WRSA monitor function always kicks in too late after browser updates! Why?

Discussion in 'Prevx Betas' started by guest, Aug 22, 2012.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    I am using WRSA Essentials 8.0.1.229 beta therefore I am posting this here even if I am sure the release version has the same problem.

    I am using Aurora as browser (it's really fast and great experience btw!) and even before that with beta Firefox mostly I noticed often a strange behaviour of WRSA: if I install new updates - let's say now daily for Aurora - then WRSA doesn't seem to realize that at first. - Why not!?

    I am talking about the monitor function. That does often only kick in after another (!) restart of the program - or reboot - (I guess when firewall first sees "new" activity of the new version and "old" activity "cache" of older version is outdated?). And that is extremely annoying to me!

    I don't want Aurora/Firefox to be monitored at all and never, for performance reasons (stopping unnecessary log writing activity etc.) and because I trust Mozilla. But as it is I simply cannot tell WRSA immediately after installing the new browser version to NOT monitor it (that would be quite annoying also of course, always having to do that I mean!) as it DOESN'T seem to be aware for a long time of the mentioned update. After a certain much too long period of time (as I said: maybe first firewall event of new version triggers that?) then "monitoring" is ON and only then I can disable that even if I used the new browser version for let's say half an hour until then!?

    Believe me: it's really annoying! And some flaw in detection of new programs in WRSA anyway. So please fix that bug ASAP. - New programs (updates) should either immediately be monitored (if not known to the cloud yet) or maybe - even better - we could choose an option for browsers like Firefox, Aurora etc. to *NEVER* monitor them. - That thing is bugging me for quite a time and now finally I had enough and thought I should report that. ;)
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined: Sep 14, 2008 | Posts: 8,242 | Location: USA/UK
    You can configure overrides, but they only apply on each version of a file based on its MD5 rather than on its path. It would be very risky to allow files by path entirely.

    As soon as the file first executes, you'll see it under Monitor in the Active Processes list in WSA where you should be able to change it as soon as it's loaded for the first time.
     
  3. guest

    guest Guest

    I know all that. And if I have to always stop monitoring manually then so be it. Painful and annoying as it is.

    But you didn't get my point:

    See, there's a bug. - The update is executed (of aurora in my case here) but WRSA doesn't seem to be aware of that for a long time. Hence firefox.exe in aurora folder isn't monitored - at first.

    Only if I start the browser again (!) - second new start of new program - then WRSA is popping up its firewall and THEN I can un-switch the monitoring function.

    And that can't be right. But it is doing that for quite a while now, for many versions. If you ask me it's a bug somewhere in the firewall. Maybe because the name doesn't change (firefox.exe) and access to internet was granted for the older version there exists a time frame where WRSA is sometimes (not always!) unaware of an existing browser update.

    I have that for months. Please take a look at that behaviour. My point is WRSA should see an update right after / while it is being installed. Monitoring should then start immediately but it doesn't often, as I try to describe to you.

    That is a bug. Can't be something else, right? - I mean if I already use the new version (after an upgrade!) and firewall alert pops only up after the NEXT (!) restart (2nd restart) ... then clearly there has to be a bug somewhere, don't you think?

    It's not always the case though, I would guess every second update or even more often I experience this. Then I have to wait (or restart the browser) so that I can switch OFF monitor function. That is the annoying part, the waiting. :(
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined: Sep 14, 2008 | Posts: 8,242 | Location: USA/UK
    This is probably just because of how WSA has to monitor browsers - they're handled differently than other processes as WSA needs to perform Identity Shield monitoring as well as outbound protection and inject various other modules into it. I'll take a look into it myself, but I'd be curious as to if it still happens if you disable the Identity Shield to test.

    Thanks!
     
  5. Techfox1976

    Techfox1976 Registered Member

    Joined: Jul 22, 2010 | Posts: 749
    Start monitoring right after the update...

    Are you running the browser during the update and then restarting later? That's how most of the browser updates work these days. Update in the background, don't mandate an immediate restart.

    The reason this is important is because when the update is done while the browser is running, it doesn't swap out the browser PE until the next restart or new instance, so the update isn't really even running yet. It's just sitting "Ready to run".

    Of course if you're updating when the browser isn't running, or restarting right after the update, and it's still not being monitored despite being a new PE image loading into RAM, that's an issue. But I see that as being unlikely.
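
    Added example, not part of any post above and not Webroot's code: a small Python model of the two points made in this thread, that overrides are keyed by a file's MD5 rather than its path (post 2) and that a background update does not replace the on-disk executable until the next restart (post 5). The `OverrideStore` class, the `.staged` file name and the file contents are constructed assumptions for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of the file's current on-disk content (the key the thread says overrides use)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

class OverrideStore:
    """Hypothetical model: per-file overrides keyed by content hash, not by path."""
    def __init__(self):
        self.by_hash = {}
    def set_override(self, path, action):
        self.by_hash[md5_of(path)] = action
    def decide(self, path):
        # An unknown hash falls back to monitoring, whatever the path is.
        return self.by_hash.get(md5_of(path), "monitor")

def decide_by_path(allowed_paths, path):
    """The path-based alternative: any content at an allowed path is trusted."""
    return "allow" if path in allowed_paths else "monitor"

def simulate():
    """Return the decision at each stage of a staged browser update."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "firefox.exe")
        staged = os.path.join(d, "firefox.exe.staged")  # assumed staging name
        with open(exe, "wb") as f:
            f.write(b"constructed build 1")
        store = OverrideStore()
        store.set_override(exe, "allow")  # user switches monitoring off
        out["before_update"] = store.decide(exe)
        with open(staged, "wb") as f:  # update downloaded while browser runs
            f.write(b"constructed build 2")
        out["staged_not_restarted"] = store.decide(exe)  # old image still on disk
        os.replace(staged, exe)  # restart: the new image is swapped in
        out["after_restart"] = store.decide(exe)  # new MD5, override gone
        out["path_rule_after_restart"] = decide_by_path({exe}, exe)
        with open(exe, "wb") as f:  # any other content written to the same path
            f.write(b"constructed unrelated binary")
        out["hash_rule_other_content"] = store.decide(exe)
        out["path_rule_other_content"] = decide_by_path({exe}, exe)
    return out

if __name__ == "__main__":
    print(simulate())
```

    In this model the override survives until the restart swaps the image, after which the new hash is unknown and monitoring resumes; a path rule would keep allowing whatever sits at that path.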
     