nkrontir

Partial Protection Only


After the recent upgrade, Surf Protection, File Guard and Behavior Blocker are disabled and cannot be enabled. This is true for any of the methods that can be used to enable any one or all of these components (from the icon -> protection status -> enable all components, from the icon -> protection status -> enable file guard, from the UI -> Protection -> Activate File Guard, etc.).

 

Any clues?

 

Thanks.

 


Hello nkrontir,

It looks like something went wrong during the installation of the latest drivers during the last update. To diagnose and remove the leftover old drivers, I would require a log of our dedicated cleaning utility from you. Please download Emsiclean from this link (be sure to save it on your Desktop), and follow the instructions below to get me a log:

  • Run the Emsiclean download that you saved on your Desktop.
  • Read the disclaimer. Note that you must agree to it in order to proceed.
  • Once the scan is finished, simply exit Emsiclean, and do not remove anything.
  • A new file will be saved on your Desktop with a log of what was detected. Please attach that to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
Thanks! :)


Take your time. There is no need to hurry. Once you have 30 minutes or so of free time, download the TeamViewer QuickSupport module from here:

 

http://www.teamviewer.com/en/download/windows.aspx

 

Once you run it, it will display an ID and a password. Just send me both via private message and I will be able to connect to your system.


I will. Based on the dump, you have some other file system filter drivers installed. We are currently testing all of them to see if there are any incompatibilities, as your case is currently, unfortunately, the only report we have.


I looked closer into your case today. The problem is the fact that you are using Windows XP with a lot of software that installs a process creation notification routine. These routines are essentially callbacks that are called by Windows whenever a process starts. The problem is that on Windows XP only a maximum of 8 such callbacks can be installed. On your system the 8 callbacks are already taken:

[*] PspCreateProcessNotifyRoutine:
     Procedure: 0xFFFFFFFFB34DD130 (nv4_mini) 
     Procedure: 0xFFFFFFFFAE396DAC (pfmfs_463!ReleaseForCcFlush) 
     Procedure: 0xFFFFFFFFAE19279E (fwtdi32!Create_Process_Notify_Routine) 
     Procedure: 0xFFFFFFFFAE05C4FA (cbfs3) 
     Procedure: 0xFFFFFFFFAE023CDF (cbfs) 
     Procedure: 0xFFFFFFFFADF6D92A (vmci!VMCIQueue_Peek) 
     Procedure: 0xFFFFFFFFAC5B69B0 (SbieDrv) 
     Procedure: 0xFFFFFFFFAC365145 (000) 

nv4_mini is your graphics card driver; you most likely won't be able to get rid of that one. pfmfs_463 is related to a product called Pismo File Mount. fwtdi32 is our firewall engine, so if using EAM instead of EIS is an option, that might work. cbfs3 and cbfs are related to a company selling off-the-shelf file system filter drivers. Which product exactly hides behind those is unclear. vmci is related to VMware. SbieDrv is related to Sandboxie. The last driver, 000, is related to a Cyberlink product.

 

The bottom line is, unless you free up at least one more callback slot, EIS will not run on your system, as the driver will refuse to load because it can't register its notify routine. So you unfortunately have to uninstall one of the applications that is taking up a slot at the moment. Another option would be to upgrade to Windows Vista or later. In Vista and later the 8-routine limit was increased to 64.

 

Sorry, but outside of these 2 options there is unfortunately nothing I can do for you.


I uninstalled VMware workstation but the problem persists. I didn't uninstall vSphere client, it's important to my work and I don't think it would need such access to my system. Maybe the VMware workstation uninstaller doesn't do a great job. I'll keep trying to sort this out and keep you posted.

 

Edit: This is just weird, there's no vmci.sys anymore on my system so that routine should be gone completely.


It is not impossible that a different driver took its place given the number of applications you have installed on that system and the limitations Windows XP imposes.

 

The easiest way to check is to use a tool that allows you to view which drivers have these callbacks registered at the moment. Many anti-rootkit scanners, like this one for example, have that ability. You can find the option under "Kd +", "System Notify Callbacks". Only the entries of callback type "CreateProcess" are relevant. The number of such entries needs to be below 7 so both the EIS firewall driver (fwtdi32.sys) as well as the EIS File Guard and Behavior Blocker driver (epp32.sys) can install their callbacks.

 

If you want I can also take another look at it via TeamViewer.
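
Added example, not part of the original posts and not Emsisoft's code: a small Python triage script that parses the `PspCreateProcessNotifyRoutine` dump quoted in this thread, counts occupied slots against the limits stated above (8 on Windows XP, 64 on Vista and later), and reports how many slots must be freed before `fwtdi32` and `epp32` can both hold one. The names `parse_callbacks`, `slot_report`, `SLOT_LIMIT` and `EIS_DRIVERS` are hypothetical.

```python
import re

# Slot limits as stated in the thread: 8 on Windows XP, 64 on Vista and later.
SLOT_LIMIT = {"xp": 8, "vista+": 64}
# Drivers the thread says EIS has to register a callback for.
EIS_DRIVERS = ("fwtdi32", "epp32")

# The dump posted in the thread, copied verbatim.
DUMP = """\
[*] PspCreateProcessNotifyRoutine:
     Procedure: 0xFFFFFFFFB34DD130 (nv4_mini)
     Procedure: 0xFFFFFFFFAE396DAC (pfmfs_463!ReleaseForCcFlush)
     Procedure: 0xFFFFFFFFAE19279E (fwtdi32!Create_Process_Notify_Routine)
     Procedure: 0xFFFFFFFFAE05C4FA (cbfs3)
     Procedure: 0xFFFFFFFFAE023CDF (cbfs)
     Procedure: 0xFFFFFFFFADF6D92A (vmci!VMCIQueue_Peek)
     Procedure: 0xFFFFFFFFAC5B69B0 (SbieDrv)
     Procedure: 0xFFFFFFFFAC365145 (000)
"""

# "Procedure: <hex address> (<module>[!<symbol>])"
ENTRY = re.compile(r"Procedure:\s+(0x[0-9A-Fa-f]+)\s+\(([^)!]+)(?:!([^)]+))?\)")


def parse_callbacks(dump):
    """Return (address, module, symbol or None) for every listed routine."""
    return [(int(addr, 16), mod, sym or None)
            for addr, mod, sym in ENTRY.findall(dump)]


def slot_report(dump, windows="xp", required=EIS_DRIVERS):
    """Count used slots and work out how many must be freed for `required`."""
    entries = parse_callbacks(dump)
    owners = {mod.lower() for _, mod, _ in entries}
    free = SLOT_LIMIT[windows] - len(entries)
    missing = [drv for drv in required if drv not in owners]
    return {
        "used": len(entries),
        "free": free,
        "missing": missing,                      # required drivers with no slot yet
        "must_free": max(0, len(missing) - free),
    }


if __name__ == "__main__":
    for version in SLOT_LIMIT:
        print(version, slot_report(DUMP, version))
```

Re-running it on a fresh dump after each uninstall shows whether the slot was actually released or taken by another driver.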
