ryerman

Emsisoft CLS ver 8.1.0.31 does not perform scans

Product: Command Line Scanner version 8.1.0.31, provided with EEK version 4.0.0.17
Operating System: Windows 7 Home Premium, 64 bit, SP1
Other Security: AVG Anti-Virus Free Edition 2014, Windows Firewall, Zemana AntiLogger Free ver. 1.7.2.364

The Command Line Scanner (a2cmd.exe) does not scan.
For example:

a2cmd.exe /quick

gives no results and Result Code (%errorlevel%) -1073741819 is returned. (see attached Screen-shot)

 

I believe a recent update breaks the CLS.
Scanning from the EEK graphic control panel works normally.

I have 2 versions of the EEK "installer" (EmsisoftEmergencyKit.exe), both obtained from http://www.emsisoft.com/en/software/eek
They are different sizes but I can't compare the content.

1. EmsisoftEmergencyKit.exe (VER. 1, older) - size: 220,049 KB, obtained approx. 1 month ago
-before updating, CLS works normally
-1st update (non-beta) includes Cleaning Engine (1.0.0.175) and requires re-start
-after updating, CLS does not scan

2. EmsisoftEmergencyKit.exe (VER. 2, newer) - size: 220,219 KB, obtained today
-before updating, CLS does not scan
-1st update (non-beta) does not include new modules and does not require re-start
-after updating, CLS does not scan


For many months I have used the CLS in various scripts.
I automatically updated by using "a2cmd.exe /ub" in Windows Task Scheduler.
Sometimes I would open EEK control panel and verify that the updates had been applied.  They were.

Then, about a month ago, the CLS stopped scanning.
I deleted the old EEK and replaced it by running a new copy of EmsisoftEmergencyKit.exe (VER. 1, see above).
The new CLS worked properly until after the 1st update (which included beta updates), when the CLS failed again.

I then deleted EEK, reran EmsisoftEmergencyKit.exe (VER. 1), and updated without beta updates (changed command line in Task Scheduler to "a2cmd.exe /u")
The CLS worked properly for some days, but then eventually failed again.

I then downloaded a second copy of EEK (EmsisoftEmergencyKit.exe (VER. 2), see above)
The CLS provided in this EEK does not scan, even before updating.


Maybe a beta update has recently been incorporated into EEK and that is causing the problem?
I noticed that the Cleaning Engine (1.0.0.175) was recently updated.

 

Thanks for your attention.

[Attached screenshot]


I just updated the EEK on my Windows 7 x64 system, and then ran a quick scan in A2CMD:

[Attached screenshot]

Have you tried disabling any security software to see if the scan runs unimpeded?


Thanks for replying.

 

I disabled AVG Anti-virus and Zemana AntiLogger but A2CMD would not quick scan.

But when I open a command window "as administrator", A2CMD completes a quick scan.
So maybe this is a permissions problem?

 

But this is still different behaviour than in the recent past, when I could scan from any non-administrator command window.
And why does my VER. 1 scan without running as administrator but VER. 2 does not? (see post #1)


After further investigation, I may have found an explanation.

I have a copy of "EmsisoftEmergencyKit.exe" which provides an EEK where A2CMD will scan in any command window.
Before updating, I make a copy of the file "clean32.dll" (ver 1.0.0.173).
I then update, after which A2CMD will only scan in a command window opened as administrator.  This is the original problem.
After updating, I replace "clean32.dll" with the original pre-update copy.
Now, A2CMD will once again scan in any command window.

The Cleaning Engine has recently been updated to ver 1.0.0.175, so it seems that this causes the problem.

 

Is restricting scanning to an administrator command window desired behaviour?

 

Thank-you for your attention.


Hello,

 

You are right. I can reproduce this issue here on a Windows 7 SP1 machine. Also it is not possible to start the Commandline Scanner from the EEK Startcenter (start.exe) without Administrator privileges. I will create a bug report for our developers to take a look at this issue.


Wow someone else that had issues with this. I have been trying to get this tool to work the way it used to for the longest time now. One of their support people had me re-register my registry files but the reason I had to do that was because I couldn't get the tool to register the driver that sends the stuff to Quarantine. I finally got it to work last night but I still can't get rid of the tracking cookies. Let me know if you find anything out new. I will do the same.

Emsisoft employee Christian Peters has verified that there is a problem with the latest version (1.0.0.175) of the Cleaning Engine (clean32.dll).

It may be causing your problems.

See http://support.emsisoft.com/topic/14233-emsisoft-cls-ver-81031-does-not-perform-scans/


> Emsisoft employee Christian Peters has verified that there is a problem with the latest version (1.0.0.175) of the Cleaning Engine (clean32.dll).
>
> It may be causing your problems.
>
> See http://support.emsisoft.com/topic/14233-emsisoft-cls-ver-81031-does-not-perform-scans/

That's an unrelated issue. Since the commandline scanner that comes bundled with the EEK doesn't use a service, it needs to be run from an elevated Command Prompt (a Command Prompt that has been launched with admin rights).

The Emergency Kit Scanner also required admin rights, but since it is launched through Windows Explorer and it contains a manifest that tells Windows it needs admin rights, on Windows Vista and newer consent.exe will automatically run to check the certificate used to sign the Emergency Kit Scanner and ask you if you would like to give it permission to make changes to your computer.

The behavior is different because of the way they are launched.


> That's an unrelated issue. Since the commandline scanner that comes bundled with the EEK doesn't use a service, it needs to be run from an elevated Command Prompt (a Command Prompt that has been launched with admin rights)......

On my system, if clean32.dll is version 1.0.0.173, the CLS runs without an elevated Command Prompt, which had been possible for years.

Now that clean32.dll has been updated to ver 1.0.0.175, the CLS must be run from an elevated prompt.

Hopefully, the developers will reinstate the original behaviour so that users will not need to explicitly use an elevated prompt for the CLS.


> On my system, if clean32.dll is version 1.0.0.173, the CLS runs without an elevated Command Prompt, which had been possible for years.

If it did run, then it wouldn't have access to make changes to most files on the system, so there wouldn't be much it could do. It might be able to delete things from the logged in user's profile directory (so from places like the desktop and My Documents folder), but nothing in the root of the C: drive would be accessible, nothing anywhere else on the hard drive would be accessible (it might be able to scan most of the files on the drive, but deletion would not be possible).

BTW: We're hijacking this guy's topic with this conversation, so I'm moving it all to your original topic about this issue.


Some years ago, I began using my download manager to automatically scan all downloads with A2CMD.exe and the /f and /q switches.
At the time, the EICAR test files were successfully detected and quarantined.
I also checked the results code, knowing that it should be 0 or 1 for a successful scan.
My tests showed that this all worked as I desired without invoking administrator rights.

Now, no scan occurs.  Neither 0 nor 1 is returned as the result code.
That is a big change and causes a problem for me.

But I am getting confused because it seems that Emsisoft support staff are not in agreement on this issue.

Here is Christian Peters:

> Hello,
>
> You are right. I can reproduce this issue here on a Windows 7 SP1 machine. Also it is not possible to start the Commandline Scanner from the EEK Startcenter (start.exe) without Administrator privileges. I will create a bug report for our developers to take a look at this issue.

 

It seems as if he believes there is a problem.
On the other hand, your explanation makes no mention of a problem or bug so I am left with the impression that you feel things are working as desired.

 

Perhaps a resolution will come after somebody looks at the bug report that is to be submitted.
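
An added example, not part of the original post and not Emsisoft's code: one way a download-scanning script can fail closed on the result code. The value -1073741819 reported in the first post is the signed form of 0xC0000005 (STATUS_ACCESS_VIOLATION), meaning the process crashed rather than returned a scan verdict. The "0 or 1" success codes and the /f and /q switches come from the posts above; the function names and the 120-second timeout are assumptions.

```python
import subprocess

SCAN_COMPLETED = {0, 1}   # per the post: 0 or 1 means the scan ran to completion

# NTSTATUS values Windows reports as the exit code of a process that died.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

def as_unsigned(code):
    """cmd.exe's %errorlevel% shows the code signed (-1073741819);
    Python's subprocess on Windows shows it unsigned (3221225477)."""
    return code & 0xFFFFFFFF

def classify(code):
    """Return (verdict, detail); only 'scanned' means a scan actually happened."""
    if code in SCAN_COMPLETED:
        return ("scanned", f"result code {code}")
    u = as_unsigned(code)
    if u >> 30 == 0b11:                      # NTSTATUS severity bits = error
        name = NTSTATUS_NAMES.get(u, "unlisted NTSTATUS error")
        return ("crashed", f"0x{u:08X} {name}")
    return ("not-scanned", f"unexpected result code {code}")

def scan_download(path, scanner="a2cmd.exe", timeout=120):
    """Scan one download; any verdict other than 'scanned' means the file
    must be treated as unscanned (assumed wrapper, switches as in the posts)."""
    try:
        proc = subprocess.run([scanner, f"/f={path}", "/q"],
                              capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return ("not-scanned", "scanner executable not found")
    except subprocess.TimeoutExpired:
        return ("not-scanned", f"no result within {timeout}s")
    return classify(proc.returncode)

if __name__ == "__main__":
    print(classify(-1073741819))
```

Logging the detail string alongside the verdict makes a silent scanner failure like the one in this thread visible in the script's output instead of passing as a clean download.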


Our developers will look at the bug report and make any changes they believe are necessary.

Have you tried the stand-alone version available from here? If you run it as admin the first time, it installs a service, and since the service will run with admin rights and does all of the actual work, a2cmd.exe should be able to run from the Command Prompt without admin rights.


> Our developers will look at the bug report and make any changes they believe are necessary.
>
> Have you tried the stand-alone version available from here? If you run it as admin the first time, it installs a service, and since the service will run with admin rights and does all of the actual work, a2cmd.exe should be able to run from the Command Prompt without admin rights.

Yes, once the service was installed, the /s switch allowed a2cmd.exe to scan without admin rights.

Thanks for the suggestion.

 

However, there may be a problem with the /quarantine switch.

My preliminary testing revealed that the zipped EICAR test files are not quarantined properly, even though they are detected.

Perhaps that is a topic for another thread, and I will wait for any response to the bug report.

 

At least the scans now return the appropriate result codes.

 

Thanks again.


> My preliminary testing revealed that the zipped EICAR test files are not quarantined properly, even though they are detected.

If they are zipped, then the cleaning engine is supposed to quarantine the ZIP archive that they are in. I take it that that was not what happened?


> If they are zipped, then the cleaning engine is supposed to quarantine the ZIP archive that they are in. I take it that that was not what happened?

Correct.  The message in the command window indicated an item was removed, but the ZIP archive was still in its original location.

 

Here's what I did:

1.   make sure the Quarantine list in EEK is empty

2.   download eicar_com.zip to C:\Downloads (or any convenient location)

3.   execute this command with admin rights: a2cmd /a /q /f="C:\Downloads"

4.   observe successful completion of scan, including statement that 1 item was removed

5.   open the download location and observe that eicar_com.zip is still there

6.   open the Quarantine folder and observe an .EQF file

      -Windows Explorer says it is 26 bytes which is very small compared to 4 or 5 KB, the size of the EQF file that results when removing the unzipped eicar file

7.   open EEK (a2emergencykit.exe) and click the Quarantine tab

8.   observe the listed item, which is incompletely and/or unintelligibly described

9.   select the item and click "Restore"

10. observe the "unable to restore to original location" message and choose to restore to another location

11. EEK crashes when trying to save to the new location

 

Maybe you can confirm that the ZIP archive is not removed properly?

 

Thanks for your attention.


> Maybe you can confirm that the ZIP archive is not removed properly?

Confirmed.

I'll pass this along to one of our developers. ;)
