ewido security suite 3.5 beta

Discussion in 'other anti-trojan software' started by quexx88, May 27, 2005.

Thread Status:
Not open for further replies.
  1. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    As I tried to explain to you earlier, this is NOT an issue... Memory usage will again go down as soon as another program needs the memory (This is btw. what these so-called "RAM cleaners" do... They simply allocate as much RAM as possible... This gives you ZERO additional performance or "free" memory... In fact the system will be even SLOWER after a "memory defragmentation" as things have to be read again into memory when needed.)...
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    I did a restart and no change. I will see if the next update date shows when it becomes available...
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Sounds like a bug to me, will be checked :)
     
  4. colorado13

    colorado13 Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    117
    Location:
    Orihuela, Spain
    I performed a full scan of my computer and ewido security suite 3.5 beta gave me:

    C:\Program Files\AnalogX\Script Defender\test.vbs -> Trojan.Io
    C:\Program Files\Debugging Tools for Windows\adplus.vbs -> Trojan.Io
    C:\Program Files\Yahoo!\Messenger\YPager.exe -> Heuristic.Win32.Backdoor
    C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe -> TrojanDownloader.TSUpdate.i
    C:\WINDOWS\PCHealth\HelpCtr\System\NetDiag\dglogs.htm -> Trojan.Io

    Should I worry?

    Regards
     
  5. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Nope, "luckily" these are false positives... Could you please send them to submit@ewido.net so we get an overview of all of them? Many thanks!
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA

    Attached Files:

  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    fish25,

    when will there be an ewido forum? :)

    Regards
     
  8. colorado13

    colorado13 Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    117
    Location:
    Orihuela, Spain
    I supposed that, but I'm not sure!
    Many thanks for your help!
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    I have had a bit of a play with the UI and done some scans, and have found a few little oddities. Like everyone else I got a few false positives (Trojan.Io seems popular), but being a beta that's to be expected.

    Problem #1 :
    After a Full Scan the SecuritySuite.exe process has 66,660 handles left open. Most of these handles are to the Key HKLM\SOFTWARE\ewido\config
    This can be trivially reproduced by doing a registry scan and then looking at the open handles with Process Explorer.

    Odd/Undesirable Behaviour #1 (ewidoguard) :
    ewidoguard.exe seems to be very rapidly read-polling the key HKLM\software\ewido\guard.
    I would like an option to be able to turn this off, please; I can just as easily protect this key with RegDefend and lose the multiple-times-per-second poll and associated context switching.
    Even with realtime protection turned off the guard is still doing this...
    Code:
    0.00328701  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.00669135  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.00669750  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.00675281  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.00698105  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.00698552  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.00698944  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.00705509  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.00709951  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.03539584  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.03540869  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.03562101  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.03562548  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.04401788  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.04412516  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.04416623  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.04438050  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.04438497  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.06002858  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.06003500  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.06004786  ewidoguard.exe:3120  OpenKey     HKLM\software\ewido\guard        SUCCESS  Access: 0x20019
    0.06017916  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.06025710  ewidoguard.exe:3120  QueryValue  HKLM\software\ewido\guard\guard  SUCCESS  0x12345678
    0.06036829  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    0.06041019  ewidoguard.exe:3120  CloseKey    HKLM\software\ewido\guard        SUCCESS
    Odd/Undesirable Behaviour #2 (SecuritySuite.exe) :
    The SecuritySuite.exe main window is showing high ongoing context switching when it's doing nothing. What is it doing?

    • The threads securitysuite.exe+0x146f6 and MSVCR71.dll!endthreadex+0x31 seem to be responsible for the context switching
    • The main window is continuously getting WM_GETICON messages which is not a behaviour I am seeing for other apps on the PC
    Enhancement #1 :
    Allow the SecuritySuite GUI window to be resized so that the report can be read onscreen a little more easily

    Enhancement #2 :
    Having cookies mixed in with all the other results makes it a little harder to distinguish between non-desirables and actual problems, maybe

    Enhancement #3 :
    Have an easy way to get back and see logs from previous scans

    Enhancement #4 :
    After a memory scan, possibly show "no infected processes found" rather than files?
     
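The two registry-trace observations in the post above (the rapid polling of HKLM\software\ewido\guard reported as Odd/Undesirable Behaviour #1, and the climbing handle count reported as Problem #1) can both be checked mechanically from a Regmon capture rather than by eyeballing the log. The script below is an added example written by the editor; it is not ewido's code and did not appear in the original thread. It parses the trace lines quoted above (copied verbatim, with tabs replaced by spaces) to estimate how often the key is polled and to count successful OpenKey calls on a key that have no matching CloseKey by the end of the capture. The column layout it expects and the 10 ms gap used to separate one poll from the next are the editor's assumptions.

```python
"""
Added example (editor's code, not ewido's): parse a Regmon-style registry
trace and answer two questions about it:

  1. How often is the process polling a given key?
  2. How many successful OpenKey calls on each key are still unmatched by a
     CloseKey when the capture ends?
"""
import re
from collections import Counter

# Regmon columns: relative time (s), process:pid, operation, path, result, detail.
# The original log mixes tabs and spaces between columns, so \s+ is used throughout.
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<proc>[^\s:]+):(?P<pid>\d+)\s+"
    r"(?P<op>OpenKey|QueryValue|CloseKey)\s+(?P<path>\S+)\s+(?P<result>\S+)"
)

# The 25 trace lines quoted in the post above (tabs replaced by spaces).
SAMPLE_TRACE = r"""
0.00328701 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.00669135 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.00669750 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.00675281 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.00698105 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.00698552 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.00698944 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.00705509 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.00709951 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.03539584 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.03540869 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.03562101 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.03562548 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.04401788 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.04412516 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.04416623 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.04438050 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.04438497 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.06002858 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.06003500 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.06004786 ewidoguard.exe:3120 OpenKey HKLM\software\ewido\guard SUCCESS Access: 0x20019
0.06017916 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.06025710 ewidoguard.exe:3120 QueryValue HKLM\software\ewido\guard\guard SUCCESS 0x12345678
0.06036829 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
0.06041019 ewidoguard.exe:3120 CloseKey HKLM\software\ewido\guard SUCCESS
"""


def parse_trace(text):
    """Return a list of (time, proc, pid, op, path_lowercased, result) tuples,
    skipping any line that does not look like a Regmon record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m["t"]), m["proc"], int(m["pid"]),
                           m["op"], m["path"].lower(), m["result"]))
    return events


def poll_bursts(events, key, gap=0.010):
    """Start times of each polling burst on `key`.

    Consecutive OpenKey calls closer together than `gap` seconds are treated
    as one poll (the guard opens the key several times per poll); a new burst
    starts when the gap is exceeded.  10 ms is an editor's assumption chosen
    to separate the ~30 ms poll period in the sample from the sub-millisecond
    repeats inside each poll."""
    opens = sorted(t for t, _, _, op, path, _ in events
                   if op == "OpenKey" and path == key.lower())
    starts, prev = [], None
    for t in opens:
        if prev is None or t - prev > gap:
            starts.append(t)
        prev = t
    return starts


def polls_per_second(events, key, gap=0.010):
    """Average poll frequency over the capture, from burst start times."""
    starts = poll_bursts(events, key, gap)
    if len(starts) < 2:
        return 0.0
    return (len(starts) - 1) / (starts[-1] - starts[0])


def unclosed_handles(events):
    """Per (proc, pid, key): successful OpenKey minus successful CloseKey.

    Regmon does not tie a CloseKey to a particular OpenKey, so this is a net
    balance per key, not an exact pairing.  Only keys with a positive balance
    at the end of the capture are returned."""
    balance = Counter()
    for _, proc, pid, op, path, result in events:
        if result != "SUCCESS":
            continue
        if op == "OpenKey":
            balance[(proc, pid, path)] += 1
        elif op == "CloseKey":
            balance[(proc, pid, path)] -= 1
    return {k: v for k, v in balance.items() if v > 0}


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    key = r"HKLM\software\ewido\guard"
    print(f"{len(poll_bursts(ev, key))} polls in capture, "
          f"~{polls_per_second(ev, key):.0f} polls/s")
    print("unclosed handles at end of capture:", unclosed_handles(ev))
```

Over the 25 lines quoted above it reports three polls roughly 28 ms apart (about 35 per second) and one OpenKey on the guard key still outstanding when the capture ends. The second number only means something on a capture that spans a whole scan: a trailing unmatched open in a short excerpt like this one is just where the log was cut, not a leak. Run it over a full capture of a registry scan and compare the result with the handle count Process Explorer shows for the process; if both keep rising across repeated scans, that is the leak described in Problem #1.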
  10. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    You're right, these are all enhancements already planned (most of them for 3.6) ;)
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Fish, did you encounter some issues with lock-ups when scanning? This occurs at random moments... if I close/end all other apps the lock-up still takes place...
    Sometimes it's at about 5% scan time, sometimes at 15%... but a cold reboot has to take place to get hold of my computer again...
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    /edit: I know it's beta and I don't mind that :) just like to inform you.
     
  13. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    During which scan? Registry, Memory or Files?
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    I have a Gmail account and use the Gmail Notifier to let me know when I have mail. It sits in my system tray. Whenever I double-click the icon or right-click >> view inbox to go to my mailbox in my browser, the guard's CPU jumps up to 50% and stays there indefinitely. I have to deactivate realtime protection and wait for the CPU usage to return to normal, then reactivate it to fix the problem. I wonder if anyone else that uses Gmail has this problem?
     
  15. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    No problem here (with firefox being the default browser)...
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi, this happens at random intervals... whether I use the registry scan, fast scan or complete scan, it doesn't matter what type of scan I run.
    sometimes it happens at 10% or 15% when scanning.
     
  17. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    All these scans have one thing in common... the registry scan... Does it also happen when you do a custom scan of your drives?
     
  18. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Thanks for the quick reply

    I would have thought that what I reported as problem #1 was simply a bug to get fixed in the beta; it's a bit excessive consuming all those file handles for no reason.
     
  19. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    I do believe you, but still I think that the 3.5 beta is not OK. When I do a scan with CounterSpy you see that only the CounterSpy file grows in memory use. The other programs do not. And when the CS scan is done the program immediately drops back to 8 MB or so. Ewido's new one has a memory effect on ALL other programs and doesn't drop back at all. So ALL programs stay on very high RAM numbers. Do you find that correct?

    I don't see the memory drop that you are writing about too, by the way. Only a new startup makes that happen. Or using the MemTurbo.
     
  20. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Yes, it's perfectly OK... We could even praise it as a new feature... As the memscanner of the ewido security suite scans all modules of each process (which most others don't!), they will get loaded into memory (this is where the HDD activity comes from)... This is no problem, bug or whatever; have a look here:

    http://aumha.org/win5/a/xpvm.php

    Try to start a program that uses much memory (like a game or something) and watch the memory usage of the other programs... They will go back down...
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    I use Opera as my default browser (8.01)...
     
  22. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Some updates right now for B-users.

    Gerard
     
  23. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    With the last update, this problem is fixed :)
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Same here ;) ...
     
  25. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The update does seem to have helped the CPU usage, however it still uses 10-20% with Prevx running.. shutting either of them down brings CPU down to 1-5%
     