Offline Sword

The "auto-delete" bug persists

  • Which product, product edition and exact product version number your support request refers to: Emsisoft Internet Security 11.6.1.6135 (64-bit version)

  • Your operating system including the edition, service pack level and the bit-depth (32 or 64 bit) if they apply: Windows 7 Pro 64-bit

Other security applications you may have installed: Sandboxie (Invincea) and Novirusthanks EXE Radar Pro. 

If my memory serves me correctly, about one year ago, I found that EIS could automatically delete some rules (like Firewall rules) immediately after these rules were created by answering the alert window. This bug or feature caused a problem that some applications would frequently trigger alerts (like Firewall alerts or Behavior Blocker alerts) of EIS, which I think is disturbing. At that time, the staff here told me that this problem could not be reproduced, though I could reproduce it.

 

Today, it seems that this problem persists. Please check the following screenshot.

post-34940-0-26401200-1460722387_thumb.png

As you can see, the rule for "rmdir" is automatically deleted. So each time Sandboxie removes the contents in a sandbox, it will trigger an alert like this:

post-34940-0-40763700-1460722536_thumb.png

 

How to reproduce this problem?

 

1. Create a sandbox in Sandboxie. Configure it such that all the contents inside this sandbox will be automatically deleted when the processes running inside this sandbox exit.

2. Run some applications, such as Chrome, in this sandbox.

3. Close all the applications running inside this sandbox. I think you should see the alert for rmdir like the screenshot above. Choose "Allow always" such that an allow-rule will be created by EIS for rmdir.

4. Open the "Application Rules" Tab in the main window of EIS. I do not mean that this step is essential. But with this step, I could definitely reproduce this problem.

5. Perform Step 2 and Step 3 again. Then you should see the alert window shown above again.

 

If you still could not reproduce this problem...I give up...


If the directory does not exist, then the rules for applications in those folders are deleted. As an example, I downloaded wget for Windows, ran it, when the Behavior Blocker displayed an alert I selected to always allow it, and then I deleted the folder and the rule in EIS was also deleted. Here's a copy and paste from the Behavior Blocker log:

4/16/2016 5:43:24 AM	0	C:\Users\GT500\Desktop\wget-1.11.4-1-bin\bin\wget.exe	App rule deleted
4/16/2016 5:42:18 AM	0	C:\Users\GT500\Desktop\wget-1.11.4-1-bin\bin\wget.exe	App rule modified
4/16/2016 5:42:07 AM	0	C:\Users\GT500\Desktop\wget-1.11.4-1-bin\bin\wget.exe	App rule added
4/16/2016 5:42:06 AM	12596	C:\Users\GT500\Desktop\wget-1.11.4-1-bin\bin\wget.exe	Allowed always by user	Behavior.Spyware
  • Upvote 1
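The add-then-delete sequence in the log above can be picked out mechanically, which helps when auditing why a product keeps re-prompting for the same program. The Python below is an added example, not part of the original post or any Emsisoft tooling; it assumes the log is tab-separated and newest-first as pasted, and `parse_line`, `short_lived_rules` and the `C:\Tools\example.exe` line are constructed for illustration.

```python
from datetime import datetime

WGET = r"C:\Users\GT500\Desktop\wget-1.11.4-1-bin\bin\wget.exe"
# First four lines are the ones quoted in the post; the last is constructed
# to show a rule that was added and never deleted.
SAMPLE_LOG = "\n".join([
    f"4/16/2016 5:43:24 AM\t0\t{WGET}\tApp rule deleted",
    f"4/16/2016 5:42:18 AM\t0\t{WGET}\tApp rule modified",
    f"4/16/2016 5:42:07 AM\t0\t{WGET}\tApp rule added",
    f"4/16/2016 5:42:06 AM\t12596\t{WGET}\tAllowed always by user\tBehavior.Spyware",
    "4/16/2016 5:40:00 AM\t0\tC:\\Tools\\example.exe\tApp rule added",
])

def parse_line(line):
    """Split one log line into fields; return None for blank or malformed lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 4:
        return None
    try:
        when = datetime.strptime(fields[0], "%m/%d/%Y %I:%M:%S %p")
        pid = int(fields[1])
    except ValueError:
        return None
    detection = fields[4] if len(fields) > 4 else None
    return {"time": when, "pid": pid, "path": fields[2],
            "event": fields[3], "detection": detection}

def short_lived_rules(log_text, max_age_seconds=600):
    """Return (path, lifetime in seconds) for rules deleted soon after creation."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])   # the pasted log is newest-first
    added, findings = {}, []
    for e in events:
        key = e["path"].lower()            # Windows paths are case-insensitive
        if e["event"] == "App rule added":
            added[key] = e["time"]
        elif e["event"] == "App rule deleted" and key in added:
            age = (e["time"] - added.pop(key)).total_seconds()
            if age <= max_age_seconds:
                findings.append((e["path"], age))
    return findings

if __name__ == "__main__":
    for path, age in short_lived_rules(SAMPLE_LOG):
        print(f"{path}: rule removed {age:.0f}s after it was added")
```
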


If the directory does not exist, then the rules for applications in those folders are deleted.

 

You are right. To solve this problem, I think EIS can reserve the behavior blocker rules & firewall rules for non-existent files rather than remove them automatically.

If we really do not need an outdated rule, then we can remove it manually.

You can also provide a button which allows the user to remove all the rules for non-existent files in a batch, like what we can do with Spyshelter and EXE Radar Pro.


It would be best to use the whitelist, as entries in it are not automatically removed.

  • Upvote 1


It would be best to use the whitelist, as entries in it are not automatically removed.

 

Thank you. It actually works.

 

By the way, I find that whitelisting a folder from the Behavior Blocker now also works. For example, whitelisting the folder of Sandboxie could suppress the alerts shown in #1. It is amazing to me, since in the past, @Fabian Wosar once said that we could not whitelist an entire folder from the BB: http://support.emsisoft.com/topic/19719-eam-in-a-developer-environment/?p=147193 . I guess this problem was fixed in the recent versions?


It's always been able to suppress BB alerts with Folder exclusions; however, Folder exclusions do not prevent the BB from opening hooks to running processes. If there are compatibility issues (freezing/hanging for instance) then Process exclusions can fix those, but for simply suppressing alerts the Folder exclusions work just fine.

  • Upvote 1

