Peter2150 Posted March 16, 2019
I've got a strange issue. I had an object quarantined, and it's now driving me nuts. I keep getting a pop up that makes no sense. It says "After re-scanning the quarantined objects with the updated sign. were previously falsly detected (false positives). Do you want to now?" It then lists the object quarantined. Do I want to what?? How do I get rid of this? No option to delete or anything.
JeremyNicoll Posted March 16, 2019
I think it may mean that the object shouldn't have been quarantined, but was because of a false positive. Now signatures have changed and it's possibly offering to restore the item to where it came from. (I'm guessing based on something I read in another thread a few days ago.)
JeremyNicoll Posted March 16, 2019
Alternatively, Settings - Advanced - Quarantine re-scan after updates.... you could turn this off so things don't get rescanned (at least until GT500 can produce better advice).
Peter2150 Posted March 16, 2019
Thanks Jeremy. I'll try that. No option to just delete the thing though.
JeremyNicoll Posted March 16, 2019
There's no reason why the average user would want to delete a falsely-quarantined file though... that's the sort of thing likely to cause grief. It's better that the unnecessary quarantine action is reversed. Of course if the quarantining has drawn their attention to a file they know they don't want, they can unquarantine it and then delete it as they would any other file.
Peter2150 Posted March 16, 2019
I saw no option to either delete or unquarantine.
JeremyNicoll Posted March 16, 2019
/If/ the question was asking you if the thing should be unquarantined, then you did. The normal quarantine display in the gui has a Delete button, which is presumably active if you select a listed object.
Peter2150 Posted March 16, 2019
Okay, thanks. That is not what I am seeing in this case.
JeremyNicoll Posted March 17, 2019
Are you saying that (after answering, or not, the repeated question), that if you go into the Quarantine view, there's no object listed?
Peter2150 Posted March 17, 2019
There is an object listed, but no options to delete or unquarantine. Note the object is from a click to run installation, and when it was quarantined the program re-downloaded it.
JeremyNicoll Posted March 17, 2019
What does "click to run" mean? Is it something different from a normal installer/exe that a browser downloads where one can instead r-click it and save the thing before running it?
It sounds as if you have two issues: the garbled/incomprehensible message you were getting, and also the Quarantine gui interface not showing you standard buttons. The latter surprises me, because - although I have no objects quarantined right now, the gui view of the Quarantine contents does have buttons, under the (empty) grid.
JeremyNicoll Posted March 17, 2019
Does the re-downloaded file also get quarantined, and then again and again? If it does it suggests signatures are still identifying it, which in turn casts doubt on the idea that EAM had decided earlier quarantining was in error.
Peter2150 Posted March 17, 2019
No, it didn't. Probably a different file. Typical for click to run.
Peter2150 Posted March 17, 2019
Problem solved. Can't delete the quarantine in Windows, so I booted to a winpre 10 RE and deleted it that way. It's gone.
GT500 Posted March 18, 2019
This could have been due to some sort of corruption of the Quarantine files. In cases like that, you should be able to right-click on the EAM System Tray icon, select Shut down protection, and once a2service.exe is no longer running it should be possible to manually delete anything in the Quarantine folder.
Peter2150 Posted March 19, 2019
Ah, thanks Arthur. I didn't think of that. Also thanks to Jeremy for the assist.
Pete
GT500 Posted March 19, 2019
You're welcome.
Peter2150 Posted March 19, 2019
Hi Jeremy,
Click to run doesn't install normally. It allows a software author to do updates. The program starts with a DLL kicking it off. All runs out of Appdata. Was a terrible idea.
JeremyNicoll Posted March 20, 2019
Click-to-Run - ah, do you mean: https://support.microsoft.com/en-hk/help/2028653/information-about-office-click-to-run-installations-and-about-related ?
Was the object that ended up in Quarantine removed from the virtual file system that's apparently part of C-t-R, or the normal file system?
@GT500 - What was the garbled pop-up that @Peter2150 mentioned at the start meant to be asking, and is that going to be fixed? Also, bearing in mind that the Quarantine gui panel I see (with nothing in Quarantine) does show a Delete button, why did Peter not see one? Since I see it, I would have thought its presence was in the code that creates the empty quarantine gui panel, and not something possibly dependent on being able to describe the contents of the Quarantine folder.
Assuming Peter was using a MS C-t-R application, and assuming that his logs show the name of the quarantined object, this should be reproducible. Peter, did you experiment with any of this with debug logging on?
GT500 Posted March 20, 2019
10 hours ago, JeremyNicoll said:
> @GT500 - What was the garbled pop-up that @Peter2150 mentioned at the start meant to be asking, and is that going to be fixed? Also, bearing in mind that the Quarantine gui panel I see (with nothing in Quarantine) does show a Delete button, why did Peter not see one?
I'm really not sure. It's certainly not what the dialog is supposed to say, and the behavior of the dialog in general sounded off from his description. Debug logs might give us an idea what's going on, if it happens again that is.
Peter2150 Posted March 20, 2019
Hi guy
Yes you found the joy of Click to Run. I use a music service that went to that approach. I use Appguard and I always have to turn it off to start the service as it uses Rundll32 to kick things off. When EAM quarantined it, it redownloaded another copy and by then EAM figured out it was a false positive. It may have faked out the delete button because it's a non-standard file in a non-standard location. The new download has not been bothered. This is why I just wanted to clean it out. I didn't see it as an EAM problem, but an artifact of MS.
Pete
JeremyNicoll Posted March 20, 2019
> I didn't see it as an EAM problem, but an artifact of MS.
The nonsensical question in an EAM pop-up must have been an EAM thing though, even if the rest isn't. Maybe it's a template message which is supposed to have words or phrases inserted between parts of the text you saw... in which case someone should be able to work out how EAM could issue it without having the missing words defined.
Peter2150 Posted March 21, 2019
Could be, but at this point I can't duplicate it.
GT500 Posted March 21, 2019
21 hours ago, Peter2150 said:
> Could be, but at this point I can't duplicate it.
If it was Quarantine corruption, then you may have solved the problem by deleting files in the Quarantine.
Peter2150 Posted March 22, 2019
Bottom line. My EAM is happy and I am happy.
Gawg Posted March 22, 2019
Seems sorted to me. One related thing that may or may not be of interest is that I have to exclude several programs in the "exclude from monitoring" box. But I have never had to add anything to the section "Exclude from scanning." I suppose that means protection is only blocking it when it's active? The files themselves with any scan are fine. (Often in more than just the program folder of Windows, also could be users and program data too.) I just exclude all files from the particular program from monitoring. All is fine. Need do nothing at all for scanning, which I do daily. Occasionally I custom scan whole disk, and use the direct disk access option for anything that's ever or currently being flagged.
Never had any malware thanks to Emsisoft for over 2 years, since signing up, so very happy overall, just a few quirky things which are easy to work around. I would like to have my "exclude from monitoring." box empty like my "exclude from scanning" is. If I don't add to exclude from monitoring those programs simply won't work.
JeremyNicoll Posted March 22, 2019
@Peter2150
> Bottom line. My EAM is happy and I am happy.
Fine, but if there's a bug which presents a garbled message someone should fix it.
@Gawg
> Occasionally I custom scan whole disk, and use the direct disk access option for anything that's ever or currently being flagged.
Do you mean you have a custom scan using a predefined list of all the files that have ever previously been flagged? And when you scan those - which is not the whole disk - you have "use direct disk access" turned on? I can't see how you could scan the whole disk and only have "direct disk access" on for some items.
Gawg Posted March 22, 2019
5 hours ago, JeremyNicoll said:
> @Peter2150 > Bottom line. My EAM is happy and I am happy.
> Fine, but if there's a bug which presents a garbled message someone should fix it.
> @Gawg > Occasionally I custom scan whole disk, and use the direct disk access option for anything that's ever or currently being flagged.
> Do you mean you have a custom scan using a predefined list of all the files that have ever previously been flagged? And when you scan those - which is not the whole disk - you have "use direct disk access" turned on? I can't see how you could scan the whole disk and only have "direct disk access" on for some items.
What I mean is I click custom scan, then scan the whole disk, that's it. Takes a while. I only use direct access for things which have been flagged by realtime monitoring, but which I white list as I know it's not harmful. Probably not necessary, but just an extra precaution. By custom scan all I meant was the third option: 1. Quick scan. 2. Malware scan. 3. Custom scan. I suppose I wrote it poorly and made a very simple procedure sound complicated. It's not.
Edit: By direct disk access I simply meant I tick the box "Use direct disk access." which is in the options for custom scan. Can be used for a single file, or whole disk, but Emsisoft recommend NOT using direct access for a whole disk. It's just a very thorough check, and good for rootkits too. To repeat, I check the box "Use direct disk access". It's always available regardless of file, folder, or whole disk.
Edit: I just realized what you meant and you are correct it's not possible to scan whole disk with select bits only Direct access. I never even considered that because it's impossible. Just to be clear. I scan the whole disk without direct access. Then a new scan or scans of flagged program only. It only takes a few seconds. Absolutely it's not both in one scan. A misunderstanding I think. Is that right?
Edited March 22, 2019 by Gawg: Added about direct access
GT500 Posted March 22, 2019
5 hours ago, JeremyNicoll said:
> Fine, but if there's a bug which presents a garbled message someone should fix it.
If he can't reproduce it and provide debug logs, then we'll more than likely not be able to determine why it happened. For now we can only make assumptions.