ParhaM

what this setting is for?


Hi
the option i'm asking about is this in Advanced section:
11.PNG.be5e7115724c3ba89f393ae7fc8b6303.PNG

and what happens if we check or uncheck it, this was checked by default i think
i've unchecked it to see if there be any difference or not and i did not see any difference 🤔

  • Upvote 1


Did you read: https://help.emsisoft.com/en/2270/advanced-settings/   ?

I think it only matters for programs that appear to be doing something odd.  When EAM might at first think that they are malware, it will look online (if you have also chosen "Look up reputation of programs").  Then, if the online system thinks the program is ok, it will allow it if you have also set "Automatically allow...".

So, when you tested to see if there's a difference, were you running a program that tried to do something suspicious?

Was that program one that EAM (or you) hadn't already created a rule for?

Do you have "Look up reputation..." set?

  • Like 1


yes i have Look up rep set
and yes i tested files with suspicious behavior that BB blocked them, i did not see any difference in the alert or anything from EAM when i've unchecked that auto allow programs with good rep
 

20 minutes ago, JeremyNicoll said:

When EAM might at first think that they are malware, it will look online (if you have also chosen "Look up reputation of programs").  Then, if the online system thinks the program is ok, it will allow it if you have also set "Automatically allow...".

well this is the easy part, i'd like to know what happens if i did not have that auto allow checked 🤔 like it won't allow the program to run? or something?
i think it might be something that works when we set the BB to "Alert" not auto resolve actually, then it will also ask for programs that have good rep also? not sure tho

and i also did not notice any difference between when BB set on "auto resolve with lookup notification" and "auto resolve and notification for threats only" like i have run some samples that i had and checked both options there were no difference like at all.

  • Upvote 1

15 hours ago, Mr.Pr said:

Hi
the option i'm asking about is this in Advanced section:
11.PNG.be5e7115724c3ba89f393ae7fc8b6303.PNG

and what happens if we check or uncheck it, this was checked by default i think
i've unchecked it to see if there be any difference or not and i did not see any difference 🤔

That setting tells the Behavior Blocker not to take action against programs that are known to be good on our Anti-Malware Network when they exhibit behavior that the BB monitors for.

This setting does not have any effect for digitally signed applications, and it also has no effect on applications that there is already a local rule to allow. This is why you are seeing no difference with it off.

On 5/24/2020 at 7:38 AM, Mr.Pr said:

and i also did not notice any difference between when BB set on "auto resolve with lookup notification" and "auto resolve and notification for threats only" like i have run some samples that i had and checked both options there were no difference like at all.

Thanks @GT500
how about this one?

2 hours ago, Mr.Pr said:

how about this one?

"Auto resolve, with lookup notifications" causes EAM to display a notification when it's checking the safety of a program with our Anti-Malware Network, whereas the default setting (Auto resolve, notifications for threats only) will only display a notification if the BB is taking action against an application.

21 minutes ago, GT500 said:

"Auto resolve, with lookup notifications" causes EAM to display a notification when it's checking the safety of a program with our Anti-Malware Network, whereas the default setting (Auto resolve, notifications for threats only) will only display a notification if the BB is taking action against an application.

the thing is i did not see the action you're talking about. i've executed so many samples so far with BB set to show lookup notifications 🤔

1 minute ago, Mr.Pr said:

the thing is i did not see the action you're talking about. i've executed so many samples so far with BB set to show lookup notifications 🤔

Did you revert your application rule back to factory defaults before testing? The option is in the advanced settings.

image.png
1 minute ago, GT500 said:

Did you revert your application rule back to factory defaults before testing? The option is in the advanced settings.

 

i'm pretty sure that there is no custom rule for any applications in my EAM but i did that and still i just get the message that the program is being blocked by behavior blocker or Anti-Malware Network and that's about it. can you provide a screenshot of the actual message that should have popped up with that setting being on? lookup notification i mean

11 minutes ago, Mr.Pr said:

can you provide a screenshot of the actual message that should have popped up with that setting being on? lookup notification i mean

Sure:

image.png
On 5/25/2020 at 10:44 PM, GT500 said:

i'm really confused about this then. would you please check this video i've recorded about the problem i'm facing?
it just skip the verification or what?
https://gofile.io/d/pYM1Pn

does this text show up only when a file recognized as SAFE by Anti-Malware Network or i'm missing something?


I see from the video that you have File Guard set to Paranoid.  I have mine set to Thorough... and have found various instances of EAM doing things in ways I do not find intuitive. 

All the normal explanations you get given here assume you have FG set to Default - which is its least sensitive setting.   

My impression is that on Thorough, and I'm sure, Paranoid, different bits of EAM act in a sequence that certainly doesn't make sense to me, and neither bit seems to be able to co-operate with the other part.   You're probably seeing a FG detection based on scanning the file before it runs, plus a Behaviour Blocker one after it starts to run.  Or something.

20 hours ago, ParhaM said:

does this text show up only when a file recognized as SAFE by Anti-Malware Network or i'm missing something?

The screenshot I posted is the notification displayed when a file is safe.

As for your video, it does contain the lookup notification. The following screenshot of the video was taken at 46 seconds. Your Internet connection is probably fast enough that the Anti-Malware Network lookup completes faster than you can really see the notification, and it's immediately replaced by a BB quarantine notification.

cap_Rec_200003_00_00_46_01.png

  • Like 1

On 5/29/2020 at 10:39 PM, GT500 said:

Your Internet connection is probably fast enough that the Anti-Malware Network lookup completes faster than you can really see the notification, and it's immediately replaced by a BB quarantine notification.

i'm sure my Internet connection is not faster than yours considering you were able to see the result of the action

On 5/25/2020 at 10:44 PM, GT500 said:

and again considering i'm from Iran and the Average of Internet connection speed is about 2Mbit/s here so it is definitely not because my connection speed is fast enough, cause if mine is fast enough then yours is faster for sure and yet you were able to see the thing you know.. hope you get my point.
why we should not consider the reason might be that my system could not connect to Emsisoft Anti-Malware Network (it's not this cause i've had malwares blocked by AM Network)? or something went wrong i don't know


> i'm sure my Internet connection is not faster than yours considering you were able to see the result of the action

The speed of Arthur's internet connection is not relevant.

He (and I, and anyone else) can see the sequence of notifications /in the video/ by stopping it at the 46-second point then clicking to move the "current point" back and forth on the video timeline.  In real time (as it happened for you) it's probably impossible to see that sequence but the video frame-by-frame sequence makes it possible.

@GT500 - it would be sensible if the notification display logic were changed.  Although a user can choose where on the screen a notification will be displayed, that preference should only apply if there is no other notification already displayed.  If multiple ones are needed they should not completely overlay previous ones. 

  • Like 1

11 minutes ago, JeremyNicoll said:

The speed of Arthur's internet connection is not relevant.

He (and I, and anyone else) can see the sequence of notifications /in the video/ by stopping it at the 46-second point then clicking to move the "current point" back and forth on the video timeline.  In real time (as it happened for you) it's probably impossible to see that sequence but the video frame-by-frame sequence makes it possible.

i could see that too, my problem is that i did not see the "result" of that verifying status with Anti-Malware Network. i just saw that it's checking. but in the screenshot that Arthur provided, we can actually see the result of that verifying that's the point of the whole thing right? user see that if file is SAFE or not by Anti-Malware Network so he/she can like decide that if BB blocking the file is false positive or something..

17 minutes ago, ParhaM said:

i could see that too, my problem is that i did not see the "result" of that verifying status with Anti-Malware Network. i just saw that it's checking. but in the screenshot that Arthur provided, we can actually see the result of that verifying that's the point of the whole thing right? user see that if file is SAFE or not by Anti-Malware Network so he/she can like decide that if BB blocking the file is false positive or something..

the problem sounds fixed now i didn't reproduce since last week and i just checked it again, i can see the result of verifying with AM Network now
not sure what was the problem however


What I see when I watch the video carefully is:   First you run "Pubg_Lite Cheat.exe".   That gets an alert (presumably from File Guard) which says

   gets alert Trojan   C:\hostwin\runtimereview.exe

and it says that that was detected and quarantined. 

 

It's not clear to me how that relates to what happens next, which is that the BB says "suspicious behaviour" in

    C:\hostwin\d8Ct...........bat      & Verifying with AMN

Then there's a pane that says

 

    "Suspicious behaviour detected and stopped"
    C:\hostwin\d8Ct...........bat

    Program will be quarantined in 9s

                 OK              Wait, I think it is safe

 

For some reason you expect to see a pane telling you what the result of the AMN lookup was? 

But in Advanced Settings you have:

   YES   Look up reputation
   NO    Automatically      allow programs with good reputation
   YES   Automatically quarantine programs with bad  reputation

(You need the   "   YES   Look up reputation"  set for the lookup to happen, ... and we know it did happen because you got "Verifying with AMN" earlier.)

The AMN clearly thinks the file is bad, so

     YES   Automatically quarantine programs with bad  reputation

applies.  So you get the pane telling you ("Program will be quarantined in 9s") that the file is about to be quarantined.

 

What did you expect that is different?

 

13 hours ago, JeremyNicoll said:

@GT500 - it would be sensible if the notification display logic were changed.  Although a user can choose where on the screen a notification will be displayed, that preference should only apply if there is no other notification already displayed.  If multiple ones are needed they should not completely overlay previous ones.

The Behavior Blocker is capable of producing a significant number of notifications in rapid succession. They have to be contained to prevent blocking too much screen real estate, otherwise they become too much of a nuisance. Currently we handle that by only allowing a single notification on the screen at a time.

Also, in this case, as soon as EAM receives information from our servers about the process being queried, the notification that it's looking up the reputation becomes irrelevant since EAM is done doing that and is ready to tell you what it found. That's why the notification changes immediately instead of waiting for its normal timeout period.

 

13 hours ago, ParhaM said:

i could see that too, my problem is that i did not see the "result" of that verifying status with Anti-Malware Network.

This was the result:

cap_Rec%200003_00_00_47_01.png

  • Like 1

8 hours ago, GT500 said:

The Behavior Blocker is capable of producing a significant number of notifications in rapid succession. They have to be contained to prevent blocking too much screen real estate, otherwise they become too much of a nuisance. Currently we handle that by only allowing a single notification on the screen at a time.

Also, in this case, as soon as EAM receives information from our servers about the process being queried, the notification that it's looking up the reputation becomes irrelevant since EAM is done doing that and is ready to tell you what it found. That's why the notification changes immediately instead of waiting for its normal timeout period.

OK... provided there's never a possibility that a more important notification is covered by a less important one.

15 hours ago, JeremyNicoll said:

OK... provided there's never a possibility that a more important notification is covered by a less important one.

Right now notifications are displayed in the order they are generated. The only instance I am aware of where one notification can supersede another is when the notification being superseded is no longer relevant, and as far as I am aware the only notifications that become irrelevant while they are being displayed like that are the Anti-Malware Network lookup notifications.

