OAP and Steganos LockNote .tmp Annoyances


dallas7

On the WinXP system:

I use a Steganos LockNote, currently at v.1.0.5, which allows for the creation of a password protected text file that can be saved as a file type that it is not, i.e. SecretWords.dll or GreatApp.exe. Opening a LockNote created file challenges for the password and it then behaves just like Notepad except for the file saving options and the password creation. Locknote.exe is a stand-alone (not installed, "portable") application.

I use it for one file that I modify every now and then and I am now at wit's end as to how to end OAP's protection. This is what I have to go through every time I modify and save the LockNote file:

Created: 1/2/2012 11:23:00 AM

Summary: Program Guard: STG2E5.tmp

Description: D:\Folder1\Folder2\testOA.exe -> E:\TempUser1\STG2E5.tmp

Event type: Program Guard(9)

Event action: Allowed(2)

Created: 1/2/2012 11:23:05 AM

Summary: File Shield: STG2E5.tmp modify testOA.exe

Description: E:\TempUser1\STG2E5.tmp wants to modify file D:\Folder1\Folder2\testOA.exe

Event type: Unknown(25)

Event action: Allowed(2)

Created: 1/2/2012 11:23:15 AM

Summary: Program Guard: STG2E5.tmp -> testOA.exe

Description: e:\TempUser1\STG2E5.tmp(9948) wants to start D:\Folder1\Folder2\testOA.exe(0)

Event type: Program Guard(9)

Event action: Allowed(2)

Created: 1/2/2012 11:25:50 AM

Summary: Program Guard: STG2EB.tmp

Description: D:\Folder1\Folder2\testOA.exe -> E:\TempUser1\STG2EB.tmp

Event type:

Event action: Allowed(2)

Created: 1/2/2012 11:25:53 AM

Summary: Program Guard: STG2EB.tmp -> testOA.exe

Description: E:\TempUser1\STG2EB.tmp wants to modify executable file D:\Folder1\Folder2\testOA.exe

Event type: Suspicious file(13)

Event action: Allowed(2)

Created: 1/2/2012 11:25:58 AM

Summary: Program Guard: STG2EB.tmp -> testOA.exe

Description: e:\TempUser1\STG2EB.tmp(12124) wants to start D:\Folder1\Folder2\testOA.exe(0)

Event type: Program Guard(9)

Event action: Allowed(2)

E: is the partition I devoted to cache, temporary, log, dump, etc. files; if an app has a setting for that class of file, its output goes into a folder here. E:/TempUser1 is the folder I set for User1's TEMP and TMP variables (System TEMP and TMP go to E:\TEMP).

Every time LockNote saves the testOA.exe file, it uses that STG••.tmp which I have not been able to nail down due to its name-changing behavior.

LockNote.exe is in C:/Program Files and Allowed, Trusted and Normal.

I don't understand why File Shield remains active even if I uncheck Activate File Shield. I have also built the rule E:\TempUser1\STG*.tmp as shown in the screen shot but it is ineffective even if the E:/* rule doesn't exist. I have had the rules C:\*, D:\*, and E:\* active since about day 7 on this system and this LockNote behavior is so far the only thing that's ever annoyed it.

D:\Folder1\Folder2 is configured as Path to exclude in Options Exclusions.

Every time another STG••.tmp is created, Oasis is contacted and the database updated.

I've attached a screen shot of the first popup. I greyed out the actual path for the one represented by \Folder1\Folder2 above. Selections of Remember, Trust, Install in any combinations have little effect on subsequent popups and/or behavior.

What am I doing wrong?

What can I do?

Thank you.


Hi Thomas. That does work as one might expect. But now there is no protection for anything which might rear its ugliness in a folder that's a free-for-all vector for everything that's bad. While I could depend on the EAM6, MBAM and Zemana layers to take up the slack, removing OAP's protection from the user's TEMP and TMP store for just one application is undesirable, much more so than two or three popups.

In the meantime some more messing around prompted me to create rules for D:\Folder1\Folder2\* and e:\TEMPUS~1\STG*.tmp and that eliminated the File Shield popups. But this still doesn't explain why File Shield seemingly remains active when Activate File Shield is unchecked. Oh, the joys of 8x3 legacy filenaming. ^_^

Cheers.


Hello dallas7,

I misunderstood your explanation about the directory "E:/TempUser1".

I thought "TempUser1" is just used by "LockNote" for the log files on your system.

So you already managed to eliminate the File Shield popups ?

Regarding the question of why File Shield is still running when the checkbox is unchecked:

Would it be possible for you to create a set of debug logs covering the problem and send them to me by PM?

(http://support.emsis...mor-debug-logs/)


Thomas, no problem on my TempUser1 variable; it's not something you'd normally see as my XP system is highly configured to my own standards. But I did need to comment on it in my post #1 as it related to the log entries I pasted there.

Yes, the rules I built have ended the popups as reported within this thread. Since I have no intention of de-activating the File Shield under the options tab, I'm not considering it a problem and I'll take a pass on offering up debug logs.

Getting back to the Program Guard interplay with the LockNote tmp process, the solution as I see it would be the ability to create a green (Allowed/Trusted/Normal) entry in the Programs list for E:\TempUser1\STG*.tmp. Since the app deletes the tmp file, it ends up as grey (absent) with no way that I know of to edit it.

I would like you or other Emsisoft support to advise on the possibility of that being done. Or another solution.

Thank you.


Hello dallas7,

Yes, the rules I built have ended the popups as reported within this thread. Since I have no intention of de-activating the File Shield under the options tab, I'm not considering it a problem and I'll take a pass on offering up debug logs.

Good to hear the annoying popups are gone.

Our developers will check why File Shield seemingly remains active.

But I have to admit, I remain a little bit confused by your last post, where you wrote:

Getting back to the Program Guard interplay with the LockNote tmp process

I thought the problem is that File Shield seemingly remains active now ?

So there is still another problem with LockNote ?

One way to give privileges to the LockNote.exe file would be to go to "Programs" and right-click on the file LockNote.exe.

Then go to "Advanced Options" and choose "Installer" on the top of the window.

This would enable LockNote.exe to generate the temp file without any trouble/popups.

But in the case of LockNote, after the STG????.tmp-File was written to disk it tries to manipulate the LockNote.exe file again. This behavior could be a malicious one.

As a result of that it should be asked again next time and because of the nature of the HIPS,

LockNote.exe gets untrusted again.

Hope the answer is helpful.

Please specify your question to receive further support.


Thank you. Setting Locknote.exe to Installer did not change the behavior for the STG••.tmp handling I described in my previous posts.

I know this deals with two OAP modules (File Shield, Program Guard) and I don't know how that confuses matters nor how this could have been split into two separate threads.

Please specify your question to receive further support.

I have re-read my postings and I don't know how I could possibly clarify matters with any more exactitude and detail than I already have.


  • 2 weeks later...

Thank you! I was sure that was the case but wanted to make sure there was really "no way out." Fortunately, I only use the app for one file and I only occasionally update it.

Slightly off topic but worthy of note, there are similar multiple interactions with the "A program wants to run" pop-ups for the many whatever.tmp files unpacked when a Windows installer (msi) is run. Fortunately again those are becoming a rarity.

No reply expected. Cheers.


This topic is now closed to further replies.