Closed EAM behaviour blocker verifying

[stapp 160]

EAM 7353 on Win 10 Pro 64 bit build 1703.

What is this Mem Compression just shown as verifying?

 

 

[Frank H 110]

Hi stapp,

could you provide debuglogs, covering a reboot + opening the Behavior Blocker monitor screen ?

 

thanks

[stapp 160]

Machine was off so I turned it on, opened BB page and collected debug logs.

When I zipped the logs I noticed a2service log was still showing info from before I turned off the PC  (started machine at 19.44)

That's when I realised that build 1703 had enabled fast startup again on my machine 

Perhaps that may explain something?.

I will shut down and boot again and see if it still happens.

 

 

a2guard_20170413194445(1576).zip

[stapp 160]

So I have got the logs for after I disabled fast startup again, shutdown, turned on, and then opened BB screen

Still verifying.

 

a2start_20170413201747(5420).zip

[stapp 160]

Anyone able to reproduce this?

[Guest Tempus]

Hi stapp

Yes I can reproduce the issue.

1. Windows 10 Home 64 bit version 1703,  OS build 15063.138
2. Emsisoft Internet security version : 2017.3.1.7353
3. Reproduced stapp's issue by following the method from " Frank H " ... activated Debug logging /restarted the system/ Opened Emsisoft, went to the behavior blocker screen, waited for a  while before I disabled the debug logger.
4. No other security software besides Emsisoft is running on the system... ( Paragon  backup and Recovery is used, but only on demand)

Debug Logs.zip

[Pilis 3]

This is the process which shows the amount of memory which has been compressed through the memory compression feature introduced in Windows 10.
Originally this compressed memory (stored in "compression stores") was located in the "System"-process’s working set. With Win 10 1607 (Anniversary Update) this compressed memory has been split up into a separate process called "Memory Compression" to account for the general confusion why the "System"-process has been so "memory-greedy" compared to Win 8.1.

This process is hidden in the default Task Manager. But you can for example show it with an elevated PowerShell (Get-Process -Name "Memory Compression") or using Process Explorer:

I'm still on 1607 and for me EAM also hides this process in the Behavior Blocker window.
Since you are already on 1703 (Creators Update) it looks like there maybe have been some changes to this process and the exception Emsisoft created doesn't work anymore. Since there is no real executable for this process I guess there's no easy way to actually create hashes of it. Which most probably is the reason why the reputation keeps staying on "Verifying...". Cloud lookups won't work if they don't know the hash of the process.

Maybe Microsoft has only changed the name? (from "Memory Compression" to "MemCompression" like your screenshots say)
Can you show us the output of "Get-Process -Name "Memory Compression"? (or "Get-Process -Name "MemCompression" respectively)

It has always been called "MemCompression". Only third-party tools like Process Explorer or Process Hacker have named it "Memory Compression". (Source)
So that's not the issue. Still Emsisoft simply needs to hide it again.

 

[Guest Tempus]

I think you got it right Pilis..... but nevertheless i booted up in a elevated  Powershell and here is what i got :

 

 

[Peter2150 45]

For security I'd disable powershell.    It is used by a lot nasty stuff

[stapp 160]

True Peter, but we are talking about Emsi seeing MemCompression in the creators build.

[Pilis 3]

Still valid with 2017.4.0.7424. (I know it's a very minor issue, just mentioning.)

[Frank H 110]

The memcompression display issue has not been fixed in 2017.4 yet.

The fix will be included in next beta release.

[stapp 160]

Still happening in beta 7484

[stapp 160]

MOemCompression in now hidden in the build 7538 BB list, so I guess that is the fix  

[Frank H 110]

Hi stapp, yes, this has been fixed too in 7538

[stapp 160]

Should I see MemCompression in BB list using build 7640? (because I do..it's listed as good)

[Frank H 110]

Nope it should be hidden. On my W10 it's hidden.
what is your windows version ?

[stapp 160]

Win 10 Pro, latest build of 1703 Creators Update.

If you want a screenshot it will have to be later after dinner.

[Frank H 110]

no need stapp,  confirmed on w10 16181

[stapp 160]

Just for info Frank, my build number of 1703 is 15063.413

[stapp 160]

Memcompression still appears in BB list on Win 10, two of the right-click options are not clickable for it anyway (wonder what would happen if I did a block rule for it )

[stapp 160]

Mem compression still appears in BB list on beta 7904 on Windows 10 pro 64 bit 1703 (15063.540)

[Frank H 110]

thanks stapp, we are aware.

Due to the holidays season, we had other more important issues and new features to fix with limited occupation.

 

[stapp 160]

OK Frank, I understand I'll remind you again after the next beta

[Frank H 110]

There is no need to remind me  

it's a low prio issue and will be fixed one day.

[Frank H 110]

fyi: Issue is fixed in the upcoming beta.

[stapp 160]

On 22/11/2017 at 9:10 PM, Frank H said:

fyi: Issue is fixed in the upcoming beta.

Confirmed as fixed in  build 8219

[Frank H 110]

thanks stapp