soilentgreen

Something wrong with EIS


Hi,

I have 2 problems:

1) QUARANTINE:

Any file I try to send manually to quarantine won't send. I got "c:/the path.. could not be removed/ please contact customer support for assistance".

When I downloaded the EICAR test file from https://helpdesk.emsisoft.com/Knowledgebase/Article/View/11/13/how-can-i-determine-if-the-emsisoft-realtime-protection-is-running-and-working-correctly to check whether it also happens when EIS sends a file to quarantine by itself, I got an alert that the file was sent to quarantine, and in the logs I got confirmation that the file was sent to quarantine, but it wasn't.

It all began when I updated the AMD app and got an alert from BB about the file atiacm64.dll. In the alert I chose to quarantine it, and in the log I got confirmation that the file was sent to quarantine, but it wasn't. So I tried to send it manually and I got: "c:/program files/amd/cnext/atiacm64.dll could not be removed/ please contact customer support for assistance"

2) SCAN:

Something is wrong with it. I always choose Custom scan, and sometimes the scan gets stuck at 5/5 - 80% and does not continue, and sometimes it gets stuck at 85% or 90%, and only if I pause and resume the scan does it continue. Sometimes I can't stop the scan: it asks if I'm sure I want to stop it and nothing happens.

The average time of the scan is an hour to an hour and a half, but now the scan can end after 5-15 minutes. I get confirmation that it scanned all my files, but that can't be: one time 300000+ files in an hour, and one time in 6 minutes.

Usually it happens in the first scan, and it works fine the second time.

 

All of this started to happen after the last update (I run version 12.1.17014); minutes after the update of EIS I got the Windows blue screen: "your pc ran into a problem and needs to restart" https://www.google.co.il/search?q=your+pc+ran+into+a+problem+and+needs+to+restart+windows+10+fix&client=firefox-b-ab&prmd=ivns&source=lnms&tbm=isch&sa=X&ved=0ahUKEwim5bmUm__QAhVMHxoKHWN5BMMQ_AUIBQ

Maybe I should delete EIS with Emsiclean and reinstall it?

Thanks.

 


Do you still have the dump file from the BSOD in C:\Windows?

If not, perhaps the event may be listed as "Error" in the Windows Event Viewer Application logs. Double-click on the event for more info.

On 12/18/2016 at 9:45 PM, soilentgreen said:

Maybe I should delete EIS with Emsiclean and reinstall it?

Go ahead and try that, and let me know if it helps. If not, then we can get some debug logs.

On 12/20/2016 at 8:59 AM, GT500 said:

Go ahead and try that, and let me know if it helps. If not, then we can get some debug logs.

So I reinstalled EIS.

1) I am now running a scan to see if the scan problem is solved.

The 5/5 stage of the custom scan starts at 80%, but it was stuck for 1 minute or so until it continued. Should it be like that?

2) About the quarantine issue:

EICAR test file - now it is sent to the quarantine.

Now I can send any file from the desktop to quarantine, but I still cannot send a file from program files. I still get "c:/the path.. could not be removed/ please contact customer support for assistance". I even tried to send files I succeeded in sending before the update, and now I get this error.

Thanks

 

On 12/19/2016 at 7:16 AM, stapp said:

Do you still have the dump file from the BSOD in C:\Windows?

If not, perhaps the event may be listed as "Error" in the Windows Event Viewer Application logs. Double-click on the event for more info.

Can you please explain what I need to do? I don't know what BSOD is.

Thanks.

1 minute ago, soilentgreen said:

The 5/5 stage of the custom scan starts at 80%, but it was stuck for 1 minute or so until it continued. Should it be like that?

That can happen. There's an issue with the scan engine that can cause the scans to be rather slow, especially on traditional magnetic hard drives (you shouldn't notice the issue on an SSD), due to an issue with how we read files from the hard drive. I would believe one of our developers is working on resolving that, and increasing file scan performance.

 

4 minutes ago, soilentgreen said:

... I still cannot send a file from program files. I still get "c:/the path.. could not be removed/ please contact customer support for assistance". I even tried to send files I succeeded in sending before the update, and now I get this error.

Let's try getting a diagnostic log. You can find the instructions and download at this link.

When it's done, it will open a log in Notepad (as explained in the instructions). Please save this log somewhere easy to find, such as on your Desktop or in your Documents folder, and then send it to me in a Private Message so that I can take a look at it.

Important: Don't post the log publicly. It contains a copy of your a2settings.ini file, which contains encrypted license information. If someone were to figure out how to break that encryption, then someone else could use your license key.

 

4 minutes ago, soilentgreen said:

Can you please explain what I need to do? I don't know what BSOD is.

BSoD = Blue Screen of Death (the blue screen Windows shows when it crashes)

Windows will usually save a memory dump automatically as C:\Windows\MEMORY.dmp and that memory dump can help developers figure out why the crash happened. You'll need to compress it with something like 7-Zip or WinRAR (the 7z or RAR formats are recommended for smallest file size) so that the memory dump is small enough to send.


Thank you Arthur.

1) The scan seems to be O.K.

Hoping the developers will fix it.

2) sent you the log.

3) I still have memory.dmp. Do I need to send it to Microsoft to help me understand why the crash happened? How can I open it?

 

23 hours ago, soilentgreen said:

2) sent you the log.

The log didn't show anything that appears to be wrong. What folder are you trying to drag files into the Quarantine from? I can drag them from my desktop without issues.

 

23 hours ago, soilentgreen said:

3) I still have memory.dmp. Do I need to send it to Microsoft to help me understand why the crash happened? How can I open it?

I don't recommend trying to open the memory dump yourself. You need to compress it (either with 7-Zip or WinRAR is recommended) and then send it to Microsoft (assuming it was a Microsoft program/service/driver that caused the crash). File sharing services like WeTransfer can provide an easy way to send large files like that for free, however note that WeTransfer will usually delete uploaded files after a few days.

If you want to get a rough idea of whether or not the memory dump needs to be sent to Microsoft (or perhaps to someone else), then you can try something like WhoCrashed to see what program or driver the dump indicates was related to the crash. Note that this isn't 100% accurate, as sometimes a developer will look over the dump and find that something else was the actual source of the crash, even though the memory dump implicates a file that didn't cause the crash.

6 hours ago, GT500 said:

I don't recommend trying to open the memory dump yourself.......

Thank you for the information.

 

6 hours ago, GT500 said:

The log didn't show anything that appears to be wrong. What folder are you trying to drag files into the Quarantine from? I can drag them from my desktop without issues.

It seems everything I try to send from program files and program files (x86) to the Quarantine will not send.

What concerns me is if I install a program that needs to be sent to quarantine and EIS won't send it.

Can you drag them from program files?

Maybe it is related to administrator rights and something is wrong with it since the Blue Screen of Death?


When you say it won't send a file to the Quarantine, may I ask how you're trying to send the file to the Quarantine? Are you using the Add file button in the Quarantine, or are you trying to drag-and-drop files into the Quarantine? Are you only having problems with one method of adding files to the Quarantine, or are you having problems with multiple ways of doing it?

 

10 hours ago, soilentgreen said:

Can you drag them from program files?

Yes, you can drag files into the Quarantine from anywhere on your computer.


I can't send files from "program files" and "program files (x86)", neither with "add file" nor with "drag-and-drop". But it seems that I can send files from anywhere except "program files".

Update:

I deleted and reinstalled EIS with "run as administrator" and now I can send any file to Quarantine. But now I can send files with "add file" only. With "drag-and-drop", nothing happens. Should it be like that?

A few questions:

Under "Settings" - "Permissions" - "Restricted users:"

1) What is the difference between DefaultAccount, guest and administrator?

2) And as the administrator of my computer, does it matter what I choose (it's now on DefaultAccount)?

3) What is "use domain users"? Should I check it?

Thanks.

5 hours ago, soilentgreen said:

With "drag-and-drop", nothing happens. Should it be like that?

Drag-and-drop is supposed to work the same way as the "Add file" button.

 

5 hours ago, soilentgreen said:

Under "Settings"- "Permissions"- "Restricted users:"

Have you changed any of the permissions? It's possible that the permissions for quarantining files have been restricted.

 

5 hours ago, soilentgreen said:

1) What is the difference between DefaultAccount, guest and administrator?

These are user accounts on your computer. They are all built-in Windows user accounts. The Guest account is usually not used, however if you have turned it on then you can add permissions restrictions to it to keep guests from turning off the protection. The Administrator account is expected to have permissions to make any changes to the computer, and no restrictions should ever be added for it. The Default account may be your user account, or at least should have the same permissions as a regular user account.

 

5 hours ago, soilentgreen said:

2) And as the administrator of my computer, does it matter what I choose (it's now on DefaultAccount)?

No restrictions should be applied to the Administrator account (although I'm fairly certain that all of the restrictions will be grayed-out for the Administrator account).

If you're not familiar with what permissions are, and what they do, then I recommend avoiding changing them for now.

 

5 hours ago, soilentgreen said:

3) What is "use domain users"? Should I check it?

A Windows Domain is something used in a corporate network that has a domain server. If your computer is not part of such a domain, then you shouldn't select the option to use domain users.


Arthur, I don't know what is going on with EIS.

1) Now I turned on my computer and I cannot send files from program files to quarantine again. When I "drag-and-drop" I got "c:/the path.. could not be removed/ please contact customer support for assistance". When I "Add file" I got "could not be removed. please contact customer support for assistance." But when I "drag-and-drop" or "Add file" from the desktop, the file is sent to quarantine.

2) When I try to choose guest or administrator, it stays on DefaultAccount.

3) I think that Emsisoft realtime protection is not working correctly. A few days ago, after I reinstalled EIS, it blocked the temporary file of EICAR the second I clicked the EICAR test file at https://helpdesk.emsisoft.com/Knowledgebase/Article/View/11/13/how-can-i-determine-if-the-emsisoft-realtime-protection-is-running-and-working-correctly

Now the protection responds only a few seconds after the EICAR file is downloaded and sends it to quarantine; yes, the file is downloaded to the desktop for a few seconds and then sent to quarantine.

4) Once again the scan ended a few minutes after it started the 5/5 stage at 80%, and I have 300000+ files.

What can I do?


Let's get some Cleaning Engine Debug Logs. Here's what to do:

  1. Download and open the ZIP archive at this link.
  2. When the Emsisoft_Debug_Tool ZIP archive opens, double-click on the batch file called Emsisoft_Debug_Tool that was inside.
  3. If Windows asks you if you want to allow the Windows Command Processor to make changes to your computer, then say Yes.
  4. When you see a bright blue screen with a menu, click on it to make sure it is in focus, and then press 5 on your keyboard followed by Enter.
  5. Press Enter again to return to the main menu, and then Enter again to close the blue window.
  6. Restart your computer (on Windows 10 and 8.1 please right-click on the Start button, go to Shut down or sign out, and select Restart in order to do a full restart).
  7. Open Emsisoft Anti-Malware, and try to Quarantine something (try drag-and-drop and the "Add file" button) to reproduce the issue.
  8. Once the issue has been reproduced, close Emsisoft Anti-Malware.
  9. There should be a new file named clean.log in the Emsisoft Anti-Malware folder (usually C:\Program Files\Emsisoft Anti-Malware or C:\Program Files (x86)\Emsisoft Anti-Malware).
  10. Once you find the clean.log file, please attach it to a reply.

After sending us the clean.log file please be sure to run the Emsisoft_Debug_Tool (steps 1-6) again to turn off Scan Engine logs (option 6 in the menu this time).

Note: On 64-bit editions of Windows the Emsisoft_Debug_Tool will have extra options for the 32-bit (x86) version of Emsisoft Emergency Kit. You will not need to use those for Emsisoft Anti-Malware.


OK, I have forwarded your log to our developers.

 

On 12/24/2016 at 4:12 PM, soilentgreen said:

...the protection responds only a few seconds after the EICAR file is downloaded and sends it to quarantine; yes, the file is downloaded to the desktop for a few seconds and then sent to quarantine.

Have you tried our latest beta? If not, then here's how to try it:

  1. Open Emsisoft Internet Security.
  2. Click on Settings in the menu at the top.
  3. Click on Updates in the menu at the top.
  4. On the left, under Update Settings, click on the box to the right of Update feed and select Beta from the list.
  5. Click on the Update now button on the right side.


If I try a custom scan, which has 5 stages, there's a very clear allocation of 20% of the progress bar to each of the 5 stages.  As the first four stages run very quickly one gets to 80% (the start of the fifth stage, which is - here - the scan of all my files, as opposed to memory, rootkits etc) in a few seconds.  Then that last 20% of the progress bar's movement has (here) to show 510,000 or so files being scanned, so it does then move a great deal more slowly.   It's not, in my view, a useful indicator of anything.

14 hours ago, GT500 said:

OK, I have forwarded your log to our developers.

Thank you, hoping they find a solution - the beta didn't help.

14 hours ago, GT500 said:

Have you tried our latest beta? If not, then here's how to try it:....

Nothing changed about EICAR. Is there another test I can try?

6 hours ago, soilentgreen said:

Nothing changed about EICAR. Is there another test I can try?

Let's get a log from FRST, and see if it shows the cause of the issue. Please download Farbar Recovery Scan Tool (FRST) from one of the following links, and save it to your Desktop (please note that some web browsers will automatically save all downloads in your Downloads folder, so in those cases please move the download to your desktop):

For 32-bit (x86) editions of Windows:

For 64-bit (x64) editions of Windows:

Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version.

  1. Run the FRST download that works on your computer (for Windows Vista, Windows 7, and Windows 8 please right-click on the file and select Run as administrator).
  2. When the tool opens click Yes for the disclaimer in order to continue using FRST.
  3. Press the Scan button.
  4. When the scan is done, it will save a log as a Text Document named FRST in the same place the tool was run from (if you had saved FRST on your desktop, then the FRST log will be saved there).
  5. Please attach the FRST log file to a reply using the More Reply Options button to the lower-right of where you type in your reply to access the attachment controls.
  6. The first time the FRST tool is run it saves another log (a Text Document named Addition - also located in the same place as the FRST tool was run from). Please also attach that log file along with the FRST log file to your reply.


Soilentgreen

 

I can tell you EIS/EAM are working fine. I have never tried Eicar, but what I have been doing, in a virtual machine of course, is running my setup past real live malware. This includes keyloggers, other intrusive malware, and a variety of ransomware. Not only does EIS/EAM catch them all but it is the first to respond.

 

 

Pete 

19 hours ago, soilentgreen said:

Something new from the developers?

I haven't heard anything from them. I've asked for a bug report to be created.

BTW: When you sent your clean.log, I forgot to ask what you tried to move to Quarantine so that we could look for it in the log. If you could let us know, then that will help in narrowing down the issue.

 

20 hours ago, soilentgreen said:

here is the log you asked

At first glance I don't see anything that could cause performance issues in the log. How long is the delay between saving the EICAR file and the protection responding? It may just be the amount of time it takes for the download to be renamed, or something like that.


Arthur, sorry for not answering until now.

I had a problem with my internet, so sorry about it.

On 12/30/2016 at 11:50 PM, GT500 said:

I haven't heard anything from them. I've asked for a bug report to be created.

BTW: When you sent your clean.log, I forgot to ask what you tried to move to Quarantine so that we could look for it in the log. If you could let us know, then that will help in narrowing down the issue.

I think vlc but I don't remember. Basically any file I move gets this error.

Do you want me to do it again?

Arthur, it's probably an administrator issue.

Why doesn't EIS let me change between DefaultAccount, guest and administrator?

How can I be sure that EIS indeed has administrator rights (I installed it with "run as administrator")?

It seems to me it acts as if it's under a guest account, because the fact is that I can send a file from the desktop but not from program files. It's like it is missing administrator permission.

On 12/30/2016 at 11:50 PM, GT500 said:

 How long is the delay between saving the EICAR file and the protection responding? It may just be the amount of time it takes for the download to be renamed, or something like that.

A few seconds. But as I said, at first EIS blocked the temporary file of EICAR the second I clicked the EICAR test file; now it downloads, and after a few seconds it is sent to quarantine.

 

On 12/30/2016 at 3:37 PM, Peter2150 said:

Soilentgreen

 

I can tell you EIS/EAM are working fine. I have never tried Eicar, but what I have been doing, in a virtual machine of course, is running my setup past real live malware. This includes keyloggers, other intrusive malware, and a variety of ransomware. Not only does EIS/EAM catch them all but it is the first to respond.

 

 

Pete 

I have used Emsisoft for years - since they had 2 separate products, OA and AM - so I know it was working until now...

16 hours ago, soilentgreen said:

I think vlc but I don't remember. Basically any file I move gets this error.

Do you want me to do it again?

Another clean.log won't be necessary. One of our developers took a look at the log, and said that there were no errors related to deleting the files, so it's more than likely just a problem with the UI. We'll need to get regular debug logs so that our developers can see more about the problem. I'll post the instructions below for you.

 

16 hours ago, soilentgreen said:

Why doesn't EIS let me change between DefaultAccount, guest and administrator?

How can I be sure that EIS indeed has administrator rights (I installed it with "run as administrator")?

Because it isn't necessary. Emsisoft Internet Security is split into three applications, and only one of them needs administrative permissions:

  • a2guard.exe - Runs at startup with the same permissions as your user account. Responsible for drawing the System Tray/Notification Area icon, displaying notifications, and displaying alerts. Also pre-loads a2start.exe into memory in order to improve the speed that it opens.
  • a2start.exe - Runs when you open EIS with the same permissions as your user account. Responsible for showing the main EIS window. This is the main "UI" (User Interface) of EIS.
  • a2service.exe - Run as a service that starts when Windows starts, and runs under the SYSTEM account (which has the highest level of permissions on the system, just like an administrator). Responsible for performing the majority of the functions of EIS (protection, updates, scans, deleting files, etc) and interacting with our drivers.

Since the part of EIS that does the real work already has SYSTEM privileges, none of the other parts of EIS actually need to be run as administrator.

 

16 hours ago, soilentgreen said:

A few seconds. But as I said, at first EIS blocked the temporary file of EICAR the second I clicked the EICAR test file; now it downloads, and after a few seconds it is sent to quarantine.

It can depend on the browser, but normally the EICAR test file will need to be saved on the computer and protection will match the signature. We don't block it with Surf Protection, so it doesn't get blocked before downloading.

 

As for the debug logs we need, here's how to get them:

  1. Open Emsisoft Internet Security from the icon on your desktop.
  2. In the 4 little gray boxes at the bottom, move your mouse into the one that says Support, and click anywhere in that gray box.
  3. At the bottom, turn on the option that says Enable advanced debug logging.
  4. Either click on Overview in the menu at the top, or close the Emsisoft Internet Security window.
  5. Reproduce the issue you are having (try to quarantine files).
  6. Once you have reproduced the issue, open Emsisoft Internet Security again, and click on the gray box for Support again.
  7. Click on the button that says Send an email.
  8. Select the logs on the left that show today's dates.
  9. Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
  10. If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
  11. Click on Send now at the bottom once you are ready to send the logs.

Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

Please note that if you have a lot of debug logs, then you should not send all of them. There is a size limit, and currently there is no error if the message is rejected due to the size being too large. Normally we only need one copy of the 4 or 5 different logs that have been saved after the time you reproduced the issue (the list shows what time each log was saved). Those logs have the following names:

  • Security Center
  • Protection Service
  • Real-Time Protection
  • Firewall
  • Logs database (contains the logs you can view in Emsisoft Internet Security by clicking on Logs at the top of the window).
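
A way to check the privilege split described in the post above on your own machine, as an added example that is not part of the original thread or Emsisoft's own tooling: it lists the account each of the three executables runs under and the logon account of the service whose binary is a2service.exe. The function name Get-EisProcessOwner is hypothetical, and the expected owners assume the prompt runs as the logged-in user; start PowerShell elevated so the owner of the SYSTEM process can be read.

```powershell
# Added example (not from the thread). The image names are the three executables
# named in the post; the expected owners follow the post's description.
$expectedOwner = [ordered]@{
    'a2guard.exe'   = $env:USERNAME   # assumption: this prompt runs as the logged-in user
    'a2start.exe'   = $env:USERNAME   # only present once the main window was opened or pre-loaded
    'a2service.exe' = 'SYSTEM'
}

function Get-EisProcessOwner {
    param([System.Collections.IDictionary]$Expected)

    foreach ($image in $Expected.Keys) {
        $procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name='$image'")
        if ($procs.Count -eq 0) {
            [pscustomobject]@{ Image = $image; ProcessId = $null; Owner = '(not running)'; AsExpected = $null }
            continue
        }
        foreach ($proc in $procs) {
            # GetOwner returns ReturnValue 0 on success; non-zero means the owner could not be read.
            $result = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
            if ($result.ReturnValue -eq 0) {
                [pscustomobject]@{
                    Image      = $image
                    ProcessId  = $proc.ProcessId
                    Owner      = "$($result.Domain)\$($result.User)"
                    AsExpected = ($result.User -eq $Expected[$image])
                }
            } else {
                [pscustomobject]@{
                    Image      = $image
                    ProcessId  = $proc.ProcessId
                    Owner      = "(owner unavailable, code $($result.ReturnValue))"
                    AsExpected = $null
                }
            }
        }
    }
}

# Account each UI/service process is actually running under.
Get-EisProcessOwner -Expected $expectedOwner | Format-Table -AutoSize

# Logon account configured for the service, located by its binary path
# because the service's registered name is not given in the thread.
Get-CimInstance -ClassName Win32_Service -Filter "PathName LIKE '%a2service.exe%'" |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-List
```

A service configured to run under the SYSTEM account reports its StartName as LocalSystem.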


You're welcome. ;)

I'll let you know if I hear anything from our developers about the logs, or if they need any more information.

On 1/18/2017 at 2:29 PM, GT500 said:

I'll let you know if I hear anything from our developers about the logs, or if they need any more information.

Arthur, is there anything new about how to resolve my problem?


I haven't heard anything from our developers. I'm sure they'll take a look at it as soon as possible. ;)


Hi Arthur, how are you?

2 days ago I reinstalled Windows 10, and the problem still exists.

Arthur, I don't blame you, but I don't know why it takes so much time for the developers to understand what causes the problem and fix the problem.

Much worse, it seems they are ignoring my problem. I sent you the last logs on January 17 and I have had this problem since December 19 and still nothing. No fix.

So what does it mean? That I'm stuck with software with a bug they cannot fix?

That my computer stays with poor protection? I hope they understand that if I succeed in installing malicious software I cannot send it to quarantine!

Please check what is going on with this.

Thank you.

 

9 hours ago, soilentgreen said:

I don't know why it takes so much time for the developers to understand what causes the problem and fix the problem.

The development team that will need to review the issue takes longer to review issues like this. I can say that they will get to it as soon as they can, it just takes them a bit of time due to the volume of cases they have to review.

 

9 hours ago, soilentgreen said:

That my computer stays with poor protection? I hope they understand that if I succeed in installing malicious software I cannot send it to quarantine!

You are unable to quarantine things from scan results? I was under the impression that this was only a problem manually adding things to the Quarantine by either dragging and dropping into the Quarantine, or using the "Add file" button in the Quarantine.

If you need something to test with, then feel free to use the EICAR test file, since it's safe and will be detected by the BitDefender scan engine in our products to test detection/removal.

11 hours ago, GT500 said:

The development team that will need to review the issue takes longer to review issues like this. I can say that they will get to it as soon as they can, it just takes them a bit of time due to the volume of cases they have to review.

O.K., hoping they find a fix.

 

11 hours ago, GT500 said:

You are unable to quarantine things from scan results? I was under the impression that this was only a problem manually adding things to the Quarantine by either dragging and dropping into the Quarantine, or using the "Add file" button in the Quarantine.

If you need something to test with, then feel free to use the EICAR test file, since it's safe and will be detected by the BitDefender scan engine in our products to test detect/removal.

EIS succeeded in detecting and removing the EICAR test file, and the only problem is dragging and dropping into the Quarantine, or using the "Add file" button in the Quarantine.

I'm more concerned that if I approve installing malicious software by mistake, then I will not be able to send it to quarantine.

By the way, I noticed that every time I do a clean install of EIS (reinstall EIS after I use emsiclean or after I reinstall Windows), EIS succeeds with "Add file" to the Quarantine, but after the first restart or shutdown of the computer the problem appears again.

Thank you.

14 hours ago, soilentgreen said:

I'm more concerned that if I approve installing malicious software by mistake, then I will not be able to send it to quarantine.

Since the real-time protection is able to quarantine things, I would be surprised if the scanner was unable to do so. The problem you are having is more than likely just with the Quarantine UI itself rather than other parts of the program. You can test this by disabling the File Guard, saving the EICAR test file on your Desktop, running a Malware Scan, and then deleting the EICAR test file when the scan is done.

