stapp

CLOSED EAM behaviour blocker verifying

By stapp, in Beta Community

Recommended Posts

Frank H    91

Frank H
Posted

Hi stapp,

could you provide debuglogs, covering a reboot + opening the Behavior Blocker monitor screen ?

 

thanks

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

Machine was off so I turned it on, opened BB page and collected debug logs.

When I zipped the logs I noticed a2service log was still showing info from before I turned off the PC  (started machine at 19.44)

That's when I realised that build 1703 had enabled fast startup again on my machine :o

Perhaps that may explain something?.

I will shut down and boot again and see if it still happens.

 

 

a2guard_20170413194445(1576).zip

Share this post

Link to post
Share on other sites

Guest Tempus   

Guest Tempus
Posted

Hi stapp

Yes I can reproduce the issue.

  1. Windows 10 Home 64 bit version 1703,  OS build 15063.138
  2. Emsisoft Internet security version : 2017.3.1.7353
  3. Reproduced stapp's issue by following the method from " Frank H " ... activated Debug logging /restarted the system/ Opened Emsisoft, went to the behavior blocker screen, waited for a  while before I disabled the debug logger.
  4. No other security software besides Emsisoft is running on the system... ( Paragon  backup and Recovery is used, but only on demand)

Debug Logs.zip

A-O-one.png
Download Image

Share this post

Link to post
Share on other sites

Pilis    3

Pilis
Posted

This is the process which shows the amount of memory which has been compressed through the memory compression feature introduced in Windows 10.
Originally this compressed memory (stored in "compression stores") was located in the "System"-process’s working set. With Win 10 1607 (Anniversary Update) this compressed memory has been split up into a separate process called "Memory Compression" to account for the general confusion why the "System"-process has been so "memory-greedy" compared to Win 8.1.

This process is hidden in the default Task Manager. But you can for example show it with an elevated PowerShell (Get-Process -Name "Memory Compression") or using Process Explorer:

58f7d5d5a9a0a_CompressedMemory.thumb.PNG.655f76deb23e34db5f5f46faa56faa82.PNG
Download Image

I'm still on 1607 and for me EAM also hides this process in the Behavior Blocker window.
Since you are already on 1703 (Creators Update) it looks like there maybe have been some changes to this process and the exception Emsisoft created doesn't work anymore. Since there is no real executable for this process I guess there's no easy way to actually create hashes of it. Which most probably is the reason why the reputation keeps staying on "Verifying...". Cloud lookups won't work if they don't know the hash of the process.

Maybe Microsoft has only changed the name? (from "Memory Compression" to "MemCompression" like your screenshots say)
Can you show us the output of "Get-Process -Name "Memory Compression"? (or "Get-Process -Name "MemCompression" respectively)

It has always been called "MemCompression". Only third-party tools like Process Explorer or Process Hacker have named it "Memory Compression". (Source)
So that's not the issue. Still Emsisoft simply needs to hide it again.

 

Share this post

Link to post
Share on other sites

Guest Tempus   

Guest Tempus
Posted

I think you got it right Pilis..... but nevertheless i booted up in a elevated  Powershell and here is what i got :

 

 

A-O-two.png
Download Image

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

True Peter, but we are talking about Emsi seeing MemCompression in the creators build.

Share this post

Link to post
Share on other sites

Frank H    91

Frank H
Posted

The memcompression display issue has not been fixed in 2017.4 yet.

The fix will be included in next beta release.

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

MOemCompression in now hidden in the build 7538 BB list, so I guess that is the fix :) 

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

Should I see MemCompression in BB list using build 7640? (because I do..it's listed as good)

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

Win 10 Pro, latest build of 1703 Creators Update.

If you want a screenshot it will have to be later after dinner.

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

Memcompression still appears in BB list on Win 10, two of the right-click options are not clickable for it anyway (wonder what would happen if I did a block rule for it :))

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted

Mem compression still appears in BB list on beta 7904 on Windows 10 pro 64 bit 1703 (15063.540)

Share this post

Link to post
Share on other sites

Frank H    91

Frank H
Posted

thanks stapp, we are aware.

Due to the holidays season, we had other more important issues and new features to fix with limited occupation.

 

Share this post

Link to post
Share on other sites

stapp    130

stapp
Posted
On 22/11/2017 at 9:10 PM, Frank H said:

fyi: Issue is fixed in the upcoming beta.

Confirmed as fixed in  build 8219

Share this post

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.