OneofTen

EAM in a developer Environment


We have issues with the Behaviour Blocker on our dev PCs. We are using IncrediBuild and Visual Studio 2013. When compiling starts we get a lot of BB warnings, and they cause the build to fail.

Emsisoft Anti-Malware - Version 11.0
BB log

Date	PID	Application	Event	Detection
05.02.2016 13:19:22	10136	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector
05.02.2016 13:19:14	8536	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector
05.02.2016 13:19:12	12668	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector
05.02.2016 13:19:10	2040	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector
05.02.2016 13:17:49	0	C:\Windows\reg	App rule deleted
05.02.2016 13:17:34	0	C:\Windows\reg	App rule modified
05.02.2016 13:17:23	0	C:\Windows\reg	App rule added
05.02.2016 13:17:23	1004	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:16:50	0	C:\Windows\reg	App rule deleted
05.02.2016 13:16:50	0	C:\Windows\reg	App rule added
05.02.2016 13:16:50	7848	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:15:32	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat	App rule deleted
05.02.2016 13:14:53	12564	C:\Windows\reg	Allowed once by user	Behavior.CodeInjector
05.02.2016 13:14:03	0	C:\Windows\reg	App rule deleted
05.02.2016 13:14:02	0	C:\Windows\reg	App rule added
05.02.2016 13:14:02	8416	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:14:01	0	C:\Windows\reg	App rule deleted
05.02.2016 13:14:01	11340	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:14:01	0	C:\Windows\reg	App rule added
05.02.2016 13:13:44	0	C:\Windows\reg	App rule deleted
05.02.2016 13:13:44	11936	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:13:44	0	C:\Windows\reg	App rule added
05.02.2016 13:12:14	0	C:\Windows\reg	App rule deleted
05.02.2016 13:12:14	0	C:\Windows\reg	App rule added
05.02.2016 13:12:14	4260	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:11:33	6752	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat	Allowed always by user	Behavior.CodeInjector
05.02.2016 13:11:33	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat	App rule added
05.02.2016 13:08:17	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_261FF.bat	App rule deleted
05.02.2016 13:08:16	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat	App rule deleted
05.02.2016 13:08:16	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat	App rule deleted
05.02.2016 13:08:16	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{56227610-B173-4074-83BF-F7E2DFDB5942}.bat	App rule deleted
05.02.2016 13:08:16	0	C:\Windows\reg	App rule deleted
05.02.2016 12:55:42	0	C:\Windows\reg	App rule modified
05.02.2016 12:55:39	0	C:\Windows\reg	App rule added
05.02.2016 12:55:39	12544	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector
05.02.2016 12:55:21	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat	App rule added
05.02.2016 12:55:21	6124	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat	Allowed always by user	Behavior.CodeInjector
05.02.2016 12:54:53	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat	App rule added
05.02.2016 12:54:53	7008	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat	Allowed always by user	Behavior.CodeInjector
05.02.2016 11:00:59	0	C:\Windows\reg	App rule deleted

Is there a way other than just turning the BB off? C:\Windows\reg is not a real application :-/ so no whitelisting is possible.

Many thanks


It appears EAM fails to resolve the command line correctly. Would you mind sending the entire command line for the cmd.exe instance started by your build script so I can take a look at it? Other than that, excluding cmd.exe should fix that particular issue. Instructions on how to exclude processes can be found here:

https://helpdesk.emsisoft.com/Knowledgebase/Article/View/114/48/how-can-i-exclude-a-program-from-an-emsisoft-product

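As an added worked example (not code from this thread, from Emsisoft or from Xoreax): a small Python script that parses the tab-separated BB log format posted above and pulls out the two things the exchange turns on. First, a flagged "application" with no executable extension, such as C:\Windows\reg, is an unresolved command line rather than an image path (the real binary is reg.exe under C:\Windows\System32), which is why it cannot be turned into a process exclusion; the script flags those entries. Second, "Allowed always" rules created for IncrediBuild's per-build temp scripts (ib_XXXXX.bat, ibcmd{GUID}.bat) are tied to a random file name and will not match the next build, so clicking through them only produces the add/delete rule churn visible in the log. The naming patterns are inferred from the paths in the log, and the sample lines are constructed from entries quoted in the post.

```python
"""Summarise an Emsisoft Behavior Blocker log export (added example).

Parses the tab-separated columns shown in the thread (Date, PID,
Application, Event, Detection) and reports:
  * flagged "applications" with no executable extension (e.g. C:\\Windows\\reg),
    which are unresolved command lines and cannot be excluded as a process;
  * "Allowed always" rules on per-build IncrediBuild temp scripts, whose
    random names will not match the next build.
Sample log lines below are constructed from entries quoted in the thread.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = """\
Date\tPID\tApplication\tEvent\tDetection
05.02.2016 13:19:22\t10136\tC:\\Windows\\reg\tBlocked once by user\tBehavior.CodeInjector
05.02.2016 13:17:23\t1004\tC:\\Windows\\reg\tAllowed always by user\tBehavior.CodeInjector
05.02.2016 13:17:23\t0\tC:\\Windows\\reg\tApp rule added\t
05.02.2016 13:11:33\t6752\tC:\\Program Files (x86)\\Xoreax\\IncrediBuild\\Temp\\ib_5B7BF.bat\tAllowed always by user\tBehavior.CodeInjector
05.02.2016 13:11:33\t0\tC:\\Program Files (x86)\\Xoreax\\IncrediBuild\\Temp\\ib_5B7BF.bat\tApp rule added\t
05.02.2016 12:55:21\t6124\tC:\\Program Files (x86)\\Xoreax\\IncrediBuild\\Temp\\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat\tAllowed always by user\tBehavior.CodeInjector
"""

ALLOW_ALWAYS = "Allowed always by user"

# Per-build scripts IncrediBuild writes under its Temp folder, as seen in the
# log: ib_<hex>.bat and ibcmd{<GUID>}.bat. Pattern inferred from those names.
_TEMP_SCRIPT = re.compile(
    r"\\Temp\\(ib_[0-9A-F]+|ibcmd\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\.bat$",
    re.IGNORECASE,
)
_EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


@dataclass(frozen=True)
class BBEvent:
    timestamp: str
    pid: int
    application: str
    event: str
    detection: str  # empty for "App rule added/modified/deleted" lines


def parse_bb_log(text: str) -> list[BBEvent]:
    """Parse the exported log; the header row and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Date\t"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"malformed BB log line: {line!r}")
        fields += [""] * (5 - len(fields))  # rule lines may lack Detection
        ts, pid, app, event, detection = fields[:5]
        events.append(BBEvent(ts, int(pid), app, event, detection))
    return events


def has_executable_extension(path: str) -> bool:
    """A process exclusion needs an image path. "C:\\Windows\\reg" has no
    extension, so it is the unresolved command line, not the binary."""
    return bool(_EXECUTABLE_EXT.search(path))


def is_ephemeral_script(path: str) -> bool:
    """True for IncrediBuild's randomly named per-build temp scripts."""
    return bool(_TEMP_SCRIPT.search(path))


def summarise(events: list[BBEvent]):
    """Return (verdict counts per application, findings, rule churn per app)."""
    verdicts: dict[str, Counter] = defaultdict(Counter)
    rule_churn: Counter = Counter()
    for e in events:
        if e.detection:
            verdicts[e.application][e.event] += 1
        elif e.event.startswith("App rule"):
            rule_churn[e.application] += 1

    findings = []
    for app, counts in verdicts.items():
        if not has_executable_extension(app):
            findings.append((app, "unresolved path: cannot be excluded as a process"))
        if is_ephemeral_script(app) and counts[ALLOW_ALWAYS]:
            findings.append((app, "permanent rule on per-build temp script: "
                                  "random name will not match the next build"))
    return dict(verdicts), findings, dict(rule_churn)


if __name__ == "__main__":
    verdicts, findings, churn = summarise(parse_bb_log(SAMPLE_LOG))
    for app, counts in verdicts.items():
        print(app, dict(counts), f"rule add/modify/delete events: {churn.get(app, 0)}")
    for app, why in findings:
        print("FINDING:", app, "->", why)
```

Feed it a full export rather than the embedded sample; the useful output is the findings list, which tells you which entries can be turned into a stable process exclusion (a real image path, not a temp script and not an unresolved command line) before anyone reaches for the switch that turns the Behavior Blocker off.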

Is there a way to change this behaviour? The debug log gets spammed with a2hooks, and I'd like to whitelist our complete folder structure... We did that, but a2hooks is still flooding our logs.

[attached screenshot: vaubmbx5.png]


Yes, it would be great to add folders and variables like %users%. I miss these features in the EEC too! :unsure:

It's not all like home computers with a fully qualified path and .exe.

So Fabian, please push it to the to-do list :D

Regards, Zwergenmeister


You can't whitelist folders from the Behavior Blocker, only processes. There is currently no way to disable the debug logging. We may consider adding it in the future though.

I think you mean here that if we whitelist a folder from the Behavior Blocker in the following manner, it will not work?

[attached screenshot: post-34940-0-35460500-1457279750_thumb.png]



We are considering some changes to EEC to allow more control. There is no ETA yet though.

 

Hello Fabian,

Is there any update on allowing wildcards in the future?

Regards, Zwergenmeister
