Jimbo

Executables now execute that OA prevented


It gave me comfort having OA block unknown programs from executing. For example, I would write and execute small command files and OA would ask for permission to allow them to run. I would grant "one time only" permission and life was good. Now, they just run.

It makes no sense to remove a security feature from a "more powerful" version of an Emsisoft security application, so how do I enable this feature in EIS?

On the flip side, when "Delete Contents" was executed in Sandboxie, OA asked for permission. Later, while browsing, EIS stated that the Sandboxie RMDIR "program" had changed. Sandboxie should not have been changed, so something strange is going on. Any Sandboxie users know what happened?


Yes. Every time you exit Sandboxie and delete the sandbox, the command string is unique. It contains a 16-character string that is unique each time. That is what the BB is tripping on. What you need to do is go to Protection > File Guard > Manage Whitelist. Once there, click on Type and select Folder. Then add c:\Program Files\Sandboxie. That will exclude Sandboxie and the alert will go away.

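The whitelist advice in the reply above, illustrated with an added example. This is a toy model written for this thread, not Emsisoft's Behavior Blocker or Sandboxie's code: the executable name `Start.exe`, the `delete_sandbox` argument and the 16-character tokens are constructed. It shows why a rule keyed on the whole command line never matches the next delete run (the token differs), and that a folder whitelist should match by path component, not by string prefix, so a look-alike folder such as `SandboxieEvil` is not silently allowed.

```python
"""Toy model of a command-line rule versus a folder whitelist.

Written for this thread; not Emsisoft's or Sandboxie's code. The command lines,
executable name and tokens are constructed.
"""
from pathlib import PureWindowsPath

# Constructed sample: two successive "Delete Contents" runs whose last argument
# is a per-run 16-character token, a look-alike folder, and an unknown download.
# The executable name and argument layout are assumptions, not Sandboxie's own.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Sandboxie\Start.exe" delete_sandbox A1B2C3D4E5F60718',
    r'"C:\Program Files\Sandboxie\Start.exe" delete_sandbox 9F8E7D6C5B4A3210',
    r'"C:\Program Files\SandboxieEvil\Start.exe" delete_sandbox 0000111122223333',
    r'"C:\Users\jimbo\Downloads\gift.exe"',
]


def split_command_line(cmdline):
    """Return (executable path, argument list) for a Windows-style command line.

    A quoted program path is taken up to the closing quote; an unquoted one is
    taken up to the first space (sufficient for the constructed samples).
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].split()
    exe, _, rest = cmdline.partition(" ")
    return exe, rest.split()


class ExactCommandLineRules:
    """'Allow always' keyed on the exact command line.

    Because the token changes on every run, the stored rule never matches the
    next invocation, so the prompt comes back every time.
    """

    def __init__(self):
        self.allowed = set()

    def decide(self, cmdline):
        if cmdline in self.allowed:
            return "allowed"
        self.allowed.add(cmdline)  # simulate the user clicking "Allow always"
        return "prompt"


def is_under_folder(exe_path, folder):
    """True only when exe_path lies inside folder.

    PureWindowsPath compares case-insensitively and by path component, so a
    path under 'C:\\Program Files\\SandboxieEvil' is NOT under
    'C:\\Program Files\\Sandboxie'.
    """
    return PureWindowsPath(folder) in PureWindowsPath(exe_path).parents


def naive_prefix_match(exe_path, folder):
    """The tempting string-prefix shortcut; included to show what it gets wrong."""
    return exe_path.lower().startswith(folder.lower())


def decide_with_folder_whitelist(cmdline, whitelist):
    """Allow any executable located under a whitelisted folder, whatever its arguments."""
    exe, _args = split_command_line(cmdline)
    return "allowed" if any(is_under_folder(exe, f) for f in whitelist) else "prompt"


def run_demo(command_lines=SAMPLE_COMMAND_LINES,
             whitelist=(r"C:\Program Files\Sandboxie",)):
    """Return the decision sequence under both rule styles for the sample runs."""
    exact = ExactCommandLineRules()
    return {
        "exact_rule": [exact.decide(c) for c in command_lines],
        "folder_whitelist": [decide_with_folder_whitelist(c, whitelist)
                             for c in command_lines],
    }


if __name__ == "__main__":
    for style, decisions in run_demo().items():
        print(style, decisions)
```

Under the exact rule every run prompts, which is the "rule added, rule deleted" pattern a per-run token produces; under the folder whitelist both genuine Sandboxie runs are allowed while the look-alike folder and the unknown download still prompt.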

It makes no sense to remove a security feature from a "more powerful" version of an Emsisoft security application, so how do I enable this feature in EIS?

EIS isn't actually intended to be "more powerful" than Online Armor was. It's intended to be easier to use. It isn't going to show alerts when a program runs, but can do so when a behavior that EIS monitors for is performed (depending on your Application Rules).


Peter,

 

Thanks.  That makes sense.  There was an option to allow that "program" to change so it was allowed.  The entry does not appear in any list, including the Whitelist, so I can't remove it to test your suggestion. However, your information will be used in the future and is appreciated.

 

 

Updated. Found the entry in the "Behavior Blocker Log". After "Allow Always" was selected for the Sandboxie program, the log listed "App rule added". 42 seconds later the log lists "App rule deleted."

 

I tried adding "c:\Program Files\Sandboxie\rmdir" as both a name and a file, and "c:\Program Files\Sandboxie" as a folder. The entries disappear after clicking "OK".

 

So, what I have now is a program from a known vendor that I want to execute without having to give permission but can't, and a program from an unknown vendor that I want to disallow until I give it permission but can't. ROFL :D

 

Hey, I am sticking with EIS so I can't be all that upset... just curious as to the reasoning and/or how to get it to behave.


Arthur,

 

Thanks for the response.

 

Sorry for using the term "more powerful".  It still makes no sense, to me, that a security program which makes a "Leap in technology" in order to prevent applications from "destroying your files..." would allow an unknown program to do what OA would not.

 

Online Armor:

stopped unknown programs from executing and, if allowed to execute, stopped the program from

- deleting files
- getting a list of files
- executing ftp and sending data to an unknown website

 

Even when OA was told to allow that program to always execute, OA would ask again if the program changed.  EMSIS allows all those actions.

 

I'm not upset, but many of the security applications currently used are changing and each has lost some functionality. I rarely used any protection from 1980-2007 and then, finally, one of my computers got infected. Now, I run with lots of protection, often increased beyond the defaults. So, losing protection is somewhat disappointing. Hey, they really are out to get me... :D


Sorry for using the term "more powerful".  It still makes no sense, to me, that a security program which makes a "Leap in technology" in order to prevent applications from "destroying your files..." would allow an unknown program to do what OA would not.

Online Armor, for lack of a better way of saying it, wasn't intelligent and for the most part required some sort of user interaction to tell it whether or not something should be allowed. Technically this was by design, since Online Armor had a full-featured HIPS. EIS on the other hand tries to be smarter, and make decisions on its own. To this end, EIS doesn't have most of the advanced features that Online Armor did, since it isn't intended to function that way (hence the lack of an "advanced mode" like what Online Armor had).

 

Even when OA was told to allow that program to always execute, OA would ask again if the program changed.  EMSIS allows all those actions.

EIS will display an alert when an executable has changed, but in version 11 it only does it when an application performs a behavior EIS monitors for. It used to do it when an application was launched, however generating hashes every time a program starts in order to determine whether or not it has changed can have an unfortunate effect on application and computer performance.


Guys

 

There is a bottom line here. I receive quite a few emails with "gifts" attached. I open and run them in a VM. EIS/EAM are consistently the first to stop them. So far no misses. That is the bottom line. It removes the opportunity for us techies to allow something by mistake, which is the point GT500 was making.


Yes, malicious e-mail attachments are certainly the kind of unknown applications that the Behavior Blocker will display notifications for. ;)
