soilentgreen

Behavior Blocker


Hello to all.

I have some questions about the behavior blocker.

I try to understand why programs like firefox, SupportAssistAgent (dell), vlc, open office... are flagged as something bad when I update them or uninstall them, for example.

When I uninstall firefox/vlc I get "Behavior.AutorunCreation".

When I update SupportAssistAgent I get "Behavior.HiddenInstallation" even though it is trusted by you (SupportAssitAgent.msi):

http://www.isthisfilesafe.com/sha1/CBD1065789C88216A63AF3850B16A7898E28BFAF_details.aspx

When I install OpenOffice I get "Behavior.CodeInjector".

 

All the programs are trusted, so why does the behavior blocker alert and let me choose to allow, block or quarantine the application? If a program is trusted, why do I need to make this decision? I try to understand the logic of EIS when I get an alert when I want to uninstall a program, and an open source one? If I get alerts on trusted programs, how can I trust the behavior blocker when I get an alert about other programs that are less known?

 

Thank you.


But if we are talking about trusted programs, why might the behavior be questionable? And if it is questionable, do we need to block it even if it is trusted? I cannot see the logic here! And why do we need to get an alert when we uninstall a program, even if it is trusted? The behavior blocker should alert about untrusted programs. When it alerts about trusted programs it loses reliability and trust.


Have you turned off the option to look up the reputation of programs in the Privacy settings? At least half of the applications you mentioned wouldn't be digitally signed, and our Anti-Malware Network would need to be contacted in order to determine if they are safe. If their safety cannot be determined, then you will see Behavior Blocker alerts for them whenever they perform any action that our Behavior Blocker monitors for.


Hi Arthur,

 

The option to look up the reputation of programs in the Privacy settings is on.

 

At least half of the applications you mentioned wouldn't be digitally signed, and our Anti-Malware Network would need to be contacted in order to determine if they are safe. If their safety cannot be determined, then you will see Behavior Blocker alerts for them whenever they perform any action that our Behavior Blocker monitors for.

So what you are saying is that if I install a program that is digitally signed the behavior blocker will not alert, and if I install a program that is not digitally signed it will alert.

SupportAssitAgent.msi is a program trusted by the Emsisoft page http://www.isthisfilesafe.com/sha1/CBD1065789C88216A63AF3850B16A7898E28BFAF_details.aspx

even though this program is not digitally signed. So don't you think Emsisoft should update the behavior blocker so that it will stop alerting on programs you trusted? Again, I can't see any logic in getting an alert from the behavior blocker when the Emsisoft page trusts it. If you trust a program on your page, you should make it trusted in the behavior blocker, because if you do not, you create a contradiction that confuses me. And as a user without a lot of knowledge of trusted and untrusted programs, how can I know what to do with a program I install?

Trust it? Block it? Allow it one time? Quarantine it? I don't know what I should do!


So what you are saying is that if I install a program that is digitally signed the behavior blocker will not alert, and if I install a program that is not digitally signed it will alert.

That is essentially accurate. Certificates to digitally sign software cost money, so malware rarely uses them. In the event that a malicious file is digitally signed, we blacklist the certificate so that anything signed with that certificate gets automatically quarantined. Digital signatures are a rather effective way of identifying software from safe vendors, and making sure that safe software doesn't get accidentally blocked.

SupportAssitAgent.msi is a program trusted by the Emsisoft page http://www.isthisfilesafe.com/sha1/CBD1065789C88216A63AF3850B16A7898E28BFAF_details.aspx

even though this program is not digitally signed. So don't you think Emsisoft should update the behavior blocker so that it will stop alerting on programs you trusted? Again, I can't see any logic in getting an alert from the behavior blocker when the Emsisoft page trusts it.

Are the SHA-1 and MD5 hashes (see my last answer below) of the file that was blocked the same as the ones listed on the page you linked to? You can upload the file in question to VirusTotal, and then post the link to the analysis here for me to verify that. I can also send it to our malware analysts if it is indeed the same hashes.

If the hashes don't match, then it's a different file, and the two files just have the same name. There could be a number of reasons for why they have the same name, such as two different versions of the same software.

If you trust a program on your page, you should make it trusted in the behavior blocker, because if you do not, ...

Technically we already do that. Emsisoft Anti-Malware will contact our Anti-Malware Network when it needs to verify the safety of an application, and will take certain actions based on how many other users have allowed or blocked the application in question. If a high enough percentage of users have allowed it, then it is considered "trusted", and automatically allowed. Likewise, if a high enough percentage of users have selected to block or quarantine the application, then it will be automatically quarantined.

It is possible for attempts to contact our Anti-Malware Network to fail, such as if a firewall blocks them or if there is a random problem with the Internet connection at the right moment. In this case you would be asked what to do regardless of whether or not the application was trusted in our Anti-Malware Network.

... you create a contradiction that confuses me. And as a user without a lot of knowledge of trusted and untrusted programs, how can I know what to do with a program I install?

Trust it? Block it? Allow it one time? Quarantine it? I don't know what I should do!

When you see a Behavior Blocker alert, there is something on the right side of the alert that you can click to view the details of the alert. In the details you will find the SHA-1 and MD5 hashes of the file that the alert is for. You can search for these hashes (the SHA-1 hash is recommended since it is more accurate) to see if there is information on whether or not the file is safe. For instance, VirusTotal's search will show you the latest scan analysis of the file so that you can see if it was detected by any anti-virus software, and what other people have said about it in the comments. You can also search on Google, Yahoo!, Bing, DuckDuckGo, etc. to see if you can find any information on the file and its safety.

If you leave the alert open and come back to it later, then it freezes the application that caused the alert, which will keep it from doing anything bad while you verify its safety.


It'd be good to know which component is preferred to temporarily disable to minimize such alerts during installation/uninstallation of programs while maintaining an acceptable amount of system security. File Guard? Behavior Blocker? Both? Disabling everything seems excessive (Pause protection).

 

Perhaps it'd be an interesting idea to create a special quick/tray setting/shortcut for this ("Pause for install/uninstall" or sth.)


It'd be good to know which component is preferred to temporarily disable to minimize such alerts during installation/uninstallation of programs while maintaining an acceptable amount of system security. File Guard? Behavior Blocker? Both? Disabling everything seems excessive (Pause protection).

Disabling the Behavior Blocker is the only one that will have any effect on alerts. If you wish to do this when installing software, then I recommend doing it before you start an installation.

Perhaps it'd be an interesting idea to create a special quick/tray setting/shortcut for this ("Pause for install/uninstall" or sth.)

We do have options when right-clicking on the System Tray icon for pausing protection, and disabling individual Guards. Pausing protection will stop all of the Guards for a specific period of time (there are several options to choose from), whereas disabling a Guard will turn that Guard off until you turn it back on. You can also disable all of the Guards in a single click if you just want to be able to turn them all back on at your leisure.


Are the SHA-1 and MD5 hashes (see my last answer below) of the file that was blocked the same as the ones listed on the page you linked to? You can upload the file in question to VirusTotal, and then post the link to the analysis here for me to verify that. I can also send it to our malware analysts if it is indeed the same hashes.

If the hashes don't match, then it's a different file, and the two files just have the same name. There could be a number of reasons for why they have the same name, such as two different versions of the same software.

 

 

The program SupportAssist came with my new computer, so I think it is safe. I got the alert when I updated from the program itself. Is there any way to check if the SHA-1 and MD5 hashes match after the program is already installed?

 

Technically we already do that....

 

I think technically Emsisoft didn't do that. I get an alert for Firefox, which is an open source program, and see the alert detection "Behavior.AutorunCreation" when I uninstalled Firefox (and other programs). Why should I get an alert about autorun when I chose to uninstall a program? Why does the Behavior Blocker tag it as autorun and ignore the fact that I chose to create this behavior? The Behavior Blocker shouldn't alert about behavior I choose to execute and about an open source program like Firefox.

 

When you see a Behavior Blocker alert, there is something on the right side of the alert that you can click to view the details of the alert. In the details you will find the SHA-1 and MD5 hashes of the file that the alert is for. You can search for these hashes (the SHA-1 hash is recommended since it is more accurate) to see if there is information on whether or not the file is safe. For instance, VirusTotal's search will show you the latest scan analysis of the file so that you can see if it was detected by any anti-virus software, and what other people have said about it in the comments. You can also search on Google, Yahoo!, Bing, DuckDuckGo, etc. to see if you can find any information on the file and its safety.

If you leave the alert open and come back to it later, then it freezes the application that caused the alert, which will keep it from doing anything bad while you verify its safety.

 

Here is a good example for my claims. Even when the SHA-1 and MD5 hashes are verified, I still get an alert from the Behavior Blocker; this proves that the Behavior Blocker ignores programs with trusted hashes.

And I am talking about the program "RevoUninPro", a program you included in a deal to get it free. So I installed the program and got a behavior alert of "program attempting to manipulate other processes":

 

Untitled.png

"MD5: 66CEBA2F4211538B839D592920729789
SHA-1: 53F3FC1787280E9F2A06859C1CD2500EDD86EA3C

Hashes of the detected object (RevoUninProSetup3170.tmp):
MD5: 66CEBA2F4211538B839D592920729789
SHA-1: 53F3FC1787280E9F2A06859C1CD2500EDD86EA3C

Verified information according to the digital certificate of the detected file (RevoUninProSetup3170.tmp):
This file is not digitally signed

File information according to the publisher of the detected file (may be faked) (RevoUninProSetup3170.tmp):
Company:
File description: Setup/Uninstall
Copyright:
File version: 51.1052.0.0"

 

The SHA-1 and MD5 hashes are verified by Emsisoft:

Untitled2.png

 

And by VirusTotal:

https://www.virustotal.com/en/file/26b6dfa36b45d707691af15bd1af22a252f17a357c8a6bd0c2c6077e4ca1d365/analysis/

 

The same thing happens when I uninstall RevoUninPro.

 

And another thing. When I quarantine this file, it does not appear in the "quarantined objects". Is it because the file is .tmp?


Mozilla digitally signs the executables for Firefox (Mozilla makes millions of dollars each year and can afford certificates to sign their executables with), so alerts should normally not be generated for Firefox's files as long as an official version of Firefox was downloaded from the Mozilla website. If you did see an alert for a signed executable that is known to be safe, then something is wrong with reading or validating digital signatures, and we'll need some debug logs.

As for the Revo file, that's not digitally signed according to VirusTotal, so an Anti-Malware Network lookup would have been done. We can use a tool such as Fiddler to intercept those, if you can reproduce the alert for either the Revo file or another file that is known to be trustworthy.


Mozilla digitally signs the executables for Firefox (Mozilla makes millions of dollars each year and can afford certificates to sign their executables with), so alerts should normally not be generated for Firefox's files as long as an official version of Firefox was downloaded from the Mozilla website. If you did see an alert for a signed executable that is known to be safe, then something is wrong with reading or validating digital signatures, and we'll need some debug logs.

 

I downloaded Firefox English (US) x64 from https://www.mozilla.org/en-US/firefox/all/#en-US and get:

Untitled.png

 

How can I send you debug logs?

 

 

As for the Revo file, that's not digitally signed according to VirusTotal, so an Anti-Malware Network lookup would have been done. We can use a tool such as Fiddler to intercept those, if you can reproduce the alert for either the Revo file or another file that is known to be trustworthy.

I didn't understand: how can I determine if the Revo file is trustworthy?

 

Thank you for all your help GT500.


VirusTotal shows that the Firefox related file is indeed digitally signed, so you are having an issue with Emsisoft Internet Security being unable to read/verify digital signatures.

Here are instructions for getting us debug logs:

  • Open Emsisoft Internet Security from the icon on your desktop.
  • In the 4 little gray boxes at the bottom, move your mouse into the one that says Support, and click anywhere in that gray box.
  • At the bottom, turn on the option that says Enable advanced debug logging.
  • Either click on Overview in the menu at the top, or close the Emsisoft Internet Security window.
  • Reproduce the issue you are having with Behavior Blocker alerts for Firefox.
  • Once you have reproduced the issue, open Emsisoft Internet Security again, and click on the gray box for Support again.
  • Click on the button that says Send an email.
  • Select the logs in the left that show today's dates.
  • Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
  • If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
  • Click on Send now at the bottom once you are ready to send the logs.
Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

Please note that if you have a lot of debug logs, then you should not send all of them. There is a size limit, and currently there is no error if the message is rejected due to the size being too large. Normally we only need one copy of the 4 or 5 different logs that have been saved after the time you reproduced the issue (the list shows what time each log was saved). Those logs have the following names:

  • Security Center
  • Protection Service
  • Real-Time Protection
  • Firewall
  • Logs database (contains the logs you can view in Emsisoft Internet Security by clicking on Logs at the top of the window).


VirusTotal shows that the Firefox related file is indeed digitally signed, so you are having an issue with Emsisoft Internet Security being unable to read/verify digital signatures....

 

 

Hello GT500, so it seems that after the last update of EIS this problem is fixed. I don't get an alert from BB when I install firefox.

Many thanks for your help.

 

As for the Revo file, that's not digitally signed according to VirusTotal, so an Anti-Malware Network lookup would have been done. We can use a tool such as Fiddler to intercept those, if you can reproduce the alert for either the Revo file or another file that is known to be trustworthy.

 

I would appreciate it if you can help me understand how to determine if the Revo file or other files without a digital signature are trustworthy. I didn't understand how to do it with Fiddler.

Again thank you for your help.


You don't want to use Fiddler for trying to determine if files are safe. I had only recommended it as a way to capture communication between Emsisoft Internet Security and our servers to try to determine why automatic decisions were not being made for trusted applications.

The best way to determine the safety of a program is to search for its reputation online. You can try searching for the file name, however it is possible for multiple files to have the same name, so the SHA-1 hash will be more accurate for finding information about the file the alert is for. The VirusTotal search is a great way to search for a SHA-1 hash, since it's a huge database of files, including the results of many anti-virus scans on them and comments from others and ratings on their safety.


So it seems that I do get an alert from BB when I uninstall firefox.

I sent debug logs.

 

The best way to determine the safety of a program is to search for its reputation online. You can try searching for the file name, however it is possible for multiple files to have the same name, so the SHA-1 hash will be more accurate for finding information about the file the alert is for. The VirusTotal search is a great way to search for a SHA-1 hash, since it's a huge database of files, including the results of many anti-virus scans on them and comments from others and ratings on their safety.

 

Thank you for your explanation.

Really appreciate it.


Do you know when QA Manager will send me an answer?

Normally he creates a bug report and coordinates testing of the issue, and then our developers will look into the issue and see if they can come up with a resolution, which means I don't hear anything from him about reported bugs unless our developers need more debug information.

I do believe he told me yesterday that he wasn't able to reproduce the issue you're having. That tends to make the process a little slower, since we can't do all of the debugging and testing on our own.


Apparently the debug logs you sent didn't show an alert for a digitally signed file. They only showed one for "C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe" which is not digitally signed and not trusted on our Anti-Malware Network. We'd probably need debug logs that showed an alert for "maintenanceservice.exe" or "maintenanceservice_tmp.exe", since it was the one you had reported seeing an alert for earlier that I was able to determine was digitally signed. I would believe you reported seeing the alert for this one when installing Firefox, so you may need to get us debug logs covering you installing Firefox so that the alert gets logged.


Hi Arthur.

Thanks again for your help. (Sorry for all the questions, but I would appreciate if you can relate to all of them).

 

I uninstalled and installed Firefox and sent the new debug logs.

The alerts I've seen were "C:\Users\VEGAN\AppData\Local\Temp\~nsu.tmp\Au_.exe - Behavior.AutorunCreation" and "C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe - Behavior.AutorunCreation".

 

So according to what you say, even if software is trusted and has a verified signature, it can come with files that are not digitally signed? And does it mean that any file that is not digitally signed will be alerted on by BB? Because I thought that if software is trusted and has a verified signature, BB will not alert on any of its files.

 

So I try to understand the difference between this case and other false positive files that Emsisoft employees whitelisted. I had a detection of "Behavior.CodeInjector" from the file "soffice.bin" of LibreOffice, and the Emsisoft employee Arief Prabow whitelisted the file in the Anti-Malware Network. So why can't you do the same with files that are not digitally signed and come from trusted software with a verified signature, like Firefox?

What is the difference?


The alerts I've seen were "C:\Users\VEGAN\AppData\Local\Temp\~nsu.tmp\Au_.exe - Behavior.AutorunCreation"

The SHA-1 hash for that file is D00E668EB7ABEF53C4FA6BC7DD35DED2684D0A36 according to the logs, and I did not find it in our Anti-Malware Network when I searched for it. I did find it on VirusTotal (under a different name), and the file is not digitally signed.

and "C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe - Behavior.AutorunCreation"

The SHA-1 hash for this file is also D00E668EB7ABEF53C4FA6BC7DD35DED2684D0A36 according to the logs. Yes, they're the same file. They just have different names and are in different folders.

If you uninstalled and then reinstalled Firefox, and didn't see an alert for maintenanceservice_tmp.exe or maintenanceservice.exe then I suspect it's because a rule was created to allow it in Emsisoft Internet Security. Technically this rule should automatically be deleted once the file has been removed, however sometimes you may need to open Emsisoft Internet Security, click on Protection, search for the rule in the list (uncheck the option for Hide fully trusted applications to see every rule), and delete it manually.

Note that maintenanceservice_tmp.exe or maintenanceservice.exe are the only files I'm really concerned about right now, since they are digitally signed, but your screenshot showed that our Behavior Blocker wasn't able to read the digital signature. If you are able to verify that there is no rule to allow them in Emsisoft Internet Security, and you no longer see alerts for them when you install Firefox, then I'd say that we no longer need to worry about that particular glitch and we won't need any more debug logs.

So according to what you say, even if software is trusted and has a verified signature, it can come with files that are not digitally signed? And does it mean that any file that is not digitally signed will be alerted on by BB? Because I thought that if software is trusted and has a verified signature, BB will not alert on any of its files.

Alerts are supposed to happen for software that is not digitally signed, and which does not have a good enough or bad enough reputation in our Anti-Malware Network for an automatic decision to be made. In your case I suspected there was a bug that was preventing digital signatures from being read.

So I try to understand the difference between this case and other false positive files that Emsisoft employees whitelisted. I had a detection of "Behavior.CodeInjector" from the file "soffice.bin" of LibreOffice, and the Emsisoft employee Arief Prabow whitelisted the file in the Anti-Malware Network. So why can't you do the same with files that are not digitally signed and come from trusted software with a verified signature, like Firefox?

What is the difference?

The difference here is that you saw alerts for something that is digitally signed, which I was hoping to be able to debug before we move on. For the files that aren't digitally signed, Arief can certainly whitelist them. I've asked him about that, and he will take a look at it once he gets online. Note that it's up to his discretion as to whether or not he does it (I can only ask him about it).

Also, please note that Behavior Blocker alerts are not technically false positives. The Behavior Blocker is supposed to alert when it isn't able to establish the safety of a file, so it is doing what it's supposed to do, it's just that (in at least one case you mentioned above) the alert reduction technologies we have built-in to the Behavior Blocker failed to function as expected. The alerts for Au_.exe and uninstaller.exe were normal, since they are not digitally signed and there is no reputation for them.

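The checks discussed in this thread (whether a file on disk has the SHA-1 shown in an alert, whether two differently named files are the same file, and whether a file carries a digital signature) can be reproduced locally with built-in PowerShell cmdlets. This is an added example, not part of the original posts or Emsisoft's tooling; `Get-FileTrustFacts` is a hypothetical helper name, and the paths and SHA-1 are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Get-FileTrustFacts is a hypothetical helper name.
function Get-FileTrustFacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Path,

        # SHA-1 copied from the alert's details pane (optional).
        [string] $AlertSha1
    )

    foreach ($p in $Path) {
        # Installers and uninstallers often run from temporary copies that are
        # deleted afterwards, so a missing file is reported rather than thrown.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{
                Path = $p; Exists = $false; SHA1 = $null; MD5 = $null
                MatchesAlert = $null; SignatureStatus = $null; Signer = $null
            }
            continue
        }

        $sha1 = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $p

        [pscustomobject]@{
            Path            = $p
            Exists          = $true
            SHA1            = $sha1
            MD5             = $md5
            # String -eq is case-insensitive in PowerShell, so hex case does not matter.
            MatchesAlert    = if ($AlertSha1) { $sha1 -eq $AlertSha1.Trim() } else { $null }
            # 'Valid' = signed and the chain verified; 'NotSigned' = no signature at all.
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Paths as quoted in the thread; the temp copy is resolved for the current user.
$paths = @(
    'C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe',
    (Join-Path $env:TEMP '~nsu.tmp\Au_.exe'),
    'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'
)

# SHA-1 reported in the thread for uninstaller.exe / Au_.exe.
$facts = Get-FileTrustFacts -Path $paths -AlertSha1 'D00E668EB7ABEF53C4FA6BC7DD35DED2684D0A36'
$facts | Format-Table Path, Exists, MatchesAlert, SignatureStatus, Signer -AutoSize

# Files with identical content hash the same regardless of name or folder.
$facts | Where-Object Exists | Group-Object SHA1 | Where-Object Count -gt 1 |
    ForEach-Object {
        "Same file under several names (SHA-1 $($_.Name)):"
        $_.Group.Path | ForEach-Object { "  $_" }
    }
```

A `Valid` status only says that the signature verifies on this machine, so read the `Signer` column to see whose certificate it is.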

GT500 said: "The alerts for Au_.exe and uninstaller.exe were normal, since they are not digitally signed and there is no reputation for them."

 

Why would there be no reputation for a Firefox uninstaller that must have been used by thousands/millions of users?


GT500 said: "The alerts for Au_.exe and uninstaller.exe were normal, since they are not digitally signed and there is no reputation for them."

 

Why would there be no reputation for a Firefox uninstaller that must have been used by thousands/millions of users?

More than likely because the rule is created during the uninstall process, and since the file gets removed the rule to allow it also gets removed, and thus it never gets reported to our Anti-Malware Network.


That would help in this particular instance (alerts during an uninstall), however every rule that exists can decrease performance, so rules are generally not kept if they are not needed.


Arthur, thank you for your responses. They help me to understand all of it better :-)

 

If you uninstalled and then reinstalled Firefox, and didn't see an alert for maintenanceservice_tmp.exe or maintenanceservice.exe then I suspect it's because a rule was created to allow it in Emsisoft Internet Security. Technically this rule should automatically be deleted once the file has been removed, however sometimes you may need to open Emsisoft Internet Security, click on Protection, search for the rule in the list (uncheck the option for Hide fully trusted applications to see every rule), and delete it manually.

Note that maintenanceservice_tmp.exe or maintenanceservice.exe are the only files I'm really concerned about right now, since they are digitally signed, but your screenshot showed that our Behavior Blocker wasn't able to read the digital signature. If you are able to verify that there is no rule to allow them in Emsisoft Internet Security, and you no longer see alerts for them when you install Firefox, then I'd say that we no longer need to worry about that particular glitch and we won't need any more debug logs.

 

So I opened "protection" and deleted 2 rules for Firefox. The first was firefox.exe and the second, I don't remember. I didn't find "maintenanceservice_tmp.exe or maintenanceservice.exe" in the rules. I uninstalled and reinstalled Firefox and VLC (to check another program); both are signed files with a signature verified by VirusTotal.

 

The only alerts were: VLC\uninstall.exe / Mozilla Firefox\uninstall\uninstaller.exe / Temp\~nsu.tmp\Au_.exe - Behavior.AutorunCreation. No "maintenanceservice_tmp.exe or maintenanceservice.exe".

 

For all the alerts I chose "allow once", so now I have 2 new rules in the "apps rules": vlc.exe and firefox.exe. Should I leave them there?

 

Just so I understand: if firefox.exe is added as a rule in "protection", does it mean that BB won't alert when maintenanceservice_tmp.exe or maintenanceservice.exe is executed? Or do maintenanceservice_tmp.exe or maintenanceservice.exe themselves need to be added as rules?

 

I sent new debug logs.

 

Arthur can you please recommend me an app to install so we can be sure that BB is able to read digital signatures?


The SHA-1 hash for "VLC\uninstall.exe" is 3E8271CC6E0DA4A8B1A3B7D0989E06CBAF6C6F80, and does not appear to be digitally signed.

The hash for "Firefox\uninstall\uninstaller.exe" and "Temp\~nsu.tmp\Au_.exe" is D00E668EB7ABEF53C4FA6BC7DD35DED2684D0A36, which is the same as before.

For all the alerts I chose "allow once", so now I have 2 new rules in the "apps rules": vlc.exe and firefox.exe. Should I leave them there?

Yes, you can leave those rules alone.

Just so I understand: if firefox.exe is added as a rule in "protection", does it mean that BB won't alert when maintenanceservice_tmp.exe or maintenanceservice.exe is executed? Or do maintenanceservice_tmp.exe or maintenanceservice.exe themselves need to be added as rules?

A rule for "firefox.exe" will not affect alerts for "maintenanceservice_tmp.exe" or "maintenanceservice.exe". Each file would need to have its own rule to prevent alerts.

Arthur can you please recommend me an app to install so we can be sure that BB is able to read digital signatures?

Try using Emsiclean. You can download it and run it, then select only the line for epp (C:\PROGRAM FILES\EMSISOFT INTERNET SECURITY), and click the Remove selected objects button. If only that one entry is removed, then it will be recreated when your computer is restarted. Also, if the digital signature isn't being read, then there will be an alert for Emsiclean. If there are no alerts, then Emsisoft Internet Security was able to verify its digital signature, and verify that Emsiclean is safe.


Try using Emsiclean. You can download it and run it, then select only the line for epp (C:\PROGRAM FILES\EMSISOFT INTERNET SECURITY), and click the Remove selected objects button. If only that one entry is removed, then it will be recreated when your computer is restarted. Also, if the digital signature isn't being read, then there will be an alert for Emsiclean. If there are no alerts, then Emsisoft Internet Security was able to verify its digital signature, and verify that Emsiclean is safe.

 

So I did it and I didn't get any alerts. The text log of EmsiClean: "could not be deleted! (Error: 5)" for all the files in this folder. Should it be like this?

 

I checked "Application rules" and "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" appears. 3 days ago the rule wasn't there. I think it appeared after I updated Firefox to the latest version. What does it mean that EIS created this rule after the update? And why did EIS do it when there was no alert for maintenanceservice.exe by BB? How does it "decide" when to create a rule?

By creating this rule, BB stops verifying the digital signature of Firefox. So now I can't understand if EIS can or cannot verify a digital signature.


So I did it and I didn't get any alerts. The text log of EmsiClean: "could not be deleted! (Error: 5)" for all the files in this folder. Should it be like this?

Nothing should be able to delete files in the EIS folder while EIS is running. ;)

I checked "Application rules" and "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" appears. 3 days ago the rule wasn't there. I think it appeared after I updated Firefox to the latest version. What does it mean that EIS created this rule after the update? And why did EIS do it when there was no alert for maintenanceservice.exe by BB? How does it "decide" when to create a rule?

By creating this rule, BB stops verifying the digital signature of Firefox. So now I can't understand if EIS can or cannot verify a digital signature.

Application Rules are created automatically in EIS for trusted programs, so this is a sign that it recognized the digital signature and allowed it.
