Program instances not being blocked.

[iWarren 7]

I've had this installation of EIS running for quite some time.

Emsisoft Internet Security

Version: 2017.6.0.7681

Windows 7 (32-bit)  Service Pack 1

(No other known conflicting software installed)

 

In my Behavior Blocker - Application Rules, I have utorrent.exe allowed to run.

Then I also have utorrentie.exe set to be blocked from running.

 

When I start utorrent.exe,  taskmgr shows that 2 instances of utorrentie.exe are being allowed to run.

I think in the past, I think i recall that utorrentie was possibly being blocked normally.

 

I am curious if these 2 instances are not being allowed, because its parent program is being allowed.

 

I enabled advanced debug output (and restarted), and included the relative information.

I was going to just reinstall EIS and see if the problem resolves, but I first thought it'd be helpful to collect

as much information on the problem.  Let me know if you need more information, and or whether you

want me to reinstall.

 

 

a2service Log

08:53:06.858    940               -> TFirewallRulesManager.UpdateRulesEnabling(RuleFileName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
08:53:06.858    940                  -> DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe)
08:53:06.858    940                  <- DeviceToDrive(C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe): C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:06.858    940                  -> TStoreManager.LocateSection('Rules','C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe','0'): TCustomSection
08:53:06.858    940                  <- TStoreManager.LocateSection(...): Result = 00FACA38

 

firewall log

08:53:40.866	1384  FWDBG: [WFP] ProcessCreated: 3548 C:\Program Files\Emsisoft Internet Security\a2start.exe
08:53:42.551	1300  FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3580
08:53:42.566	1308  FWDBG: PROCESS: 3580 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
08:53:42.566	1308  FWDBG: [WFP] ProcessCreated: 3580 C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe
08:53:42.988	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 58788, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:43.034	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 62531, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.142	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57738, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.267	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49166, Remote: 23.21.139.158: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.376	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 5351, Remote: 192.168.0.1: 5351, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.532	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 57029, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.563	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 65467, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.594	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49191, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.626	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49167, Remote: 52.84.21.89: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.657	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49168, Remote: 208.111.179.219: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.657	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49169, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.688	1300  FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3816
08:53:44.688	1308  FWDBG: PROCESS: 3816 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.688	1308  FWDBG: [WFP] ProcessCreated: 3816 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.719	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49170, Remote: 52.84.19.74: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.782	1300  FWDBG: [WFP_EVENT_DATA]: {PROCESS_CREATED} Flags = 0, Type = {REQUEST/1}, PID: 3848
08:53:44.782	1308  FWDBG: PROCESS: 3848 --> (client-resolved) C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.782	1308  FWDBG: [WFP] ProcessCreated: 3848 C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
08:53:44.797	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49171, Remote: 52.84.19.74: 443, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.860	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 51879, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.891	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 60714, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 1588, Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
08:53:44.938	1300  FWDBG: [WFP_EVENT_DATA]: {SEND_DATAGRAM} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 61338, Remote: 192.168.0.1: 53, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.938	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49172, Remote: 208.111.179.83: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE
08:53:44.938	1300  FWDBG: [WFP_EVENT_DATA]: {CONNECT} Flags = 120, Type = {NOTIFICATION/2}, AF: 2, Direction: <--(1), Local: 192.168.0.2: 49173, Remote: 188.166.37.159: 80, ILuid: 0.0, INetType: 3, PID: 3580, Name: C:\USERS\xxx\APPDATA\ROAMING\UTORRENT\UTORRENT.EXE

a2rules.ini

[C:\Users\xxx\AppData\Roaming\uTorrent\uTorrent.exe]
Revision=4
SectionType=1
SHA1=873D6472B719B6A07C9DBDCB09DBEB04FE56EBA2
GUID={6986CF07-4153-4EC9-907F-45C95273BBF4}
Action=1
Worm=0
Dialer=0
Backdoor=0
Hijacker=0
Inject=0
Downloader=0
Spyware=0
Service=0
KeyLogger=0
Startup=0
HiddenInstall=0
Virus=0
Hosts=0
Rootkit=0
BrowserSettings=0
Debugger=0
RemoteControl=0
DirectDiskAccess=0
SystemPolicies=0
Exploit=0
CryptoMalware=0
FirewallInMode=0
FirewallOutMode=0
MD5=AFB311776018C6564FE8A25CD5FD78C9
Updated=1

[C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe]
Revision=4
SectionType=1
SHA1=B677DD6E7B885A8E57C03FA6D4CE3BA4D655C2E5
GUID={229DB36D-F13F-4609-82AB-5BEAC079887C}
Action=2
Worm=0
Dialer=0
Backdoor=0
Hijacker=0
Inject=0
Downloader=0
Spyware=0
Service=0
KeyLogger=0
Startup=0
HiddenInstall=0
Virus=0
Hosts=0
Rootkit=0
BrowserSettings=0
Debugger=0
RemoteControl=0
DirectDiskAccess=0
SystemPolicies=0
Exploit=0
CryptoMalware=0
FirewallInMode=1
FirewallOutMode=1
MD5=F233F4591F9CC22166095F109090DEB1
Updated=1
BehaviorBlockerEnabled=1

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_C4FD508883334C0FBB3F937002F8BF9B]
Revision=1
SectionType=2
Name=Autorule
Index=2
Type=APP
Protocol=TCP
Resolution=BLOCK
Direction=OUT
NetworkType=ANY
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_464279183A724962B6C8738B54B67FF8]
Revision=1
SectionType=2
Name=Autorule
Index=1
Type=APP
Protocol=TCPUDP
Resolution=BLOCK
Direction=OUT
NetworkType=ANY
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0

[FirewallRules_229DB36DF13F460982AB5BEAC079887C_003B5FE636FC40B485E8E508C2A748F9]
Revision=1
SectionType=2
Name=Autorule
Index=0
Type=APP
Protocol=ICMP
Resolution=BLOCK
Direction=OUT
NetworkType=ANY
ObjectName=C:\Users\xxx\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe
Enabled=0

 

[iWarren 7]

my problem appears to be a little more serious,

as it doesn't seem that the Behaviour Blocker is blocking "any" of my programs i specify are to be blocked.

 

Created several blocks for a variety of different applications, and it wouldn't block any of them.

Even after a factory reset, and reinstallation of Emsisoft.

 

Any ideas?

[iWarren 7]

I reinstalled again, this time running EmsiClean, it did not detect any additional residual files.

Deleted Emsisoft folder manually in program files.

Reinstalled, restarted. Still does not block the specified applications from running.

testing on mspaint.exe and notepad.exe (and other files not located in System32)

 

Installed Beta version and reset factory defaults, still does not block any programs.

[iWarren 7]

I noticed, that it does block "some" programs, but not all of them.

It looks like.... if  1 custom rule behavior is triggered when it is marked as "Blocked (impossible to run)" then it will block the program.

However, if the program is set to be blocked, and none of the custom trigger behaviors are triggered, then it will not block the program.

 

So typical programs like notepad and mspaint, are not being blocked, when they are set to be blocked.

and atypical programs, that have potentials for undesired behavior, are getting blocked.

 

 

[GT500 594]

Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you?

As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) are not excluded?

[JeremyNicoll 58]

Why would (eg) mspaint not get blocked, if it's meant to be....?    Has the whole of C:\WINDOWS, or one of its subfolders, been excluded from monitoring?

[iWarren 7]

There is no folders or files in the exclusion list.  remember, i had restored everything to factory defaults.

has anyone tested theirs for similar behavior?

[iWarren 7]

Quote

 

Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you?

As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) are not excluded?

 Many programs out there incorporate some form of adware to maintain their free status, like Skype and MSN messenger are popular programs, that have incorporated ads into their functionality.

That's neither here nor there though.  My main issue is that programs are not being blocked properly.

[iWarren 7]

as i said previously, the block is 'only' triggering, on programs that have at least 1 of the unwanted behaviors. (ie. backdoor related activity, change the hosts file, etc.)

and since programs like notepad or mspaint have none, it doesn't seem to be blocking them at all.

 

[JeremyNicoll 58]

I know there's more than one copy of notepad.exe (I've never understood why)...  Maybe the one that's executing isn't the blocked one?   Under XP (if I remember right) and maybe W7, they are C:\Windows\notepad.exe  and  C:\Windows\System32\notepad.exe; on my W8.1 64bit system there's 3 copies - the two I just mentioned and also C:\Windows\SysWOW64\notepad.exe

On the other hand there's only two copies of mspaint.exe on my system (and so I'd guess perhaps only one on yours).  My two are in \System32 and \SysWOW64.

Worse, I just tried blocking specifically: C:\Windows\notepad.exe   and it runs.  I've PMed debug logs to Arthur.

[JeremyNicoll 58]

When I explicitly blocked that instance of notepad.exe, I then tested it by executing in a cmd.exe window

C:\>C:\WIndows\notepad.exe

Since then I've added the other variants to the app rules block list and also tried it by double-clicking a .log file (which would normally open in notepad), and by right-clicking other types of file and choosing "Edit with notepad", which is a context menu item I defined (so I can choose to edit any file with that editor, and similarly other editors).

In all instances notepad ran.

[JeremyNicoll 58]

Here's a screenshot of app rules: https://www.dropbox.com/s/1r9b527016v7bdl/20170728 0758 02 notepad-dot-exe not blocked - app rules.jpg?dl=0

Oh, should have said: EIS, stable feed.

[stapp 130]

Perhaps it has to do with notepad being a Microsoft thing as it doesn't block for me either.

However if I open CCleaner GUI and then open EAM GUI and open Behaviour Blocker screen I see CCleaner in the list.

I highlight and right-click on it and select 'Create Rule' then block it.

I close Emsi GUI and CCleaner and then try to open CCleaner again.. I cannot, I get this in Forensic Log

 28/07/2017 09:08:27
Behavior Blocker detected suspicious behavior "AutorunCreation" of "C:\Program Files\CCleaner\CCleaner64.exe"

28/07/2017 09:08:28
Terminated by rule

Same block occurs with Process Explorer after I do the above steps.
 

[JeremyNicoll 58]

I just tried with a non-MS desktop reminders program.  It didn't get blocked.  

Stapp, your experiments show BB blocking suspicious behaviour, not preventing a program from being started in the first place. 

[stapp 130]

30 minutes ago, JeremyNicoll said:

I just tried with a non-MS desktop reminders program.  It didn't get blocked.  

Stapp, your experiments show BB blocking suspicious behaviour, not preventing a program from being started in the first place. 

That may be what the Forensics log says, but the fact is the 2 programs I tested with, CCleaner and Process Explorer, were both unable to start using beta build 7797

[JeremyNicoll 58]

Stapp, if they really didn't start then there's another bug: a log message that's inaccurate.  I think it's more likely that the apps concerned tried to do something in their startup processing that BB intercepted so that the started process was then terminated and you saw nothing (the event logs might show if the processes were created to contain the starting applications, depending on how your system is configured).  Processor Explorer is certainly going to do lots of iffy (if you don't trust it) things; CCleaner was probably trying to set/reset a registry entry.

[stapp 130]

Jeremy the bit that caught my eye was    Terminated by rule

(I'm sure the devs will sort things if needed, after all the Forensic logs are in an early stage)

[Peter2150 45]

15 hours ago, GT500 said:

Firstly, if your torrent client is doing something you feel is necessary to block, then why are you continuing to use it? Perhaps something such as qBittorrent would be better for you?

As for the issue at hand, have you checked the exclusions to make sure that the folder utorrentie.exe is in (or any parent folders) are not excluded?

Arthur

I am going assume you  were tired when you wrote that.  Other wise it  is beyond lame.   I block one or two windows processes and also two Quickbooks processes.   By  that  logic I shoudn't run them?

But here's the real problem, and  I will test this weekend.   If the new beta BB isn't blocking based on the always block rule that is catastrophic.  If that rule doesn't work how can I trust the BB at all?

[JeremyNicoll 58]

@Peter2150 - never mind the new beta, the "do not run" rules I've tried are not working on the EIS stable feed.

[Peter2150 45]

Thanks Jeremy.    That is indeed very bad

[iWarren 7]

Thank you everybody for working with me on this, I was going a bit mental with this and glad its just not me.

 

JeremyNicoll, on 32-bit windows theres only 1 copy of Notepad (unless you count the backup repositories)

and on a 64-bit system, they have 2 copies, or maybe 3 copies as you stated....

 

In each case, each one would have their own specific rule, and you should be able to differentiate them by file location.

 

The problem is as I stated earlier:

 

If the program is set as blocked (do not run), and it detects anything in the "custom behaviors"  list (even though no custom behaviors are set)

It will block that application from running.

 

If the program is set as blocked (do not run) and detects nothing in the "custom behaviors"  list (even though no custom behaviors are set)

It allows that application to run.  (which is not good!)

 

You can try it yourself, by finding a random program... like Winamp for example,  if you set it to custom monitoring, you will notice it detects its

connection attempt as suspicious activity.... so if you blocked winamp... it will block that program, because the trigger was in the custom behavior list.

 

Then find a generic program, like Notepad, Mspaint, Audacity... you can set it to custom monitoring... identify that it has no suspicious activity....

then try to block the program... and you will notice it allows it to run.

 

Hopefully we can get this cleared up soon. Thanks again!
 

[iWarren 7]

I might add, i have this occurring in both stable and beta versions.  and had clean installations, and factory defaults.

[Frank H 91]

Hello,

We are analysing the issue atm.

Thanks for your feedback.

 

[iWarren 7]

Peter, in GT500's defense, he makes a valid point regarding torrents, but also besides the point as well. lol

At any rate, I'm sure he was being helpful, by offering me a potentially better program alternative.

[iWarren 7]

Thank you Frank

[GT500 594]

11 hours ago, Peter2150 said:

But here's the real problem, and  I will test this weekend.   If the new beta BB isn't blocking based on the always block rule that is catastrophic.  If that rule doesn't work how can I trust the BB at all?

I actually tested it with a pre-existing block rule that I had in place, and EAM did terminate the application in exactly the same way it used to. I also just created a new block rule for Process Explorer (since it was sitting on my desktop), and tried to run it, and it was not able to execute. At the time I expected that there was another reason the process wasn't being blocked (such as an exclusion).

Process Explorer is digitally signed by Microsoft, and the first program I tested the other day also appears to have a digital signature (which I did not expect since it's from a game). Oddly enough, neither MSPaint or Notepad have digital signatures. On a hunch, I created a block rule for FRST (which is not digitally signed), and it ran without problem. Perhaps the issue only applies to executables that are not digitally signed?

 

11 hours ago, Peter2150 said:

I am going assume you  were tired when you wrote that.  Other wise it  is beyond lame.   I block one or two windows processes and also two Quickbooks processes.   By  that  logic I shoudn't run them?

Issues with µTorrent are well known, as is the fact that it isn't necessarily the safest torrent client out there. qBittorrent was developed specifically as a replacement for µTorrent due to its lack of trustworthiness, which is why I recommended replacing it.

[iWarren 7]

In the "Behavior Blocker", when I hover over the (Company) column,  the mspaint and notepad entries,  says "Verified by digital signature"

I think its more likely its something to do with the actual detection of the behaviors.  Because it doesn't

seem to matter which behavior is triggered, so long as a behavior is detected, before it agrees to block.

 

probably when the forensics was being worked on, seems like an IF-condition was altered which results

in this behavior.  I think at this point, we'll probably just have to wait until the relevant code is reviewed. 

[iWarren 7]

I tested on Autoruns.exe (from sysinternalsuite), which modifies auto-run entries.

as you probably know,  if you set the program to "Custom Monitoring", before running it, it will tell you what behavior

is a possible threat, and asks you to confirm running it.

and Autoruns.exe blocks the same as Procexp.exe (process explorer)

Because procexp triggers the "Modify auto-run entries" behavior, as well as "Attempts to modify other programs"

 

so anything that has a behavior being trigggered, is being blocked correctly.

where programs like Notepad and Mspaint, do not have these behaviors to worry about, so they are being allowed to run freely.

 

 

[iWarren 7]

Have also tried it on other non-microsoft programs as well, (which are known to be safe, and signed properly),

and the result is the same.

[stapp 130]

I know Frank and the other devs are looking into ''the notepad issue'' so I'm sure things will be sorted very soon

[JeremyNicoll 58]

The non-MS desktop reminder program I tried to block, which ran perfectly, IS digitally signed.

This is NOT a problem caused by the new forensic log.  It's happening here on the stable feed.

[stapp 130]

1 hour ago, JeremyNicoll said:

 

This is NOT a problem caused by the new forensic log.  It's happening here on the stable feed.

Nobody said it was caused by the log, but the log does show an issue regarding it (and is a separate issue)

[Frank H 91]

Hi,

This issue has been analysed, fixed and will be included in the upcoming beta 2 release.

 

[Peter2150 45]

Which issue Frank.   There are to issues.    1)If I set an exe to always block, is it always blocked and 2) How is it logged.

[Frank H 91]

Hey Pete,

The issue that related to the topic of this thread: Program instances not being blocked. has been fixed

In previous versions nothing was logged when a 'block all' rule was applied, so with this fix it doesn't log too.

We might improve that though.

 

[iWarren 7]

11 hours ago, JeremyNicoll said:

The non-MS desktop reminder program I tried to block, which ran perfectly, IS digitally signed.

This is NOT a problem caused by the new forensic log.  It's happening here on the stable feed.

I know it is happening in the stable feed, but I was just judging by the timing that the blocking stopped

working, and the creation of the forensic log feature was created, and suggested that it was probably

a change made while doing work on the forensics.

 

9 hours ago, Frank H said:

Hi,

This issue has been analysed, fixed and will be included in the upcoming beta 2 release.

 

I was kind of hoping once fixed, you'd be able to push it into the Stable feed, considering it was already

a standard proven feature, and could be relatively important to a lot of people.  Program blocking is a pretty crucial

feature to the EIS suite.  At very least, can you give an ETA on when the beta 2 build might be released?

[Frank H 91]

FYI: we've just released a new Beta with the fix. I'd appreciate it if you could switch to beta and provide feedback.

http://changeblog.emsisoft.com/2017/07/31/beta-updates-2017-07-31/

 

[GT500 594]

On 7/28/2017 at 10:26 PM, iWarren said:

In the "Behavior Blocker", when I hover over the (Company) column,  the mspaint and notepad entries,  says "Verified by digital signature"

Funny, Windows says they're not digitally signed when I check those files on Win 7 x64, however I just tested with Sigcheck and it says they're signed. Silly Windows.

 

On 7/29/2017 at 3:00 PM, iWarren said:

I was kind of hoping once fixed, you'd be able to push it into the Stable feed, considering it was already a standard proven feature, and could be relatively important to a lot of people.

It's dangerous to push fixes directly to stable without being tested first. We could end up breaking something else with the fix, so we publish a beta first so that people can try it and give us feedback, and then if everything is OK people can continue to use the beta until we no longer need to publish more changes to the beta and are confident that the beta is stable enough for the Stable feed.

 

On 7/29/2017 at 3:00 PM, iWarren said:

Program blocking is a pretty crucial feature to the EIS suite.

Actually, considering that this is a feature already built in to Windows, blocking programs from running is a minor feature of security software. Obviously there are limitations to the way blocking applications from running works in Windows, however there are also limitations to how it works in EIS (if a program is already running when a2service.exe starts, then no action is taken against it).

Note that this feature (selectively blocking applications as configured in the Application Rules) is handled completely differently than how our Behavior Blocker handles blocking malicious applications.

[iWarren 7]

Quote

It's dangerous to push fixes directly to stable without being tested first. We could end up breaking something else with the fix, so we publish a beta first so that people can try it and give us feedback, and then if everything is OK people can continue to use the beta until we no longer need to publish more changes to the beta and are confident that the beta is stable enough for the Stable feed.

That is understandable, but at the same time, this blocking issue did manage to make it through a beta feed, which is designed to catch things like this.

Considering the nature of this feature, and that some people might not utilize the forums.

a user might block an item like I did with utorrentie, and just expect it to be blocking behind the scenes.

it might be prudent to expedite the fix into the stable feed.   Though I understand the need for due process as well.

 

 

Quote

Actually, considering that this is a feature already built in to Windows, blocking programs from running is a minor feature of security software. Obviously there are limitations to the way blocking applications from running works in Windows, however there are also limitations to how it works in EIS (if a program is already running when a2service.exe starts, then no action is taken against it).

Well, I don't want to get into a technical battle with you GT500, lol but,

not all Windows versions like Win7 Home, gives you access to modify group policy settings.

I'm sure if you dug deep enough, you could probably find some registry settings as a workaround, but it'd be tedious.

 

one of the major reasons why I love EIS so much, is this application blocking ability... because it gives you a bit more control over

what is happening behind the scenes. EIS is more than just a networking firewall, but an applications firewall as well.   which are

two features that really just complement each other.

 

I prefer to block other programs too, like spoolsv.exe for example, a service designed for printers specifically.  which, i know you could

just disable that service and likely never see it again.  Its just one of those programs, that if you're not using it, i don't want to take the

chance that it can be executed without my knowledge.  I think in the past I read it could be misused by an attacker. 

 

another good example of using the block feature, is to block GWX programs, which isn't as much an issue today, but when Microsoft

was making its big push on Win10, the block feature was really invaluable in preventing Win10 installation attempts.

 

I also use this blocking feature while gaming with Steam,  as some games will try to access a google chrome extention through Steamwebhelper

and it can potentially open you up to security flaws, as well as give you latency issues from adware.  So its daily usage like this, that makes

the blocking feature really a handy tool, and that's just "my" preferences, I'm sure others out there have equally useful usages.

 

 

[iWarren 7]

15 hours ago, Frank H said:

FYI: we've just released a new Beta with the fix. I'd appreciate it if you could switch to beta and provide feedback.

http://changeblog.emsisoft.com/2017/07/31/beta-updates-2017-07-31/

 

I switched to Beta feed,

and all is working well Frank.  Thank you for your quick action on this matter!

 

Programs appear to be blocking as they should, Well done.

I will continue to observe and report.

[GT500 594]

18 hours ago, iWarren said:

Considering the nature of this feature, and that some people might not utilize the forums. a user might block an item like I did with utorrentie, and just expect it to be blocking behind the scenes. it might be prudent to expedite the fix into the stable feed.   Though I understand the need for due process as well.

They might be more upset if we broke things more than they already are, whether they know the feature isn't working or not. It's best to do the beta testing just to be sure that there are no new major issues.

 

18 hours ago, iWarren said:

Well, I don't want to get into a technical battle with you GT500, lol but, not all Windows versions like Win7 Home, gives you access to modify group policy settings. I'm sure if you dug deep enough, you could probably find some registry settings as a workaround, but it'd be tedious.

Actually, adding the rules directly via the registry (using .reg files to import them) is easier than using the Group Policy Editor. Granted there is AppLocker as well, although that isn't going to work on Windows 7 unless you have the Ultimate or Enterprise editions, so Software Restriction Policies tend to be the preferred way since they will work on any version of Windows NT (as far back as at least Windows XP, if not older).

You can even block execution of files via file permissions, which might be more effective even than our Behavior Blocker (Our Behavior Blocker has the limitation that if a program starts before the Emsisoft Protection Service, a2service.exe, then it can't be prevented from executing). Here's an example of file permissions that will prevent execution of an application:

Download Image

 

18 hours ago, iWarren said:

I prefer to block other programs too, like spoolsv.exe for example, a service designed for printers specifically.  which, i know you could just disable that service and likely never see it again.  Its just one of those programs, that if you're not using it, i don't want to take the chance that it can be executed without my knowledge.  I think in the past I read it could be misused by an attacker. 

Just disable the service, and it won't run. It can start if the service is set to Manual, but if set to Disabled the service won't start. That being said, we don't generally recommend disabling default Windows services. Just make sure the latest updates are installed, make sure that your security software is up to date, and of course make sure that third-party software and plugins you use are also up-to-date and that will minimize any security risk.

[iWarren 7]

You said that a2service.exe won't block a program if it starts before the a2service.

Out of curiosity,  do you happen to know how Windows decides what program is to run first?
ie. which executable takes precedence.... is it alphabetical order?  Which might make sense,
considering the starting characters "a2", or is it perhaps by order of added entry?

[GT500 594]

16 hours ago, iWarren said:

Out of curiosity,  do you happen to know how Windows decides what program is to run first?
ie. which executable takes precedence.... is it alphabetical order?  Which might make sense,
considering the starting characters "a2", or is it perhaps by order of added entry?

There are a number of factors that can effect load order (service start type, certain service settings, etc). If I remember right there's also a number stored somewhere (possibly in the settings for each service) that dictates where in the load order it should be started.

The size of an executable, how much data it needs to load into RAM, and what all the executable needs to do while initializing can also slow down the process of starting a program. EIS has to load a 400+MB collection of database files into RAM while the computer is starting, which takes some time.