malik4477

EIS_Application Rules set as "Always Block" does not work

Recommended Posts

Hello,

 

I have set a certain program "WsChrome.exe" of Wondershare Filmora when I run Filmora.exe but it still runs. See image attached. I do not know if EIS really blocks it or not but Process Hacker shows that it is still running. From I I understand and know WsChrome.exe should be blocked and NOR RUNNING at all. 

 

1001910WsChrome2.png

 

Using EIS version 12.0.1.6859

 

 

Please help :(

 

Share this post


Link to post
Share on other sites

If WsChrome.exe was running before EIS had finished starting, then EIS would not stop it from running.

Also, make sure that there are no exclusions that could prevent "WsChrome.exe" (or things in its folder) from being monitored.

Share this post


Link to post
Share on other sites
Hi GT500, 
 

If WsChrome.exe was running before EIS had finished starting, then EIS would not stop it from running.
 
Also, make sure that there are no exclusions that could prevent "WsChrome.exe" (or things in its folder) from being monitored. 
-- No WsChrome.exe is NOT running before EIS starts. WSChrome.exe is being triggered when you start Filmora.exe. It isn't an autorun. There are no exclusions to the Filmora folder as I place block rules there especially for outgoing/incoming connections.
 
See image when Filmora is not running.
 
6123162ph.png
 
See image when Filmora is executed. 
 
8335311ph3.png
 
EIS only blocks WsChrome.exe  when you manually double-click WsChrome.exe to run it. 
 
9706854ws.png

Share this post


Link to post
Share on other sites

I'll ask someone to be certain, however I am thinking that our Behavior Blocker will only block programs from running that are launched by Windows Explorer.

Share this post


Link to post
Share on other sites

> I'll ask someone to be certain, however I am thinking that our Behavior Blocker will only block programs from running that are launched by Windows Explorer

 

Goodness!  I hope that's not the case.  It would mean that an innocuous script could load a malware .exe and that wouldn't be blocked.

Share this post


Link to post
Share on other sites

Goodness!  I hope that's not the case.  It would mean that an innocuous script could load a malware .exe and that wouldn't be blocked.

Don't worry, there's a difference between the option in the Application Rules to prevent an application from running, and the normal protection functions of the Behavior Blocker. ;)

Share this post


Link to post
Share on other sites

I have been told that this issue is not reproducible with our latest beta version. Can you try switching to the Beta update feed, and let me know if that resolves the issue?

  • Open Emsisoft Internet Security.
  • Click on Settings in the menu at the top.
  • Click on Updates in the menu at the top.
  • On the left, under Update Settings, click on the box to the right of Update feed and select Beta from the list.
  • Click on the Update now button on the right side.

Share this post


Link to post
Share on other sites

Sorry for the very late reply I was hospitalized. So EIS does not block it..tsk..tsk..I recently checked in my Win 7 partition with EAM and it too has the same behavior. Will check out the beta. 
 

I have posted previously of this behavior and it's becoming an on-off issue with Emsisoft.....

Share this post


Link to post
Share on other sites
On ‎25‎/‎11‎/‎2016 at 10:14 AM, GT500 said:

Don't worry, there's a difference between the option in the Application Rules to prevent an application from running, and the normal protection functions of the Behavior Blocker. ;)

Do you mean: the former may prevent xyz.exe from executing at all, while the latter determines what xyz.exe can do once it is executing?  

If so, what's the difference between an app rule that stops pqr.exe from executing, and a BB rule that prevents xyz.exe from starting pqr.exe (if one can define that?)?  

Share this post


Link to post
Share on other sites
5 hours ago, malik76 said:

Sorry for the very late reply I was hospitalized. So EIS does not block it..tsk..tsk..I recently checked in my Win 7 partition with EAM and it too has the same behavior. Will check out the beta. 

It was published as a stable update on November 30th;)

 

4 hours ago, JeremyNicoll said:

Do you mean: the former may prevent xyz.exe from executing at all, while the latter determines what xyz.exe can do once it is executing?  

The primary function of the Behavior Blocker is to monitor for potentially malicious behavior, and alert the user to give them the option to allow/block/quarantine the application that the alert was for. While we do technically have a feature to block an application from running at all, it isn't the primary function of the Behavior Blocker, and there are times when it does not take effect (such as when an application that is to be blocked from running is already running).

I was incorrect about the Behavior Blocker only preventing applications from running if they are launched from Windows Explorer (this may have been an old limitation that was overcome over the years, or perhaps just a memory lapse on my part). I apologize for the confusion.

Share this post


Link to post
Share on other sites

GT500 said: "I was incorrect about the Behavior Blocker only preventing applications from running if they are launched from Windows Explorer (this may have been an old limitation that was overcome over the years, or perhaps just a memory lapse on my part). I apologize for the confusion".

I'm glad that you were wrong (!) in this case.

Share this post


Link to post
Share on other sites
4 minutes ago, JeremyNicoll said:

I'm glad that you were wrong (!) in this case.

Yeah, I prefer not to make a habit of that. ;)

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.