Started by XhenEd, August 16, 2015, 10:42:39 PM
Quote from: edkiefer on August 17, 2015, 05:54:27 AM
What happens when you close PL GUI but leave Process Lasso governor running? Were you running graph open with GUI? There are refresh rate settings for both GUI and governor.
Quote from: BenYeeHua on August 19, 2015, 10:50:50 AM
Sorry for that, I am a bit losing my mind, so I somehow can't focus on many things.
Quote from: Jeremy Collake on August 19, 2015, 12:41:10 PM
I think your guess that the GUI is triggering EIS's tamper detection is right. Can you give me a run-down of EIS process names? Otherwise, we will of course research ourselves, but this may save time.
Thanks!
Quote from: Jeremy Collake on August 20, 2015, 08:00:55 PM
I actually did add the two processes you listed in the most recent beta, 126.96.36.199 beta.
There may be other Emsisoft processes though? If you can check any log Emsisoft has, that may tell us what it's triggering on.
Thanks!
Quote from: Jeremy Collake on September 02, 2015, 09:53:02 AM
Well, at least they responded.
Even though the issue is with EIS, I am still attempting to work around it. So you're still seeing it? Any other processes I should add to the tamper-detection avoidance list?
Quote
The problem is not that they [Process Lasso] are looking. The problem is that they are opening a whole bunch of processes with rights that allow them to modify and change the process in rapid succession over and over again.
Quote
The problem is that they are opening a whole bunch of processes with rights that allow them to modify and change the process in rapid succession over and over again.
Quote from: BenYeeHua on September 03, 2015, 03:46:48 PM
Well... Are we talking about the same software?
Quote from: Jeremy Collake on September 03, 2015, 07:39:52 PM
Ok, I have EIS installed in a test bed. It actually seems to do alright with the last Process Lasso final (v8.8.2), though I have now also added 'a2wizard.exe' to all future builds.
Note that if you do NOT see any more *repetitive* and *continual* Process Lasso tamper detection events in EIS, then the CPU consumption by EIS may NOT be related to Process Lasso (issues already fixed). Security suites like this always have a fairly heavy footprint since they have to do so much real-time scanning. Originally there was surely an issue with Lasso setting off its tamper detection repetitively, but testing the most recent final build of Process Lasso, I don't see any interoperability issue due to the previously added exclusions.
There may be some sporadic cases where Process Lasso triggers EIS's tamper detection, but a few events in its log is nothing. The only *problem* is when EIS starts logging repetitive events, continually, without throttling them in any way, which *can* lead to excessive CPU use.
All security suites have heavy footprints, so will inherently consume a lot of system resources.
Quote from: Jeremy Collake on September 03, 2015, 08:24:38 PM
Sorry, I have dealt with tamper detection issues of other security suites, so assumed it did have a log somewhere it is writing to. It may do so and not display it to the user.
I'm updating that test bed and will try a restart.
These exclusions I've added cause Process Lasso to not even *touch* the Emsisoft processes, and I think I've hit all the resident ones. a2wizard.exe, of course, only runs during the setup, and is now added as of 188.8.131.52-beta.
Definitely this *was* an issue in older versions. The question now is whether it is still an issue.
BUT, without the logs, what makes you think the CPU use is from Process Lasso interacting with it? Is there some other way you are correlating the apparent excessive CPU use of EIS processes (which of course can fluctuate dramatically depending on what it's doing) with Process Lasso?
If you're unsure, you may want to try uninstalling Process Lasso for a day or two, and see if there is any real change to EIS's CPU use.
Quote from: Jeremy Collake on September 03, 2015, 08:35:58 PM
Ok, great, I was going to suggest simply closing Process Lasso, but I would not have expected such a dramatic difference.
Please allow me some time to verify this and see what in the world is going on so I can give a more certain answer without haphazardly guessing and making these rapid-fire posts.
Thanks!
Quote from: XhenEd on September 03, 2015, 08:38:48 PM
Edit: I tried pausing the Refresh Interval of the GUI. And it seems that it solved the problem.
Quote from: Jeremy Collake on September 07, 2015, 03:48:38 PM
This makes sense. That, well, pauses the GUI's refresh of the processes. You can still hit F5 to refresh the view. Lowering the refresh rate, instead of pausing it entirely, will also work.
If I can't create a fix, I'll at least do something to mitigate the problem, such as automatically reducing the refresh rate when EIS is detected.
Quote
It seems EIS keeps a watch on *everything* going on with the system. I'm still evaluating it fully, but man it definitely injects its hooks everywhere. Therefore, what is setting it off may not be any tamper-detection mechanism, as was the case with other security software, but rather simply that it is having to deal with so many 'open process' operations that it can't efficiently handle (or not efficiently enough).
Quote from: Jeremy Collake on September 09, 2015, 03:44:13 PM
OK, what I've got on the agenda presently, for a partial solution, is to reduce the GUI refresh rate to 5 seconds (from 1 second default) when EIS is detected. This isn't a full solution, but is a good start, as it will cut EIS load caused by Process Lasso substantially.
Is it just me or does EIS seem to really drag the system down in general? It *may* just be my virtual machine.
Quote from: Jeremy Collake on September 10, 2015, 12:45:58 AM
Yes, it's the system restart that seems a bit sluggish in particular, probably as EIS builds its scan cache, or loads it into memory from prior scans. Once built, it then doesn't have to rescan all those objects, so then is faster (guessing)... Anyway, keeping the GUI closed is certainly a fine and appropriate solution. If I can figure a way to adjust the process operations to not trigger EIS at all, I will do so, but that's more major work I'll have to reserve for v9... which is coming soon.
Quote
I don't think EIS is dragging my system down. However, I notice that my system restart is slower than usual after I installed EIS. Someone reported it already, and the Emsisoft team said that they would look into it.
Quote from: BenYeeHua on September 10, 2015, 04:59:27 PM
This is normal, except you want to get virus not detected while booting. Some anti-virus just delay the loading of the monitoring (and also engine) for booting, so they are completely useless for 1-2 min after booting.
Quote from: arcanum on September 13, 2015, 12:06:00 PM
Completely useless 1-2 min after booting? Do you have papers for that? As far as I know, at least my firewall driver runs on a "ring 0" kernel drive mode. So the driver denies all ARP etc. connections during boot up.
Quote from: parkd1 on September 23, 2015, 11:09:16 AM
Hmmmm just an idea. Maybe add edit tamper-proof list to version 9.
Quote
What BenYeeHua means is that most security suites are cloud based these days, and thus they have to get their latest update from the cloud, which may not occur until a few minutes after boot.