wallacegal

I marked wait I think it's safe when it wasn't


I had a notification go off today, and the option to either mark it as 'Wait, I think it's safe' or let it go goes by so fast that I marked something as safe when I shouldn't have. When I finally found it, it was marked as a Google Chrome installer, and I'm using Chrome, but I'd not clicked on anything that should have started a download. I couldn't delete the folder, so I deleted the contents and then the folder. How would I mark something like that for quarantine once it's been marked as safe by mistake?

7/23/2020 3:10:24 PM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\Theo\AppData\Local\Temp\CR_58B75.tmp\setup.exe (SHA1: 06677591F4058F36741B388BC1F331841201EF76)

7/23/2020 3:10:27 PM
A notification message "Suspicious behavior has been found in the following program: C:\Users\Theo\AppData\Local\Temp\CR_58B75.tmp\setup.exe" has been shown

7/23/2020 3:10:34 PM
User "CUTHBERT4\SYSTEM" clicked "Wait, I think this is safe"


Presumably "Marking as safe" adds a user-defined rule to the Behaviour Blocker... so you could delete the rule: find it in the BB list of processes (where if it's not running at the time it will be marked as "Stopped"), right-click it and choose "Delete rule".    Next time it's detected make a different choice?   But perhaps first look at the thing.  You don't want to disable genuine updates to Chrome.  I'd have expected a genuine one to be digitally signed, though, and maybe therefore not produce an alert.

 

I plugged your SHA1 hash into the "search" box at VirusTotal.  That shows:
https://www.virustotal.com/gui/file/bdfffe10be52adb2a0f9ac36652811fa86279e43dd5e5580f049ef7dfbda66a2/detection 
that many antimalware apps (in fact, every one of those VT currently uses) think the file is safe; moreover they say it IS digitally signed, and it categorically IS a Google-supplied Chrome installer - see the "Details" tab from that initial results page.   That means the BB alert is probably a mistake, with the BB mistakenly categorising something inside the installer as malware.

 

> ... I'm using Chrome, but I'd not clicked on anything that should have started a download.

There are "google update" services that may or may not be running on your system that can perform automatic updates.   Even venturing into "Help" or "About Chrome" clearly runs some logic to see if an update is pending; I'm not sure if, if one is, it is automatically fetched.  I wouldn't be surprised if it is.   There's also plugins/extensions; I review those occasionally at the special "internal url" / settings page:   chrome://components   and have noticed that if I force Chrome to update specific extra parts from one of my userids, the other userid seems to benefit - suggesting that Chrome is installed "per system" rather than "per user".  

 

2 minutes ago, JeremyNicoll said:

Presumably "Marking as safe" adds a user-defined rule to the Behaviour Blocker... so you could delete the rule: find it in the BB list of processes (where if it's not running at the time it will be marked as "Stopped"), right-click it and choose "Delete rule".    Next time it's detected make a different choice?   But perhaps first look at the thing.  You don't want to disable genuine updates to Chrome.  I'd have expected a genuine one to be digitally signed, though, and maybe therefore not produce an alert.

You know, I barely get 3 seconds to read whatever's in that box. If I'm in the midst of typing something, I have to switch gears and focus on the message and I'm not quarantining something I want to keep but I barely have time to identify anything I'm not expecting, so I think that's rather harsh. I've been using this product for many years and I'm not completely unfamiliar with it but there are some things I don't regularly deal with and couldn't find a way to delete that rule. The ideal thing would be that when that box with the message opens, that it doesn't go away until it's acknowledged one way or the other but I suggested that long ago and was ignored.

As to updates to Chrome and the few extensions that I use, I regularly update things, but was not working on anything that would trigger an update. I'm using the Chrome stable browser right now rather than Canary, so the only thing I should have gotten for Chrome would be the green update arrow in the upper right corner. That's why I don't have a clue what triggered this.

Thank you for your answer on how to delete the rule.



> You know, I barely get 3 seconds to read whatever's in that box.

I didn't know that.    If you look at Settings - Notifications ... and then the top value (for "Real-time detections") how long is it set to?    Here, I have the times for all detections set to 999 seconds (which is between 16 and 17 minutes) so - assuming I'm not away from the pc for ages - I will see and have time to react to at least some detections.   There are parts of the Behaviour Blocker's processing where an early detection notification might be replaced by one describing an automatic decision though, depending on what else you've configured EAM to do.

In Settings - Advanced, about half-way down the list of options there's one "Look up reputation of programs" - which dictates whether EAM will attempt to find out whether other users think a specific program is good or bad, and two options under that ("Automatically allow..." and "Automatically quarantine...") that allow you to determine if the result of such a lookup should tell EAM just to go ahead and do something.  You probably need to have a think about how you have these things set.  Having an antimalware program make its own decisions, faster than you can decide if they are the right ones, is your choice.   Here, I do allow lookup, and I'm happy - if that process thinks a program is ok - to allow it.  But I do not let something get automatically quarantined.

 

> The ideal thing would be that when that box with the message opens, that it doesn't go away until it's acknowledged one way or the other

Well, I agree with that.   But maybe the behaviour you saw isn't how it's meant to happen.  And then again, maybe you've explicitly configured EAM not to do that.  It would help to know the notification time setting and the choices you've made in the Advanced section.

 

> but I suggested that long ago and was ignored.

I am not the person to complain to, though.  I'm just another user.

 

> As to updates to Chrome and the few extensions that I use, I regularly update things, but was not working on anything that would trigger an update. I'm using the Chrome
> stable browser right now rather than Canary, so the only thing I should have gotten for Chrome would be the green update arrow in the upper right corner. That's why I don't
> have a clue what triggered this.

Nor me, but as far as I understand it, Chrome updates itself on its own schedule.   This:
https://www.computerworld.com/article/3211427/whats-in-the-latest-chrome-update.html
from a week ago, albeit slightly ambiguously, suggests that Chrome "updates itself in the background".   I'm not totally sure if that means that updates are fetched AND installed without user intervention, or whether it's just the fetch... but it doesn't sound as if it waits for you to do something.   Me? - I hardly ever use Chrome, and when I do the very first thing I do is visit "Help - About Chrome" to trigger an update if one is pending... so I don't know what regular users see.


I've tried everything from zero to 999 and I still get about 3 seconds so that option doesn't work for me. And my suggestion was early on during a support ticket with one of their techs. So I'm not blaming you at all. I just wish I could change it and it would actually work. Right now, it's set at 10 seconds but still only goes 3.

In the folder for that .tmp file was an executable. I never see that with Chrome. It never downloads anything I have to run unless this is something new. I usually update it using either the help or about or that green arrow and it goes through the process then restarts. I would think, even if it now updates in the background it wouldn't be downloading anything I'd have to click on to start. It's also not anywhere in my downloads. It downloaded straight to the temp folder and all of my downloads are set to go to the download folder for me to deal with later. The whole thing was a bit creepy really. 

Thanks for the reply.

5 hours ago, wallacegal said:

I've tried everything from zero to 999 and I still get about 3 seconds so that option doesn't work for me. And my suggestion was early on during a support ticket with one of their techs. So I'm not blaming you at all. I just wish I could change it and it would actually work. Right now, it's set at 10 seconds but still only goes 3.

Moving your mouse pointer over a notification resets its timer, and holding the mouse pointer over the notification pauses its timer.

 

9 hours ago, wallacegal said:

I couldn't delete the folder so deleted the contents and then the folder. How would I mark something like that for quarantine once it's been marked as safe by mistake?

I'm fairly certain that the Behavior Blocker doesn't keep rules for files that no longer exist, so once you delete the file the rule should be automatically deleted.

 

9 hours ago, wallacegal said:

7/23/2020 3:10:24 PM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\Theo\AppData\Local\Temp\CR_58B75.tmp\setup.exe (SHA1: 06677591F4058F36741B388BC1F331841201EF76)

That SHA1 hash corresponds to the following file:
https://www.virustotal.com/gui/file/bdfffe10be52adb2a0f9ac36652811fa86279e43dd5e5580f049ef7dfbda66a2/details

It appears to be a Google Chrome installer, and is digitally signed by Google. I've asked our malware analysts to look into why the Behavior Blocker may have been triggered by it.
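A scripted version of the check GT500 and JeremyNicoll did by hand, added here as an example (this is not code from the thread, from Emsisoft or from Google): for every CR_*.tmp\setup.exe under the current user's TEMP folder it computes the SHA1 you would paste into the VirusTotal search box and verifies the Authenticode signature locally instead of relying on VirusTotal's "Details" tab. The folder pattern is taken from the paths quoted in the thread; the expected signer name "Google LLC" is an assumption you should adjust for any other vendor's installer. A file that is unsigned, has a broken signature, or is signed by someone else is reported as untrusted.

```powershell
# Added example, not from the thread. Checks CR_*.tmp\setup.exe files in the
# current user's TEMP folder: SHA1 (for a VirusTotal search) plus a local
# Authenticode verification of the signer.

function Get-TempInstallerReport {
    param(
        # Folder to search; the thread's paths are all under %LOCALAPPDATA%\Temp.
        [string]$TempRoot = $env:TEMP,
        # Assumption: a genuine Chrome installer is signed by Google LLC.
        [string]$ExpectedSigner = 'Google LLC'
    )

    # Wildcards are allowed in intermediate path segments, so this matches
    # every CR_xxxxx.tmp folder without enumerating all of TEMP.
    $installers = Get-ChildItem -Path (Join-Path $TempRoot 'CR_*.tmp\setup.exe') -File -ErrorAction SilentlyContinue

    foreach ($file in $installers) {
        $sha1 = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        # 'Valid' means the certificate chains to a trusted root AND the file's
        # current hash matches the signed hash. NotSigned, HashMismatch,
        # NotTrusted and UnknownError are all "do not trust".
        $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $signerOk = ($sig.Status -eq 'Valid') -and ($signer -like "*CN=$ExpectedSigner*")

        [pscustomobject]@{
            Path      = $file.FullName
            SizeBytes = $file.Length
            Modified  = $file.LastWriteTime
            SHA1      = $sha1
            SigStatus = $sig.Status
            Signer    = $signer
            Trusted   = $signerOk
            VTSearch  = "https://www.virustotal.com/gui/search/$sha1"
        }
    }
}

Get-TempInstallerReport | Format-List
```

Run it as the user whose TEMP folder holds the files (the thread's paths are under C:\Users\...\AppData\Local\Temp), and keep the SHA1 rather than the CR_xxxxx name when asking anyone about the file: the name is random, the hash identifies the contents.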


It looks like the certificate the file was signed with isn't blacklisted, so normally the Behavior Blocker wouldn't have been triggered by it. That could indicate that the file was moved or deleted before the signature could be read.


> I've tried everything from zero to 999 and I still get about 3 seconds so that option doesn't work for me.

Well, that strongly suggests that you have the "Lookup" and "Automatically..." options turned on.   The BB displays the initial alert, then does a Lookup, then gets a result and automatically does the preset action and at the same time takes away the alert pane because it no longer needs it because it knows what to do.   If you don't want that to happen you need to turn off the "Automatically..." options.
 

> In the folder for that .tmp file was an executable.

That in itself is not all that unusual (though it may be, for Chrome).  Updaters quite often work in a two-stage process; the first unpacks whatever was downloaded (into a randomly-named folder in %TEMP%) then the thing itself is executed.

I googled for: Temp\CR_xxxxx.tmp     - that being a sort-of generic version of the temporary filename your weird file was given - and there's a handful of posts with people discussing google chrome updates using these sorts of filenames.  It's odd though because it IS only a few posts, and some of those are pretty old.  But see eg: https://www.reddit.com/r/chrome/comments/al8zui/chrome_installing_from_cwindowstemp/

One of the posts describes folders of these names being created by "silent installs" (which are usually run by network administrators to install things on their users' computers without the users knowing it's happening or having to do anything) of the Vivaldi browser (which presumably uses the innards of the Chrome browser and therefore maybe fetches and runs some Chrome updates).   Do you have the Vivaldi browser?   This post was at: https://forum.vivaldi.net/topic/7463/install-property-s-for-windows-installations-sccm/2   Even if you don't use Vivaldi, how about any other Chrome-based browser?

 


Holding my mouse over the warning message does nothing.

The only automatic things I have turned on are the updating for Emsisoft and to automatically quarantine programs with a bad reputation, which wouldn't trigger that message.

Yes, I do have Brave, but it's not running. It's triggered manually by me and I haven't run it in a month, at least. All of the browsers I have are set to a manual trigger in Services.

I just got another message so I'm going to guess this is Google's new way of updating Chrome. I think it's a bit stupid on their part. I'm certainly not going to let it through at this time though until I know for sure what's going on. Unfortunately, Google is a big enough company that I doubt they care that this is going on. It's not what's best for the consumer of course, it's what's easiest for them.

7/24/2020 8:32:10 AM
Medium risk Malware "Behavior.CryptoMalware" in "C:\Users\Theo\AppData\Local\Temp\CR_5BEC7.tmp\setup.exe" quarantined by user CUTHBERT4\XXXXXX(my name)


> The only automatic things I have turned on is the updating for Emsisoft and to automatically quarantine programs with a bad reputation which wouldn't trigger that message.

Correct, it won't cause the message.  But the automatic quarantine is why you earlier only got a few seconds to read the alert and had the decision made for you.

A while back it was possible for users to look at the info stored on the AMN (ie where EAM goes to check file reputations) but that's not been possible for ages.  It's a pity because we have no idea why the earlier file (and maybe this one) are thought bad even though VT thought it was fine.

 

You said: "All of the browsers I have are set to a manual trigger in Services."?     Why would a browser be defined in Services?     Do you mean their updaters?

I wish I understood what is fetching these update files.

Are you running a "Home" version of Windows, or a Pro/Enterprise one?   The latter can, I think, have Policies set that dictate if/how/when updates are looked for.  (I read some webpages about that earlier.) Maybe Pro/Enterprise versions ignore normal user settings?  (They'd have to, to prevent normal users turning off things that Pro/Enterprise system administrators wanted done their way.)

 

Last time around you showed us a log message that started "Behavior Blocker detected suspicious behavior..." which would only happen when the iffy program was actually run.   But this time your log line doesn't mention the Behaviour Blocker ... which would suggest that File Guard regards the file itself as a problem.   Or were there earlier BB messages for this one too? 

 

Did this most recent file's hash also appear to be a genuine Google Chrome file when checked at VirusTotal?

I just had the VT website repeat its scan of the earlier file - which means that signature changes that have occurred since last time might have altered the result.  But all 69 programs still think the earlier file is innocent.

 

Someone had a similar problem (with Brave) a while back: https://support.emsisoft.com/topic/31523-brave-browser-installation-problem/   but they knew they were trying to install Brave, or an update to it... and the file concerned was identified as Brave (on the VT website).

 

20 hours ago, JeremyNicoll said:

Well, that strongly suggests that you have the "Lookup" and "Automatically..." options turned on.   The BB displays the initial alert, then does a Lookup, then gets a result and automatically does the preset action and at the same time takes away the alert pane because it no longer needs it because it knows what to do.   If you don't want that to happen you need to turn off the "Automatically..." options.

Those options are enabled by default, and don't affect the amount of time the notification is displayed for.

BTW: @JeremyNicoll this topic seems to be getting a bit confusing. Do you mind if I handle it?

 

15 hours ago, wallacegal said:

Holding my mouse over the warning message does nothing.

Let's try getting a diagnostic log. The instructions and download are available at the following link:
https://help.emsisoft.com/en/1735/how-do-i-use-the-emsisoft-diagnostic-tool/


I'm sorry, I've spent enough time on this for the past few days. I truly appreciate both of you trying to help, but the message itself is the least of my problems. I've repeatedly checked Chrome and it's up to date so the message that keeps popping up with the CR_XXXX, always a different name by the way, can't be a Chrome update. I'm getting quick enough to say "okay" when it pops up, but it would be nice if I could just blacklist any file named CR_ whatever so the message didn't show constantly. And the message is showing every hour or so.

Regardless, as I said, thank you both so much. Right now, I'll deal with it best I can and figure something out to do with it all in the meantime. I'm by no means a novice to computers, but also not a programmer for Emsisoft. I'm sure though that something will eventually rear its ugly head ;)


Have you tried a tool such as Process Hacker or Process Explorer to see what's launching the Chrome installer from your TEMP folder?

Both of these tools show processes in a tree view so that you can easily tell which processes launched other processes, and you can hover over a process in the list to see a tooltip with the command that was used when launching it.

As an example of the tree view, here's a screenshot showing how slack.exe launched several more instances of slack.exe, upc.exe launched UplayWebCore.exe, and steam.exe launched steamwebhelper.exe which in turn launched more instances of steamwebhelper.exe:

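A scriptable equivalent of the Process Hacker / Process Explorer tree view GT500 describes, added here as an example (not code from the thread or from either tool): for each running setup.exe whose path is under a CR_*.tmp folder it walks ParentProcessId upwards and prints the ancestor chain with command lines, then lists the Google Update services and scheduled tasks, since those are the usual launchers of such an installer on a machine with Chrome. The folder pattern is from the thread; the service prefix gupdate and task prefix GoogleUpdate are the names Google Update normally registers, so confirm them on your own machine. Run it from an elevated prompt, because the thread's log shows the installer running as SYSTEM and command lines of another account's processes are not readable otherwise.

```powershell
# Added example, not from the thread. Walk the parent chain of any running
# CR_*.tmp\setup.exe and list the Google Update launchers. Run elevated.

function Get-ProcessAncestry {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Snapshot the whole process table once and index it by PID.
    $byPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

    $chain = @()
    $seen  = @{}
    $cur   = $ProcessId
    while ($byPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true                   # PID reuse could otherwise form a loop
        $chain += $byPid[$cur]
        $cur = [int]$byPid[$cur].ParentProcessId
        if ($cur -eq 0) { break }             # reached the Idle/System root
    }
    # A parent that has already exited simply ends the chain early.
    return ,$chain
}

function Show-TempInstallerLaunchers {
    $targets = Get-CimInstance Win32_Process -Filter "Name = 'setup.exe'" |
        Where-Object { "$($_.ExecutablePath) $($_.CommandLine)" -match '\\Temp\\CR_[0-9A-Fa-f]+\.tmp\\setup\.exe' }

    if (-not $targets) { Write-Host 'No CR_*.tmp\setup.exe is running right now.' }

    foreach ($t in $targets) {
        $chain = @(Get-ProcessAncestry -ProcessId $t.ProcessId)
        [array]::Reverse($chain)              # print the root ancestor first
        Write-Host "=== setup.exe PID $($t.ProcessId) ==="
        for ($i = 0; $i -lt $chain.Count; $i++) {
            $p = $chain[$i]
            Write-Host ('{0}{1} (PID {2}): {3}' -f (' ' * (2 * $i)), $p.Name, $p.ProcessId, $p.CommandLine)
        }
    }

    # The scheduled tasks start GoogleUpdate.exe on their own schedule and do not
    # depend on the services, so setting the services to Manual does not stop
    # them. Check both before concluding that "nothing" started the installer.
    Write-Host '--- Google Update services ---'
    Get-Service -Name 'gupdate*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
    Write-Host '--- Google Update scheduled tasks ---'
    Get-ScheduledTask -TaskName 'GoogleUpdate*' -ErrorAction SilentlyContinue |
        Select-Object TaskName, State | Format-Table -AutoSize
}

Show-TempInstallerLaunchers
```

Because the installer only lives for a few seconds, leave this running in a loop (or trigger it from the Behavior Blocker notification moment) if the first run reports nothing; the services and tasks section is still useful when no setup.exe is present.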


> @GT500 said: BTW: @JeremyNicoll this topic seems to be getting a bit confusing. Do you mind if I handle it?

Of course not. 

I was wondering though, if Wallacegal is quarantining every instance of this installer, if there's some way to submit those files to Emsisoft so someone can (unpack them? and) find out what they actually contain?   And, are they all apparently signed by Google?


Well, Process Hacker wouldn't run. At all. So I had to use the .zip binary to run it. I just had that same message appear again and looking under Chrome, nothing. The same programs prior to it starting were the ones listed as Emsisoft quarantined it, so I don't know what's triggering it.

8 hours ago, JeremyNicoll said:

I was wondering though, if Wallacegal is quarantining every instance of this installer, if there's some way to submit those files to Emsisoft so someone can (unpack them? and) find out what they actually contain?   And, are they all apparently signed by Google?

I already know what the file in the log entry he posted is. It's a legit Google Chrome installer, digitally signed by Google.

 

5 hours ago, wallacegal said:

Well, Process Hacker wouldn't run. At all. So I had to use the .zip binary to run it. I just had that same message appear again and looking under Chrome, nothing. The same programs prior to it starting were the ones listed as Emsisoft quarantined it, so I don't know what's triggering it.

You could type "google" into the search field in Process Hacker to make it easier to see.

4 hours ago, GT500 said:

I already know what the file in the log entry he posted is. It's a legit Google Chrome installer, digitally signed by Google.

 

You could type "google" into the search field in Process Hacker to make it easier to see.

I'm a she...

The file was tagged again, and I managed to find it under Google Updater so at this point, it's on your tech's end to find out why it's being flagged as a quarantineable program, I guess. The other problem I see though is, and this is on Google's part, I let that first one through and it just sat there so I'm not sure what Google is counting on to trigger the update, but if they're trying to do it silently, it will never get updated. I wouldn't have seen that if it wasn't for Emsisoft and to have it download and then just sit in a temp folder...

16 hours ago, GT500 said:

I already know what the file in the log entry he posted is. It's a legit Google Chrome installer, digitally signed by Google.

That was true of the first file described at the start of the thread.  I checked its hash on VirusTotal (as you'd have seen at post 2).  I would have said we couldn't be quite so sure about all the other files as the OP neither shared their hashes nor confirmed whether she'd checked them herself at VT.   There IS still a mystery: what precisely is triggering these updates, bearing in mind that the OP thinks Chrome is already up to date, and also why is it being offered over and over again.  

Edit: offered over and over again - I suppose that's obvious - it's because whatever is in the update, it's never been installed.

13 minutes ago, JeremyNicoll said:

That was true of the first file described at the start of the thread.  I checked its hash on VirusTotal (as you'd have seen at post 2).  I would have said we couldn't be quite so sure about all the other files as the OP neither shared their hashes nor confirmed whether she'd checked them herself at VT.   There IS still a mystery: what precisely is triggering these updates, bearing in mind that the OP thinks Chrome is already uptodate, and also why is it being offered over and over again.

Again, I'm a 'she'. And there are several instances of the Google updater that must have gotten past whatever protocols Emsisoft is using, but they're all just sitting there. I am not going to be the one to click on one of them and find out what they are/do. I did look at every one of them. There are no hashes on them. Only serial numbers, which your VT can't seem to find.

I have disabled Google Updater in services. I'll see if that stops these foreign installers and they're all labeled as an installer, though they're obviously not automatic at all. As to whether Chrome is up to date or not, clicking the three dots, help, about Chrome gives me this, so it's up to date as far as it's concerned:

Google Chrome is up to date
Version 84.0.4147.89 (Official Build) (64-bit)
 
And I've added the temp folder CR contents that did Not trigger a warning to quarantine:
 


> I'm a she.

The paragraph I'd just written had "she" and "herself" in it.   Before you explicitly said you're female I thought you might be, from the "gal" ending in your name, but I thought I'd taken care not to write anything that made any explicit assumption.  Apart from that I referred to you as "the OP" (ie original poster) because it's quicker to type that than plug your (anyone's) 'name' in; I regard "them", "their" etc as non-specific. 

 

> hashes

At the very start of this thread you showed us a BB log message which contained a hash.  Since then, are all your notifications coming from File Guard?  That is, not the BB?  Do these log messages not also contain a hash?  I just tried to download an iffy file and the log message was

27/07/2020 20:57:25  File Guard detected Malware ...... details ... (SHA1: 3395856CE81F2B7382DEE72602F798B642F14140)

and the part at the end, starting "SHA1:", is a hash.

 

The "serial numbers" on these files: do you mean the 5 letters and digits after the "CR_"?     If so they're completely random, and the five of them can produce more than a million different file names.   The advantage of asking VT questions about files via hash values is that hashes depend on a file's contents, not its name.
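The point JeremyNicoll makes here, that the log line already carries the hash and that the hash, not the CR_xxxxx name, identifies the file, can be turned into a small parser. This is an added example, not code from the thread or from Emsisoft: it reads log text of the shape quoted in this thread (a timestamp line followed by an event line), pulls the path and SHA1 out of each Behavior Blocker detection, records the user's click, and groups detections by hash so you can see whether the differently named folders held the same file or different ones. The sample text is constructed from the lines quoted in the thread, with the user name redacted as in the posts; the line format assumed is exactly what those quoted lines show, so check it against your own log export before relying on it.

```powershell
# Added example, not from the thread. Parse Emsisoft log lines of the shape
# quoted in this thread and group detections by SHA1.

# Constructed sample built from the lines quoted in the thread (user name
# redacted as in the posts).
$sampleLog = @'
7/23/2020 3:10:24 PM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\XXX\AppData\Local\Temp\CR_58B75.tmp\setup.exe (SHA1: 06677591F4058F36741B388BC1F331841201EF76)
7/23/2020 3:10:34 PM
User "CUTHBERT4\SYSTEM" clicked "Wait, I think this is safe"
7/26/2020 7:09:29 PM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\XXX\AppData\Local\Temp\CR_D9BD4.tmp\setup.exe (SHA1: 581FF121BC46F1CBED4B5186568CBB1100BE5DA0)
7/26/2020 7:10:31 PM
User "CUTHBERT4\SYSTEM" clicked "OK"
'@

function ConvertFrom-EamLog {
    param([Parameter(Mandatory)][string]$Text)

    $stamp = '^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$'
    $lines = @($Text -split '\r?\n' | Where-Object { $_.Trim() })

    # Each record is a timestamp line followed by one event line.
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -notmatch $stamp) { continue }
        $when = [datetime]::Parse($lines[$i], [cultureinfo]::InvariantCulture)
        $body = $lines[$i + 1]

        if ($body -match '^Behavior Blocker detected suspicious behavior "(?<tag>[^"]+)" of (?<path>.+) \(SHA1: (?<sha1>[0-9A-Fa-f]{40})\)$') {
            [pscustomobject]@{ When = $when; Event = 'Detection'; Detail = $Matches.tag
                               Path = $Matches.path; SHA1 = $Matches.sha1.ToUpper() }
        }
        elseif ($body -match '^User "(?<user>[^"]+)" clicked "(?<choice>[^"]+)"$') {
            [pscustomobject]@{ When = $when; Event = 'UserChoice'; Detail = $Matches.choice
                               Path = $null; SHA1 = $null }
        }
    }
}

$events = ConvertFrom-EamLog -Text $sampleLog
$events | Format-Table When, Event, Detail, SHA1 -AutoSize

# One row per distinct file, however many CR_xxxxx.tmp names it appeared under.
$events | Where-Object Event -eq 'Detection' | Group-Object SHA1 | ForEach-Object {
    [pscustomobject]@{
        SHA1     = $_.Name
        Hits     = $_.Count
        Folders  = (($_.Group.Path | ForEach-Object { Split-Path (Split-Path $_ -Parent) -Leaf } | Sort-Object -Unique) -join ', ')
        VTSearch = "https://www.virustotal.com/gui/search/$($_.Name)"
    }
} | Format-List
```

With the two detections quoted in the thread the grouped output has two rows, one per hash, which is the first thing to establish before asking why the file is flagged: two different hashes are two different installers, not one file being re-offered.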


No, not the serial numbers. I found the SHA number and ran it through VT and all I get is No Engines Detected This File.  Emsisoft is marking every one of them as CryptoMalware. And disabling the Google Updater didn't make a difference at all. I had two more try to come through.

This is just one example but they're all noted with the exact same thing. The only difference is the CR_ file name:

7/26/2020 7:09:29 PM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\XXX\AppData\Local\Temp\CR_D9BD4.tmp\setup.exe (SHA1: 581FF121BC46F1CBED4B5186568CBB1100BE5DA0)

7/26/2020 7:09:31 PM
A notification message "Suspicious behavior has been found in the following program: C:\Users\XXXX\AppData\Local\Temp\CR_D9BD4.tmp\setup.exe" has been shown

7/26/2020 7:10:31 PM
User "CUTHBERT4\SYSTEM" clicked "OK"

And I did see that ''she''. Thank you.

 


> No, not the serial numbers. I found the SHA number and ran it through VT and all I get is No Engines Detected This File. 

OK.  (I replied to your "There are no hashes on them...".)

Asking VT about SHA numbers is fine.

"No Engines Detected This File" means none of the multiple antivirus programs that VT use think there is a problem with any file which has that hash.  It doesn't mean VT "couldn't find the file". 

 

I hardly ever run Chrome here, but just ran it.  It updated (the usual way, from the About Chrome pane) to something just a little more recent than your version, ie: 84.0.4147.105


I just ran the Help/About Chrome and it updated automatically to the same version as you, once I reset the Google Updates to automatic in the Services. At this point, I'm inclined to just let Emsisoft do its thing and hope eventually someone figures it out. I can't be the only one, but might be the only one reporting it.

20 hours ago, wallacegal said:

I'm a she...

My apologies. It was just me making a bad assumption.

 

20 hours ago, wallacegal said:

... it's on your tech's end to find out why it's being flagged as a quarantineable program, I guess.

From your screenshot it looks like the folders aren't being deleted from the TEMP folder. Are the files EAM keeps flagging still in them as well?


Yup. They're still there. So they're not being moved out of any folder and into quarantine. Which then begs the question, is anything that's being quarantined at any time moved from where it is into quarantine? However, after thinking about that, I did search that folder, and none of the two or three other, different files on the quarantine list going back to January are in there. This tells me that there's something triggering whatever Google is trying to download, but Emsisoft isn't handling it correctly.

19 hours ago, wallacegal said:

Yup. They're still there. So they're not being moved out of any folder and into quarantine. Which then begs the question, is anything that's being quarantined at any time moved from where it is, into quarantine? However, after thinking about that, I did search that folder and none of the two or three other, different files on the quarantine list going back to January, are not in there. This tells me that there's something triggering whatever Google is trying to download but Emsisoft isn't handling it correctly.

That also negates my theory, which was the files being moved/deleted before the Behavior Blocker could read their digital signatures. We're going to need debug logs for this so that we can hopefully see what's going on. Here's how to get them:

  1. Open Emsisoft Anti-Malware.
  2. Click on the little gear icon on the left side of the Emsisoft Anti-Malware window (roughly in the middle).
  3. Click Advanced in the menu at the top.
  4. Scroll to the bottom of the Advanced section, and change the option for Debug logging to Enabled for 1 day.
  5. After that, close the Emsisoft Anti-Malware window.
  6. Reproduce the issue you are having (wait for the Behavior Blocker notification about setup.exe in the TEMP folder).
  7. Once you have reproduced the issue, open Emsisoft Anti-Malware again.
  8. Click on the little icon in the lower-left (right above the question mark) that looks like little chat bubbles.
  9. Click on the button that says Send an email.
  10. Select the logs on the right that show today's dates (if you try to send too many logs, then we may not receive them).
  11. Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
  12. If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
  13. Click on Send now at the bottom once you are ready to send the logs.

Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

9 hours ago, GT500 said:

That also negates my theory, which was the files being moved/deleted before the Behavior Blocker could read their digital signatures. We're going to need debug logs for this so that we can hopefully see what's going on. [...]

Well, I'm trying to do that, but it tells me that at 10 MB the file is too big, so I've turned it off and back on again now and hope something comes through soon so the file remains small enough to send.

18 minutes ago, JeremyNicoll said:

If you still have the 10mb file, can you compress that into a smaller file first and try to send it that way?

Not the debugging log, no. I can't find it anywhere. And the email to tech automatically compresses it according to the message.

10 hours ago, wallacegal said:

Not the debugging log, no. I can't find it anywhere. And the email to tech automatically compresses it according to the message.

Hold down the Windows logo key on your keyboard (usually between the Ctrl and Alt keys) and tap the R key to open the Run dialog. Copy and paste %ProgramData%\Emsisoft\Logs into the Run dialog, and then click OK. The debug logs are in the folder that will open. Just ZIP them (you can use RAR or 7z/LZMA if you prefer) and attach them to a private message to me.

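As an added example (not from the thread, and not Emsisoft's own tooling), here is how the ZIP step above can be done from PowerShell so that only the logs written today go into the archive and the result is checked against the size limit the poster ran into. The log folder is the one named in the post; the 10 MB figure is taken from the poster's report and is only a warning threshold here; writing the archive to the Desktop is my choice.

```powershell
# Added example, not part of the thread or of Emsisoft Anti-Malware.
# Collect only today's Emsisoft debug logs into a ZIP so the attachment stays small.
# Assumptions: logs live in %ProgramData%\Emsisoft\Logs (path from the thread);
# the 10 MB limit is the figure the poster hit and is used here only as a warning.

$logDir  = Join-Path $env:ProgramData 'Emsisoft\Logs'
$since   = (Get-Date).Date                      # midnight today; change to pick another day
$limitMB = 10
$zipPath = Join-Path ([Environment]::GetFolderPath('Desktop')) `
                     ('Emsisoft-debug-logs-{0:yyyyMMdd-HHmm}.zip' -f (Get-Date))

if (-not (Test-Path -LiteralPath $logDir)) {
    Write-Error "Log folder not found: $logDir (debug logging may never have been enabled)"
    return
}

# Only files modified since $since; older debug logs just inflate the archive.
$logs = Get-ChildItem -LiteralPath $logDir -File -Recurse |
        Where-Object { $_.LastWriteTime -ge $since }

if (-not $logs) {
    Write-Warning "No log files modified since $since in $logDir"
    return
}

$rawMB = [math]::Round(($logs | Measure-Object Length -Sum).Sum / 1MB, 2)
Write-Host ('Selected {0} file(s), {1} MB uncompressed:' -f @($logs).Count, $rawMB)
$logs | Sort-Object LastWriteTime | ForEach-Object {
    Write-Host ('  {0:u}  {1,9:N0} KB  {2}' -f $_.LastWriteTime, ($_.Length / 1KB), $_.Name)
}

Compress-Archive -LiteralPath $logs.FullName -DestinationPath $zipPath `
                 -CompressionLevel Optimal -Force
$zipMB = [math]::Round((Get-Item -LiteralPath $zipPath).Length / 1MB, 2)
Write-Host "Wrote $zipPath ($zipMB MB compressed)"

if ($zipMB -gt $limitMB) {
    Write-Warning ("Archive is over $limitMB MB. Narrow the time window (enable debug logging " +
                   "just before reproducing the alert) or split the files across several archives.")
}
```

Run it from an elevated PowerShell prompt if the Logs folder is not readable as a normal user, and turn debug logging back off afterwards, as the instructions above say.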
3 hours ago, GT500 said:

Hold down the Windows logo key on your keyboard (usually between the Ctrl and Alt keys) and tap the R key to open the Run dialog. Copy and paste %ProgramData%\Emsisoft\Logs into the Run dialog, and then click OK. [...]

Done

On 7/30/2020 at 4:46 AM, wallacegal said:

Done

Thanks. I've forwarded the logs to QA. There's a possibility we'll need engine logs as well (they're activated separately and saved in a different location). If QA asks for them then I'll let you know.


The logs show that Windows is occasionally failing to validate the digital signature, which causes EAM to ignore it, thus allowing the Behavior Blocker to flag the files for potentially malicious behavior.

Unfortunately since it's Microsoft's signature validation mechanism that's failing, the only thing that can be done is to exclude the files from monitoring. Since they're being saved in randomly created folders, it will be necessary to use wildcards to exclude them. I can send you instructions in a private message if you would like to try this.

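An added example (not from the thread and not Emsisoft's code) of checking the diagnosis above independently of EAM: it asks Windows' own Authenticode verifier, via Get-AuthenticodeSignature, to validate every setup.exe sitting in a CR_*.tmp folder under the user's Temp directory, repeats the check several times so an intermittent validation failure shows up as a changing status, and records the SHA1 so the file can be looked up elsewhere. The path pattern follows the shape of the paths quoted in this thread and is the same kind of wildcard an exclusion would need; the expected signer name is an assumption to be compared against a known-good installer.

```powershell
# Added example, not part of the thread or of Emsisoft Anti-Malware.
# Ask Windows' own Authenticode check whether the flagged installers validate,
# and whether that answer is stable across repeated attempts.
# Assumptions: installers land in %LOCALAPPDATA%\Temp\CR_*.tmp\setup.exe (path shape
# taken from the thread); $expectedSigner is an assumption, compare it with a known-good copy.

$pattern        = Join-Path $env:LOCALAPPDATA 'Temp\CR_*.tmp\setup.exe'
$attempts       = 5
$expectedSigner = 'Google LLC'    # assumption: adjust to the signer a known-good installer shows

# The CR_*.tmp folders are short-lived, so run this while an update is actually in progress.
$files = Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Warning "No files matched $pattern (the folders are removed once the installer finishes)."
    return
}

foreach ($file in $files) {
    $sha1 = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash
    Write-Host "`n$($file.FullName)"
    Write-Host "  SHA1: $sha1"

    # Repeat the verification: a signature that is sometimes Valid and sometimes not
    # points at the validation mechanism, not at the file.
    $results = 1..$attempts | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            Attempt = $_
            Status  = $sig.Status            # Valid / NotSigned / HashMismatch / UnknownError ...
            Message = $sig.StatusMessage
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host

    $distinct = @($results.Status | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "  Status changed between attempts ($($distinct -join ', ')): intermittent validation failure."
    } elseif ($distinct[0] -ne 'Valid') {
        Write-Warning "  Signature did not validate ($($distinct[0])). Treat the file as unverified until checked another way."
    } elseif ($results[0].Signer -notmatch [regex]::Escape($expectedSigner)) {
        Write-Warning "  Signed, but signer '$($results[0].Signer)' is not the expected '$expectedSigner'."
    } else {
        Write-Host "  OK: valid signature from $($results[0].Signer)"
    }
}
```

If the status flips between runs on the same unchanged file, that matches the explanation given above and a wildcard exclusion for that path shape is the pragmatic fix; if it is consistently anything other than Valid, or the signer is not the one expected, do not exclude the file and treat the alert as genuine until the hash has been checked against a trusted source.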
5 hours ago, GT500 said:

The logs show that Windows is occasionally failing to validate the digital signature, which causes EAM to ignore it, thus allowing the Behavior Blocker to flag the files for potentially malicious behavior. [...]

Thank you for working through this with me. I'm not sure why Windows would change like that since I don't update it. I can figure out the wildcards but I don't know if I want to go through all of that. At least I know it's not Emsisoft or that the files are in fact a problem. I'd tell Microsoft about this whole thing, but they just don't care at all, so... Thank you so much again, and at least, if anyone else reports this problem, there's now an answer to it. :)

18 hours ago, wallacegal said:

Thank you for working through this with me. I'm not sure why Windows would change like that since I don't update it. [...]

Unfortunately this appears to be a long standing issue with Windows, and has been the source of problems with Firefox updates triggering Behavior Blocker notifications in the past as well. The issue happening with Chrome updates is new, and may have been caused by a Windows Update or perhaps changes to Google Chrome's updater.

59 minutes ago, GT500 said:

The issue happening with Chrome updates is new, and may have been caused by a Windows Update or perhaps changes to Google Chrome's updater.

I use Chrome every day and I've never seen this behaviour.

22 hours ago, marko said:

I use Chrome every day and I've never seen this behaviour.

It was rare with Firefox as well. The issue may only happen on certain computers.
