iWarren, Posted July 27, 2017
I've had this installation of EIS running for quite some time.
Emsisoft Internet Security Version: 2017.6.0.7681
Windows 7 (32-bit) Service Pack 1
(No other known conflicting software installed)
In my Behavior Blocker - Application Rules, I have utorrent.exe allowed to run. Then I also have utorrentie.exe set to be blocked from running. When I start utorrent.exe, taskmgr shows that 2 instances of utorrentie.exe are being allowed to run. I think I recall that in the past utorrentie was possibly being blocked normally. I am curious if these 2 instances are not being allowed because their parent program is being allowed.
I enabled advanced debug output (and restarted), and included the relative information. I was going to just reinstall EIS and see if the problem resolves, but I first thought it'd be helpful to collect as much information on the problem. Let me know if you need more information, and/or whether you want me to reinstall.

a2service Log
08:53:06.858 940 -> TFirewallRulesManager.UpdateRulesEnabling(RuleFileName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
08:53:06.858 940 -> DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
08:53:06.858 940 <- DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe): C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:06.858 940 -> TStoreManager.LocateSection('Rules','C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe','0'): TCustomSection
08:53:06.858 940 <- TStoreManager.LocateSection(...): Result = 00FACA38

firewall log
08:53:40.866 1384 FWDBG: [WFP] ProcessCreated: 3548 C:\Program Files\Emsisoft Internet Security\a2start.exe
08:53:42.551 1300 FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3580
08:53:42.566 1308 FWDBG: PROCESS: 3580 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
08:53:42.566 1308 FWDBG: [WFP] ProcessCreated: 3580 C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
08:53:42.988 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 58788, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:43.034 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 62531, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.142 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57738, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.267 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49166, Remote: 23.21.139.158: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.376 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 5351, Remote: 192.168.0.1: 5351, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.532 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57029, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.563 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 65467, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.594 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49191, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.626 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49167, Remote: 52.84.21.89: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.657 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49168, Remote: 208.111.179.219: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.657 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49169, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.688 1300 FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3816
08:53:44.688 1308 FWDBG: PROCESS: 3816 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.688 1308 FWDBG: [WFP] ProcessCreated: 3816 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.719 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49170, Remote: 52.84.19.74: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.782 1300 FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3848
08:53:44.782 1308 FWDBG: PROCESS: 3848 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.782 1308 FWDBG: [WFP] ProcessCreated: 3848 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.797 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49171, Remote: 52.84.19.74: 443, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.860 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 51879, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.891 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 60714, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.938 1300 FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 61338, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.938 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49172, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.938 1300 FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49173, Remote: 188.166.37.159: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE

a2rules.ini
[C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe]
Revision=4
SectionType=1
SHA1=873D6472B719B6A07C9DBDCB09DBEB04FE56EBA2
GUID={6986CF07-4153-4EC9-907F-45C95273BBF4}
Action=1
Worm=0
Dialer=0
Backdoor=0
Hijacker=0
Inject=0
Downloader=0
Spyware=0
Service=0
KeyLogger=0
Startup=0
HiddenInstall=0
Virus=0
Hosts=0
Rootkit=0
BrowserSettings=0
Debugger=0
RemoteControl=0
DirectDiskAccess=0
SystemPolicies=0
Exploit=0
CryptoMalware=0
FirewallInMode=0
FirewallOutMode=0
MD5=AFB311776018C6564FE8A25CD5FD78C9
Updated=1

[C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe]
Revision=4
SectionType=1
SHA1=B677DD6E7B885A8E57C03FA6D4CE3BA4D655C2E5
GUID={229DB36D-F13F-4609-82AB-5BEAC079887C}
Action=2
Worm=0
Dialer=0
Backdoor=0
Hijacker=0
Inject=0
Downloader=0
Spyware=0
Service=0
KeyLogger=0
Startup=0
HiddenInstall=0
Virus=0
Hosts=0
Rootkit=0
BrowserSettings=0
Debugger=0
RemoteControl=0
DirectDiskAccess=0
SystemPolicies=0
Exploit=0
CryptoMalware=0
FirewallInMode=1
FirewallOutMode=1
MD5=F233F4591F9CC22166095F109090DEB1
Updated=1
BehaviorBlockerEnabled=1

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_C4FD508883334C0FBB3F937002F8BF9B]
Revision=1
SectionType=2
Name=Autorule
Index=2
Type=APP
Protocol=TCP
Resolution=BLOCK
Direction=OUT
NetworkType=ANY
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_464279183A724962B6C8738B54B67FF8]
Revision=1
SectionType=2
Name=Autorule
Index=1
Type=APP
Protocol=TCPUDP
Resolution=BLOCK
Direction=OUT
NetworkType=ANY
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_003B5FE636FC40B485E8E508C2A748F9]
Revision=1
SectionType=2
Name=Autorule
Index=0
Type=APP
Protocol=ICMP
Resolution=BLOCK
Direction=OUT
NetworkType=ANY
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0
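The check iWarren did by eye, matching the "ProcessCreated" lines in the FWDBG log against the rule sections in a2rules.ini, can be scripted so it scales to a long debug log. The following is an added example, not code from the thread or from Emsisoft. It assumes that Action=2 in an a2rules.ini application section means "blocked (do not run)", which the two sections above suggest (uTorrent.exe allowed with Action=1, utorrentie.exe blocked with Action=2) but the thread never states; the sample rules and log lines below are constructed copies of the ones posted above.

```powershell
# Added example (not Emsisoft's code). Flags processes that were created even
# though an a2rules.ini application section marks them as blocked.
# ASSUMPTION: Action=2 means "blocked (do not run)"; Action=1 means allowed.

# Constructed sample: the two application sections from the post, trimmed to
# the keys this script reads. FirewallRules_* sections (SectionType=2) have no
# Action key and are ignored.
$rulesIni = @'
[C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe]
Revision=4
SectionType=1
Action=1
[C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe]
Revision=4
SectionType=1
Action=2
'@

# Constructed sample: three "[WFP] ProcessCreated" lines in the FWDBG format
# shown in the post (time, thread id, tag, PID, image path).
$fwLog = @'
08:53:42.566 1308 FWDBG: [WFP] ProcessCreated: 3580 C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
08:53:44.688 1308 FWDBG: [WFP] ProcessCreated: 3816 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.782 1308 FWDBG: [WFP] ProcessCreated: 3848 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
'@

# Parse the INI text and return a case-insensitive set of image paths whose
# application section carries Action=2.
function Get-BlockedPaths {
    param([string]$IniText)
    $blocked = @{}
    $section = $null
    foreach ($line in $IniText -split '\r?\n') {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^Action=(\d+)$' -and [int]$Matches[1] -eq 2) {
            $blocked[$section.ToLowerInvariant()] = $true
        }
    }
    return $blocked
}

# Walk the firewall debug log and report every process creation whose image
# path is in the blocked set: each hit is a "do not run" rule that was not enforced.
function Find-UnblockedStarts {
    param([string]$LogText, [hashtable]$Blocked)
    $hits = @()
    foreach ($line in $LogText -split '\r?\n') {
        if ($line -match '^(\S+) \d+ FWDBG: \[WFP\] ProcessCreated: (\d+) (.+)$') {
            $path = $Matches[3].Trim()
            if ($Blocked.ContainsKey($path.ToLowerInvariant())) {
                $hits += [pscustomobject]@{
                    Time      = $Matches[1]
                    ProcessId = [int]$Matches[2]
                    Path      = $path
                }
            }
        }
    }
    return $hits
}

# Usage: with the sample data this lists PIDs 3816 and 3848 (utorrentie.exe)
# and nothing for uTorrent.exe, which is allowed.
$blockedSet = Get-BlockedPaths -IniText $rulesIni
Find-UnblockedStarts -LogText $fwLog -Blocked $blockedSet | Format-Table -AutoSize
```

To run it against a real capture, replace the two here-strings with `Get-Content -Raw` of the a2rules.ini and the firewall debug log. Matching is done on the full image path, lower-cased, because the log writes some paths in upper case while the INI keeps the original case.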
iWarren, Posted July 27, 2017
My problem appears to be a little more serious, as it doesn't seem that the Behaviour Blocker is blocking "any" of the programs I specify are to be blocked. I created several blocks for a variety of different applications, and it wouldn't block any of them. Even after a factory reset and reinstallation of Emsisoft. Any ideas?
iWarren, Posted July 27, 2017
I reinstalled again, this time running EmsiClean; it did not detect any additional residual files. Deleted the Emsisoft folder manually in Program Files. Reinstalled, restarted. Still does not block the specified applications from running. Testing on mspaint.exe and notepad.exe (and other files not located in System32). Installed the Beta version and reset factory defaults; still does not block any programs.
iWarren, Posted July 27, 2017
I noticed that it does block "some" programs, but not all of them. It looks like... if one custom rule behavior is triggered when it is marked as "Blocked (impossible to run)", then it will block the program. However, if the program is set to be blocked and none of the custom trigger behaviors are triggered, then it will not block the program. So typical programs like Notepad and MSPaint are not being blocked when they are set to be blocked, and atypical programs that have potential for undesired behavior are getting blocked.
GT500, Posted July 27, 2017
Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you? As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) is not excluded?
JeremyNicoll, Posted July 28, 2017
Why would (e.g.) mspaint not get blocked, if it's meant to be...? Has the whole of C:\WINDOWS, or one of its subfolders, been excluded from monitoring?
iWarren, Posted July 28, 2017
There are no folders or files in the exclusion list. Remember, I had restored everything to factory defaults. Has anyone tested theirs for similar behavior?
iWarren, Posted July 28, 2017
Quote: "Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you? As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) is not excluded?"
Many programs out there incorporate some form of adware to maintain their free status; Skype and MSN Messenger, for example, are popular programs that have incorporated ads into their functionality. That's neither here nor there though. My main issue is that programs are not being blocked properly.
iWarren, Posted July 28, 2017
As I said previously, the block is 'only' triggering on programs that have at least one of the unwanted behaviors (i.e. backdoor-related activity, changing the hosts file, etc.), and since programs like Notepad or MSPaint have none, it doesn't seem to be blocking them at all.
JeremyNicoll, Posted July 28, 2017
I know there's more than one copy of notepad.exe (I've never understood why)... Maybe the one that's executing isn't the blocked one? Under XP (if I remember right) and maybe W7, they are C:\Windows\notepad.exe and C:\Windows\System32\notepad.exe; on my W8.1 64-bit system there are 3 copies: the two I just mentioned and also C:\Windows\SysWOW64\notepad.exe. On the other hand there are only two copies of mspaint.exe on my system (and so I'd guess perhaps only one on yours). My two are in \System32 and \SysWOW64. Worse, I just tried blocking specifically C:\Windows\notepad.exe and it runs. I've PMed debug logs to Arthur.
JeremyNicoll, Posted July 28, 2017
When I explicitly blocked that instance of notepad.exe, I then tested it by executing in a cmd.exe window:
C:\>C:\Windows\notepad.exe
Since then I've added the other variants to the app rules block list and also tried it by double-clicking a .log file (which would normally open in notepad), and by right-clicking other types of file and choosing "Edit with notepad", which is a context menu item I defined (so I can choose to edit any file with that editor, and similarly other editors). In all instances notepad ran.
JeremyNicoll, Posted July 28, 2017
Here's a screenshot of app rules: https://www.dropbox.com/s/1r9b527016v7bdl/20170728 0758 02 notepad-dot-exe not blocked - app rules.jpg?dl=0
Oh, should have said: EIS, stable feed.
stapp, Posted July 28, 2017
Perhaps it has to do with notepad being a Microsoft thing, as it doesn't block for me either. However, if I open the CCleaner GUI and then open the EAM GUI and open the Behaviour Blocker screen, I see CCleaner in the list. I highlight and right-click on it and select 'Create Rule', then block it. I close the Emsi GUI and CCleaner and then try to open CCleaner again... I cannot; I get this in the Forensic Log:
28/07/2017 09:08:27 Behavior Blocker detected suspicious behavior "AutorunCreation" of "C:\Program Files\CCleaner\CCleaner64.exe"
28/07/2017 09:08:28 Terminated by rule
The same block occurs with Process Explorer after I do the above steps.
JeremyNicoll, Posted July 28, 2017
I just tried with a non-MS desktop reminders program. It didn't get blocked. Stapp, your experiments show BB blocking suspicious behaviour, not preventing a program from being started in the first place.
stapp, Posted July 28, 2017
30 minutes ago, JeremyNicoll said: "I just tried with a non-MS desktop reminders program. It didn't get blocked. Stapp, your experiments show BB blocking suspicious behaviour, not preventing a program from being started in the first place."
That may be what the Forensics log says, but the fact is the 2 programs I tested with, CCleaner and Process Explorer, were both unable to start using beta build 7797.
JeremyNicoll, Posted July 28, 2017
Stapp, if they really didn't start then there's another bug: a log message that's inaccurate. I think it's more likely that the apps concerned tried to do something in their startup processing that BB intercepted, so that the started process was then terminated and you saw nothing (the event logs might show if the processes were created to contain the starting applications, depending on how your system is configured). Process Explorer is certainly going to do lots of iffy (if you don't trust it) things; CCleaner was probably trying to set/reset a registry entry.
stapp, Posted July 28, 2017
Jeremy, the bit that caught my eye was "Terminated by rule". (I'm sure the devs will sort things if needed; after all, the Forensic logs are in an early stage.)
Peter2150, Posted July 28, 2017
15 hours ago, GT500 said: "Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you? As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) is not excluded?"
Arthur, I am going to assume you were tired when you wrote that. Otherwise it is beyond lame. I block one or two Windows processes and also two QuickBooks processes. By that logic I shouldn't run them? But here's the real problem, and I will test this weekend. If the new beta BB isn't blocking based on the always-block rule, that is catastrophic. If that rule doesn't work, how can I trust the BB at all?
JeremyNicoll, Posted July 28, 2017
@Peter2150 - never mind the new beta, the "do not run" rules I've tried are not working on the EIS stable feed.
Peter2150, Posted July 28, 2017
Thanks Jeremy. That is indeed very bad.
iWarren, Posted July 28, 2017
Thank you everybody for working with me on this; I was going a bit mental with this and I'm glad it's just not me. JeremyNicoll, on 32-bit Windows there's only 1 copy of Notepad (unless you count the backup repositories), and on a 64-bit system they have 2 copies, or maybe 3 copies as you stated... In each case, each one would have its own specific rule, and you should be able to differentiate them by file location. The problem is as I stated earlier:
If the program is set as blocked (do not run) and it detects anything in the "custom behaviors" list (even though no custom behaviors are set), it will block that application from running.
If the program is set as blocked (do not run) and detects nothing in the "custom behaviors" list (even though no custom behaviors are set), it allows that application to run (which is not good!).
You can try it yourself by finding a random program, like Winamp for example; if you set it to custom monitoring, you will notice it detects its connection attempt as suspicious activity... so if you blocked Winamp, it will block that program, because the trigger was in the custom behavior list. Then find a generic program, like Notepad, MSPaint, Audacity... you can set it to custom monitoring, identify that it has no suspicious activity, then try to block the program, and you will notice it allows it to run. Hopefully we can get this cleared up soon. Thanks again!
iWarren, Posted July 28, 2017
I might add, I have this occurring in both stable and beta versions, and had clean installations and factory defaults.
Frank H, Posted July 28, 2017
Hello, we are analysing the issue atm. Thanks for your feedback.
iWarren, Posted July 28, 2017
Peter, in GT500's defense, he makes a valid point regarding torrents, but it is also beside the point as well. lol. At any rate, I'm sure he was being helpful by offering me a potentially better program alternative.
iWarren, Posted July 28, 2017
Thank you Frank.
GT500, Posted July 29, 2017
11 hours ago, Peter2150 said: "But here's the real problem, and I will test this weekend. If the new beta BB isn't blocking based on the always-block rule, that is catastrophic. If that rule doesn't work, how can I trust the BB at all?"
I actually tested it with a pre-existing block rule that I had in place, and EAM did terminate the application in exactly the same way it used to. I also just created a new block rule for Process Explorer (since it was sitting on my desktop), and tried to run it, and it was not able to execute. At the time I expected that there was another reason the process wasn't being blocked (such as an exclusion).
Process Explorer is digitally signed by Microsoft, and the first program I tested the other day also appears to have a digital signature (which I did not expect since it's from a game). Oddly enough, neither MSPaint nor Notepad have digital signatures. On a hunch, I created a block rule for FRST (which is not digitally signed), and it ran without problem. Perhaps the issue only applies to executables that are not digitally signed?
11 hours ago, Peter2150 said: "I am going to assume you were tired when you wrote that. Otherwise it is beyond lame. I block one or two Windows processes and also two QuickBooks processes. By that logic I shouldn't run them?"
Issues with µTorrent are well known, as is the fact that it isn't necessarily the safest torrent client out there. qBittorrent was developed specifically as a replacement for µTorrent due to its lack of trustworthiness, which is why I recommended replacing it.
iWarren, Posted July 29, 2017
In the "Behavior Blocker", when I hover over the (Company) column, the mspaint and notepad entries say "Verified by digital signature". I think it's more likely it's something to do with the actual detection of the behaviors, because it doesn't seem to matter which behavior is triggered, so long as a behavior is detected, before it agrees to block. Probably when the forensics was being worked on, it seems like an IF-condition was altered, which results in this behavior. I think at this point we'll probably just have to wait until the relevant code is reviewed.
iWarren, Posted July 29, 2017
I tested on Autoruns.exe (from the Sysinternals suite), which modifies auto-run entries. As you probably know, if you set the program to "Custom Monitoring" before running it, it will tell you what behavior is a possible threat and ask you to confirm running it. Autoruns.exe blocks the same as Procexp.exe (Process Explorer), because procexp triggers the "Modify auto-run entries" behavior, as well as "Attempts to modify other programs". So anything that has a behavior being triggered is being blocked correctly, whereas programs like Notepad and MSPaint do not have these behaviors to worry about, so they are being allowed to run freely.
iWarren, Posted July 29, 2017
I have also tried it on other non-Microsoft programs as well (which are known to be safe and signed properly), and the result is the same.
stapp, Posted July 29, 2017
I know Frank and the other devs are looking into "the notepad issue", so I'm sure things will be sorted very soon.
JeremyNicoll, Posted July 29, 2017
The non-MS desktop reminder program I tried to block, which ran perfectly, IS digitally signed. This is NOT a problem caused by the new forensic log. It's happening here on the stable feed.
stapp, Posted July 29, 2017
1 hour ago, JeremyNicoll said: "This is NOT a problem caused by the new forensic log. It's happening here on the stable feed."
Nobody said it was caused by the log, but the log does show an issue regarding it (and is a separate issue).
Frank H, Posted July 29, 2017
Hi, this issue has been analysed, fixed and will be included in the upcoming beta 2 release.
Peter2150, Posted July 29, 2017
Which issue, Frank? There are two issues: 1) If I set an exe to always block, is it always blocked? and 2) How is it logged?
Frank H, Posted July 29, 2017
Hey Pete, the issue related to the topic of this thread, program instances not being blocked, has been fixed. In previous versions nothing was logged when a 'block all' rule was applied, so with this fix it doesn't log either. We might improve that though.
iWarren, Posted July 29, 2017
11 hours ago, JeremyNicoll said: "The non-MS desktop reminder program I tried to block, which ran perfectly, IS digitally signed. This is NOT a problem caused by the new forensic log. It's happening here on the stable feed."
I know it is happening in the stable feed, but I was just judging by the timing that the blocking stopped working and the forensic log feature was created, and suggested that it was probably a change made while doing work on the forensics.
9 hours ago, Frank H said: "Hi, this issue has been analysed, fixed and will be included in the upcoming beta 2 release."
I was kind of hoping that once fixed, you'd be able to push it into the Stable feed, considering it was already a standard proven feature and could be relatively important to a lot of people. Program blocking is a pretty crucial feature of the EIS suite. At the very least, can you give an ETA on when the beta 2 build might be released?
Frank H, Posted July 31, 2017
FYI: we've just released a new Beta with the fix. I'd appreciate it if you could switch to beta and provide feedback. http://changeblog.emsisoft.com/2017/07/31/beta-updates-2017-07-31/
GT500, Posted August 1, 2017
On 7/28/2017 at 10:26 PM, iWarren said: "In the "Behavior Blocker", when I hover over the (Company) column, the mspaint and notepad entries say "Verified by digital signature"."
Funny, Windows says they're not digitally signed when I check those files on Win 7 x64; however, I just tested with Sigcheck and it says they're signed. Silly Windows.
On 7/29/2017 at 3:00 PM, iWarren said: "I was kind of hoping that once fixed, you'd be able to push it into the Stable feed, considering it was already a standard proven feature and could be relatively important to a lot of people."
It's dangerous to push fixes directly to stable without being tested first. We could end up breaking something else with the fix, so we publish a beta first so that people can try it and give us feedback, and then if everything is OK people can continue to use the beta until we no longer need to publish more changes to the beta and are confident that the beta is stable enough for the Stable feed.
On 7/29/2017 at 3:00 PM, iWarren said: "Program blocking is a pretty crucial feature of the EIS suite."
Actually, considering that this is a feature already built into Windows, blocking programs from running is a minor feature of security software. Obviously there are limitations to the way blocking applications from running works in Windows; however, there are also limitations to how it works in EIS (if a program is already running when a2service.exe starts, then no action is taken against it). Note that this feature (selectively blocking applications as configured in the Application Rules) is handled completely differently from how our Behavior Blocker handles blocking malicious applications.
iWarren, Posted August 1, 2017
Quote: "It's dangerous to push fixes directly to stable without being tested first. We could end up breaking something else with the fix, so we publish a beta first so that people can try it and give us feedback, and then if everything is OK people can continue to use the beta until we no longer need to publish more changes to the beta and are confident that the beta is stable enough for the Stable feed."
That is understandable, but at the same time, this blocking issue did manage to make it through a beta feed, which is designed to catch things like this. Considering the nature of this feature, and that some people might not utilize the forums, a user might block an item like I did with utorrentie and just expect it to be blocking behind the scenes. It might be prudent to expedite the fix into the stable feed, though I understand the need for due process as well.
Quote: "Actually, considering that this is a feature already built into Windows, blocking programs from running is a minor feature of security software. Obviously there are limitations to the way blocking applications from running works in Windows; however, there are also limitations to how it works in EIS (if a program is already running when a2service.exe starts, then no action is taken against it)."
Well, I don't want to get into a technical battle with you GT500, lol, but not all Windows versions, like Win7 Home, give you access to modify group policy settings. I'm sure if you dug deep enough you could probably find some registry settings as a workaround, but it'd be tedious. One of the major reasons why I love EIS so much is this application blocking ability, because it gives you a bit more control over what is happening behind the scenes. EIS is more than just a networking firewall, but an application firewall as well, which are two features that really just complement each other.
I prefer to block other programs too, like spoolsv.exe for example, a service designed specifically for printers. I know you could just disable that service and likely never see it again. It's just one of those programs that, if you're not using it, I don't want to take the chance that it can be executed without my knowledge. I think in the past I read it could be misused by an attacker. Another good example of using the block feature is to block GWX programs, which isn't as much an issue today, but when Microsoft was making its big push on Win10, the block feature was really invaluable in preventing Win10 installation attempts. I also use this blocking feature while gaming with Steam, as some games will try to access a Google Chrome extension through SteamWebHelper, and it can potentially open you up to security flaws, as well as give you latency issues from adware. So it's daily usage like this that makes the blocking feature really a handy tool, and that's just "my" preferences; I'm sure others out there have equally useful usages.
iWarren, Posted August 1, 2017
15 hours ago, Frank H said: "FYI: we've just released a new Beta with the fix. I'd appreciate it if you could switch to beta and provide feedback. http://changeblog.emsisoft.com/2017/07/31/beta-updates-2017-07-31/"
I switched to the Beta feed, and all is working well, Frank. Thank you for your quick action on this matter! Programs appear to be blocking as they should. Well done. I will continue to observe and report.
GT500, posted August 2, 2017

18 hours ago, iWarren said:
> Considering the nature of this feature, and that some people might not utilize the forums, a user might block an item like I did with utorrentie and just expect it to be blocking behind the scenes. It might be prudent to expedite the fix into the stable feed, though I understand the need for due process as well.

They might be more upset if we broke things more than they already are, whether they know the feature isn't working or not. It's best to do the beta testing just to be sure that there are no new major issues.

18 hours ago, iWarren said:
> Well, I don't want to get into a technical battle with you GT500, lol, but not all Windows versions, like Win7 Home, give you access to modify group policy settings. I'm sure if you dug deep enough you could probably find some registry settings as a workaround, but it'd be tedious.

Actually, adding the rules directly via the registry (using .reg files to import them) is easier than using the Group Policy Editor. Granted, there is AppLocker as well, although that isn't going to work on Windows 7 unless you have the Ultimate or Enterprise editions, so Software Restriction Policies tend to be the preferred way since they will work on any version of Windows NT (as far back as at least Windows XP, if not older). You can even block execution of files via file permissions, which might be even more effective than our Behavior Blocker (our Behavior Blocker has the limitation that if a program starts before the Emsisoft Protection Service, a2service.exe, then it can't be prevented from executing). Here's an example of file permissions that will prevent execution of an application: [screenshot]

18 hours ago, iWarren said:
> I prefer to block other programs too, like spoolsv.exe for example, a service designed for printers specifically, which, I know, you could just disable and likely never see again. It's just one of those programs that, if you're not using it, I don't want to take the chance that it can be executed without my knowledge. I think in the past I read it could be misused by an attacker.

Just disable the service, and it won't run. It can start if the service is set to Manual, but if set to Disabled the service won't start. That being said, we don't generally recommend disabling default Windows services. Just make sure the latest updates are installed, make sure that your security software is up to date, and of course make sure that third-party software and plugins you use are also up to date, and that will minimize any security risk.
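The two Windows-native alternatives GT500 describes, an SRP "Disallowed" path rule written straight to the registry and an NTFS Deny-Execute ACE, as an added PowerShell example (not from the thread or from Emsisoft; run elevated). `$Target` is a constructed placeholder path, and the SRP header values are the standard ones a GPO-created policy writes.

```powershell
# Added example: block one executable on Windows 7 Home, where gpedit.msc is absent.
# $Target is a constructed placeholder; point it at the file you want blocked.
$Target = 'C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe'

# --- 1. Software Restriction Policies via the registry (what a .reg import would do).
#        Level subkey 0 = Disallowed; 262144 (0x40000) = Unrestricted.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
# Minimal policy header: default Unrestricted, all users, skip DLL checks.
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value 262144 -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1      -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0      -Type DWord
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0      -Type DWord
# Extensions SRP treats as executable (trimmed list; extend as needed).
Set-ItemProperty -Path $Safer -Name ExecutableTypes `
    -Value @('EXE','COM','BAT','CMD','MSI','SCR','PIF') -Type MultiString

# One path rule = one GUID-named subkey under the Disallowed level.
$RuleKey = Join-Path $Safer ('0\Paths\' + [guid]::NewGuid().ToString('B').ToUpper())
New-Item -Path $RuleKey -Force | Out-Null
Set-ItemProperty -Path $RuleKey -Name ItemData     -Value $Target -Type ExpandString
Set-ItemProperty -Path $RuleKey -Name SaferFlags   -Value 0       -Type DWord
Set-ItemProperty -Path $RuleKey -Name Description  -Value 'Blocked (added example)' -Type String
Set-ItemProperty -Path $RuleKey -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord

# --- 2. NTFS permissions: explicit Deny of "Execute File" for Everyone.
#        Deny ACEs are evaluated before Allow ACEs, and the check happens in the
#        kernel at image load, so it applies even before any security service starts.
$Acl  = Get-Acl -Path $Target
$Deny = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'Everyone', 'ExecuteFile', 'Deny'
$Acl.AddAccessRule($Deny)
Set-Acl -Path $Target -AclObject $Acl

# Verify: the Deny entry should now be listed ahead of the inherited Allow entries.
(Get-Acl -Path $Target).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Log off and back on before testing the SRP rule; the ACL change is effective immediately. Either control is only as durable as the file path: an updater that drops a fresh copy elsewhere is not covered by a path rule or a per-file ACE.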
iWarren, posted August 2, 2017

You said that a2service.exe won't block a program if it starts before the a2service. Out of curiosity, do you happen to know how Windows decides what program is to run first, i.e. which executable takes precedence? Is it alphabetical order, which might make sense considering the starting characters "a2", or is it perhaps by order of added entry?
GT500, posted August 2, 2017

16 hours ago, iWarren said:
> Out of curiosity, do you happen to know how Windows decides what program is to run first, i.e. which executable takes precedence? Is it alphabetical order, which might make sense considering the starting characters "a2", or is it perhaps by order of added entry?

There are a number of factors that can affect load order (service start type, certain service settings, etc.). If I remember right there's also a number stored somewhere (possibly in the settings for each service) that dictates where in the load order it should be started. The size of an executable, how much data it needs to load into RAM, and what all the executable needs to do while initializing can also slow down the process of starting a program. EIS has to load a 400+MB collection of database files into RAM while the computer is starting, which takes some time.
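An added PowerShell example (not from the thread) that reads the registry values behind the load-order factors GT500 describes: the Start type, the service's load-order Group and its position in ServiceGroupOrder, the Tag number within that group, and the DependOnService list. It assumes nothing about Emsisoft's internal service name and resolves it by display name; the mapping from Start values to names is the documented one.

```powershell
# Added example: show where Windows records a service's place in the start order.
# Boot/system-start drivers are ordered by ServiceGroupOrder\List and then by Tag;
# auto-start services are started afterwards by the SCM in dependency order, so
# neither alphabetical order nor time of installation decides it.
$Svc = Get-Service | Where-Object { $_.DisplayName -like '*Emsisoft*' } |
       Select-Object -First 1
if (-not $Svc) { throw 'No Emsisoft service found (example assumes EIS is installed)' }

$Key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Svc.Name)"
$Props = Get-ItemProperty -Path $Key
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Global group order: a lower index starts earlier. -1 means the service is not in
# any load-order group, i.e. it is an ordinary SCM-started service.
$GroupList = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
$GroupIdx  = if ($Props.Group) { [array]::IndexOf($GroupList, $Props.Group) } else { -1 }

[pscustomobject]@{
    Service       = $Svc.Name
    StartType     = $StartNames[[int]$Props.Start]
    DelayedStart  = [bool]$Props.DelayedAutostart   # auto-start, but after the others
    LoadGroup     = $Props.Group
    GroupPosition = $GroupIdx
    Tag           = $Props.Tag                      # order within the group (drivers)
    DependsOn     = ($Props.DependOnService -join ', ')
} | Format-List
```

Run the same block against any other service name to compare: a kernel driver in an early group with a low Tag will always be up before a user-mode protection service that is merely "Automatic".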