stapp

CONFIRMED EAM behaviour blocker verifying


Hi stapp,

Could you provide debug logs covering a reboot + opening the Behavior Blocker monitor screen?

 

thanks


Machine was off so I turned it on, opened BB page and collected debug logs.

When I zipped the logs I noticed a2service log was still showing info from before I turned off the PC (started machine at 19.44).

That's when I realised that build 1703 had enabled fast startup again on my machine :o

Perhaps that may explain something?

I will shut down and boot again and see if it still happens.

 

 

a2guard_20170413194445(1576).zip

Guest Tempus

Hi stapp

Yes I can reproduce the issue.

  1. Windows 10 Home 64 bit version 1703, OS build 15063.138
  2. Emsisoft Internet Security version: 2017.3.1.7353
  3. Reproduced stapp's issue by following the method from "Frank H": activated debug logging, restarted the system, opened Emsisoft, went to the behavior blocker screen, and waited for a while before I disabled the debug logger.
  4. No other security software besides Emsisoft is running on the system (Paragon Backup and Recovery is used, but only on demand).

Debug Logs.zip

A-O-one.png

This is the process which shows the amount of memory which has been compressed through the memory compression feature introduced in Windows 10.
Originally this compressed memory (stored in "compression stores") was located in the "System"-process’s working set. With Win 10 1607 (Anniversary Update) this compressed memory has been split up into a separate process called "Memory Compression" to account for the general confusion why the "System"-process has been so "memory-greedy" compared to Win 8.1.

This process is hidden in the default Task Manager. But you can for example show it with an elevated PowerShell (Get-Process -Name "Memory Compression") or using Process Explorer:

[Screenshot: CompressedMemory.PNG]

I'm still on 1607 and for me EAM also hides this process in the Behavior Blocker window.
Since you are already on 1703 (Creators Update) it looks like there may have been some changes to this process and the exception Emsisoft created doesn't work anymore. Since there is no real executable for this process I guess there's no easy way to actually create hashes of it, which most probably is the reason why the reputation keeps staying on "Verifying...". Cloud lookups won't work if they don't know the hash of the process.

Maybe Microsoft has only changed the name? (from "Memory Compression" to "MemCompression" like your screenshots say)
Can you show us the output of 'Get-Process -Name "Memory Compression"'? (or 'Get-Process -Name "MemCompression"' respectively)

It has always been called "MemCompression". Only third-party tools like Process Explorer or Process Hacker have named it "Memory Compression". (Source)
So that's not the issue. Still Emsisoft simply needs to hide it again.

 

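Added example, not part of the thread and not Emsisoft's code: the post above reasons that a process without an executable on disk cannot be hashed for a reputation lookup. This PowerShell script reports which running processes expose an image path that can be hashed and which do not; the function name Get-ProcessImageReport and the status labels are made up for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell.
# Shows which processes can be identified by a file hash and which cannot.

function Get-ProcessImageReport {
    $cache = @{}   # image path -> SHA256, so each file is hashed only once

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path   = $_.ExecutablePath
        $hash   = $null
        # No path reported: nothing on disk to hash (e.g. System, PID 4).
        # A missing path can also mean access was denied, so these rows
        # are candidates to review, not a verdict.
        $status = 'NoImagePath'

        if ($path) {
            if ($cache.ContainsKey($path)) {
                $hash = $cache[$path]
            } else {
                try {
                    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
                } catch {
                    $hash = $null   # file locked, removed or unreadable
                }
                $cache[$path] = $hash
            }
            $status = if ($hash) { 'Hashed' } else { 'HashFailed' }
        }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Status    = $status
            Sha256    = $hash
            Path      = $path
        }
    }
}

$report = Get-ProcessImageReport

# Processes a hash-based lookup has nothing to work with
$report |
    Where-Object { $_.Status -ne 'Hashed' } |
    Sort-Object ProcessId |
    Format-Table ProcessId, Name, Status -AutoSize
```

Rows with status NoImagePath are the ones a security product has to identify by some other means, such as a built-in exception keyed on process name and parent.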
Guest Tempus

I think you got it right Pilis... but nevertheless I booted up in an elevated PowerShell and here is what I got:

 

 

A-O-two.png

True Peter, but we are talking about Emsi seeing MemCompression in the creators build.


The memcompression display issue has not been fixed in 2017.4 yet.

The fix will be included in the next beta release.


MemCompression is now hidden in the build 7538 BB list, so I guess that is the fix :)


Should I see MemCompression in BB list using build 7640? (because I do... it's listed as good)


Nope, it should be hidden. On my W10 it's hidden.
What is your Windows version?


Win 10 Pro, latest build of 1703 Creators Update.

If you want a screenshot it will have to be later after dinner.


Just for info Frank, my build number of 1703 is 15063.413


MemCompression still appears in BB list on Win 10; two of the right-click options are not clickable for it anyway (wonder what would happen if I did a block rule for it :))


MemCompression still appears in BB list on beta 7904 on Windows 10 Pro 64 bit 1703 (15063.540)


Thanks stapp, we are aware.

Due to the holiday season, we had other more important issues and new features to fix with limited occupation.

 


OK Frank, I understand. I'll remind you again after the next beta :)

On 22/11/2017 at 9:10 PM, Frank H said:

fyi: Issue is fixed in the upcoming beta.

Confirmed as fixed in build 8219
