Question on latest v. 5 and OA refusing to remember

Using 4.5.1.431 free version w/ XP Pro SP3. OA has repeated problems with a couple (2) programs: TrueSync Desktop v.2.1 and Remote Administrator 2.2. Installed OA via "Trust everything" but added these two programs after the initial install later. I know others have dealt with this problem over many past releases. These two programs are INTERMITTENTLY getting blocked and/or asking for permission to run. Problems are happening with two different computers, TSDesktop.exe (from TrueSync) on one computer, and r_server.exe (from RAdmin) on the other one. The really crazy part is OA initially remembers my decisions but after a while forgets and then they are either blocked or it asks permission again and again. Even more crazy after waging a battle to get it back to remembering: choosing trust/install mode, deleting to let OA re-detect etc., OA would again remember. But after a while OA would again forget and the battle was on yet again. So far only these two programs are affected by this. Even more strange is OA has no problems with either of these 2 programs (yet) on other systems using the exact same OS. These other systems are configured the same.

Cons:

1. This is a bit frustrating to deal with.

2. It makes me wonder if OA will have this problem with any other programs.

Pros:

1. Thank God (so far) it's only these two programs OA has this problem with! :)

Can anyone confirm that this crazy behavior has been fixed in latest v.5 before I try it? I have read reports/reviews by some that say they have the same problem in v.5 but I'm not sure which build or release. Also, has anyone there ever compiled a list of programs that people have had this problem with or is it just random?

Thank you for any help on this!


Can anyone confirm that this crazy behavior has been fixed in latest v.5 before I try it? I have read reports/reviews by some that say they have the same problem in v.5 but I'm not sure which build or release. Also, has anyone there ever compiled a list of programs that people have had this problem with or is it just random?

In most cases, it's unrelated to the program itself. Some instances of settings being forgotten were fixed with v5. Others such as the bug Fabian explained here http://support.emsisoft.com/topic/4190-very-dangerous-threat/page__view__findpost__p__24983 will be fixed for the next release :)


Fabian talks about 30 days, here we found OA 5 lost its memory on shutdown. Every reboot of the PC resulted in a pop-up festival, yet another "security" program that causes more damage (lost work time in this case) than it is supposed to prevent. Tried re-installs, uninstalled other security software, made no difference. Pop-ups pop-ups pop-ups, 30+ clicks just to start Photoshop.


Hi Boreth :)

When someone like yourself posts giving no info such as operating system, previously installed firewall, presently installed security software etc, it is difficult to make helpful suggestions.

You could also post which build type of OA you are using (Free, Premium, ++) and what type of install you did (trusted or wizard). Are all your programs green in colour and listed as trusted in the OA programs list?

Did you try opening Photoshop in learning mode? (then turning learning mode off)

Help us, to help you :)


In most cases, it's unrelated to the program itself. Some instances of settings being forgotten were fixed with v5. Others such as the bug Fabian explained here http://support.emsisoft.com/topic/4190-very-dangerous-threat/page__view__findpost__p__24983 will be fixed for the next release :)

Mahalo [er, Thanks] catprincess! :)

I apologize for not remembering the version #s. Could you please let me know which version # I should be looking for?

Is it v. 5.0.0.1097 or later (5.0.0.1100)?

In other words, in which version would this be fixed?

Thanks Again!


Mahalo [er, Thanks] catprincess! :)

I apologize for not remembering the version #s. Could you please let me know which version # I should be looking for?

Is it v. 5.0.0.1097 or later (5.0.0.1100)?

In other words, in which version would this be fixed?

Thanks Again!

Some instances were fixed with 5.0.0.1097. 5.0.0.1100 was a minor update to oaui.exe only that was delivered via automatic updates (it's not available as a separate installer) and isn't related to this issue. I believe the next full release (ie, one that is also available as a full installer on the download site, rather than being only available from automatic updates), would contain the fix for the scenario Fabian outlined in the thread I linked to. I am not sure when the next release is scheduled for though, but major releases are posted in the changelog here http://changeblog.emsisoft.com/?s=online+armor :)


I'm running 5.0.0.1100, still having problems... OA warns me a program is a keylogger, say ok and remember, couple minutes later same thing. As mentioned before it forgets Delphi... and I can't see the 30 days has anything to do with it, as these programs are used here every day...


Our problem stayed with us all the way till 5.0.0.1100, running Win 7 Pro 64bit, AMD X4 940, 6b Mem, OA Premium (no sense in complaining about a freebie is there?), AV Vipre on, MS Defender and MS Firewall turned off. At the moment we have a very productive life without OA 5 premium and Windows Firewall turned back on, our license runs out in 11 months, please don't remind us to renew.


I'm running 5.0.0.1100, still having problems... OA warns me a program is a keylogger, say ok and remember, couple minutes later same thing. As mentioned before it forgets Delphi... and I can't see the 30 days has anything to do with it, as these programs are used here every day...

Hi Alycat,

Could you please get some screenshots for the reappearing popups for the same actions of the same executables and send them to oasupport (at) emsisoft (dot) com.

Thank you in advance,

Best regards,

Andrey.


If a program is run, and whatever is needed for OA to decide it is a keylogger happens, and the user clicks ok and remember, and then that program's checksum is changed (program recompiled), does OA forget it was a keylogger? Because since the program has been finished, OA has not been issuing popups about a keylogger, but when it was being recompiled all the time, OA was issuing popups.

Yes, this would be expected behaviour for an unknown program that has changed.

An "unknown" program? :blink: OA's message says a program I have trusted has changed, so it is not unknown. And that message is strange because the program was not trusted. So, if a known program has its checksum changed and if you say "yep, that is ok", OA forgets ALL the settings previously made for that program? Is that as intended?


No, that's not intentional. But if the program was really trusted, you shouldn't have ever gotten a keylogger alert for it in the first place. Trusted programs aren't monitored for keylogging.

Unfortunately it's anyone's guess what may have caused these problems unless you can provide further details on the exact steps so the developers can reproduce it.


Ok, I give up - it seems to me reading this forum, that the answer given to so many problems is to just "trust the program". What is the point of having a firewall if you are supposed to trust so much? Surely OA should work WITHOUT trusting every program that gives a problem?


When you recompile a program you receive not the same program, but a program located at the same path as before but with a different checksum. The purpose of HIPS is to detect such changes, so a malware wouldn't be able to trick you by replacing/altering a well-known/previously-known program.

So, when you recompile a program you've previously allowed keylogging (or some other) behavior for - it's normal that you'd receive prompts about the same behavior for the program with different checksum because in fact it's not the same program, but a program located at the same path with the same name.

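The identity rule described in the post above (same path, different checksum means a different program), combined with the trusted/unknown distinction and the one-entry-per-path behaviour stated elsewhere in this thread, as an added example that is not part of the thread and is not Online Armor's code. `Entry`, `RuleStore`, `check`, the event names and the file contents are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Entry:
    sha256: str                                # content hash the rules are pinned to
    trusted: bool = False
    allowed: set = field(default_factory=set)  # remembered "allow" decisions


class RuleStore:
    """Toy model, not Online Armor's code: rules keyed by path, pinned to a hash."""
    def __init__(self):
        self.programs = {}                     # resolved path -> Entry

    @staticmethod
    def key(path):
        return str(Path(path).resolve())

    def check(self, path, action):
        """Return (event, outcome); the user is assumed to accept every prompt."""
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        entry = self.programs.get(self.key(path))
        if entry is None:                      # nothing recorded at this path
            event, entry = "new", Entry(digest)
        elif entry.sha256 == digest:           # same path, same bytes
            event = "known"
        elif entry.trusted:                    # trusted program changed: keep rules
            event, entry.sha256 = "changed", digest
        else:                                  # unknown program changed: start over
            event, entry = "changed", Entry(digest)
        self.programs[self.key(path)] = entry
        if entry.trusted or action in entry.allowed:
            return (event, "silent")
        entry.allowed.add(action)              # models clicking "allow and remember"
        return (event, "prompt")


def demo():  # replays the thread's scenarios on constructed files
    store, out = RuleStore(), []
    with tempfile.TemporaryDirectory() as tmp:
        exe_a, exe_b = Path(tmp, "dirA", "app.exe"), Path(tmp, "dirB", "app.exe")
        exe_a.parent.mkdir()
        exe_b.parent.mkdir()
        exe_a.write_bytes(b"constructed build 1")
        out.append(store.check(exe_a, "keyboard-hook"))   # first run
        out.append(store.check(exe_a, "keyboard-hook"))   # decision remembered
        exe_a.write_bytes(b"constructed build 2")         # "recompile" in place
        out.append(store.check(exe_a, "keyboard-hook"))   # unknown program changed
        shutil.copyfile(exe_a, exe_b)
        out.append(store.check(exe_b, "keyboard-hook"))   # same bytes, new path
        store.programs[store.key(exe_a)].trusted = True
        exe_a.write_bytes(b"constructed build 3")
        out.append(store.check(exe_a, "keyboard-hook"))   # trusted program changed
    return out, len(store.programs)
```

In this model, excluding a development directory corresponds to skipping the hash comparison for paths under it, which is why frequently recompiled binaries stop prompting.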

Generally directories for programs being developed are excluded (Mike put that in for me a few years ago). But one program had a few "quick" changes made, and it was not set up as excluded.

...it's not the same program, but a program located at the same path with the same name.
So what should happen if an exe is copied to another path?


Hi Andrey

I've seen this "forgetting" on an application that hasn't changed since the day it was installed and it has no updating feature. And it takes a bit for OA (even latest beta) to remember what I told it.

Pete

You'll get two separate entries in the Program's list.

OK, that's strange (I assume you tried this on your system) because I don't. I deleted entries for the program in OA's "Programs". I then recompiled the program in Directory A, ran it and ok'ed OA's prompts.

I then copied the file to Directory B, and ran it from there - I received a "trusted program has changed" message (???) but nothing else.

Checking OA's "Programs" shows one entry, for Directory A - and that info remains even if Directory A is removed (???).


OK, that's strange (I assume you tried this on your system) because I don't. I deleted entries for the program in OA's "Programs". I then recompiled the program in Directory A, ran it and ok'ed OA's prompts.

I then copied the file to Directory B, and ran it from there - I received a "trusted program has changed" message (???) but nothing else.

Yes, I tried it here (and checked again just now also) although I'm only copying a program to a new location; I did not recompile anything. For each location I copied it to, OA behaved as I'd expect it to and treated it as a different program, so assuming I ran the program from 3 different locations, I'd end up with three different entries in the Program's list.

Checking OA's "Programs" shows one entry, for Directory A - and that info remains even if Directory A is removed (???).

If the program is actually removed from the first location, that entry should become greyed out indicating that it's no longer present.

...For each location I copied it to, OA behaved as I'd expect it to and treated it as a different program...
That is how it used to work here, not any more, I have one entry.
If the program is actually removed from the first location, that entry should become greyed out indicating that it's no longer present.
Nope, I have one entry only, the directory is not correct, nothing is greyed.


If a program is run, and whatever is needed for OA to decide it is a keylogger happens, and the user clicks ok and remember, and then that program's checksum is changed (program recompiled), does OA forget it was a keylogger?

No, it doesn't forget anything. OA realises that it's a different program. If it didn't, it would be pretty useless.

OK, that's strange (I assume you tried this on your system) because I don't. I deleted entries for the program in OA's "Programs". I then recompiled the program in Directory A, ran it and ok'ed OA's prompts.

I then copied the file to Directory B, and ran it from there - I received a "trusted program has changed" message (???) but nothing else.

Checking OA's "Programs" shows one entry, for Directory A - and that info remains even if Directory A is removed (???).

Yes, it does seem to have some "issues" in this regard. I sometimes receive "A trusted program has changed" alerts for programs that aren't trusted, and haven't changed.

No, it doesn't forget anything. OA realises that it's a different program. If it didn't, it would be pretty useless.
If it is just a different version of the same program, and you acknowledge that to OA, I do not agree it should then forget all the settings you have made for that program, forcing you to start from scratch.
Yes, it does seem to have some "issues" in this regard. I sometimes receive "A trusted program has changed" alerts for programs that aren't trusted, and haven't changed.
This is 100% here, if I have a program that is not trusted and it is recompiled, every time I get a message from OA saying a trusted program has changed.

Interesting thing the other day... I decided to clean up OA's Programs list, there were entries, sometimes a dozen or more, for different versions of same programs... so started deleting, started from the top of the list ("A"s), got down to the "C"s... and suddenly OA warns me that my email program (which starts with "G") wanted to run, wanted to use the internet, was a keylogger..... (and it had been running all day before that...) :blink:

and suddenly OA warns me that my email program (which starts with "G") wanted to run, wanted to use the internet, was a keylogger..... (and it had been running all day before that...) :blink:

I've noticed that kind of random behaviour too often and it worries me very, very much.

I'm still with OA because other similar solutions please me less, and out of a somewhat misguided loyalty. But I rely more and more on Sandboxie.

I hope V6 (or V5...) will bring dramatic improvements, otherwise Emsisoft would better drop OA's HIPS altogether and concentrate on Mamutu. That would be a shame but as things are now it's not sustainable.


If it is just a different version of the same program, and you acknowledge that to OA, I do not agree it should then forget all the settings you have made for that program, forcing you to start from scratch.

But only you as the user of the machine know if a program has changed legitimately, OA can't know that. It could be malware masquerading as your original program, or it could have been malware that modified it.

I'm not sure what you mean when you say that you "acknowledge" to OA that it is the same program. Do you mean that you accept a "Trusted program has changed" pop-up? If so, then I think that you should receive no alerts (about keylogging or otherwise) for a trusted program (you trust it to do whatever it needs), but I'll leave it to someone more qualified to confirm that.


If OA informs me a program I have "trusted" (not really, but that is another story...) has changed (and I agree OA needs to check this, for HIPS to be effective), and I tell OA yep, it is the same program, it has been updated or whatever, then why should I have to go through and set all the OA configuration up yet again. I know it is not really the same exe, it has been replaced, etc, etc, but as far as I am concerned it is just an upgrade to a program that OA knows about and a program I have configured in OA previously.


If OA informs me a program I have "trusted" (not really, but that is another story...) has changed (and I agree OA needs to check this, for HIPS to be effective), and I tell OA yep, it is the same program, it has been updated or whatever, then why should I have to go through and set all the OA configuration up yet again. I know it is not really the same exe, it has been replaced, etc, etc, but as far as I am concerned it is just an upgrade to a program that OA knows about and a program I have configured in OA previously.

As far as I know it's only with unknown programs that this occurs. Rules stay intact if a trusted program changes and you allow it. Probably, if a program or its vendor is suspicious enough that you feel the need to leave the program as unknown, if it changes, you'd want to be keeping a close eye on whatever it might be doing. You might have allowed it to enumerate files or have direct disk access previously, but if a potentially untrustworthy program has changed, it makes sense to re-evaluate.

... but if a potentially untrustworthy program has changed, it makes sense to re-evaluate.

Does the Firewall info get cleared under this scenario? (It doesn't seem to be here.)


Does the Firewall info get cleared under this scenario? (It doesn't seem to be here.)

Yes, if the original (unchanged) program is no longer present, the Firewall rules for that program are removed. The only exception is trusted programs; if a change is detected to a trusted program and you allow it, its rules should remain intact.


I take a program here as an example.

Remove all entries for it in OA under Programs and under Firewall.

Recompile program.

Try to run program, receive a message a program wants to run - good.

It tries to access internet, allow it - good.

Recompile it.

Try to run program, receive a message a trusted program wants to run (sic) - sort of ok, it has changed but was never trusted.

It tries to access internet, no warning.

There seems to be a lack of consistency.


Is this related to your other post about the rules being removed or is it completely separate? Probably the issue here is due to the warning about it being a trusted program when it actually wasn't ever trusted (this seems to be some kind of bug), hence the firewall rules staying intact.

Is this related to your other post about the rules being removed...

Yes, just an example. If a program is recompiled it appears to be regarded as a new program in Programs but seems to be left in Firewall. I would have thought the logic for one would apply to the other.

The "trusted" I think was really meant to say "a program OA knows about" as in a record of past activity exists.

