen Seeker,

 

Can I ask you to reproduce the problem with debug mode enabled and send me a zipped "Logs" folder via pm?

 

If so:

1) Please enable debug mode by going to "Options->General" and ticking the "Enable debug mode" checkbox.

2) Close & shutdown Online Armor

3) Start Online Armor

4) reproduce the issue

5) Zip the contents of the "Logs" directory (it's located in the folder you installed OA to).

Please note, that you'd probably need to close & shutdown OA in order to be able to access the contents of the logs folder.

6) Send me the zip archive via PM.

 

Thank you in advance,

 

I'll see if I can arrange that tonight. Everything related to OA was removed then I did a new clean install so the logs should be fresh. I'll just enable debugging again first so when it hangs we'll be good to go. As I have to do a hard reboot I'll have OA NOT start when the system reboots.

Thanks for the reply,

Zen


   

I'll see if I can arrange that tonight. Everything related to OA was removed then I did a new clean install so the logs should be fresh. I'll just enable debugging again first so when it hangs we'll be good to go. As I have to do a hard reboot I'll have OA NOT start when the system reboots.

Thanks for the reply,

Zen

 

Ok, thanks in advance :)

 

Please note the steps 2 and 3 - this way you'll make sure the logs contain information about the executables OA detected, their trust/allow statuses, etc.


Will do. I dual boot and happen to be in Linux right now catching up on today's stuff or I'd start right now. Just got in after being stuck behind a traffic accident for 2 hours on the HWY.

6) Send me the zip archive via PM.

 

Here you go Andrew. I had to try it a few times as I had everything disabled and OA was not set to start on login. It started to happen again on the third restart.

It usually takes a few minutes before it starts happening. I usually have enough time to open task manager and/or disable OA Program Guard before things start to lock up. Applications where I hold down the shift key to run as administrator almost always cause it, such as Sysinternals Process Explorer. I get the feeling that consent.exe is involved or that it's waiting for something that I can't see or respond to.

 

I'll add this update to the forum thread as well for continuity.

 

T & R,

Zen


Thanks Andrey for the PM and suggestion to try the beta 7.0.0.1860. It didn't seem to help so after the hang and reboot I booted into Linux and sent you the new logs folder in a zip file.

 

In answer to your question regarding exclusions; Yes I have excluded the MSSE files and folders for both x86 and x64 in OA back in May, but only now added EAM & OA exclusions to MSSE. (It's never been an issue before so I never thought to apply it.)

 

Hanging still occurred, even after turning learning mode on and rebooting, once Program Guard was re-enabled. After hard rebooting to test this a few times I had to disable PG again, reboot, and now things seem stable again. I'll try enabling PG again to test once a few more updates have been applied now that I've added the exclusion to MSSE.

 

Let me know what you would like me to try or apply next.

 

Regards,

Zen

 

 

PS: I'm updating this thread as most of the support is now going through PM. If anyone else has this sort of issue they can at least see where we are and what has been noted and applied. I've followed support threads in the past that never include the solution or fix so thought it would be a good idea to share the updates for others.

