DarkLBP

VPNArea freezes Emsisoft on startup

10 posts in this topic

Hi,

I recently installed VPNArea Chameleon software (https://vpnarea.com/front/home/wincham)

Everything was okay until I checked the option to start the software at startup. The next time I boot the computer, Emsisoft freezes completely, VPNArea does not start, and even some programs remain unusable.

The problem occurs when the VBS file VPNArea uses at startup is executed to start itself with UAC:

 

Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "C:\Users\darkl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNArea Chameleon.lnk", "", "", "runas", 1

I have Windows 10 Creators Update x64 and the latest version of Emsisoft Internet Security.

 

[UPDATE]

I ran some tests, and changing the VBS script above to use a path to another LNK file, on your desktop for example, also causes the antivirus to freeze. At least, I changed the path to the Discord .lnk on my desktop and the same thing happened. So this issue seems to have nothing to do with VPNArea.

Also, this seems to only happen when Behavior Blocker is turned on.

 


The problem is that the program isn't running as an administrator, so it uses the code you showed to restart itself with admin authority.  But the Behaviour Blocker correctly intercepts that - you really wouldn't want any old program that wasn't running as admin to be able to elevate itself without being intercepted as that would be a huge security hole.

Presumably, because all this happens at startup, before any user is logged on, there is no person able to see the BB alert (if indeed there actually is an alert when there's no user logged on), hence the hang.  Maybe Emsisoft should change that behaviour so that rather than an alert the program is immediately terminated?

You might be able to get around this by placing the VPNArea Chameleon's binaries folder (or maybe just its main .exe) in the exceptions table - at Settings - Exclusions - Exclude from monitoring. 

Does this not also happen if you try to start the program yourself, not at startup?


Emsisoft also hangs if I run the script manually not only at startup.

VPNArea works fine if I start the program by myself. The issue is that script. When it is run (at startup or not), everything freezes. Sometimes a popup appears saying that Emsisoft is checking the Antimalware Network, but it never disappears, and if I click on it, it says that the program does not respond.

I tried changing the path that script points to so that it uses another .lnk file, and the result is the same.

 


The path pointing to the link isn't the issue, it's the attempt to elevate that's the problem. However it IS interesting that you mention the AMN popup and no response when you click on that. I reported that to Emsisoft a while ago, and sent them full memory dumps (as in on-purpose BSOD dumps of the system) to help them fix it. You might want to read: https://support.emsisoft.com/topic/27330-system-hang-after-suspicious-activity-box-could-not-be-dismissed/

 

20 minutes ago, JeremyNicoll said:

The path pointing to the link isn't the issue, it's the attempt to elevate that's the problem. However it IS interesting that you mention the AMN popup and no response when you click on that. I reported that to Emsisoft a while ago, and sent them full memory dumps (as in on-purpose BSOD dumps of the system) to help them fix it. You might want to read: https://support.emsisoft.com/topic/27330-system-hang-after-suspicious-activity-box-could-not-be-dismissed/

 

Well, strangely, I changed the script path to the path of the shortcut's target and now it works. It seems this issue happens when opening shortcuts (.lnk files) through the script.

Version of the script that does not hang the antivirus:

 

Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "C:\Program Files\VPNArea Chameleon\bin\vpnmanager.exe", "", "", "runas", 1

 


Is it possible to create a Scheduled Task to run the VPN software on startup with highest privileges, so that it doesn't have to use the VBScript? You can open the Task Scheduler by clicking on the Start button, going to Windows Administrative Tools, and selecting Task Scheduler. When the Task Scheduler opens, click on Task Scheduler Library in the list on the left, and in the middle near the top you'll see a list of Scheduled Tasks. On the far right side of the Task Scheduler you can click on Create Task to create a Scheduled Task (if you click "Create Basic Task" instead then you will need to edit the properties afterwards to select that it runs with highest privileges).

Below are some example screenshots from a Scheduled Task that runs Steam at startup with administrator rights (it is set to run the Scheduled Task 3 minutes after a user logs in to the computer).

Disclaimer: If you have Steam, then never actually configure a Scheduled Task to run Steam like the following example. For some reason it has major performance problems when run as a Scheduled Task. Also, Steam is no longer able to successfully connect to its network if you use the -tcp parameter/argument, so avoid that as well. These warnings only apply to Steam, and not to your VPN.

[Screenshots: bandicam 2017-07-18 02-33-17-165.png through bandicam 2017-07-18 02-34-30-360.png (7 images)]

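The Scheduled Task approach suggested above, as an added PowerShell example that is not part of the original posts and is not Emsisoft's or VPNArea's code: it resolves the Startup shortcut quoted in the thread to its target and registers a logon task that runs that executable with highest privileges, so no script has to call ShellExecute with "runas". The task name is an assumption, and the script assumes it is run from an elevated prompt of the same account that logs on.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Paths are the ones quoted in the thread; $env:APPDATA stands in for
# C:\Users\<name>\AppData\Roaming. The task name is a hypothetical choice.
$lnkPath  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\VPNArea Chameleon.lnk'
$fallback = 'C:\Program Files\VPNArea Chameleon\bin\vpnmanager.exe'
$taskName = 'VPNArea Chameleon (elevated logon)'

function Resolve-ShortcutTarget {
    param([Parameter(Mandatory)][string]$Path)
    # WScript.Shell parses the .lnk file and exposes the program it points to.
    $shell = New-Object -ComObject WScript.Shell
    try     { return $shell.CreateShortcut($Path).TargetPath }
    finally { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell) }
}

# Use the real executable, never the .lnk, as the task action.
$exe = if (Test-Path -LiteralPath $lnkPath) { Resolve-ShortcutTarget -Path $lnkPath } else { $fallback }
if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    throw "Target executable not found: '$exe'"
}

# Assumption: the elevated prompt belongs to the account that will log on.
$user = [Security.Principal.WindowsIdentity]::GetCurrent().Name

$action    = New-ScheduledTaskAction -Execute $exe -WorkingDirectory (Split-Path -Parent $exe)
$trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
# "Run with highest privileges" in the Task Scheduler GUI.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
# A zero time limit stops Task Scheduler from ending a long-running VPN client.
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                                          -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# Confirm what was registered: run level and the resolved executable.
$task = Get-ScheduledTask -TaskName $taskName
'{0}: RunLevel={1}, Execute={2}' -f $task.TaskName, $task.Principal.RunLevel, $task.Actions[0].Execute
```

Turn off VPNArea's own start-at-startup option afterwards so the VBScript no longer runs alongside the task. Keep the task's target in a directory standard users cannot write to, because the task starts it elevated without a UAC prompt.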

You said: Version of the script that does not hang the antivirus:

Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "C:\Program Files\VPNArea Chameleon\bin\vpnmanager.exe", "", "", "runas", 1

Maybe when the BB looks at the elevation request it also checks (in this case) the target ...vpnmanager.exe ... and perhaps it knows that that is a legitimate program. Could it be possible that the BB, when it looks at a shortcut, DOESN'T look at the target of the shortcut? After all, if that shortcut of yours pointed at vpnmanager.exe, it should (according to your experiment) have been ok. But if the BB actually tests path "C:\Users\darkl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPNArea Chameleon.lnk" without recognising that it's a shortcut and looking at the target, then that might explain why it then tries to use the AMN to verify the reputation /of the shortcut file/. That would somewhat resemble the AMN hang issue I reported, where AMN appeared to be trying to verify the reputation of a script of mine (ie something that couldn't have a predefined reputation in the AM network).

On 7/17/2017 at 6:15 AM, DarkLBP said:

Well, strangely, I changed the script path to the path of the shortcut's target and now it works. It seems this issue happens when opening shortcuts (.lnk files) through the script.

Version of the script that does not hang the antivirus:

 


Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "C:\Program Files\VPNArea Chameleon\bin\vpnmanager.exe", "", "", "runas", 1

 

Would you be willing to collect some debug logs for us? If so, then here's how to get them:

  1. Open Emsisoft Internet Security from the icon on your desktop.
  2. In the 4 little gray boxes at the bottom, move your mouse into the one that says Support, and click anywhere in that gray box.
  3. At the bottom, turn on the option that says Enable advanced debug logging.
  4. Either click on Overview in the menu at the top, or close the Emsisoft Internet Security window.
  5. Edit the VBScript file to point to VPNArea Chameleon.lnk and then restart your computer to reproduce the freezing issue.
  6. Once you have reproduced the issue, edit the VBScript file to point to vpnmanager.exe, and then restart your computer again.
  7. After restarting again, open Emsisoft Internet Security again, and click on the gray box for Support again.
  8. Click on the button that says Send an email.
  9. Select the logs in the left that show today's dates.
  10. Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
  11. If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
  12. Click on Send now at the bottom once you are ready to send the logs.

Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

Please note that if you have a lot of debug logs, then you should not send all of them. There is a size limit, and currently there is no error if the message is rejected due to the size being too large. Normally we only need one copy of the 4 or 5 different logs that have been saved after the time you reproduced the issue (the list shows what time each log was saved). Those logs have the following names:

  • Security Center
  • Protection Service
  • Real-Time Protection
  • Firewall
  • Logs database (contains the logs you can view in Emsisoft Internet Security by clicking on Logs at the top of the window).


Everything has been submitted


OK, I've received your debug logs.

