sdalgl72

Impressed on my return


I am currently trialling EAM again and I am impressed so far; it hasn't triggered on any Steam games like it used to. Have there been any changes to the BB since I've been gone to fix the triggering on Steam games? I remember Steam triggering it, and I am currently wondering if there might be something wrong with my new install of EAM.

18 hours ago, sdalgl72 said:

Have there been any changes to the BB since I've been gone to fix the triggering on Steam games?

We make occasional changes to the Behavior Blocker, and more frequently to its behavioral detection rules as well. I'm not aware of any specifically for Steam games, however we do try to reduce behavioral detection matches for legitimate applications as much as possible.

 

18 hours ago, sdalgl72 said:

... I remember Steam triggering it, and I am currently wondering if there might be something wrong with my new install of EAM.

Steam itself is digitally signed by Valve Software, and should never trigger the Behavior Blocker.

Games are a different matter, as they are very rarely digitally signed, and thus there is no easy way to automatically establish trust in them. Sometimes they can also be unstable when hooked by third-party applications (such as Anti-Virus software).

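The reply above rests on one distinction: Steam's client is Authenticode-signed by Valve, while most game executables are not, so the Behavior Blocker has nothing to anchor trust on and falls back to behavioral rules. The script below is an added example, not code from the thread or from Emsisoft, that checks that distinction on your own install: it reports the signature status of steam.exe and then inventories every .exe under steamapps\common, listing the unsigned ones (the candidates for an Application Rule) together with their SHA1, the same hash EAM prints in its Behavior Blocker log entries. The Steam library path is an assumption; change it to match your install.

```powershell
# Added example (not from the thread or from Emsisoft): which Steam executables carry a
# valid Authenticode signature, and which do not. Assumes the default Steam install path.
param(
    [string]$SteamLibrary = "C:\Program Files (x86)\Steam"   # assumption: adjust to your install
)

function Get-ExeTrustReport {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # SHA1 so the value can be compared with the hash EAM writes to its log.
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            [PSCustomObject]@{
                Path   = $_.FullName
                Signed = ($sig.Status -eq 'Valid')
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA1   = $hash
            }
        }
}

# 1. The client itself: expected to be Valid with a Valve Corporation subject.
$client = Join-Path $SteamLibrary 'steam.exe'
if (Test-Path $client) {
    $s = Get-AuthenticodeSignature -FilePath $client
    Write-Output ("steam.exe: {0} ({1})" -f $s.Status, $s.SignerCertificate.Subject)
}

# 2. The games: everything under steamapps\common.
$report = Get-ExeTrustReport -Root (Join-Path $SteamLibrary 'steamapps\common')

# Unsigned binaries are the ones the Behavior Blocker cannot trust automatically.
Write-Output ("Unsigned executables: {0} of {1}" -f
    ($report | Where-Object { -not $_.Signed }).Count, $report.Count)
$report | Where-Object { -not $_.Signed } | Format-Table Path, Status, SHA1 -AutoSize

# HashMismatch means the file is signed but its contents no longer match the signature;
# that is the one status worth a second look rather than a rule.
$report | Where-Object { $_.Status -eq 'HashMismatch' } | Format-Table Path, Signer -AutoSize

# Keep the inventory so a game update (new SHA1) can be spotted later.
$report | Export-Csv -Path (Join-Path $env:TEMP 'steam-exe-trust.csv') -NoTypeInformation
```

A Valid status only says the file is signed by a certificate that chains to a root your machine trusts; it is not a statement about the publisher's intent. NotSigned is the normal result for a game and is exactly why the Behavior Blocker judges such binaries on behavior instead, so a game that shows up in this list and then trips a rule like CodeInjector is a candidate for the Application Rule described later in the thread, not a sign that the install is broken.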

If you want to make sure the Behavior Blocker is working, there's a batch file in the ZIP archive at the following link that should trigger a detection when you run it:
https://www.gt500.org/emsisoft/bb_test.zip

Just extract it somewhere, double-click on the batch file, and let Emsisoft Anti-Malware quarantine it. If you don't allow it to be quarantined, then it won't work as an effective test anymore.


> If you don't allow it to be quarantined, then it won't work as an effective test anymore.

Surely that depends on whether (if not choosing to quarantine it) someone picks "allow once" or "allow always"? With "allow once", I'd expect another alert if I tried to run it again.

16 hours ago, JeremyNicoll said:

Surely that depends on whether (if not choosing to quarantine it) someone picks "allow once" or "allow always"? With "allow once", I'd expect another alert if I tried to run it again.

Notifications don't have those options. They only have "OK" and "Wait, I think this is safe".


I risked it for a biscuit, as it says you're an Emsisoft employee, and it did in fact quarantine it. I can't remember exactly what the notification said, but one option added it to my local block list and the other was "I thought it was safe". Otherwise, if the timer ran out, it would have quarantined itself.

5 hours ago, GT500 said:

Notifications don't have those options. They only have "OK" and "Wait, I think this is safe".

Well, I tried it, and I did get that question. I expect that's us back to the 'problem' of having File Guard set to 'Thorough'. It's exasperating that behaviour is different then, rather than just applied more often, IYSWIM.

18 hours ago, sdalgl72 said:

I risked it for a biscuit, as it says you're an Emsisoft employee, and it did in fact quarantine it.

Good, that means the Behavior Blocker is working. 👍

 

16 hours ago, JeremyNicoll said:

Well, I tried it, and I did get that question. I expect that's us back to the 'problem' of having File Guard set to 'Thorough'. It's exasperating that behaviour is different then, rather than just applied more often, IYSWIM.

You have the Behavior Blocker set to show alerts instead of notifications. Here's a screenshot showing the default setting:

[screenshot: image.png]


Spoke too soon. I just went to run a game that had recently updated, only to have the BB block it. I tried to report it as a false positive, but because it's over 15 MB it won't let me.

15 hours ago, sdalgl72 said:

Spoke too soon. I just went to run a game that had recently updated, only to have the BB block it. I tried to report it as a false positive, but because it's over 15 MB it won't let me.

Just click "Wait, I think this is safe" in the notification. Once enough people have done that, Emsisoft Anti-Malware will start allowing that behavior for that game for everyone.

5 hours ago, GT500 said:

Just click "Wait, I think this is safe" in the notification. Once enough people have done that, Emsisoft Anti-Malware will start allowing that behavior for that game for everyone.

Thanks. I had to go in and take it out of quarantine, because I didn't get the pop-up; it just blocked it.

I assume I didn't get the notification, even though the logs say I did, because of a switch to Silent Mode maybe; can't really tell.

 

Quote

19/02/2020 15:40:10
Behavior Blocker detected suspicious behavior "CodeInjector" of C:\Program Files (x86)\Steam\steamapps\common\theHunterCotW\theHunterCotW_F.exe (SHA1: C600FBDFC3C894A8AE7742E846EBCA1C67FAB42D)

19/02/2020 15:40:19
A notification message "Suspicious behavior has been found in the following program: C:\Program Files (x86)\Steam\steamapps\common\theHunterCotW\theHunterCotW_F.exe" has been shown

That's what the log said for the event. One of the two options possibly added it to my exclusions, so will it send the data back that way?

17 hours ago, sdalgl72 said:

Thanks. I had to go in and take it out of quarantine, because I didn't get the pop-up; it just blocked it.

I assume I didn't get the notification, even though the logs say I did, because of a switch to Silent Mode maybe; can't really tell.

Correct, Silent Mode blocks the notifications, so EAM just takes its default action.

 

17 hours ago, sdalgl72 said:

One of the two options possibly added it to my exclusions, so will it send the data back that way?

No, it needs to be an Application Rule, which can be added from the Behavior Blocker settings while the game is running. You'll need to remove it from the exclusions before you can edit the rule for the application, so the easy way to do it is to configure the game to run in windowed mode so that EAM doesn't enter Silent Mode, remove it from exclusions, and then re-launch the game so that you can see the notification.

6 hours ago, GT500 said:

Correct, Silent Mode blocks the notifications, so EAM just takes its default action.

 

No, it needs to be an Application Rule, which can be added from the Behavior Blocker settings while the game is running. You'll need to remove it from the exclusions before you can edit the rule for the application, so the easy way to do it is to configure the game to run in windowed mode so that EAM doesn't enter Silent Mode, remove it from exclusions, and then re-launch the game so that you can see the notification.

I removed the file as an exclusion, ran the game in windowed mode and didn't get any alerts. I read the logs and looked at the BB, and it still had the process as excluded, so I just edited the rule to trusted. Is that OK?

15 hours ago, sdalgl72 said:

I removed the file as an exclusion, ran the game in windowed mode and didn't get any alerts. I read the logs and looked at the BB, and it still had the process as excluded, so I just edited the rule to trusted. Is that OK?

If you were able to edit the rule manually, then yes that's fine.

Feel free to do that with any of your games, and be sure to select not to notify you when they change (unless you prefer to get a notification each time a game is updated).
