EAM behaviour blocker verifying

Machine was off so I turned it on, opened BB page and collected debug logs.

When I zipped the logs I noticed the a2service log was still showing info from before I turned off the PC (started machine at 19.44).

That's when I realised that build 1703 had enabled fast startup again on my machine :o

Perhaps that may explain something?

I will shut down and boot again and see if it still happens.


a2guard_20170413194445(1576).zip

Guest Tempus

Hi stapp

Yes I can reproduce the issue.

  1. Windows 10 Home 64 bit, version 1703, OS build 15063.138
  2. Emsisoft Internet Security version: 2017.3.1.7353
  3. Reproduced stapp's issue by following the method from "Frank H": activated debug logging, restarted the system, opened Emsisoft, went to the Behavior Blocker screen, waited for a while before I disabled the debug logger.
  4. No other security software besides Emsisoft is running on the system (Paragon Backup and Recovery is used, but only on demand).

Debug Logs.zip

A-O-one.png


This is the process which shows the amount of memory which has been compressed through the memory compression feature introduced in Windows 10.
Originally this compressed memory (stored in "compression stores") was located in the "System" process's working set. With Win 10 1607 (Anniversary Update) this compressed memory was split off into a separate process called "Memory Compression", to address the general confusion about why the "System" process had been so "memory-greedy" compared to Win 8.1.

This process is hidden in the default Task Manager. But you can for example show it with an elevated PowerShell (Get-Process -Name "Memory Compression") or using Process Explorer:


I'm still on 1607 and for me EAM also hides this process in the Behavior Blocker window.
Since you are already on 1703 (Creators Update) it looks like there may have been some changes to this process and the exception Emsisoft created doesn't work anymore. Since there is no real executable for this process I guess there's no easy way to actually create hashes of it, which most probably is the reason why the reputation keeps staying on "Verifying...". Cloud lookups won't work if they don't know the hash of the process.

Maybe Microsoft has only changed the name? (from "Memory Compression" to "MemCompression", like your screenshots say)
Can you show us the output of `Get-Process -Name "Memory Compression"`? (or `Get-Process -Name "MemCompression"` respectively)

It has always been called "MemCompression". Only third-party tools like Process Explorer or Process Hacker have named it "Memory Compression". (Source)
So that's not the issue. Still, Emsisoft simply needs to hide it again.
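As an added illustration of the point made above (this is not code from anyone in the thread or from Emsisoft), the following PowerShell report shows why a file-hash based reputation lookup can never resolve for MemCompression: the process has no image file on disk to hash. The process names in the default list are only examples; run it in an elevated PowerShell on Windows 10.

```powershell
# Added example: report, for a set of processes, the on-disk image and its
# SHA-256, or state why no hash can be produced. Kernel-backed processes such
# as MemCompression and System expose no image path, so any reputation
# service keyed on a file hash has nothing to look up for them.

function Get-ProcessImageHashReport {
    param(
        # "MemCompression" is the real name of the Memory Compression process
        # (see the post above); "Memory Compression" is only how Process
        # Explorer labels it, so Get-Process would find nothing under it.
        [string[]]$Name = @('MemCompression', 'System', 'explorer')
    )

    # -ErrorAction SilentlyContinue: names that are not running are skipped
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $path = $p.Path   # $null when there is no backing executable

        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Name   = $p.ProcessName
                Id     = $p.Id
                Path   = '<no image file>'
                SHA256 = '<cannot hash: nothing on disk>'
            }
            continue
        }

        [pscustomobject]@{
            Name   = $p.ProcessName
            Id     = $p.Id
            Path   = $path
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-ProcessImageHashReport | Format-Table -AutoSize
```

On a system with the memory compression feature active, MemCompression and System appear with no image file while explorer gets a real path and hash; a product that wants to show such processes at all has to whitelist them by name or kernel origin rather than by hash.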
