Emsisoft Anti-Malware 8.xx Collective Thread

Discussion in 'other anti-malware software' started by Mops21, Jun 19, 2013.

Thread Status:
Not open for further replies.
  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    That unfortunately isn't available yet. In general scheduled scans are kind of pointless if you have the File Guard running at all times, as all your normal activity is watched anyways. Of course, if you turn the guard off on a regular basis, they may be somewhat beneficial.

    Changes are saved automatically.
     
  2. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Well, there's one less thing I need to do. :D :thumb:
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Guard Application Rules

    Please bear with me. Although I used EAM off and on for years, never used the realtime protection.

    How are Application Rules populated? I presently have none. Are rules only created when an app is updated/modified? I originally thought a rule would be created when an app is run? I guess not.
     
  4. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Look at section 7:

    https://www.emsisoft.com/en/info/a2am/

    Depending on how you have your alerts set, you may not be notified at all (per default settings) unless less than 90% of the "community" trust the app.

    You can also manually input rules in the behavior blocker for any given app.

    My apologies if this isn't the info you are seeking.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    IE9 Crashes.

    I use Yahoo as my search engine. When I browse to an Emsisoft web site via a Yahoo page of search selections, IE9 will on many occasions hang and crash. The error is always WOT.dll_unloaded.

    This only happens on an Emsisoft link. Does Emsisoft have a problem with WOT?

    Source
    Internet Explorer

    Summary
    Stopped working

    Date
    7/4/2013 6:36 PM

    Status
    Report sent

    Description
    Faulting Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Problem signature
    Problem Event Name: BEX
    Application Name: iexplore.exe
    Application Version: 9.0.8112.16490
    Application Timestamp: 51955cca
    Fault Module Name: WOT.dll_unloaded
    Fault Module Version: 0.0.0.0
    Fault Module Timestamp: 501a9970
    Exception Offset: 05927fdd
    Exception Code: c0000005
    Exception Data: 00000008
    OS Version: 6.1.7601.2.1.0.768.3
    Locale ID: 1033
    Additional Information 1: 695c
    Additional Information 2: 695cadb6b3cac73a7b753f8790f21596
    Additional Information 3: 4a1c
    Additional Information 4: 4a1cc6478f310035e1118fd1681305f5

    Extra information about the problem
    Bucket ID: 50
     
  6. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    itman, I sent you a PM with the referenced material copied from the EAM manual. Hopefully that will provide info for you to both input rules as well as alter settings to your liking.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thanks, Blues. I do have the entire "help" menu printed out.

    Again it appears that EAM HIPS protection is "passive" in that an app alert is not generated until some "event" occurs; update, abnormal behavior, etc.

    I created two "whitelist" exceptions for the services Trusteer uses although it appears not to have any effect. I need to create an exception for EAM in Rapport and it does not have that capability.

    BTW - when you "whitelist", EAM will auto create the app rules for what was whitelisted.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There is definitely a boot issue with Trusteer Rapport and EAM 8.0. It appears there is a conflict with a TR boot driver, RapportKE64.sys, and EAM. It will cause a black screen delay when booting. Excluding RapportKE64.sys located in System32\drivers in EAM whitelist for File Guard and behavior blocking appears to do the trick.

    I am presently excluding the two TR x86 service processes along with drivers; RapportKE64.sys, RapportEI64.sys, and RapportKE64.sys. No more lockups with IE and Explorer since adding the above with File Guard and behavior blocking exclusions.

    Still getting a lot of TR browser alteration blocks for the event I noted in a previous posting. Guess I will just have to live with those. They don't appear to affect IE9 or EAM in any way.
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Updates are noticeably faster :thumb:
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Scan times.

    I saw a few comments in the Emsisoft forum about long scan times with ver. 8.0. I have to agree with those. I am running WIN 7 SP1 x64 on a 6 core CPU with 8 GB of fast DDR1600 memory. I have a fast SATA HDD. I have no core restrictions for EAM 8.0. I have also removed the memory restriction so EAM can use all available memory. Finally I don't have a lot of apps installed on this PC. A Smart EAM scan takes 20 mins. with no other concurrent PC usage.

    What I have noticed during a scan is that CPU usage never exceeds 20% so I have to infer that something is "throttling down" the EAM scan. I contrast this with a NIS 2013 Quick scan that takes no more than a few minutes.
     
  11. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Hi itman,
    See if this will answer your question. It is a question I asked a few months ago in the Emsi forum except I wanted to reduce processor usage which would have slowed the scan down. You would need to do the opposite.

    -http://support.emsisoft.com/topic/11056-excessive-processor-use/#entry71984


    @Fabian
    Then why is there a red X and red font in the GUI when scheduled scans are turned off indicating that there is a problem? As you can see I ran a scan 9 hours ago and scheduled scans are turned off. I only run a scan to, hopefully, populate the cache after reinstalling.
     


    Last edited: Jul 9, 2013
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes. Like I posted, I have no restrictions on CPU or thread usage. What is interesting as noted in the link you posted is that I only see one instance of a2guard running when I do a scan. The link posting noted multiple copies should be running when multiple cores are utilized. So there might be a bug in ver 8.0?
     
  13. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Also please note that the CLEANHLP service was not removed when I uninstalled EAM.
    EAM is great but is still slowing down my PC too much when doing on-demand scan. (and I recently upgraded to a more modern setup)
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In reference to my prior posting about WOT causing IE9 to crash after I installed EAM 8.0, I came across some info at the WOT support web site.

    First, I am still getting IE9 crashes with cause being as posted above. Not unbearable; like one every couple of days. Next, this never occurred prior to the install of EAM 9.0.

    Per the WOT support web site, it appears that there is an issue with WOT and IE10 Enable Protection Mode(EPM). Some users have issues with EPM set on for IE9. I have EPM set on for both Internet and Trusted site settings.

    Appears something with one of the EAM 8.0 settings is not playing right with EPM perhaps?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I sent a support request to Trusteer about this:

    Will post findings once I get a reply.
     
  16. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    In general EAM uses all the available cores during the scan. A scan on my system looks something like this:

    http://i.imgur.com/w27nasR.png

    As you can see, even on my system the overall CPU load barely scratches the 30% mark. This is due to the fact that the limiting factor in this case is the hard disk transfer speed. The work though is more or less evenly distributed between all cores.

    A smart scan on my system takes less than 2 minutes by the way. Quick scans are done in under 15 seconds. Deep scans take around 10 minutes. Since you did mention NIS, did you make sure to disable any other real-time scanners like NIS before performing a scan? Third party real-time scanners will greatly lengthen on-demand scan times, as they will essentially scan files that EAM opens during the scan, resulting in additional scans and overhead.

    That is one of the things we like to change in one of the next versions. Most people don't use scheduled scans, so having that warning indicator really makes no sense and just causes the user to learn to ignore red warning labels on the start screen.

    The a2guard.exe process is essentially just a GUI process. It doesn't do anything on its own and fully relies on the a2service.exe process to do any actual work. The only way to get multiple a2guard.exe processes is if there is a bug in EAM or if you login with multiple users simultaneously (Fast User switching).

    That would be unlikely. The error message you get clearly points to WOT. Essentially what happens is that the WOT DLL is unloaded from the Internet Explorer process, but the DLL fails to unregister certain callbacks or hooks. The result is, that once such a hook or callback is triggered, Internet Explorer tries to execute code in the DLL that is no longer there, resulting in the crash.

    And in completely unrelated news:

    Emsisoft Emergency Kit 4.0 has just been released :).
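
An added example, not part of any post in this thread and not Emsisoft or WOT code: a small triage of the problem signature posted earlier, flagging the pattern described above (code executed at an address inside a module that has already been unloaded). It assumes the report's "Exception Data" field carries the access-violation type from the exception record, where 8 means an execute fault; the function names are hypothetical.

```python
# Problem signature fields copied from the crash report posted earlier in this thread.
REPORT = """\
Problem Event Name: BEX
Application Name: iexplore.exe
Fault Module Name: WOT.dll_unloaded
Fault Module Version: 0.0.0.0
Exception Offset: 05927fdd
Exception Code: c0000005
Exception Data: 00000008
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
# Access-violation type flag as documented for EXCEPTION_RECORD.
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute"}


def parse_signature(text):
    """Turn 'Key: Value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(fields):
    """Classify a crash signature; all field names are those shown in the report."""
    module = fields.get("Fault Module Name", "")
    code = int(fields.get("Exception Code", "0"), 16)
    data = int(fields.get("Exception Data", "0"), 16)
    unloaded = module.endswith("_unloaded")
    is_av = code == STATUS_ACCESS_VIOLATION
    access = ACCESS_TYPES.get(data, "unknown") if is_av else None
    return {
        "module": module[: -len("_unloaded")] if unloaded else module,
        "unloaded": unloaded,
        "access_violation": is_av,
        "access": access,
        # Execute fault inside an unloaded module: a hook or callback that was
        # never unregistered is the likely cause, so look at that module first.
        "stale_callback_suspected": unloaded and is_av and access == "execute",
    }


if __name__ == "__main__":
    print(triage(parse_signature(REPORT)))
```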
     
  17. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Thanks for the info. I will keep an eye out to see if it changes in the next update.

    EEK 4.0 is already on my USB stick.
     
    Last edited: Jul 11, 2013
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    System stats: Win 7 x64 SP1, SATA HDD speed approx. 180 Mb/s, 8 GB DDR 1600 Performance memory.

    Pertaining to NIS 2013, it was uninstalled prior to install of EAM 8.0 and Norton clean tool run after a reboot. Then EAM 8.0 was installed.

    Other security software; Trusteer Rapport and EMET 3.0.

    Attached is screen shot of EAM 8.0 scan log summary. Don't know what else I can say. Perhaps a EAM scan conflict with EMET 3.0? I don't have anything protected by EMET except the standard all apps selections plus lsass.exe. I do have SEHOP and DEP set to opt out and ASLR to opt in for system settings.

    -EDIT- I just started a Smart scan and watched scan in Performance Monitor. EAM is only using core 0 and 1 of my 6 core AMD Phenom II 1045T processor. Looks like EAM has a problem with AMD CPUs?
    Also advanced caching is set to on so these later scans should be much faster.

    I bumped up thread count to the maximum of 12 and that allowed EAM to use 5 of the 6 cores. A slight improvement at normal scan priority. I can bump that up but don't know if I want to.

    Sorry but the times you quoted on your PC are in the range I had running NIS 2013 similar scans. I have run EAM free for years off and on and regardless of PC it was installed on, the scans were slow. I guess I have to attribute the current scan times to the Bitdefender engine that is no speed demon.
     


    Last edited: Jul 13, 2013
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sounds to me there might be an issue between EMET's ASLR setting for IE9 that causes the WOT .dll load address to be randomized and WOT not being able to find it? EAM 8.0 might have added something to the whole process? I will disable ASLR for IE9 and see if that helps. It is recommended that ASLR in IE9 be set off for Trusteer Rapport but had no issues like I said prior to the EAM 9.0 install.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Have you tried configuring performance settings?
     
  21. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Emsisoft Anti-Malware 8.0.0.11 with BETA updates enabled:

    - Improved crash tracking mechanism
    - Wrong behavior of Quarantine and Delete buttons in scanner dialog when selecting individual items – fixed.
    - Compatibility issue of Explorer integration and third party file managers – fixed.
    - Minor GUI glitches – fixes.
    - Wrong display of scan method in scan logs – fixed.
    - Occasionally missing the tray icon in taskbar – fixed.


    :thumb:
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Did you read the last paragraph of my posting? Thread count is located in the "Performance Settings" section.

    I also am a believer that one should not have to "tweak" his AV scanner to get a decent batch scan time.

    To get things back into perspective since real time AV scanning with EAM 8.0 paid is your main protection, the batch scan times are not that important.
     
  23. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Oh sorry, I must have skipped it. :)
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There is one comment I want to make about the Performance Settings option.

    Based on the screen shot I posted above of my scan log, it appears that the "advanced data caching" option is not working. This option is supposed to eliminate the re-scanning of known safe files if their contents remained unchanged. If that were true, the scanned files count should decrease with each subsequent scan? In the log I posted, the Smart scan file counts are identical for multiple scans. Also the scan times are approximately the same giving further support that no files were being excluded from the scan.
     
  25. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Skipped files are still counted as being scanned. So you won't see a drop in scanned objects. The impact of the cache largely depends on what is the limiting factor during the scan on your system. Since in your system the limiting factor appears to be the hard disk transfer speeds, the cache will not have a significant impact, as the cache doesn't help to avoid file reads.
     