Jose_Lisbon

Very dangerous threat


VLC Media Player (unless of course it's some other program pretending to be that program of course), isn't actually a dangerous program :)

I know Cat, I was being ironic.


I'd like as well to thank OA for not alerting me to the keylogging properties of GoogleEarth. Why worry the user too much? He has enough pop-ups on his hands.

Regards.


Yes, but where's the whitelist? VLC? Google? HitmanPro? Malwarebytes? For Heaven's sake, it's ridiculous!

Why do some programs trigger different alerts in different situations (I've been testing on a VMWare)?

Why did some (serious) issues translate from 4.5 to 5.0?

Why were these issues not present in 4.0?

I may sound like a troll from this and previous posts. If so, so be it!

But I have to ask: Why does a program that used to make me feel safe not do it any longer?

Regards,

Jose.


I am not sure why you are asking for an explanation of why you feel the way you feel, on a product support forum. It's not a question that someone else can answer for you.

If you have issues that you feel are bugs, then please describe them and provide detailed steps on how to reproduce them so the developers can look into them. Starting threads that by your own admission are purely to be "ironic" and neglecting to take suggested steps on how to minimise popups for programs that you trust is unlikely to result in any productive outcome and will only serve to further your frustration.

I am not sure why you are asking for an explanation of why you feel the way you feel, on a product support forum.

Because it is a support forum.

It's not a question that someone else can answer for you.

Yes it is, just no answers.

If you have issues that you feel are bugs, then please describe them and provide detailed steps on how to reproduce them so the developers can look into them

I already did that (with your help, through PMs). Not any longer; it's like Comodo: no one listens.

only serve to further your frustration.

Frustration indeed.


I believe the OP is questioning the OA 'whitelist', albeit ironically. He may have a point (about both whitelist and 'support' forum).


I do not think OA has a whitelist anymore! :rolleyes:

A few years ago I remember installing Delphi 2006, I remember talking to Mike about it, and OA "knew" about Delphi. A while back I bought a new laptop, and reinstalled Delphi, dozens and dozens of popups from OA, "yes it is a setup, yes remember my decision, any target, etc, etc, etc". OA even warned me Delphi was creating exe's!!! I should hope so, ditto to OA warning me Delphi was logging my keystrokes!!!

Every now and then (latest was last week) OA seems to forget... and Delphi becomes a threat again, so it is back to heaps of popups....

And.. recently I installed Delphi XE, same thing....

As I said I don't think OA has a whitelist anymore... nothing I run/install ever seems to be in it...


I do not think OA has a whitelist anymore!

We do: Both shipped with the product and in the cloud (OASIS). In fact OASIS currently knows about several million applications out there and has about 50 GB of data collected about them. The big issue though is that it lives from user feedback and compared to the Emsisoft Anti-Malware Network community the OASIS community is relatively small. There are plans for joining OASIS and the Emsisoft Anti-Malware Network. It is a bit too soon for any specifics though.

Every now and then (latest was last week) OA seems to forget... and Delphi becomes a threat again, so it is back to heaps of popups....

This actually is a bug. Essentially Online Armor cleans up its rule database from time to time to avoid slow downs due to a large number of rules. If you haven't run an application for more than 30 days and the rule for that application was never edited manually OA will simply drop the rule. The reason behind this is that if the rule was never changed manually it is a default rule. So if you later run the application again OA would just create the default rule again. No harm done.

The problem though lies in how Online Armor treats an application rule as manually edited. Currently it only counts it as manually edited when you actually change it in the rule editor. That is not the main way people create their rules though. They instead will just select the "Remember" or "Trust" check box in the alert window. Those changes weren't treated as manual changes to the rule so those rules may get dropped if you don't run an application for more than 30 days. This will be fixed in the next release though.

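
The rule cleanup described in the post above, as a small model added here for illustration; it is not part of the original post and is not Online Armor code. The `Origin` values, function names, application names and dates are all made up; only the 30-day limit and the "rule editor vs. alert check box" distinction come from the post.

```python
"""Illustrative model of the rule cleanup described above (not Online Armor code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Origin(Enum):
    DEFAULT = "default"      # rule auto-created by the HIPS, never touched by the user
    ALERT_CHOICE = "alert"   # user ticked "Remember" or "Trust" in an alert window
    RULE_EDITOR = "editor"   # user changed the rule in the rule editor


@dataclass(frozen=True)
class Rule:
    app: str
    trusted: bool
    origin: Origin
    last_run: datetime


MAX_IDLE = timedelta(days=30)  # "more than 30 days" without running the application


def edited_before_fix(rule):
    """Only rule-editor changes count as manual edits (the behaviour called a bug)."""
    return rule.origin is Origin.RULE_EDITOR


def edited_after_fix(rule):
    """Alert-window choices are user decisions too, so they also protect the rule."""
    return rule.origin in (Origin.RULE_EDITOR, Origin.ALERT_CHOICE)


def prune(rules, now, counts_as_edited):
    """Split rules into (kept, dropped): drop idle rules that were never manually edited."""
    kept, dropped = [], []
    for rule in rules:
        idle = now - rule.last_run
        if idle > MAX_IDLE and not counts_as_edited(rule):
            dropped.append(rule)
        else:
            kept.append(rule)
    return kept, dropped


def lost_decisions(rules, now):
    """Apps whose user decision is discarded before the fix but survives after it."""
    _, dropped_before = prune(rules, now, edited_before_fix)
    kept_after, _ = prune(rules, now, edited_after_fix)
    kept_names = {r.app for r in kept_after}
    return sorted(r.app for r in dropped_before if r.app in kept_names)


# Constructed sample data: application names and dates are made up.
NOW = datetime(2011, 6, 1)
SAMPLE_RULES = [
    Rule("compiler.exe", True, Origin.ALERT_CHOICE, NOW - timedelta(days=45)),
    Rule("viewer.exe", False, Origin.DEFAULT, NOW - timedelta(days=45)),
    Rule("archiver.exe", True, Origin.RULE_EDITOR, NOW - timedelta(days=90)),
    Rule("browser.exe", True, Origin.ALERT_CHOICE, NOW - timedelta(days=2)),
    Rule("backup.exe", True, Origin.ALERT_CHOICE, NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for label, policy in (("before fix", edited_before_fix), ("after fix", edited_after_fix)):
        kept, dropped = prune(SAMPLE_RULES, NOW, policy)
        print(f"{label}: kept={[r.app for r in kept]} dropped={[r.app for r in dropped]}")
    print("user decisions lost before the fix:", lost_decisions(SAMPLE_RULES, NOW))
```

The "Trust" decision for `compiler.exe` is the one that silently disappears before the fix: the user never opened the rule editor, so the rule looks like a default and is dropped after 45 idle days.
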
We do:
I am sure you do, I was being cynical, virtually nothing I install seems to be in it - strange thing is they used to be...
...get dropped if you don't run an application for more than 30 days.
Not applicable here, there would hardly be a day Delphi is not run. There appears to be some correlation between Delphi crashing and OA forgetting, e.g. Delphi will crash, next time it is loaded OA has forgotten - it is not always but often enough to be noticed.

Thank you for the reply...

Not applicable here, there would hardly be a day Delphi is not run.

Does Delphi create executables (.exe) in temp directories (or, directories other than that of the application) and execute them from those directories? Please excuse my ignorance of Delphi.

...Does Delphi create executables (.exe) in temp directories (or, directories other than that of the application) and execute them from those directories?...
I think it is an option as to where the exe is created, but generally (and always here) it is created in the same directory where all the code for the application being developed is stored.

Are you heading down the path of excluding directories? My point is surely Delphi should be "allowed" by OA to create exes? Does OA ask if IE can browse the internet? Or MS Word is watching your key strokes?


The point is: 5.0 is seriously flawed.

4.5 was flawed as well.

Emsisoft picked up a good thing and messed it up.

Let's go through the issues:

The GUI suffers from the same bugs.

The Wizard can go on for the best part of an hour.

The Wizard (again) will perform at its own will.

The whitelist is more of a black one (maybe pink).

Anti Keylogger will work randomly.

The alerts will only repeat the same text (an .exe wants to run, OA can't tell you if it's good or bad...)

The alerts (again) are overwhelming.

I could go on.

OA 4.0 was a good program. It's spoiled now.

Funny how a couple of Australians (as the CEO of the old OA said once: just two developers) could do better than an established enterprise.

I had to leave OA, I had no choice. I decided to go (for now) with Windows 7 FW along with Spyshelter (a watered down HIPS).

Just as a final note: for those who can, and have the patience, try Spyshelter for a couple of days. You will see how a little/great application can be simple, effective, alerts you when it has to, gives the right information on the pop-ups, the right configurations and the right options. Considering it is a Polish based firm (neighbours), maybe Emsisoft could have a chat with them.

Still keeping faith,

Jose.


Hi Jose,

A couple of comments from me :)

First of all - while I am not involved in OA from day to day, the original OA devs have moved to Emsisoft, and added to this is Fabian and the Emsisoft team. To take over an application like OA is no small task, and as I can see the reworkings of OA are actually rather good. OA is still, compared to the big end of town, a small fish in a big pond and it has been forever reliant on mutual goodwill between the OA team and the community.

The whitelist - I used to spend an age maintaining it - but as Fabian demonstrated - it's a HUGE database, and a huge job. From one side, something like VLC could have many different exes, many different DLLS, and many different versions - in my install there are 3 executables, and 272 dlls.

Each one of these used to have to be manually trusted in OASIS. For each version. So if VLC did a new build, all the hashes can change and hey presto another 270+ files appeared in OASIS that need to be validated manually. Consider then the top 100 applications, and you can see that there's a lot of work.

This was mitigated a little by use of digital signatures comparison; but even then, someone has to do it.

So - if you believe in whitelisting, clearly there has to be a better way.

Just for fun, one time I did a quick calculation at the number of unique files in OASIS. I worked out that if I got the entire beta test team taking 5 minutes per file to perform an assessment (there were about 20 or so beta members), working 15 hours per day, it would take something like 6 months to process all of the OASIS files, assuming, of course, no new ones were added. (these numbers are "made up" I don't recall the actuals, but you get the idea).

Whitelisting or not is something Emsi have to decide they want to continue, or to develop white heuristics, or other ways of determining safeness, or protecting against dangerousness. Either way will take time and resources.

So, I don't think Emsi has wrecked OA - from the changes I saw in last release there were some very welcome and long overdue improvements to the product, as well as removing some obsolete features.

Mike

Are you heading down the path of excluding directories?

Not at all - just trying to understand - I have a similar experience with an unrelated application which creates an executable in a temp folder - I have never had exclusions in OA (three XP PCs).

The whitelist - I used to spend an age maintaining it

Nice to hear from you Mike! I can easily believe it would be a huge job. I could live without it if I knew there was none, but it would be nice to be able to set up an app and have OA remember settings... I guess I should just do more regular OA backups, then restore when things go wrong.

I am still surprised when a new build is created here... and OA trots off to update the OASIS database... must be a lot of our files in there now!


I never had problems with OA losing data, but this may well have been because I installed the latest build almost daily. I'll bet emsi have loads of your files in there too :)

Seems like Fabian has already found the data loss bug and committed to fix it, so hopefully that one would finally be nailed.


Hi Mike.

Nice to hear from you and thanks for the input.

I'm far from being a developer so I'm at a disadvantage when discussing technical details.

But this is how I understand a whitelist on a program like OA:

The main function of the whitelist is to tame the HIPS and so to provide usability. In order to achieve that there has to be a list of safe programs and/or software vendors. If a program is considered safe (let's take GoogleEarth as an example) all the actions would be allowed, but still monitored and registered. Like this the app would install silently but there would be entries in the proper places, for ex: in Anti-Keylogger there would be an entry saying GoogleEarth's screenlogger is trusted.

If, instead of trusting the whole app, you go through every .exe and every DLL you'll end up with the usual deluge of pop-ups like you have now.

This may sound simplistic and I know it can create security concerns, but I see no other way to square the circle (a HIPS and few alerts) unless you go with solutions like automatic sandboxing which I think only complicate things.

Just my two cents.

Regards,

Jose.


Jose, sorry to hear about all your problems, I have found OA (in the most recent incarnation as well as the last), to be working swimmingly on my XP SP 3 system.

A couple of comments about some alternative programs (without going too far afield or bashing any product).

I tried SpyShelter a couple of times when I had some issues with oasrv.exe using up lots of CPU. (That has since stopped and it's been months without the issue.)

SpyShelter's HIPS was all over the place in terms of how and what it allowed and blocked and left me feeling a bit less than secure about its own methodologies (let alone whitelist).

Additionally, two separate times it was installed on my system it disabled my keyboard. (Thankfully I was able to navigate via "mouse" to uninstall and get the system back on track.)

Zemana...I tested this one but found that when it was paired with another firewall (with the firewall's HIPS disabled) it wouldn't consistently pass any of the various keylogger tests I use to test security programs with, even its own.

Other than OA, I felt most comfortable with PrivateFirewall...and though I think it's a good program I left it to come back to OA because OA is much more feature rich overall and much better in my tests against loggers and various other threats. Plus the alerts are much more specific and comprehensible. (I emailed Greg Salvato about some of the areas where PF could improve. Still, I think it's a fine product.)

Lastly, though I can certainly understand your frustration if OA isn't currently working for you as you feel it should, I feel that you have been unfairly critical, a bit rude in your posts and have generalized your personal issues with the program into universal truths.

This simply is not the case. I'm sure that there are many, many more users out there (besides myself) who have found this program to be just what the doctor ordered (even if not "perfect"). I get the very rare alert/pop-up...otherwise the program is quiet. And I have tested it against the keylogger tests successfully. So...perhaps the universal statements you have made do not quite rise to that level.

When I was disillusioned with my oasrv.exe issues I was frustrated and disappointed that I had to uninstall the program for a few months. Nonetheless, I was always happy with catprincess and the willingness to help I received from her and other members like Pete. I also told them I looked forward to coming back as soon as possible and now have been able to do that for the last few months.

I guess the ultimate point of all this rambling is not to generalize your own personal experience and to be willing to meet those trying to help you half way.


Hi Guys

First, thanks Blues, glad I could help. As I am sure Alex_S could attest, I've complained about certain issues myself, but overall the latest versions have been looking good. To be honest, I've disabled keylogger protection, as it is inherently annoying as it monitors behavior, and thus false positives. I have other protection for that.

As to SpyShelter, I did look out of curiosity, and when I see phrases like "special algorithms" it makes me laugh. My BS detector goes on full alert. Then I downloaded their antileak test. Another joke. I think I've seen that before. Dumb thing is to get it to run I have to allow it in two programs. Then once it runs it tells me I am not protected. Not for me, thank you.

Pete

Oh and I do think the thread title was way over the top.

Edited by Peter2150
Add a final thought


Hi Peter.

With all respect I think you're totally wrong about Spyshelter.

P.S. I'm not sure if posting the above link somehow violates Forum Policy, or is considered off topic. If so please erase the whole post.

Regards,

Jose.


The thing with white lists is to get the balance. Just one example of what I am talking about:

If Online Armor would trust all signed files you wouldn't have seen the alerts you reported earlier. In fact I am pretty certain that for the most commonly used applications we would never again produce a popup since even the small software vendors started to sign all their binaries because Microsoft told them to. In fact this works so well that quite a few products use it as their only white listing mechanism. The problem is that they assume it would be impossible for a bad guy to obtain a certificate to sign his malware files when the reality is that we have about 10 - 20 new samples each day with valid certificates. Those samples go right through products with less restrictive white list mechanisms.

So as you see white lists have two sides. Getting the balance right is difficult. Online Armor's white list may arguably be a bit too restrictive. But I take that over a white list that waves malware right through any time as long as there are efforts made to improve it and I already outlined what we are planning to do in that regard.

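
The white list trade-off from the post above, together with Mike's earlier point that every new build changes all the file hashes, as a small model added here for illustration; it is not part of either post and is not Online Armor or OASIS code. The three policy functions, file names and publisher names are made up, and the `signer` field assumes the signature was already verified elsewhere.

```python
"""Illustrative comparison of allowlisting policies (not Online Armor or OASIS code)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

ALLOW, PROMPT = "allow", "prompt"


@dataclass(frozen=True)
class FileInfo:
    name: str
    content: bytes
    # Publisher named by a signature that has ALREADY been verified elsewhere;
    # None means unsigned or invalid. Verification itself is out of scope here.
    signer: Optional[str]


def digest(f):
    """SHA-256 of the file content, used as the allowlist key."""
    return hashlib.sha256(f.content).hexdigest()


def hash_only(f, known_hashes):
    """Trust exact, manually validated files only: every new build is unknown again."""
    return ALLOW if digest(f) in known_hashes else PROMPT


def any_valid_signature(f):
    """Trust anything with a valid signature: quiet, but signed malware passes too."""
    return ALLOW if f.signer is not None else PROMPT


def tiered(f, known_hashes, vetted_publishers):
    """Known hash first, then a publisher someone has vetted, otherwise ask the user."""
    if digest(f) in known_hashes:
        return ALLOW
    if f.signer is not None and f.signer in vetted_publishers:
        return ALLOW
    return PROMPT


# Constructed sample data: contents, names and publishers are made up.
PLAYER_V1 = FileInfo("player.exe", b"player build 1", "Example Media Project")
PLAYER_V2 = FileInfo("player.exe", b"player build 2", "Example Media Project")
# Stands in for a file with a valid certificate from a publisher nobody has vetted.
SIGNED_UNKNOWN = FileInfo("unknown_app.exe", b"unvetted signed binary", "Unvetted Signer Ltd")
UNSIGNED_TOOL = FileInfo("tool.exe", b"small unsigned utility", None)
FILES = [PLAYER_V1, PLAYER_V2, SIGNED_UNKNOWN, UNSIGNED_TOOL]

KNOWN_HASHES = {digest(PLAYER_V1)}            # only build 1 was validated by hand
VETTED_PUBLISHERS = {"Example Media Project"}


def decisions():
    """Decision per file, in FILES order, for each of the three policies."""
    return {
        "hash_only": [hash_only(f, KNOWN_HASHES) for f in FILES],
        "any_valid_signature": [any_valid_signature(f) for f in FILES],
        "tiered": [tiered(f, KNOWN_HASHES, VETTED_PUBLISHERS) for f in FILES],
    }


if __name__ == "__main__":
    for policy, result in decisions().items():
        print(f"{policy:20s}", dict(zip((f.name for f in FILES), result)))
```

Hash-only prompts for the new build of an already trusted program, signature-only lets the unvetted signed file through without a prompt, and the tiered policy moves the manual work from validating every file to vetting publishers.
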


Didn't see anything that changed my mind. I don't need a keylogger at that price, or at all actually, and frankly from what I saw I sure wouldn't recommend anyone consider it a replacement for Online Armor.

Pete

...If a program is considered safe (let's take GoogleEarth as an example) all the actions would be allowed, but still monitored and registered.
I would like to think not, I think only those actions that would be expected to be used. Getting back to Delphi, it would be allowed to create exe's, but GoogleEarth... I am not as sure...

Oh and I do think the thread title was way over the top.

A thread title is a thread title - some do get attention. I suspect this one is achieving its aim - a useful, sometimes revealing, discussion (big thumbs-up for that).

I do wish these discussions would stick to OA: not name and opine about the goodness/badness of other products (if it is OK to do so then I will oblige)!


A thread title is a thread title - some do get attention. I suspect this one is achieving its aim - a useful, sometimes revealing, discussion (big thumbs-up for that).

Thanks judson. I'm relieved someone understands.

If one comes to a program forum and points out what he considers to be wrong it's because he cares about the program.

If I wanted to chat for the sake of chat I would go to Wilders.


I am sorry guys but I don't buy this. A subject like that to draw attention isn't about caring about the program, it's about getting attention and I feel it's the wrong way. Why? Consider someone who isn't familiar with Online Armor and just purchased it. Then they come to the forum and see this subject, and it really scares them. They didn't realize it wasn't a serious threat, but just a user trying to draw attention to his problem. This isn't caring about Online Armor.

If you don't feel a situation is getting proper attention, and yes that can happen, then either post in the private forums if you have access or PM Fabian. But posting a subject implying something that isn't true just doesn't strike me as the way to go.

Pete


This has already the signs of an interminable argument. So if...

Consider someone who isn't familiar with Online Armor and just purchased it. Then they come to the forum and see this subject, and it really scares them.
...is to be taken as probable I ask the Mods/Devs to delete this Thread. I'm not here for attention nor confront.

Regards,

Jose.


I agree with Jose and Alycat regarding the strange behaviour of the whitelist and it seeming to be completely absent, a lot of the time. Obviously, the whitelist (any whitelist) must have limitations, especially with obscure programs and files, or even new versions of well known software - we should expect these to be unknown.

Sometimes, however, OA will spring into action over an "Unknown" program that "has not been classified by us yet", even though it is an incredibly popular piece of software, used by hundreds of thousands, or maybe even millions, of people worldwide, and which was released months, or sometimes even years ago. In that case, I wonder "When will you classify it, then?" - the obvious conclusion to draw is, never. I've even seen OA trust and allow one file from a program, but then say that another file is unknown and that I should consider its validity. How can that happen?

Honestly, I think there are far greater concerns with OA than the whitelist. I probably wouldn't care if the whitelist never changed, I'm simply sharing my (very similar) thoughts and experiences on the subject.

Thank you.


Another near miss... uff...

I know you are trying to be funny re. number of OA popups, but consider that OA's purpose is to protect you from real threats, not to "entertain" you with popups.

Therefore:

1) When you download an installer, you have to make up your mind: i) is the downloaded file from a trusted source, which can vary in the amount of trust you may give it, e.g. correctly signed by the software company, or file hashes--if available--are correct, or is the download site protected by an HTTPS certificate that you think you can trust (and you've checked the certificate chain, if you are really paranoid)? It's still wise to upload the installer to a service like VirusTotal.com and anubis.iseclab.org if you have doubts about the installer's potential effects on your system.

If you can't really trust the installer, but still want to try the program, then use some kind of sandboxed virtual pc to eliminate any effects on your regular pc--this is just cautious common sense.

The OA whitelist of installers and programs can never be complete, running software like OA always means accepting that you will have to make more manual choices than if OA is not running.

2) If the download meets your standard of trust, then there is NO reason NOT to let OA treat the installer as "Trusted" and as an "Installer", in order to reduce the number of popups. Often there is an additional option in the initial OA popup: "Create system restore point". Use it!

3) Even with all these options checked, there still will be some popups, I've seen them when global keyboard hooks are installed, certain types of DLLs and OCXs are registered, direct physical disk access is requested, etc. In these cases OA is just alerting you that the installer is doing things that are a little more intrusive than the simplest installers, e.g. using external programs to install the DLL or system service components of the program you are installing. These are components which, in any case, need your decision on allowed/trusted status, now or at some later point. Maybe OA should cut out all such popups for a "trusted" installer and just "allow" them once and log the action--I'm not sure, but I prefer to know what is going on and decide on allow/trust status.


Maybe OA should cut out all such popups for a "trusted" installer and just "allow" them once and log the action

Perhaps that would be fine for a "behaviour blocker", not for a strong HIPS - IMHO.

I'm not sure, but I prefer to know what is going on and decide on allow/trust status.

Me too and that's exactly the reason why I'm using a HIPS software.

Regards,

N.


I have to agree with Jose and his frustrations. Only god knows how many times I tell Online Armor (4.5) that a program is trusted/safe/allowed.

Now - it seems - its worst enemy is Git Extensions. It asks me to allow the program at least 3 times a day.

Sometimes I spend more time trying to configure the firewall than actually working :-s

I used to love Online Armor (the Mike version) but recently I've had loads of problems.

These last versions are quite heavy and I've experienced high CPU usage (oasrv.exe) a lot.

Someone might argue that I have to use the support forum to inform about my problems. I've done that: logs, images and everything.

Nobody even considered to send me a reply or a receipt (Mike would have replied to thank me :-) ).

I am even scared to update to version 5 cause, at least, my PC is quite stable now.

I am disappointed about the new Online Armor and I am seriously considering to move to another personal firewall ... but I don't know which one.

Regards

Alberto


Please don't get me wrong, but there is a reason why software is updated, so I don't see any sense in complaining about flaws of version 4.5x; This support forum is for users with problems so it isn't a wrong step to write your problems here, when you look to other threads you will see that there are always EMSI employees around who try to help. ;)

Version 5 is much faster and I don't feel any impact on my system, neither on my i5, nor on my [email protected]

So the 1. thing I would recommend is that you always use the newest version of a program.

And 2.:

Maybe you should try a behaviour blocker like Mamutu. Because a HIPS is a HIPS and will always have its flaws, if this would be the perfect security solution then Microsoft would have implemented it already, don't you think? :)

I don't know any HIPS that doesn't have problems with certain programs, look at other forums where ppl complain about similar problems.

There are millions of apps out there and with every update sth important can change that will need a user's input.

If this kind of security software is too annoying to anyone he/she maybe should change his/her security policy.

@VLC problem:

VLC is one of the most used video players out there so it is also one of the beloved targets of malware writers and there have been a lot of leaks in the last years:

http://www.videolan.org/security/

So IMHO it isn't that bad that OA is a little too "sharp" on such things. :)


Please don't get me wrong, but there is a reason why software is updated, so I don't see any sense in complaining about flaws of version 4.5x; This support forum is for users with problems so it isn't a wrong step to write your problems here, when you look to other threads you will see that there are always EMSI employees around who try to help. ;)

Version 5 is much faster and I don't feel any impact on my system, neither on my i5, nor on my [email protected]

So the 1. thing I would recommend is that you always use the newest version of a program.

And 2.:

Maybe you should try a behaviour blocker like Mamutu. Because a HIPS is a HIPS and will always have its flaws, if this would be the perfect security solution then Microsoft would have implemented it already, don't you think? :)

I don't know any HIPS that doesn't have problems with certain programs, look at other forums where ppl complain about similar problems.

There are millions of apps out there and with every update sth important can change that will need a user's input.

If this kind of security software is too annoying to anyone he/she maybe should change his/her security policy.

@VLC problem:

VLC is one of the most used video players out there so it is also one of the beloved targets of malware writers and there have been a lot of leaks in the last years:

http://www.videolan.org/security/

So IMHO it isn't that bad that OA is a little too "sharp" on such things. :)

I have to disagree. Not remembering decisions isn't being sharp, it's flawed. I've run OA, even the latest versions, side by side with Malware Defender, which is much "sharper", as you put it, than Online Armor, as it is a purer HIPS. I tell both programs to remember something and MD does and OA doesn't always remember, in an unpredictable way. This is not sharper but flawed programming, and EMSI is aware and is to do something about it.

Pete


Please don't get me wrong, but there is a reason why software is updated, so I don't see any sense in complaining about flaws of version 4.5x; This support forum is for users with problems so it isn't a wrong step to write your problems here, when you look to other threads you will see that there are always EMSI employees around who try to help. ;)

Version 5 is much faster and I don't feel any impact on my system, neither on my i5, nor on my [email protected]

So the 1. thing I would recommend is that you always use the newest version of a program.

And 2.:

Maybe you should try a behaviour blocker like Mamutu. Because a HIPS is a HIPS and will always have its flaws, if this would be the perfect security solution then Microsoft would have implemented it already, don't you think? :)

I don't know any HIPS that doesn't have problems with certain programs, look at other forums where ppl complain about similar problems.

There are millions of apps out there and with every update sth important can change that will need a user's input.

If this kind of security software is too annoying to anyone he/she maybe should change his/her security policy.

@VLC problem:

VLC is one of the most used video players out there so it is also one of the beloved targets of malware writers and there have been a lot of leaks in the last years:

http://www.videolan.org/security/

So IMHO it isn't that bad that OA is a little too "sharp" on such things. :)

Right now I was working with TortoiseGit and I was asked at least 10 times to confirm the executable. Every single time you check the boxes and every single time it asks again.

Maybe you do not consider people working with his/her computer.

I don't have time to do these things all the time cause ... I am working.

I can understand security but this is a little bit too much.


Guys, anyone who gets popups for the same actions about the same executables (which were told to be remembered and allowed) - please post screenshots.

We can not see what's happening on your systems...


Should I have to set programs to trusted to get things to work? Shouldn't I be able to allow some things for programs and have OA remember them without having to go the whole way and set the program to trusted?


Should I have to set programs to trusted to get things to work? Shouldn't I be able to allow some things for programs and have OA remember them without having to go the whole way and set the program to trusted?

Setting a program to trusted would allow its actions without prompts. If you want to be prompted - you can allow some of its actions via answering appropriate OA prompts (popups) ;)

btw, did you tick "Remember my decision" checkbox before clicking allow?

Setting a program to trusted would allow its actions without prompts. If you want to be prompted - you can allow some of its actions via answering appropriate OA prompts (popups) ;)

Yes, I am quite aware of that, I am happy to allow what I want allowed and block what I don't - but only once please!

btw, did you tick "Remember my decision" checkbox before clicking allow?

Can't be sure that time, but I have ticked it on previous occasions. There were no keylogger prompts when I loaded it earlier.


I agree with Alycat.

I want a firewall which warns me there's a potential threat but once I've authorized it (unless I've updated it) I would like it to be quiet.

I've got some programs which I have to allow/trust every time I execute them.


I agree with Alycat.

I want a firewall which warns me there's a potential threat but once I've authorized it (unless I've updated it) I would like it to be quiet.

I've got some programs which I have to allow/trust every time I execute them.

Could you please tell me these programs' names and/or post download links, so I'd be able to reproduce your findings?

Besides this - are you 100% sure that you received popups for the same actions of the same (not changed) programs even though you (presumably) ticked "Trust" and/or "Remember" checkboxes in OA prompts when answering them?

Please also provide a list of other security software installed on your system and your system details (OS version, including SP version if any).

Thanks in advance,

Best regards,

Andrey.


VLC is one of the most used video players out there so it is also one of the beloved targets of malware writers and there have been a lot of leaks in the last years

So as to check the patched version of a very much used app (VLC, GoogleEarth, Flash Player, Adobe Reader, etc...) just take a look at Secunia and how they do it.

Sometimes one finds the best solutions in the most improbable places.

http://secunia.com/vulnerability_scanning/personal/


So as to check the patched version of a very much used app (VLC, GoogleEarth, Flash Player, Adobe Reader, etc...) just take a look at Secunia and how they do it.

Sometimes one finds the best solutions in the most improbable places.

http://secunia.com/vulnerability_scanning/personal/

Yes, I can really recommend the Secunia PSI 2.0 program as a good complement to the protection of OA. It installs a bunch of small footprint services that monitor new software installs/updates on your machine, as well as existing well-known software already installed. When anything it monitors is out-of-date with respect to security-relevant updates, it will either install a silent update package for you, or provide you with a direct link to the software vendor's downloadable updates. Simplifies software maintenance greatly. I've been using it for 2 or 3 years.
