iWarren

Not detecting compiled programs.


I've been using Visual Studio 2012 to create some socket-related programs.

I noticed though, that it's not detecting my executable as a threat.

Is it because I've allowed CL.exe that it's associating my executable with that program?

I'm running the executable as a stand-alone program though, and I still don't even see an entry in "Behaviour Blocker" for that executable.

This seems like a problem, especially if it's using sockets... I would expect at least some kind of detection involved.

I think it's an issue because it means that a program could be constructed on the computer, and then elude detection.


You need to change the default settings in EIS for it to display alerts for most TCP/UDP traffic.


Advanced Firewall Settings", under the "Automatic Rule Settings" option.

All "Incoming / Outgoing" are set to "Ask" for both Trusted and Unknown connections.

I would like you to verify though, that the "Ask" prompt is working for an Unknown program.

I can now find the application listed under "Behavior Blocker", and I've removed the "Application Rule" for the program several times, and each time... it does not prompt me to allow the connection. Also... changing the "Advanced Firewall Setting" to 'block' an unknown program does not add a block rule, like it does for the "Trusted programs".

So I think the "Unknown program" feature isn't working properly. Can you confirm?

Even manually setting the "Application rule" to "Custom Rule" does not give me a prompt like it should.

Also... another issue is, when I disable the "Settings -> Privacy -> "Automatically allow programs with good reputation" option and keep the "Look up reputation of programs", when I run a trusted program, it still allows it, does not prompt me, and does not create an application rule.

I think that might be part of the unknown program issue: an application rule is not being generated for it, so it just continues like nothing happened.


I would like you to verify though, that the "Ask" prompt is working for an Unknown program.

How does this look?

 

post-18745-0-45246800-1473831327.png

post-18745-0-81544300-1473831376.png

... I've removed the "Application Rule" for the program several times, and each time... it does not Prompt me to allow the connection.

If you clicked 'Allow', then it's allowed for the entire session. If you selected to always allow it, then it's allowed based on a rule. Note that the application needs to be closed to properly test this.

also... changing the "Advanced Firewall Setting" to 'block' an unknown program, does not add a block rule, like it does for the "Trusted programs"

Where are you expecting to see a block rule? No new rules are being created when I change the setting, either in Application Rules or in the global rules.

Also... another issue is, when I disable the "Settings -> Privacy -> "Automatically allow programs with good reputation" option and keep the "Look up reputation of programs",  when I run a trusted program, it still allows it, does not prompt me, and does not create an application rule.

Programs are automatically trusted based on digital signature. If an application has no digital signature, then (and only then) will the Anti-Malware Network be contacted to see if there is a known reputation for the program in question. If there is a known reputation, and it falls within the criteria to make an automated decision, then it will either be automatically allowed or blocked based on that reputation.

Application Rules for Trusted programs are hidden automatically, and the checkbox to hide them needs to be unchecked before they will appear in the list of Application Rules (this includes the search results, as the search is only a filter for what is displayed in the list).



Well I think I discovered part of the issues I've been having... I thought it was weird how I could type the name of my program into "Behaviour Blocker" and, half the time, it'd show up and the other half it wouldn't.

It appears that EIS isn't adding my program name as an entry, because Conhost.exe is starting at the exact same time, which is why it's hit and miss on when it adds the entry to the "Behaviour Blocker" table.

The second issue is... that I was trying to connect to the program via 127.0.0.1, and then I realized that it probably has to go through the 192.168.0.x IP, as that's the network interface the filter is listening to.

I tried connecting through the LAN IP, but it still didn't trigger the EIS Ask Alert.

I did get a prompt though.... about an "Outgoing" connection (from a trusted program), but the "Incoming" connection wasn't being detected in the 'Unknown' program. (And I made sure to send some data back and forth through the connection.)

I'm just not sure if it's because it's still treating it like it's a loopback, but even then, I think it would go through the EIS filter.


To reiterate, when I run the 'Unknown' console application, it creates an entry in "Behaviour Blocker" for Conhost.exe but doesn't add my 'Unknown' program as an entry.

If I keep closing and running it, eventually the entry will get entered in.

I thought that, maybe instead of setting the application rules for my program... that maybe instead I should try setting the application rules for Conhost.exe.

Unfortunately, setting it to "Custom Rules", or setting it to "All Blocked", didn't seem to make any difference (as it still connected).

The Unknown program is designed to "Listen" like a server, so it should have tripped the "Incoming" filter.


The second issue is... that I was trying to connect to the program via 127.0.0.1, and then I realized that it probably has to go through the 192.168.0.x IP, as that's the network interface the filter is listening to.

I tried connecting through the LAN IP, but it still didn't trigger the EIS Ask Alert.

Both client and server are running on the same computer? Our firewall isn't really designed to filter traffic that isn't actually leaving the computer (normally we wouldn't want to interfere with that traffic at all), so it's probably not going to produce the test results that you're looking for.

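The reply above makes the practical point: a connection that never leaves the machine (client and server both local, whether via 127.0.0.1 or the LAN address) is not what the firewall is built to filter, so it is not a valid test of the "Incoming" Ask setting. The listener below is an added example written for this thread, not code from the poster or from Emsisoft. The bind address and port are assumptions for the test machine; it accepts connections, echoes the first packet back so data crosses the filter in both directions, and logs for each peer whether it came from the same host (the unfiltered case) or from another machine (the case that should produce a prompt).

```powershell
# Added example (not Emsisoft's or the poster's code): minimal TCP listener for
# checking whether an "Incoming" firewall prompt appears for an unknown program.
# Bind address and port are assumptions; use the LAN address of the test machine,
# or 0.0.0.0 to bind every interface.
param(
    [string]$BindAddress = '192.168.0.10',
    [int]$Port = 5555
)

$ip = [System.Net.IPAddress]::Parse($BindAddress)
$listener = New-Object System.Net.Sockets.TcpListener($ip, $Port)
$listener.Start()
Write-Host "Listening on ${BindAddress}:$Port (Ctrl+C to stop)"

try {
    while ($true) {
        $client = $listener.AcceptTcpClient()
        $remote = $client.Client.RemoteEndPoint

        # A peer on loopback, or on this machine's own address, is traffic that
        # never leaves the computer: the firewall does not filter it, so such a
        # connection proves nothing about the "Incoming" Ask setting.
        $sameHost = [System.Net.IPAddress]::IsLoopback($remote.Address) -or
                    $remote.Address.Equals($ip)

        Write-Host ("{0:HH:mm:ss} connection from {1} (same host: {2})" -f (Get-Date), $remote, $sameHost)

        # Echo the first chunk back so data is sent in both directions.
        $stream = $client.GetStream()
        $buf = New-Object byte[] 1024
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -gt 0) { $stream.Write($buf, 0, $n) }

        $client.Close()
    }
}
finally {
    # Runs on Ctrl+C as well, so the port is released.
    $listener.Stop()
}
```

Run it on the EIS machine, then connect from a second machine on the LAN (for example `Test-NetConnection 192.168.0.10 -Port 5555` from that machine) and compare with a connection made from the same host. Only the remote connection is a meaningful check of the Incoming rule; the same-host line in the log is the case the reply says will not be filtered.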

I understand, I'll have to try to do some more testing later on.

I do think that there is definitely an issue though with the detection of programs that are being run through conhost.exe.

I think it's because of how I compile the program, using a /SUBSYSTEM:CONSOLE parameter, which I'm curious whether it's a best practice for creating console applications.

From my reading, conhost creates a 3MB conhost program in memory for every execution of a console program. Even Cmd.exe I think has to utilize Conhost.exe to operate.

I just know that the detection of the program in "Behaviour Blocker" is hit and miss.

I'll have to look again to see if it's just not updating it, or if it's being placed in a2rules.ini.

------------------------------------------------------------------------------------------------

On a side note, I remember in EIS v9, you were able to specify an 'Ask' prompt on whether to run trustworthy programs... or to 'Ask' prompt on unknown programs.

In EIS v11, it only gives you the "Ask, Allow, Block" options, for Firewall connections.

In EIS v11 there is the "Privacy" section which lets you set up "Automatically allow programs with good reputation" and "Automatically quarantine programs with bad reputation."

I really wish you could pass along a request to the developers about re-adding the feature, where you can get a prompt to allow a program (even if it is trusted).

What was great about EIS v9 as well, was that it gave you more detailed information about the drivers involved in creating the process.

I do think the EIS v11 interface is a step up, but losing these vital features, I think was a step back as well.

I don't think it would be terribly difficult to implement either, as most of the menu interfaces are already set up, and the a2rules.ini should already contain the basic structure required to add this feature in smoothly.

The reason to support this feature is that most of the primary Windows programs, once accepted, the system will typically run smoothly without many additional prompts. Every now and then though, you have some questionable software or an installer that you want to allow/deny step by step... and that's where it was really nice with v9, is that you could have more control over the process.

I realize the idea is to make a one-size-fits-all program, but I also like the idea of more advanced features, and worst case scenario is... you could make a list of absolutely required Windows applications that need to run.

One perfect scenario where this would have worked nicely... is that Windows recently asked me to run GWXconfig.exe or some related GWX program, that was designed to try to notify me to update to Windows 10... granted I blocked the application anyways, but it would have been nice to have had a prompt asking if I wanted to run the program.

Something to think about.


I've asked about the first part of your message, and hopefully will receive a reply by some time tomorrow.

As for the feature request, when we had more advanced controls for the Behavior Blocker we often had people turn those options on without fully understanding what they did, and then complain about the outcome. I guess they expected our Behavior Blocker to work like WinPatrol, which alerts you after things happen, rather than blocking them until they are allowed (either automatically or by clicking a button in an alert) like our Behavior Blocker does.

Of course, I can submit a feature request if you want me to, however I do recommend trying our new version 12 beta (you will need to uninstall version 11, reboot twice, and install version 12 as there is no beta update available yet) first and leave any feedback you have about how the Behavior Blocker works in the beta forum for our QA team. ;)


Yes, in the Online Armor v9, I would set it to "Ask" about every program, whether trusted or not.

I remember several times, I would block critical Windows programs, and then have Windows fail to start... and would have to boot into safe mode to reset. Eventually though, I learned exactly which programs I needed to keep around to boot up Windows.

My suggestion is... do the same exact thing that you did to the firewall options of "Emsisoft": if you try to block a2service.exe it states that it could cause undesirable issues.

So you could just create a short list of the required Windows files . . .

csrss.exe
winlogon.exe
wininit.exe
userinit.exe
lsm.exe
lsass.exe
smss.exe
services.exe
svchost.exe

Then just forbid those files from ever being blocked, while still allowing firewall options and custom rules to be applied.

Or alternatively, a better idea... just warn the user that the file is critical to normal operation and you tinker at your own risk.

When I used to do the blocking in OA v9, by blocking all of the extra Windows programs floating around, my goal was to make it really easy to detect anything extra that tried to run. That's where the "Ask" prompt for trusted programs came in nicely... so that once the common programs were configured to "allow/block"... it made it really easy to see if anything suspicious was trying to run in the background.

I admit, it was a bit more time consuming, but I felt like I had more control of the security of the system.

Now it just seems like every program is automatically trusted just to ensure everyone has a smooth operating experience.

I prefer to use my system on an "as needed" basis: if I need to use a printer... I start the (spoolsv.exe) printer service... then when I am not using the printer, the service is stopped. I don't expect Emsisoft to take care of that for me, but that's just my philosophy on how I think the system should be running... and not have Windows try to shotgun all the programs at startup, just because we "might" need to use it.

I think that's where my suggestion I made once before might come into play.... where you could initiate "Timer-based Allowing/Blocking" so that when triggered... by clicking an icon/entry, or based on some type of event.... that EIS could execute a timer script, to say... Allow spoolsv.exe to run... (maybe initiate the running of the program as well) and then automatically Block it 10 minutes later.


Whitelisting by name would cause problems, as some infections will replace system files or patch them, and then we wouldn't be able to warn the user about them because they are whitelisted. What we do now is allow any file that is digitally signed by Microsoft, and if there is no digital signature from Microsoft (or another publisher we trust) then EIS will query the Anti-Malware Network and alert the user if needed. You can take the Anti-Malware Network out of the equation already, which just leaves our digital signature whitelisting.

Since any system file that has been replaced or patched by malware will no longer have an intact digital signature, this allows the Behavior Blocker to warn you in the event that this were to happen. We do have a sort of system file protection that keeps system files from being deleted, so if you do select to quarantine one in an alert then a message will be displayed telling you that a system file has been infected and to contact our malware removal support via the forums.

As for an option to not whitelist by digital signatures, we used to have such an option (called "Paranoid Mode"), and it caused a number of problems for people who used it and generated a lot of complaints. We ended up deciding to remove it (possibly in version 9) so that users would no longer be confused by it.

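The distinction drawn above, trusting a system file because of its name versus trusting it because its Microsoft signature still verifies, can be checked directly with PowerShell's Get-AuthenticodeSignature. The script below is an added example for this thread, not Emsisoft's code; it walks the list of executables from the earlier post, assumes they live under System32, and flags any file whose signature status is not Valid or whose signer is not Microsoft. A file that has been patched or replaced fails the hash check even though its name is unchanged, which is exactly the case a name-only whitelist would miss.

```powershell
# Added example (not Emsisoft's code): check the Authenticode status of the
# system executables named earlier in the thread instead of trusting them by name.
# Paths under System32 are an assumption; some names (lsm.exe) exist only on
# older Windows versions, so a missing file is reported, not treated as an error.
$systemFiles = 'csrss.exe', 'winlogon.exe', 'wininit.exe', 'userinit.exe',
               'lsm.exe', 'lsass.exe', 'smss.exe', 'services.exe', 'svchost.exe'
$sys32 = Join-Path $env:SystemRoot 'System32'

foreach ($name in $systemFiles) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host ("{0,-14} not present on this Windows version" -f $name)
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Valid means the file's hash still matches the signed hash; a patched or
    # replaced file reports HashMismatch or NotSigned, whatever its name is.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -like '*Microsoft*')
    $flag = if ($trusted) { 'OK' } else { 'CHECK' }

    Write-Host ("{0,-14} {1,-14} {2,-6} {3}" -f $name, $sig.Status, $flag, $subject)
}
```

One caveat when reading the output: on older Windows versions the cmdlet does not consult the signature catalogs, so a catalog-signed system file can show NotSigned there even though it is genuine. Treat that status as "verify by other means" rather than as proof of tampering; HashMismatch on a file that is expected to carry an embedded signature is the status that actually indicates modification.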
