stapp

CLOSED Warning when block rule applied in 7838


EAM on Win 7 64 bit after manual update from 7797 

I did a block all rule for mspaint to test fix. 

This is the warning I get when I tried to run it.

 

paint.PNG

Hi Frank

I understand where that warning came from, but I see trouble ahead when you use a message that says it's a virus, when it isn't. That is going to bite you.

 

Pete


Hey Pete,

Such warnings have been here for ages and no one ever complained.
EAM/EIS just tells Windows to block a process from executing and this warning is what Windows makes of it; we do not control that.

 


Maybe though, at the point where EAM/EIS tells Windows to block the process, you should put up your own alert saying so and telling people to disregard the misleading message that Windows produces?


that would be funny....:P

It is obvious that such apprules are added by experienced users, so when such a warning shows up, they know exactly what caused it.

I can't recall a support request from confused users related to this Windows warning.

 

 


I think you'll also get people who act on advice (elsewhere perhaps) and set up such a rule.  If you're not going to produce a message of your own that's accurate, then the next best thing would be to describe this misleading message in the documentation, as a consequence of a total block rule.  And preferably also mention it within the application when someone creates such a rule.


Now that 7838 is in the Stable feed, I tried this.  The message I get when a (non-MS) application is blocked is slightly different:

    <the-program's-full-filepath>

   Operation did not complete successfully because the file contains a virus or potentially unwanted software.

 

Has the message text been changed from that described above (in which case, thank-you, I think it is better), or is my message (under W8.1) being produced for a slightly different reason?

As discussed elsewhere I note that the block is not logged at all; I hope that does get changed.

 

 


Hi,

Quote

message text been changed from that described above (in which case, thank-you, I think it is better), or is my message (under W8.1) being produced for a slightly different reason?



As explained earlier, we do not control this Windows message box. You run W8.1 and this might be the reason for a slightly different wording.

We already planned to add a log record to the forensic log in a future release.

 


Glad I found this thread... I had all of these things on my mind when I first tried it out.

I was honestly just happier that it was blocked correctly; I didn't really mind how I was notified.

When I blocked a program that came from the Explorer taskbar, it told me the link had been removed
and asked me if I wanted to delete the item.  Which is fine... it's just detecting that the program is no
longer available as it once was.

In Windows 7 (32-bit) when I block mspaint.exe like stapp did, I do get a different Windows error message.

Mine is....
 

C:\Windows\System32\mspaint.exe  

The parameter is incorrect

 

Which I still think is fine.

If we start adding EIS Alerts to everything that was blocked, it might start to become intrusive.

I will admit, in the past, I've probably set a block and forgotten about it, but I eventually remembered I'd set it
and remembered this type of behavior.

 

This topic is now closed to further replies.
