EAM in a developer Environment


OneofTen
We have issues with the Behaviour Blocker on our dev PCs. We are using IncrediBuild and Visual Studio 2013. When compiling starts we get a lot of BB warnings, and it causes the build to fail.

Emsisoft Anti-Malware - Version 11.0
BB log

Date	PID	Application	Event	Detection	
05.02.2016 13:19:22	10136	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector	
05.02.2016 13:19:14	8536	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector	
05.02.2016 13:19:12	12668	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector	

05.02.2016 13:17:49	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:17:34	0	C:\Windows\reg	App rule modified		
05.02.2016 13:17:23	0	C:\Windows\reg	App rule added		
05.02.2016 13:17:23	1004	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:16:50	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:16:50	0	C:\Windows\reg	App rule added		
05.02.2016 13:16:50	7848	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:15:32	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat	App rule deleted		
05.02.2016 13:14:53	12564	C:\Windows\reg	Allowed once by user	Behavior.CodeInjector	
05.02.2016 13:14:03	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:14:02	0	C:\Windows\reg	App rule added		
05.02.2016 13:14:02	8416	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:14:01	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:14:01	11340	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:14:01	0	C:\Windows\reg	App rule added		
05.02.2016 13:13:44	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:13:44	11936	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:13:44	0	C:\Windows\reg	App rule added		
05.02.2016 13:12:14	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:12:14	0	C:\Windows\reg	App rule added		
05.02.2016 13:12:14	4260	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:11:33	6752	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat	Allowed always by user	Behavior.CodeInjector	
05.02.2016 13:11:33	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat	App rule added		
05.02.2016 13:08:17	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_261FF.bat	App rule deleted		
05.02.2016 13:08:16	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat	App rule deleted		
05.02.2016 13:08:16	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat	App rule deleted		
05.02.2016 13:08:16	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{56227610-B173-4074-83BF-F7E2DFDB5942}.bat	App rule deleted		
05.02.2016 13:08:16	0	C:\Windows\reg	App rule deleted		
05.02.2016 12:55:42	0	C:\Windows\reg	App rule modified		
05.02.2016 12:55:39	0	C:\Windows\reg	App rule added		
05.02.2016 12:55:39	12544	C:\Windows\reg	Allowed always by user	Behavior.CodeInjector	
05.02.2016 12:55:21	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat	App rule added		
05.02.2016 12:55:21	6124	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ibcmd{05063DA0-6C9D-45AF-A8AA-5F129F1A6712}.bat	Allowed always by user	Behavior.CodeInjector	
05.02.2016 12:54:53	0	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat	App rule added		
05.02.2016 12:54:53	7008	C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat	Allowed always by user	Behavior.CodeInjector	
05.02.2016 11:00:59	0	C:\Windows\reg	App rule deleted		
05.02.2016 13:19:10	2040	C:\Windows\reg	Blocked once by user	Behavior.CodeInjector	

Is there a way other than just turning the BB off? The c:\Windows\reg is not a real application :-/ so no whitelisting is possible.

 

Many thanks

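A way to summarise a BB log like the one in the post above, as an added example that is not part of the original thread: this Python script parses the tab-separated rows and reports the verdict counts, the distinct script names per folder, the application paths without a file extension, and how long each app rule existed. The sample rows are copied from the log; the function names and the reading of an extension-less path as "not fully resolved" are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Rows copied from the log above; '|' stands in for the original tab characters.
SAMPLE_LOG = r"""
05.02.2016 13:19:22|10136|C:\Windows\reg|Blocked once by user|Behavior.CodeInjector|
05.02.2016 13:17:49|0|C:\Windows\reg|App rule deleted||
05.02.2016 13:17:23|0|C:\Windows\reg|App rule added||
05.02.2016 13:17:23|1004|C:\Windows\reg|Allowed always by user|Behavior.CodeInjector|
05.02.2016 13:15:32|0|C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat|App rule deleted||
05.02.2016 13:11:33|6752|C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat|Allowed always by user|Behavior.CodeInjector|
05.02.2016 13:11:33|0|C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_5B7BF.bat|App rule added||
05.02.2016 13:08:17|0|C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_261FF.bat|App rule deleted||
05.02.2016 12:54:53|7008|C:\Program Files (x86)\Xoreax\IncrediBuild\Temp\ib_BF200.bat|Allowed always by user|Behavior.CodeInjector|
""".replace("|", "\t")

def parse_bb_log(text):
    """Turn tab-separated BB log lines into dicts; skip blanks and the header."""
    rows = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 4 or f[0] == "Date":
            continue
        rows.append({"time": datetime.strptime(f[0], "%d.%m.%Y %H:%M:%S"),
                     "pid": int(f[1]), "app": PureWindowsPath(f[2]),
                     "event": f[3], "detection": f[4] if len(f) > 4 else ""})
    return rows

def analyse(rows):
    """Return (verdict counts, script names per folder, extension-less paths, rule lifetimes)."""
    verdicts, names_by_dir, unresolved = Counter(), defaultdict(set), set()
    added, lifetimes = {}, []
    for r in sorted(rows, key=lambda r: r["time"]):  # the log is newest-first
        app = r["app"]
        if r["detection"]:
            verdicts[(r["detection"], r["event"])] += 1
        if app.suffix:
            names_by_dir[str(app.parent)].add(app.name)
        else:
            unresolved.add(str(app))  # assumption: no extension = path not fully resolved
        if r["event"] == "App rule added":
            added[app] = r["time"]
        elif r["event"] == "App rule deleted" and app in added:
            lifetimes.append((str(app), (r["time"] - added.pop(app)).total_seconds()))
    return verdicts, dict(names_by_dir), unresolved, lifetimes

if __name__ == "__main__":
    verdicts, names_by_dir, unresolved, lifetimes = analyse(parse_bb_log(SAMPLE_LOG))
    print(dict(verdicts), names_by_dir, unresolved, lifetimes, sep="\n")
```

On this excerpt it lists three different batch file names in the one IncrediBuild Temp folder and flags `C:\Windows\reg` as the only extension-less path, which is why a rule tied to a single file name does not carry over from one build step to the next.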

It appears EAM fails to resolve the command line correctly. Would you mind sending the entire command line for the cmd.exe instance started by your build script so I can take a look at it? Other than that, excluding cmd.exe should fix that particular issue. Instructions on how to exclude processes can be found here:

https://helpdesk.emsisoft.com/Knowledgebase/Article/View/114/48/how-can-i-exclude-a-program-from-an-emsisoft-product


  • 3 weeks later...

You can't white list folders from the Behavior Blocker. Only processes. There is currently no way to disable the debug logging. We may consider adding it in the future though.

 

I think here you mean that if we whitelist a folder from the Behavior Blocker in the following manner, it will not work?

 

[Screenshot attachment: post-34940-0-35460500-1457279750_thumb.png]


  • 2 weeks later...
  • 5 months later...

Yes, it would be great to add folders, and variables like %users%! I miss these features in the EEC too! :unsure:

 

It's not all like home computers with fully qualified paths and .exe

 

So Fabian, please push it to the to-do list :D

 

Regards, Zwergenmeister

 

We are considering some changes to EEC to allow more control. There is no ETA yet though.

 

Hello Fabian,

 

Is there any update on allowing wildcards in the future?

 

Regards, Zwergenmeister

This topic is now closed to further replies.