stapp

NEW Beta 9869


16 hours ago, JeremyNicoll said:

Win 8.1, auto-update here ok, but the GUI's Quarantine pane still shows nothing despite files being present in the \Quarantine folder.

Only files with the .EQF extension are correctly encrypted files and will be visible in the Quarantine panel.

All other files are not correctly encrypted or had other issues. You can remove them manually.

We keep such files in that folder for situations where (even faulty) files are so important that they require to be analyzed by our lab and eventually restored, although I never saw such a request.


C:\>dir "C:\Program Files\Emsisoft Internet Security\Quarantine"
 Volume in drive C has no label.
 Volume Serial Number is F607-7930

 Directory of C:\Program Files\Emsisoft Internet Security\Quarantine

01/12/2019  19:50    <DIR>          .
01/12/2019  19:50    <DIR>          ..
01/12/2019  19:47                26 0ed050c8-7392-4cbc-abaf-1ed4a1b8e9f7.EQF.EIQF
01/12/2019  19:50                26 8d974b5a-b9f9-425d-a92d-24f326157c48.EQF.EIQF
               2 File(s)             52 bytes
               2 Dir(s)  203,809,226,752 bytes free

Both files got there when I tested the download of the eicar test file as described earlier, after EAM asked if the files should be quarantined and I clicked on the relevant button.

If the files are not supposed to be there, EAM should not have put them there. If they are corrupt in some way, then it was EAM that corrupted them.

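A small parser for the listing above, added here as an illustration and not code from Emsisoft or from anyone in the thread: it reads `dir` output, keeps the file entries, and applies the rule stated earlier in the thread (only a final `.EQF` extension is shown in the Quarantine panel) to report which files the panel will not list. The listing from the post is embedded as the sample input; the `visible_in_panel` rule is taken from the reply above, and the record and function names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: the `dir` output quoted in the thread, embedded so this runs offline.
DIR_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is F607-7930

 Directory of C:\\Program Files\\Emsisoft Internet Security\\Quarantine

01/12/2019  19:50    <DIR>          .
01/12/2019  19:50    <DIR>          ..
01/12/2019  19:47                26 0ed050c8-7392-4cbc-abaf-1ed4a1b8e9f7.EQF.EIQF
01/12/2019  19:50                26 8d974b5a-b9f9-425d-a92d-24f326157c48.EQF.EIQF
               2 File(s)             52 bytes
               2 Dir(s)  203,809,226,752 bytes free
"""

# One file entry of dir.exe output: date, time, size in bytes, name.
# <DIR> lines and the summary lines have no numeric size in that position and do not match.
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d,]+)\s+(.+?)\s*$")


@dataclass
class QuarantineEntry:
    date: str
    time: str
    size: int
    name: str
    visible_in_panel: bool  # True only when the final extension is .EQF (rule from the thread)


def parse_dir_listing(text):
    """Return one QuarantineEntry per file line in a dir.exe listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        date, time, size, name = m.groups()
        entries.append(
            QuarantineEntry(
                date=date,
                time=time,
                size=int(size.replace(",", "")),
                name=name,
                visible_in_panel=name.upper().endswith(".EQF"),
            )
        )
    return entries


def leftovers(entries):
    """Names of files the Quarantine panel will not show; per the thread, these can be removed by hand."""
    return [e.name for e in entries if not e.visible_in_panel]


if __name__ == "__main__":
    for e in parse_dir_listing(DIR_LISTING):
        status = "shown in panel" if e.visible_in_panel else "NOT shown in panel"
        print(f"{e.date} {e.time} {e.size:>6} {e.name}  [{status}]")
```

Run against the real folder, replace `DIR_LISTING` with the captured output of `dir "C:\Program Files\Emsisoft Internet Security\Quarantine"`; the classification only depends on the final extension, so a `.EQF.EIQF` name is reported as a leftover while a plain `.EQF` name is reported as visible.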

This probably happens because moving to quarantine doesn't succeed, because the browser deleted the source file already.

If you set File Guard to another scan level than Default, such issues are expected when 3rd party apps take care of deleting detections.

It's a similar situation when you have multiple AVs installed.

It's a minor thing, and most important is that the malware is caught and deleted before it can do harm.


> It's a minor thing, and most important is that the malware is caught and deleted before it can do harm.

Yes, I suppose that's true. But if (real malware rather than Eicar test files) can't be dug out of Quarantine and sent to Emsisoft for analysis, isn't there a problem? And - worse in some ways - if these files had been false positives that got quarantined, by not showing them in the Quarantine GUI pane I wonder how you'd expect a user to find them and reinstate them?

> This probably happens because moving to quarantine doesn't succeed, because the browser deleted the source file already.

Why would it do that? I used Chrome for my experiments, so presumably the IOfficeAntivirus/AMSI integration caused Chrome to ask EAM if the file was ok. EAM produced an alert and asked me what should be done with the file.

Surely Chrome does not have the opportunity to delete a file until the EAM code returns control to Chrome? Why would EAM return control to the browser before it has done what the user asked, and actually put the file into Quarantine?

In any case, the evidence (two files in Quarantine, with the date/time stamps of these Eicar file experiments) is that /EAM put them there/.

If they don't represent quarantined files, what are they for? Why, whatever they are, are they not shown in the GUI?


It seems that you do not get the point.

I've tried to explain how it works and why it works like this. Maybe someone else can explain this better.


Frank, no-one else (unless they are also Emsisoft employees) is going to be able to explain it if you can't. We don't have access to the code.

YOU say that these funny files are perhaps because a browser deleted a file. WHY would it do that if EAM is still in the process of deciding whether the file is ok and if not, what to do with it?

You said above "If you set File Guard to another scan level than Default, such issues are expected, when 3rd party apps take care for deletion of detections," ... which I would accept IF the third-party app was not using this much-vaunted integration that Emsisoft says means the browser asks EAM to scan the file. While EAM is doing whatever it does, why on earth would the browser, having asked EAM to do that, delete the file? Why would it know it should, before EAM tells it the file is unsafe?

Separately from that, whatever the files are, WHY does the EAM GUI not show that they are there? It was EAM that put them there.


One more time then

1. A browser or any other app that uses the IOffice AV API to call EAM to scan a file streams the file to EAM.
2. EAM returns: DETECTION OR NO DETECTION.
3. If DETECTION, the browser or any other app deletes the file, not EAM.
4. If you set File Guard to Default, files are NOT scanned when they are saved, which does NOT interfere with IOfficeAV.
5. If you set File Guard to <> Default, files ARE scanned when they are saved, which interferes with IOffice AV, as EAM will try to Quarantine the file too.

That is how it works currently.

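A toy model of the five steps above, added here as an illustration and not Emsisoft's code or a description of EAM internals: one function plays the calling app (stream the file, act on the verdict, delete on DETECTION), another plays File Guard's on-save scan (a quarantine move that only succeeds while the source file still exists), and a `file_guard_default` flag switches step 4 against step 5. The `on_save_first` parameter is an assumption of the model, used only to show that with File Guard off Default the outcome depends on which scan acts first, which is the ordering question raised later in the thread. The detection rule, file name and file content are constructed for the example.

```python
from dataclasses import dataclass, field

DETECTION = "DETECTION"
NO_DETECTION = "NO DETECTION"


@dataclass
class Host:
    """Toy model of one machine: files on disk, EAM's quarantine folder, and an event log."""
    file_guard_default: bool                       # step 4 (True) vs step 5 (False)
    files: set = field(default_factory=set)        # files currently on disk
    quarantine: set = field(default_factory=set)   # files EAM successfully moved
    log: list = field(default_factory=list)

    def scan(self, content):
        # Constructed stand-in for the engine: anything containing "EICAR" is a detection.
        return DETECTION if "EICAR" in content else NO_DETECTION

    def eam_on_save(self, name, content):
        """File Guard's on-save scan. Per step 4 it does nothing at the Default level."""
        if self.file_guard_default:
            return
        if self.scan(content) != DETECTION:
            return
        # Per step 5, EAM tries to quarantine the saved file; the move needs a source file.
        if name in self.files:
            self.files.remove(name)
            self.quarantine.add(name)
            self.log.append(f"EAM quarantined {name}")
        else:
            self.log.append(f"EAM quarantine of {name} failed: source already gone")

    def app_download(self, name, content, on_save_first):
        """Steps 1-3 from the calling app's side; on_save_first is a modelling assumption."""
        self.files.add(name)                       # the app saves the download
        if on_save_first:
            self.eam_on_save(name, content)
        verdict = self.scan(content)               # step 1-2: stream to EAM, get verdict
        self.log.append(f"IOfficeAntivirus verdict for {name}: {verdict}")
        if verdict == DETECTION and name in self.files:
            self.files.remove(name)                # step 3: the app, not EAM, deletes
            self.log.append(f"app deleted {name}")
        if not on_save_first:
            self.eam_on_save(name, content)


def run(file_guard_default, on_save_first):
    """Run one download of a constructed detection and return the resulting Host."""
    h = Host(file_guard_default=file_guard_default)
    h.app_download("eicar-test.com", "EICAR-TEST-CONTENT (constructed)", on_save_first)
    return h


if __name__ == "__main__":
    for default, first in [(True, True), (False, True), (False, False)]:
        h = run(default, first)
        print(f"File Guard Default={default}, on-save scan first={first}:")
        for line in h.log:
            print("   ", line)
        print("    on disk:", sorted(h.files), "quarantine:", sorted(h.quarantine))
```

With File Guard at Default only the app acts and nothing reaches quarantine, which is step 3 as stated. Off Default, if the on-save scan runs first the file lands in quarantine and the app finds nothing left to delete; if the app's deletion lands first, EAM's move has no source file, which is the failed-move situation the earlier reply describes.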

OK, thank you for the information. I'm trying to sort out in my head what the possibilities are. First, can you tell me what precisely you mean by "streams the file to EAM"?

My first thought was you meant some sort of "please test the data that's stored 'here' in memory" request (occurring before the file is saved), but since the (Eicar test files) are actually being written to disk I now think you mean simply that the browser saves the file then asks (via integration) for that file to be examined. Is the "stream" terminology aspect significant?

Fileguard-wise, you're saying that the action the browser has already taken, to save the file, means that (in my case with Fileguard being "thorough") EAM is separately being asked to look at the just-saved file via FileGuard?

In the tests I've done here, my impression is that the FileGuard-triggered test, because it was caused by the save of the file, is being processed by EAM before the browser-integration examination starts. Is that always true, or are these examination requests handled asynchronously? Would e.g. slow file-systems & a huge file ever mean the browser-integration check happens before the Fileguard/save one?
