iWarren Posted October 28, 2015

Upgrade from EIS 10.0.0.5735 to EIS 11.0.0.5847 (Beta)

I currently have the 'Advanced Firewall Settings' set to "Ask" to allow incoming/outgoing firewall rules (all 4 options are set to Ask).

Application Rules did not Update after Upgrade
-----------------------------------------------------------
After the upgrade/restart I deleted the custom rules to allow ports 80/443, and yet it still allowed the connection even after restarting Firefox and did not prompt me to allow it again either. So I went to Settings -> "Factory Defaults". This seemed to do the trick, and this time it asked me to allow the port connections 80 / 443.

Real-Time Firewall Blocking
------------------------------------
At first I allowed port 80 / 443, and then tried adding a BLOCK TCP/UDP 0-65535 (below the first rule). I could still browse successfully (where before in v10, 0-65535 was overriding everything). However, I then removed the rules and tried this time to "block" the connections, except it was still allowing the connection, even though 80 / 443 were blocked. It wasn't until I restarted Firefox that the blocking rule took effect. So it appears real-time firewall blocking of the application is not quite working.

Real-time Application Blocking (or Suggestion)
-------------------------------------------------------------------
Another issue, prevalent in v10 also, is that when you block an application in Application Rules or Behaviour Blocker, it does not close the application once blocked; it just prevents it from running the next time. In v9 I remember it used to close the application immediately once blocked.

Automatic Custom Monitoring (Suggestion)
-------------------------------------------------------------------
Even though I have automatic firewall settings set to "Ask" about trustworthy applications, the behaviour blocker still sets everything to "All Allowed", so each time I do, say, a Factory Reset or new install, I have to reset each application to "Custom Monitoring" if I want to be confronted with potential behavioural threats. The behavioural blocking is the pride and joy of EIS, so I think it should be an option in "Advanced Firewall Settings" to set "All Allowed" to "Custom Monitoring" by default, which will warn you about code injection and such.

Automatic Behavior Blocking Template (Suggestion)
-----------------------------------------------------
I also think you should be able to create something like a Template that applies to all applications by default. For example, "Block Backdoor Related Activity" and "Block Spyware Related Activity" could be set by default, based on the template you created.

More Detailed Information About Intrusions (Suggestion)
----------------------------------------------------------------------------------
I mentioned in the previous suggestion about behavioural blocking how it warns you about code injection and potential intrusions. These errors can come from system applications. For example, when changing personalize settings, a message appears saying Explorer.exe wants to change something, or when Firefox tries to run a program from the downloads menu, it will say something along the lines that Firefox is acting like a trojan or something to that nature. These are scenarios where it was likely a false detection, but was warning of a potential problem, which is great!

However, there are also scenarios where Explorer.exe or Firefox.exe may be doing something it shouldn't, and yet the options are to Allow something potentially bad, or Block, which closes the application, not really knowing what you just blocked.

So what I'd really love to see is the offending command. I believe v9 had it right: when it popped up the behaviour, it gave you much more verbose input, like

Explorer.exe -> Shell32.dll -> hotdog.dll -> somethingweird.exe

Then I could tell the difference between a simple desktop entry being modified and an actual threat that needs to be dealt with. So I would really, really love to see an option in "Advanced rule settings" for

[ X ] verbose behaviour messages

Application Rules & Behavior Rules Merging (Suggestion)
----------------------------------------------------------------------
I think v9 also had it right in this case: all of the application rules were in one neat, tidy window. Maybe I'm a little daft, but I don't quite understand why these two are separated, and why some applications will show up in Behavior Blocker and not in Application Rules, and if I want one in the other, I have to create the rule myself, then tediously set everything to Custom Monitored to get it to monitor its behavior.

Theming (Suggestion)
----------------------------
I know I've said this before, but I'll say it again: I'd love to have an option to theme/skin the EIS application, maybe to something with more neutral colors.

Insights
----------
If everything gets automatically allowed, then it's only passively protecting the system for the sake of letting Windows run smoothly. The goal here is easy-to-use security; I think it's important not to let security take a back seat for the sake of making it easy to use. In the Blog you mention that everything should be kind of behind the scenes without much intervention and fiddling around with settings; however, I think a lot of people don't really mind the extra popups as long as they know their system is actually being protected.

Special Thanks
--------------------
I'd like to thank the Emsisoft team for their dedication and hard work on this amazing application. I hope everything I've said has not been discouraging but has inspired you to keep working to make this program even better. Keep up the good work, and please tell Santa about everything on my wish list.

iWarren Posted October 28, 2015

Firewall Enabled Causes Delay in Application Startup
--------------------------------------------------------------------
Using v11, starting Firefox with the Firewall disabled, Firefox starts in 1 second. With the firewall enabled, average startup time is 22 seconds, although creating new instances once it's open causes no delay.

For the record, this computer has a fresh 32-bit Windows 7 Pro install, fully updated.

iWarren Posted October 28, 2015

* Always block this application (impossible to run) is not blocking applications, even after restart.

GT500 Posted October 28, 2015

All of the above is about version 11, correct?

iWarren Posted October 28, 2015

Yes, v11.0.0.5847 (beta) with a fresh install of Windows 7 32-bit.

I was thinking I should have sent this to [email protected] but I wasn't sure who would receive it.

I've switched back to v10 now for stability.

GT500 Posted October 29, 2015

[email protected] is read by our management, whereas what you post here is read by support and other users. Sometimes our management will get involved in discussions on the forums as well, since they do want to see feedback about new versions of our software. I've sent them an e-mail to make sure that they are aware of your forum topic.

I'm going to ask our QA Manager if the two issues you reported are already known. If not, then we can collect some debug information if you feel up to it.

iWarren Posted October 29, 2015

Yeah, I'm up for it. I actually already tried to collect some debug info regarding the Firefox delay.

Using Sysinternals DebugView, I tried to capture the win32/kernel calls upon Firefox startup, but it didn't seem to display anything relevant or useful. I expected to see possibly some duplicate calls to something, but I didn't see many calls at all. It makes me think maybe DebugView isn't the right program for Windows pipe viewing.

On the bright side, I did see some websites that Firefox was accessing on startup, so if anyone is curious about what websites Firefox is connecting to (i.e. for addons and such), or even other programs, then I recommend using DebugView for this.

iWarren Posted October 29, 2015

(Using v11) I am running the latest Firefox v41.0.2 in safe mode (disables all addons) and it still hangs for 22 seconds before opening the window.

The Firefox program is running, but after loading about 8 typical threads it pauses. It seems about the right time that it would probably be loading an Emsi driver.

I suspected it was the 'surf protection', but it still doesn't work with 'surf protection' disabled. I turned off the firewall, and Firefox instantly comes up, so it's something to do with the firewall module.

I think we can safely rule out Firefox as an issue, as it works fine with v10.

GT500 Posted October 30, 2015

I'm going to paste some canned instructions for getting debug logs below. Obviously you'll need to do this once for each of the issues you had reported. After getting the first logs you can turn debug logging off, restart your computer, delete the logs, turn debug logging back on, and then restart again to get the logs for the second issue. Here's the instructions:

In order to get debug logs, you will first need to run a batch file to enable debug logging. This batch file is contained in the ZIP archive at this link (this ZIP archive also contains a batch file to disable debug logging). Please save that ZIP archive on your desktop, extract its contents, and then follow these instructions:

1. Run the enable_debug_output batch file (if your computer has Windows Vista, Windows 7, or Windows 8 then please right-click on the batch file and select Run as administrator).
2. You will see a black window pop up, and then disappear very quickly. After that happens, please restart your computer.
3. Reproduce the issue you are having.
4. Once you have reproduced the issue, hold down the Windows key on the keyboard (the one with the Windows logo on it, usually in between the Ctrl and Alt keys) and tap the R key to open the Run dialog.
5. Type the following into the Run dialog, and then click OK:
   %ALLUSERSPROFILE%\Emsisoft
6. A window should open and you should see a Logs folder. Right-click on that Logs folder, go to Send to, and select Compressed (zipped) folder.
7. Move the new ZIP archive you created with the logs folder in it to your desktop.
8. Attach the ZIP archive containing the logs to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

Note: If you get an error message when trying to send the Logs folder to a Compressed (zipped) folder then you may need to try a utility such as 7-Zip or WinRar to compress the folder. Both 7-Zip and WinRar have options to create an archive and save it in another location (such as on your desktop), which should prevent the error message. Here are links to the download pages for 7-Zip and WinRar.

After posting the debug logs, you can run the disable_debug_output batch file (be sure to run it as administrator as well) and restart your computer again to disable debug logging.

Frank H Posted October 30, 2015

May I ask what bit version of Win7 you are running?

Frank H Posted October 30, 2015

I can confirm the Firefox slow start issue with EIS; there is no need to provide debug logs for that issue.

I cannot reproduce your issue where a block-all rule doesn't block the application from starting. Please make sure the rule contains exactly the same path and application name as the one you are trying to run. If you have confirmed this, please provide debug logs for that issue.

Thanks

iWarren Posted November 2, 2015

Windows 7 Home - 64-bit

I'm having a bit of an issue with the logging process. I enabled it in a command prompt with admin access. I did this before I updated to v11, as I wanted to capture the 'transition process' as well.

I confirmed that it was logging and then I was prompted to restart to finish the v11 installation. So I moved those log files to another location, and proceeded to restart.

After returning from the restart, Programdata\Emsisoft\Logs had no log files, and now it refuses to provide any more logs. I verified in the registry that the logging option is set, and disabled/enabled it again.

So I am curious whether perhaps this logging option has been disabled in v11?

Also, before sharing any logs, are there any pieces of data within the log files that could be a security issue if shared, i.e. certain hashes?

iWarren Posted November 2, 2015

I tried resetting all firewall settings and it still wouldn't log. I uninstalled Emsisoft v11 and then installed v10 again, updated to v11, then ran the debug_output batch file.

There do appear to be a couple of log files, but I'm thinking they may be left behind by the firewall driver install, as they're not being appended to.

Any ideas?

iWarren Posted November 2, 2015

I can also confirm Chrome does not have the delay like Firefox.

Frank H Posted November 2, 2015

When you have installed EAM/EIS x64 you will have to set another registry key, as EAM x86 looks in Wow6432Node for this key. We will have to update those batch files, sorry for the inconvenience.

Please add this key and restart your PC to enable debug logging:

HKEY_LOCAL_MACHINE\SOFTWARE\Emsi Software GmbH
"GenerateDebugOutput"=dword:00000001

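The registry-view mismatch described in this post can be checked before restarting. The script below is an added example, not part of the thread or of Emsisoft's batch files: it reads the value from both the 32-bit and the 64-bit view of HKLM\SOFTWARE, using the key path and value name quoted above. It assumes PowerShell 3.0 or later; the function name Get-DebugSwitch is made up for the example.

```powershell
# Added example: report the debug-logging switch in each registry view.
# Key path and value name are the ones quoted in the post above.
$subKey    = 'SOFTWARE\Emsi Software GmbH'
$valueName = 'GenerateDebugOutput'

function Get-DebugSwitch {
    param([Microsoft.Win32.RegistryView]$View)

    # OpenBaseKey selects the view explicitly, so the result does not
    # depend on whether this PowerShell host is a 32-bit or 64-bit process.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)   # read-only open
        if ($null -eq $key) { return 'key missing' }
        try {
            $value = $key.GetValue($valueName, $null)
            if ($null -eq $value) { return 'value missing' }
            return "$value ($($key.GetValueKind($valueName)))"
        } finally { $key.Close() }
    } finally { $base.Close() }
}

# A 32-bit OS has only one view; a 64-bit OS has both.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

foreach ($view in $views) {
    [pscustomobject]@{
        View  = $view
        State = Get-DebugSwitch -View $view
    }
}
```

On 64-bit Windows the Registry32 view is the one stored under Wow6432Node, so a value that shows up in only one row was written to a view the other bitness never reads.
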
iWarren Posted November 2, 2015

Yeah, that works now. I forgot that even though it might be a 64-bit application that it still relies on 32-bit architecture. Backwards compatibility makes a real mess of things.

iWarren Posted November 2, 2015

Yeah, I'd definitely be careful about asking people to post their Emsisoft logs, as the user's license key is listed inside.

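One way to act on this warning is to attach a redacted copy of the Logs folder instead of the original. The script below is an added example, not part of the thread and not an Emsisoft tool. The function names are made up, the sample lines are constructed, and the 'license-key' pattern is a hypothetical key shape, since the thread does not show the real format. It assumes PowerShell 3.0 or later.

```powershell
# Added example: redact debug logs before attaching them to a public post.
# ASSUMPTION: the 'license-key' pattern is a hypothetical key shape, not
# Emsisoft's real format; adjust the rules after inspecting your own logs.
$rules = [ordered]@{
    'license-key' = '\b[A-Z0-9]{4}(-[A-Z0-9]{4}){3,}\b'
    'user-path'   = '(?i)(?<=\\Users\\)[^\\\r\n]+'
    'email'       = '[\w.+-]+@[\w-]+(\.[\w-]+)+'
}

function Protect-LogText {
    param([string]$Text)
    $hits = [ordered]@{}
    foreach ($name in $rules.Keys) {
        # Count first, then replace, so the report shows what was removed.
        $hits[$name] = [regex]::Matches($Text, $rules[$name]).Count
        $Text = [regex]::Replace($Text, $rules[$name], "<redacted:$name>")
    }
    [pscustomobject]@{ Text = $Text; Hits = $hits }
}

function Export-RedactedLogs {
    param([string]$Source, [string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($file in Get-ChildItem -Path $Source -File) {
        $result = Protect-LogText -Text ([IO.File]::ReadAllText($file.FullName))
        [IO.File]::WriteAllText((Join-Path $Destination $file.Name), $result.Text)
        $total = ($result.Hits.Values | Measure-Object -Sum).Sum
        [pscustomobject]@{ File = $file.Name; Redactions = $total }
    }
}

# Constructed sample lines (not real Emsisoft log output).
$sample = @'
12:00:00.000 1234 license=ABCD-1234-EFGH-5678
12:00:00.150 1234 open C:\Users\alice\AppData\Roaming\app\prefs.ini
12:00:01.020 1234 account alice@example.com
'@
$demo = Protect-LogText -Text $sample
$demo.Text
$demo.Hits

# Real use: write redacted copies to a separate folder, then zip that folder.
# $logs = Join-Path $env:ALLUSERSPROFILE 'Emsisoft\Logs'
# Export-RedactedLogs -Source $logs -Destination "$env:USERPROFILE\Desktop\Logs-redacted"
```

Because the patterns are guesses, read the redacted files before uploading; a file with zero redactions may simply mean the rule did not match the real key format.
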
Frank H Posted November 2, 2015

"I forgot that even though it might be a 64-bit application that it still relies on 32-bit architecture."

Please clarify.

Emsisoft Anti-Malware X64 and Emsisoft Internet Security X64 are both fully 64-bit applications. During installation or migration from v10 to v11, the bitness of the OS is detected and the correct X64 or X86 version is being installed.

Cheers

iWarren Posted November 2, 2015

First I'd like to clear up that in my initial post I was on a 32-bit OS; I then switched over to a 64-bit OS.

I was under the idea that 64-bit keys were stored in the Wow6432Node key and 32-bit keys in the Software hierarchy, which I now see is backwards.

I am however sticking to my original premise: backwards compatibility makes a mess of things.

iWarren Posted November 2, 2015

EIS v11.0.0.5847
Windows 7 Home 64-bit
Firefox v41.0.2 (Safe-mode)

I captured this in Firefox with safe mode enabled (no plugins loaded). This capture is from the moment it was started to the moment Firefox prompts to enter safe mode, which brings the window open immediately.

I believe the point of interest is possibly

02:29:44.216 3900 -> TDelayedInitializator.Refresh()

However, judging by the timestamp, I'm not certain if that can account for all of the delay, unless perhaps some sort of multi-threaded delay?

FirefoxDelay.txt

GT500 Posted November 3, 2015

From what I saw earlier today, our developers are now aware of why this is happening, and are working on resolving it.

bobbonomo Posted November 16, 2015

I was going to post something about FF being slow but you are on it.

Frank H Posted November 16, 2015

FYI: The FF slow start issue has been fixed in EIS v11.0.0.5911 stable.