
Quarantine issues



I've got a strange issue. I had an object quarantined, and it's now driving me nuts. I keep getting a pop-up that makes no sense. It says "After re-scanning the quarantined objects  with the updated sign. were previously falsly detected (false  positives). Do you want to now?" It then lists the object quarantined. Do I want to what?? How do I get rid of this? No option to delete or anything.


I think it may mean that the object shouldn't have been quarantined, but was because of a false positive.  Now signatures have changed and it's possibly offering to restore the item to where it came from.   (I'm guessing based on something I read in another thread a few days ago.)


There's no reason why the average user would want to delete a falsely-quarantined file though... that's the sort of thing likely to cause grief.

It's better that the unnecessary quarantine action is reversed.  Of course if the quarantining has drawn their attention to a file they know they don't want, they can unquarantine it and then delete it as they would any other file. 


What does "click to run"  mean?   Is it something different from a normal installer/exe that a browser downloads where one can instead r-click it and save the thing before running it?

It sounds as if you have two issues: the garbled/incomprehensible message you were getting, and also the Quarantine gui interface not showing you standard buttons.  The latter surprises me, because - although I have no objects quarantined right now, the gui view of the Quarantine contents does have buttons, under the (empty) grid.


This could have been due to some sort of corruption of the Quarantine files. In cases like that, you should be able to right-click on the EAM System Tray icon, select Shut down protection, and once a2service.exe is no longer running it should be possible to manually delete anything in the Quarantine folder.


Click-to-Run - ah, do you mean: https://support.microsoft.com/en-hk/help/2028653/information-about-office-click-to-run-installations-and-about-related  ?

Was the object that ended up in Quarantine removed from the virtual file system that's apparently part of C-t-R, or the normal file system?

@GT500 - What was the garbled pop-up that @Peter2150 mentioned at the start meant to be asking, and is that going to be fixed?   Also, bearing in mind that the Quarantine gui panel I see (with nothing in Quarantine) does show a Delete button, why did Peter not see one?   Since I see it, I would have thought its presence was in the code that creates the empty quarantine gui panel, and not something possibly dependent on being able to describe the contents of the Quarantine folder.

Assuming Peter was using a MS C-t-R application, and assuming that his logs show the name of the quarantined object, this should be reproducible.  Peter, did you experiment with any of this with debug logging on?


10 hours ago, JeremyNicoll said:

> @GT500 - What was the garbled pop-up that @Peter2150 mentioned at the start meant to be asking, and is that going to be fixed?   Also, bearing in mind that the Quarantine gui panel I see (with nothing in Quarantine) does show a Delete button, why did Peter not see one?

I'm really not sure. It's certainly not what the dialog is supposed to say, and the behavior of the dialog in general sounded off from his description. Debug logs might give us an idea what's going on, if it happens again that is.


Hi guy

 

Yes, you found the joy of Click to Run. I use a music service that went to that approach. I use Appguard and I always have to turn it off to start the service as it uses Rundll32 to kick things off. When EAM quarantined it, it redownloaded another copy, and by then EAM figured out it was a false positive. It may have faked out the delete button because it's a non-standard file in a non-standard location. The new download has not been bothered. This is why I just wanted to clean it out. I didn't see it as an EAM problem, but an artifact of MS.

 

Pete


> I didn't see it as an EAM problem, but an artifact of MS.

The nonsensical question in an EAM pop-up must have been an EAM thing though, even if the rest isn't.   Maybe it's a template message which is supposed to have words or phrases inserted between parts of the text you saw... in which case someone should be able to work out how EAM could issue it without having the missing words defined.


Seems sorted to me.

One related thing that may or may not be of interest is that I have to exclude several programs in the "exclude from monitoring" box. But I have never had to add anything to the section "Exclude from scanning." I suppose that means protection is only blocking it when it's active? The files themselves with any scan are fine. (Often in more than just the program folder of Windows, also could be users and program data too.)

I just exclude all files from the particular program from monitoring. All is fine. Need do nothing at all for scanning, which I do daily. Occasionally I custom scan whole disk, and use the direct disk access option for anything that's ever or currently being flagged.

Never had any malware thanks to Emsisoft for over 2 years, since signing up, so very happy overall, just a few quirky things which are easy to work around. I would like to have my "exclude from monitoring" box empty like my "exclude from scanning" is. If I don't add to exclude from monitoring, those programs simply won't work.


@Peter2150 > Bottom line.   My EAM is happy and I am happy,

Fine, but if there's a bug which presents a garbled message someone should fix it.

 

@Gawg > Occasionally I custom scan whole disk, and use the direct disk access option for anything that's ever or currently being flagged.

Do you mean you have a custom scan using a predefined list of all the files that have ever previously been flagged?  And when you scan those - which is not the whole disk - you have "use direct disk access" turned on?   I can't see how you could scan the whole disk and only have "direct disk access" on for some items.


5 hours ago, JeremyNicoll said:

> @Peter2150 > Bottom line.   My EAM is happy and I am happy,
>
> Fine, but if there's a bug which presents a garbled message someone should fix it.
>
> @Gawg > Occasionally I custom scan whole disk, and use the direct disk access option for anything that's ever or currently being flagged.
>
> Do you mean you have a custom scan using a predefined list of all the files that have ever previously been flagged?  And when you scan those - which is not the whole disk - you have "use direct disk access" turned on?   I can't see how you could scan the whole disk and only have "direct disk access" on for some items.

What I mean is I click custom scan, then scan the whole disk, that's it. Takes a while. I only use direct access for things which have been flagged by realtime monitoring, but which I white list as I know it's not harmful.

Probably not necessary, but just an extra precaution. By custom scan all I meant was the third option 1. Quick scan. 2. Malware scan. 3. Custom scan. I suppose I wrote it poorly and made a very simple procedure sound complicated. It's not.

Edit: By direct disk access I simply meant I tick the box "Use direct disk access", which is in the options for custom scan. Can be used for a single file, or whole disk, but Emsisoft recommend NOT using direct access for a whole disk. It's just a very thorough check, and good for rootkits too. To repeat, I check the box "Use direct disk access". It's always available regardless of file, folder, or whole disk.

Edit:

I just realized what you meant, and you are correct: it's not possible to scan whole disk with select bits only Direct access. I never even considered that because it's impossible.

Just to be clear. I scan the whole disk without direct access. Then a new scan or scans of flagged program only. It only takes a few seconds. Absolutely it's not both in one scan.

A misunderstanding I think.  Is that right? 

Edited by Gawg
Added about direct access

5 hours ago, JeremyNicoll said:

> Fine, but if there's a bug which presents a garbled message someone should fix it.

If he can't reproduce it and provide debug logs, then we'll more than likely not be able to determine why it happened. For now we can only make assumptions.

