trujwin

PC Suite -PERSISTENT


Recently installed PC Suite 7.1.51 from Nokia. Though I allowed auto run of PC Suite at the time of installation, I tried to disable it from the Auto runs screen of Online Armor. But PC Suite is cocking a snook. It always appears at every restart, and Online Armor sincerely reports as blocked. Is it that PC Suite is getting on through some other surrogates?


If you open Task Manager, do you see either of these blocked processes listed as running or any other process that looks like it belongs to PC Suite?

I think PC Suite itself may contain an option "Invoke at startup" which can be unticked.


If you open Task Manager, do you see either of these blocked processes listed as running or any other process that looks like it belongs to PC Suite?

I think PC Suite itself may contain an option "Invoke at startup" which can be unticked.

PC Suite keeps running. I have attached the snaps of Process Explorer to show all the processes of Nokia running, of which PC Suite is an autorun program.

The issue is not about blocking PC Suite, it is about OA allowing it despite having it blocked in the auto-run. :mellow


Possibly PC Suite has registry entries in more than one location that allow it to autorun. OA could then be blocking the one that shows up in Autoruns, but the program still starts due to another registry entry (which could be in a location such as the startup folder, that OA doesn't monitor due to it not being a malware target).

You could check with a program like Autoruns from here http://technet.microsoft.com/en-us/sysinternals/bb963902 to see if PC Suite has other autorun registry entries than the one listed for pcsuite.exe in OA (mousing over the entry in OA will display the location of that registry entry).


Possibly PC Suite has registry entries in more than one location that allow it to autorun. OA could then be blocking the one that shows up in Autoruns, but the program still starts due to another registry entry (which could be in a location such as the startup folder, that OA doesn't monitor due to it not being a malware target).

You could check with a program like Autoruns from here http://technet.microsoft.com/en-us/sysinternals/bb963902 to see if PC Suite has other autorun registry entries than the one listed for pcsuite.exe in OA (mousing over the entry in OA will display the location of that registry entry).

I do not know if that answer would be ok. Similar techniques could be used by MALWARE too to masquerade hiddenly. I have attached an image of both the OA entry as well as the Autorun entry. Please note that the PC Suite is mentioned to start in the Autoruns. Suppose I untick it, on manually invoking PC Suite later, an autorun gets added immediately. This is not the issue. There is something more to it.


Is pcsuite.exe trusted in the Programs list? Also if the parent program is trusted, it's allowed to create an autorun without prompting. If PC Suite is continually attempting to add new autoruns every time you run it, this could be what occurs perhaps. Unticking the option for it to autostart from within PC Suite itself would be the best way to stop this.


Is pcsuite.exe trusted in the Programs list? Also if the parent program is trusted, it's allowed to create an autorun without prompting. If PC Suite is continually attempting to add new autoruns every time you run it, this could be what occurs perhaps. Unticking the option for it to autostart from within PC Suite itself would be the best way to stop this.

I have untrusted it. Still PCSuite manages to autorun. Even if PCSuite attempts to autostart, I think either OA should stop that or give an alert that PCSuite will run despite it being blocked in the OA list.

This could be an example of some malware too. I am not bothered about PCSuite. What I am trying to say is some program is able to OVERRIDE OA's preferences. :o


Recently installed PC Suite 7.1.51 from Nokia. Though I allowed auto run of PC Suite at the time of installation, I tried to disable it from the Auto runs screen of Online Armor. But PC Suite is cocking a snook. It always appears at every restart, and Online Armor sincerely reports as blocked. Is it that PC Suite is getting on through some other surrogates?

Possibly PC Suite has registry entries in more than one location that allow it to autorun. OA could then be blocking the one that shows up in Autoruns, but the program still starts due to another registry entry (which could be in a location such as the startup folder, that OA doesn't monitor due to it not being a malware target).

I agree with trujwin. Surely, if OA doesn't monitor it because it's not "a malware target", then that will make it a malware target. If I was a "malware creator" (is there a word for it?), then I would look at the places that are monitored by security software, and put my startup entry somewhere else.

I have untrusted it. Still PCSuite manages to autorun. Even if PCSuite attempts to autostart, I think either OA should stop that or give an alert that PCSuite will run despite it being blocked in the OA list.

This could be an example of some malware too. I am not bothered about PCSuite. What I am trying to say is some program is able to OVERRIDE OA's preferences. :o

This does seem to be a problem. I've just done some quick testing and found that OA actually deletes the registry entry (it must back it up, so that you can "Allow" it again in future). However, it is possible to reinstate the registry entry without OA realising.

Now I'll admit, I haven't tried restarting, or anything like that (this machine is ridiculously slow) and maybe OA only checks once per hour, or on shutdown, but at least for several minutes, OA has displayed to me that an Autorun is "Blocked" (i.e. deleted), when in fact, the registry entry has been re-created.

I might try again tomorrow with some restarts, if I remember, but I wouldn't be surprised if catprincess beat me to it. ;)


This does seem to be a problem. I've just done some quick testing and found that OA actually deletes the registry entry (it must back it up, so that you can "Allow" it again in future). However, it is possible to reinstate the registry entry without OA realising.

Now I'll admit, I haven't tried restarting, or anything like that (this machine is ridiculously slow) and maybe OA only checks once per hour, or on shutdown, but at least for several minutes, OA has displayed to me that an Autorun is "Blocked" (i.e. deleted), when in fact, the registry entry has been re-created.

I don't know how you are reinstating the registry entry, but if you are using regedit to do this, you wouldn't get an alert because it's a trusted program.

In any case though, if you think you have found a general issue with autoruns not being blocked when they should be, please start a separate thread and detail the exact steps to reproduce it.


I don't know how you are reinstating the registry entry, but if you are using regedit to do this, you wouldn't get an alert because it's a trusted program.

In any case though, if you think you have found a general issue with autoruns not being blocked when they should be, please start a separate thread and detail the exact steps to reproduce it.

That does not make sense either. If regedit wanted to start itself, OA may ignore it. But if regedit wanted to start a BOMB and OA is silent, then there is a serious issue.

I think this issue is not a priority right now...


That does not make sense either. If regedit wanted to start itself, OA may ignore it. But if regedit wanted to start a BOMB and OA is silent, then there is a serious issue.

I think this issue is not a priority right now...

It's always been quite clear that you will see Autorun popups for Unknown programs only. It's mentioned here http://www.emsisoft.com/en/info/oa/Autoruns.html

I do not know the priority of your issue with Emsisoft. I did look at the program you mention when you first started the thread, but it's hardly a small download and I don't even have a Nokia phone so aside from the fact that it may not even install, I can't justify wasting my downloads on something that size when I have no use for it whatsoever. Sorry, but there is nothing more I can personally do about your issue unless it's reproducible with some other program that doesn't require that I download 50MB just to check it.


It's always been quite clear that you will see Autorun popups for Unknown programs only. It's mentioned here http://www.emsisoft.com/en/info/oa/Autoruns.html

Sorry, but there is nothing more I can personally do about your issue unless it's reproducible with some other program that doesn't require that I download 50MB just to check it.

Never meant in the least to annoy you. But just felt that this would be a little important issue for firewalls and HIPS in general.


Yeah, I had a look at it. Once again dear friends, let us get to the core issue here. If a program is blocked in OA's Autoruns page, OA should see to it that it stays like that. Let us not debate into safe trusted programs etc. etc.


If a program is blocked in OA's Autoruns page OA should see to it that it stays like that.

I agree with you.

I posted the link just in case there was any info in there which might give you clues as to this errant OA behaviour.


I don't know how you are reinstating the registry entry, but if you are using regedit to do this, you wouldn't get an alert because it's a trusted program.

I'm not really sure why you're telling me this. I never said that I was expecting an alert about Regedit or any other trusted program. Maybe you misunderstood.

As it happens, I simply reinstated the startup entry by exporting the registry key and then, once OA had deleted it, I merged the exported data back into the registry. However, I imagine it wouldn't make any difference how it was done, such as your idea of manually re-entering the data with Regedit (or another registry editor), or indeed, if the program itself re-created the startup entry (as is probably the case in trujwin's experience).

In any case though, if you think you have found a general issue with autoruns not being blocked when they should be, please start a separate thread and detail the exact steps to reproduce it.

Is this directed at me, or trujwin? Surely, that is the topic of this thread, why would I create a duplicate thread with the same topic? In any case, I'll add my method here and if you (or anyone else) are sure you want me to copy it into a new thread, I will do so.

1) Right-click any Autorun and choose "Jump to" to find its startup entry in the registry.

2) Export the registry key containing the data for the particular Autorun (Right-click, Export).

3) Right-click the same Autorun (within OA) and choose "Block" then "Yes".

4) (Optional) Within Regedit, press F5 to Refresh the view and verify that the startup entry has been removed.

5) Double-click the exported .reg file and choose "Yes" to merge the data back into the registry.

6) Restart the computer.

7) Observe that the program has been run at startup (as per the registry setting), meaning that OA has failed to block its startup.

8) (Optional) Open the OA GUI. Check "Autoruns" section to confirm that OA still believes the item to be "Blocked". Check the "History" section and see that there is no entry mentioning the Autorun (e.g. Autorun reinstated, etc.)

This is with OA v4.5.1.431 and Windows XP SP3.

Thanks for the report.

I'll check this.

Best regards,

Andrey.

Thank you Andrew/Andrey(?).

If you need any more information, don't hesitate to ask.


This issue seemed to flatter to deceive with OA 5.1.1.1383. Immediately after installing I found PC Suite hiding in the trusted program list. I blocked it and was very pleased to find PC Suite blocked at the next startup. I was just looking around with the settings in PC Suite itself (which by default was ticked on to run). Then I deleted the PC Suite entry from the Autorun of OA. Next from PC Suite I ticked (off and then ON) the auto start to run. And on checking the OA Auto runs I found the PC Suite entry added to it. Now I blocked it. On the next start it was back to square one, PC Suite merrily seated in a corner. There are some compatibility problems still.

There is another behaviour I found. Using the Sysinternals autostart application (the entries are registered in the registry as they are ticked or unticked) I added a few programs to start. OA promptly displayed a balloon that the programs are trusted and they also found their entries in the OA Autoruns. Next I went back to the Sysinternals autostart application and checked off those programs (it meant they would not start in the next startup). But OA Autoruns still maintains as if they will start. They are not refreshed immediately.


Hi,

Just to inform that the issue is persistent in 1395 as well, save the first instance when it was blocked in the Auto-run.

Case-1

1395 freshly installed. PC Suite is trusted in both programs and Auto-runs. I go to Auto-runs and have it blocked. In the next few startups I was pleased to see PC Suite was effectively blocked.

Case-2

I go to the program list and DELETE the PCS entry even while leaving the Autorun entry untouched. Next I start the PCSUITE application and get the OA systray balloon alert that it is trusted. Surprisingly, within the PCSUITE application I found (invoke at startup TICKED). After this point presumably OA-trusted PCS supersedes user choice?

Might be the recap is not accurate, but definitely it can give you a lead, with the equally good postings from others too in this thread.

There is a bug or logical error in here especially in programs which OA auto-trusts.

Why does OA ignore this route: C:\Users\************\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup?

Programs listed there do not find a place in the OA Autoruns. Also I am able to add programs to it without any alerts.

I think I am seeing this only in 1395.

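The checks raised in this thread (looking for autorun entries in more than one location, including the Startup folders, and confirming that an entry shown as "Blocked" has not been re-created in the registry) can be scripted. The PowerShell below is an added example, not part of any post and not Emsisoft or Sysinternals code; the search pattern and the blocked entry's value name are constructed placeholders, and the location list covers only the common Run keys and Startup folders, which is an assumption and far fewer than Autoruns inspects.

```powershell
# Added example. $Pattern and $Blocked hold constructed values; edit them for the machine being checked.
$Pattern = 'pc\s?suite'   # regex looked for in entry names and commands
$Blocked = @(             # entries the security tool reports as blocked (value name is hypothetical)
    @{ Location = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'ExampleBlockedEntry' }
)

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$wsh = New-Object -ComObject WScript.Shell
$StartupDirs = @($wsh.SpecialFolders.Item('Startup'), $wsh.SpecialFolders.Item('AllUsersStartup'))

$entries = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $entries += New-Object PSObject -Property @{
            Location = $key; Name = $name; Command = [string]$regKey.GetValue($name) }
    }
}
foreach ($dir in $StartupDirs) {
    if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
    foreach ($file in @(Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
        # Resolve shortcuts to the program they launch; other files are listed by their own path.
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') { $target = $wsh.CreateShortcut($file.FullName).TargetPath }
        $entries += New-Object PSObject -Property @{
            Location = $dir; Name = $file.Name; Command = $target }
    }
}

# 1) Every autorun location that mentions the program, not only the one a tool displays.
$entries | Where-Object { $_.Name -match $Pattern -or $_.Command -match $Pattern } |
    Format-List Location, Name, Command

# 2) Entries recorded as blocked that exist again (re-created by the program or by a .reg merge).
foreach ($b in $Blocked) {
    $hit = $entries | Where-Object { $_.Location -eq $b.Location -and $_.Name -eq $b.Name }
    if ($hit) { Write-Warning "Blocked autorun present again: $($b.Location) -> $($b.Name) = $($hit.Command)" }
}
```

Running it after each restart, or from a scheduled task, shows when the state on disk has drifted from what the security tool's Autoruns list displays.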
