• Online Armor install causing Win7 startup errors

    #496635

    Following uninstalling and cleaning up after Vipre (& backups & System Restore points), I installed trial versions of Emsisoft AM and Online Armor yesterday, fought with OA until past midnight, then shut down and disabled OA (via MS Services, available after OA shutdown), and switched to Windows firewall, whereupon all was well. Went to bed and just before falling asleep remembered an anomaly where some “garbage” characters had briefly appeared in the list of trusted programs, after which the list disappeared.

    So this morning I completely uninstalled OA plus all traces and created another System Restore point. Then I re-downloaded OA and reinstalled it, after making sure all else on my computer (Lenovo laptop with Win7Pro) was running well — including Classic Menu, Classic Explorer, and Shell Folder Fix, etc. I accepted the default settings and watched it go through its Learning mode again for the prescribed 2 minutes. Reviewed the results, just to see, and added a few Allowed programs, keeping a more hands-off approach this time in case I was getting in the way. Also allowed OA exe files in EAM.

    Once again, I’m having problems getting those programs to run predictably and on startup (e.g., 2nd boot the Classic Menu worked, 3rd & 4th times not), even though added under Firewall as Allowed. And once again, I’m encountering various system file startup WerFault.exe memory-read/write errors — igfxtray.exe, hkcmd.exe, and igfxpers.exe, which handle things like on-screen volume control at the swipe of an LED “button,” etc. on my laptop; also Logitech SetPoint & Lenovo battery mgt. Each boot adds more system file WerFault errors. And the snowball continues downhill……

    Task Manager won’t run, nor will Process Explorer (Sysinternals), although Autoruns does start. The MS Mgt Console won’t run, so no access to Services. Even little Notepad freezes & closes; I’m making notes on my Stickies program and on paper — no printscreen, either. I’ve added various Lenovo, Logitech, & Intel exe files as Allowed. And I’ve turned on debug mode, figuring someone will want that info.

    I’ve emailed Emsisoft support, but apparently they work M-F. Am hoping Rui has some ideas; until then, I’m shutting down & then disabling OA in order to have a functional computer.

    • #1469037

      You should try and get OA in Learning mode and then boot the system like that. OA in learning mode takes notice of what programs are running and automatically authorizes them. Once you are happy with everything running, you can get OA off learning mode.

      With OA and running programs, the Programs option in the side menu is very important. This is the whitelist maintained by OA and it is independent of the firewall settings, which are related to permissions for such programs to access your network (or the internet). After learning mode, you can open this list and make sure all programs here are set as Allowed and Trusted. That should get you started without issues.

      HTH

      • #1469039

        Yeah, I forgot to mention that both last night and this afternoon I did just that — put it into Learning mode and then rebooted — and again — and again. It’s just not wanting to learn, I guess — I can’t figure out what’s going on. Any other ideas?

        And this time around, I discovered that after shutting OA down, I still couldn’t get into Services, nor could I even bring up the Start Menu without restarting Explorer each time, although I had just unchecked the OA “Launch at Next Startup” when I received notification of your response.

        And thanks, Rui, for responding — right after I posted, even. 🙂

    • #1469047

      Hmmm… what security programs did you use before OA, other than Vipre, that is?

      That situation is very uncommon. My first suspect would be some incompatibility with security software (or remains of such). To find out what is happening, I think the very best is to involve Emsisoft’s support, by posting in their support forum (I know you said you’d rather not do it but with so many problems, it’s probably the only way to find out what is going on and sort it). They can lead you through a troubleshooting procedure, that likely will involve configuring OA to create logs as it runs.

    • #1469067

      Thanks, Rui. I’ve been wondering about that, as well; I’ve been running EMET 5.0 and Malwarebytes AntiExploit Free, both of which did well with Vipre.

      OA recognized and allowed both MBAE and EMET automatically but then had the other problems. Facing facts, I find that OA’s granular control and HIPS are a bit over my head — actually, quite a bit over my head. Thus, if this can’t easily be resolved, then I can accept the more automated EIS without HIPS. I’m behind a NAT router, and I do very little outside work anymore; my laptop is there only for reference, not hooked in.

      When I began looking for better security earlier this year, I decided that I wanted a multi-layered approach using more than a single vendor for active memory-resident protection, so I added EMET and took note of the fact that Emsisoft and Malwarebytes programs are not only highly rated but are said to get along well with others, being designed to do so. Thus they are key elements of that strategy. My bank has also been pushing the free Trusteer Rapport for their website, so that’s another possible (optional) element, one that Vipre didn’t handle well.

      The Emsisoft support page indicates either emailing or posting on the forum, so I think I’ll just wait for their email reply. The time it has given me for further research, thought, and reassessment has been quite productive. 🙂

    • #1469069

      I never used EMET and, for the moment, I don’t think I will. The combo OA + EAM seems enough for my needs. Any robust, whitelisting HIPS would be a replacement for OA.

      This said, I believe there must be something in your setup that is causing OA to behave like that. I never had trouble running the on demand MBAE with OA, so I would look at EMET as the first possibility for conflicts.

      You being behind a router means EIS wouldn’t bring much more, when compared with say, EAM + the Windows firewall, other than an easier to configure firewall.
      The granular control of OA over programs is precisely the reason for me to use it. I can accept it is not a tool for everyone, but my experience is that it usually just works without need for much input, after an initial post setup phase, where it may require a bit more input from you.

    • #1469071

      Thanks for that, Rui. I’ll be interested to see what Emsisoft support comes up with. I was really frustrated not being able to figure out what might be so unusual that it would stop OA in its tracks. When my laptop was new, I did my usual uninstallation or disabling of a number of the “features,” and I keep a sharp eye on autoruns for stuff I don’t want, so it’s pretty pared down and runs smoothly.

      When I send Emsisoft whatever logs they want, they’ll likely spot something…. If I can get OA through the setup phase and running well, so that only occasional adjustments are needed, then that’s for the better, but I’ve let go of which way it might go. One of my life lessons: stubbornness, like most other things, can be taken to extremes. 😉

    • #1469074

      Trusteer Rapport can be quite difficult to uninstall and has been known to cause problems for some.

      If you haven’t installed it yet – then don’t.

      I use HitmanPro Alert to protect my browser(s) which is also a freebie but trouble free, although I think you should resolve your current problems before adding another layer.

      Here it is for when you are ready http://www.surfright.nl/en/alert

    • #1469076

      Oh, I for sure will take it one step at a time! And I mentioned Trusteer Rapport only as a possibility; if all else is working well, then I see little if any need for it.

      Just now finished a new install of OA, after stopping and disabling EMET. Same ol’ thing with memory read/write errors — this time happening *during* the Learning process following reboot. Will try putting it into Learning mode and rebooting once, but if no go, then once again will uninstall it.

    • #1469082

      Just wondering if it’s DEP that’s causing the problem and maybe changing its settings could help http://windows.microsoft.com/en-gb/windows7/change-data-execution-prevention-settings

    • #1469085

      Thanks, Sudo15. I just now finished bringing my computer back up to speed following my 3rd clean install of OA (and now uninstall) — this time with EMET stopped and disabled (rather than uninstalling it, although I could have done that, then reinstalled with prior settings).

      In any case, it came up with the same memory read/write errors with basic system files. In the OA install process, I enabled full debug logging right off the bat during the install, just before the reboot. Then once up, with the same system errors, I put it into Learning mode and rebooted again. Without EMET running at all, I had the same problems. Couldn’t even run Notepad to paste in the contents of one Debug window — had to use Notepad++. Copied the OA Log folder to my data folders, plus any other logging type of info., so perhaps Emsisoft can figure it out, but I really *am* done for now — third time was not the charm.

      Thanks for your suggestion, though. Perhaps if OA does get up and running, DEP would be something to look at.

    • #1469088

      I have DEP turned on and it doesn’t affect OA.

      Given the OA situation, I would probably wait for the contact from Emsisoft’s support. I guess only the info in the logs can shed light on what may be causing this.

    • #1469091

      I know it would seem to defeat the object of running OA in Learning Mode, but have you thought of doing this in a clean boot and then adding the Startup items back one by one – although you don’t need any items in Startup for the system to run, but it could also be one of the non-MS services.

      Rui doesn’t seem to have any problems so the conflict must lie with what else you have installed.

    • #1469109

      Thanks, Sudo. If you’re referring to the Startup folder, those I’ve added are few, but yes, that is one thing I could try (when I’m ready for the next sparring match). Or were you referring to unchecking added software in the Sysinternals Autoruns Logon tab? Most are device drivers and such: Lenovo, Intel, Realtek, Synaptics, SRS Labs, etc., which seem to load first, with some of those being what crash and burn.

      As for a C:\EEK folder, I’ve never had one, but the OA uninstall is complete with no left-over folder under either Program Files folder, nor in Roaming; I double-check manually and with a CCleaner registry scan. My free version of EAM was simply authorized with the trial code, which enabled full memory-resident AntiMalware function.

    • #1469123

      Sorry about the EEK folder bit – thinking of Emsisoft Emergency Kit which is why I edited it out hopefully before you read it. 🙂

      If you have a restore point to take you back to before you installed all of these programs, I think you should just start with installing one of them such as EMET (as that appears to be a major player) if you want to keep that, then check to see that everything is fully functional then add either OA or Emsisoft, but before adding the second of those, fully uninstall the other first so as not to muddy the waters.

      This bleepingcomputer.com site is useful for determining if a Start up item is required/desirable and clicking on either of those in the grid will give an explanation of their function.

      Any not listed that you want to check out can be manually entered into the Search box. http://www.bleepingcomputer.com/startups/

    • #1469179

      Thanks, Sudo. I did actually see the C:\EEK comment and commented on it above. :p

      I initially checked the BleepingComputer.com site; however, the services that errored out are clearly essential for my system and not optional. OA successfully accepts my various programs as Allowed, but without the basic services my laptop apparently needs, they and even Windows itself won’t successfully function.

      I’ve heard back from Emsisoft, so we’ll see what they might come up with. I’ve got lots of log files, copied data, and dump files that I can send them for study.

    • #1469192

      Hopefully they can come up with an answer.

    • #1469263

      Well, another day down the tubes. Although I have offered to send the Logs folder & other info. they normally ask for and that I managed — with difficulty — to save prior to the last uninstall of OA, they seem uninterested:

      You are the first customer with such massive issues to use Online Armor.

      Online Armor development is currently paused. The debug files wouldn’t help yet because our developers do not fix potentially bugs currently in Online Armor.

      Given the severe degree of instability with OA installed, I’m not willing to try running TeamViewer at the same time. While I could recover from a total crash, it’s not something I’d willingly risk. Why are they not even willing to look at the logs first to see if there IS something I could adjust? :confused:

      They asked me to test EIS instead — which I said I’d consider, once they examined my logs to see if there’s a possibility of adjusting something. But with the apparent cursory reading of what I’ve said, there’s no guarantee they’d even look at the logs if I were to upload/send them. And it doesn’t sound promising for OA…..

    • #1469266

      Have you tried with the clean boot yet – although that won’t isolate any active security programs.

      The only way other than disabling those is to boot up into Safe Mode with Networking.

      • #1469277

        Have you tried with the clean boot yet – although that won’t isolate any active security programs.

        The only way other than disabling those is to boot up into Safe Mode with Networking.

        Clean boot disables non Microsoft services as well as startup programs and will disable most security software. (I never say all :rolleyes: )

        Jerry

    • #1469285

      Have you tried with the clean boot yet – although that won’t isolate any active security programs.

      The only way other than disabling those is to boot up into Safe Mode with Networking.

      The clean boot process is definitely worth a shot, and I’ll give it a go when I can dive in again.

      I find that dealing with computers going wonky is no longer exhilarating and a fun challenge for me — I must have maxed out. I still enjoy trying to figure out problems or the odd piece of software, but only with a fully functional computer. :P:

      So when I have a good block of time and am ready for a few rounds again (to mix metaphors — although I guess people take dives in the ring), I’ll do a clean-boot installation with a sustained manual learning mode to see what, if anything, I can discover.

    • #1469297

      Diagnosing with a clean boot can be time consuming as you are starting up with quite a bit disabled and have to add one bit back at a time then check things are as they should be until they aren’t.

      Where it can get interesting (if that’s the word) is when a combination of three non MS services are the cause – any two of the three is fine but the third stops things dead.

      Hopefully a clean boot for you will identify the cause much easier.

      Edit

      Looks like you’re not alone as this looks like it could be 2-0 to EMET with yours and that could be a good place to start with the anomalies.

      http://windowssecrets.com/forums/showthread//164540-Firefox-and-IE-have-stopped-working

    • #1469331

      Diagnosing with a clean boot can be time consuming as you are starting up with quite a bit disabled and have to add one bit back at a time then check things are as they should be until they aren’t.

      If you enable all services and see if the problem returns, you cut the diagnostic time in half. Once you find it’s either services or startup programs that are the issue, enable the remainder in groups of four or six and you quickly zero in on the problem. Many times you can deduce the probable entries and shorten debug time even further. I never add one at a time. It rarely takes me much time to zero in on the culprit using a clean boot.

      Jerry

    • #1469335

      MS recommend enabling half of the non MS services and then the other half but I’ve seen this miss the scenario with the combo I’ve previously described, which is why I suggest the slower one at a time approach.
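
The trade-off debated in the posts above (enabling in halves or groups versus one at a time, and the case where three services only fail together), as an added simulation that is not part of any forum post. It goes beyond the thread by including delta debugging, a grouped search that also tests "everything except one group"; the service names, the culprit trio and the `boot()` stand-in are constructed, and the fault is assumed to reappear whenever all culprits are enabled.

```python
# Added illustration, not code from the thread. Service names and the culprit
# trio are constructed; boot() stands in for "reboot and check for the fault".

SERVICES = [f"svc{i:02d}" for i in range(1, 13)]   # 12 hypothetical non-MS services
CULPRITS = {"svc02", "svc07", "svc11"}             # fault needs all three enabled


def make_boot(culprits):
    """Simulated boot test: faults only when every culprit is enabled."""
    culprits, seen = frozenset(culprits), set()

    def boot(enabled):
        seen.add(frozenset(enabled))       # each distinct configuration = one reboot
        return culprits <= set(enabled)

    boot.reboots = lambda: len(seen)
    return boot


def halves_once(services, boot):
    """Enable one half, then the other; return the faulting half or None."""
    mid = len(services) // 2
    for half in (services[:mid], services[mid:]):
        if boot(half):
            return half
    return None


def disable_one_at_a_time(services, boot):
    """Start fully enabled; leave a service off only if the fault survives without it."""
    enabled = list(services)
    for svc in services:
        trial = [s for s in enabled if s != svc]
        if boot(trial):
            enabled = trial
    return enabled


def split(items, n):
    """Cut items into n contiguous, near-equal, non-empty groups (n <= len(items))."""
    k, m = divmod(len(items), n)
    return [items[i * k + min(i, m):(i + 1) * k + min(i + 1, m)] for i in range(n)]


def ddmin(services, boot):
    """Delta debugging: test groups, then 'everything except one group', refining
    the group size until no service can be dropped without losing the fault."""
    if not boot(services):
        raise ValueError("fault does not reproduce with everything enabled")
    current, n = list(services), 2
    while len(current) >= 2:
        groups = split(current, n)
        keep = next((g for g in groups if boot(g)), None)
        next_n = 2
        if keep is None:
            rests = ([s for s in current if s not in g] for g in groups)
            keep = next((r for r in rests if boot(r)), None)
            next_n = max(n - 1, 2)
        if keep is not None:
            current, n = keep, next_n
        elif n >= len(current):
            break
        else:
            n = min(len(current), 2 * n)
    return current


if __name__ == "__main__":
    for method in (halves_once, disable_one_at_a_time, ddmin):
        boot = make_boot(CULPRITS)
        print(method.__name__, "->", method(SERVICES, boot), "reboots:", boot.reboots())
```

With the culprits spread across both halves, the single halving pass reports nothing, while the other two searches isolate the trio at the cost of more reboots.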

    • #1469353

      Thanks for your input, Sudo and Jerry — my email checker was temporarily out of commission (operator error), so I didn’t get the notification of your replies.

      Currently I’m getting one response every 24 hours from Emsisoft, and they’re not eager to support OA on my system, even if I can find the culprit(s). So I’m appreciative of your help and concern.

    • #1469383

      QUESTION: Is disabling EMET 5 services with services.msc as good as uninstalling it re diagnostic purposes?

      I heard back from my once-daily Emsisoft “support” person — not answering ANY of my questions nor my request for a support person who would be able to work in my time zone, and not addressing any of my concerns, for example, that I had already totally disabled EMET before installing OA. Only a statement to uninstall it.

      • #1469385

        I couldn’t answer that for definite but I know that when you just use Windows uninstaller to uninstall an AV program, residue is left which can and often does conflict with the new AV, so on that basis, aspects of EMET could still cause a conflict and I would go for the clean sheet approach and uninstall it.

    • #1469388

      Thanks, Sudo.

    • #1469494

      I have given up — on both OA and Emsisoft support, who didn’t answer my questions and/or concerns that I listed. As with this forum, where I spend time wording my posts to be as clear as possible and businesslike, I spent time wording my responses to Emsisoft. At this point, I have had no further communication from them. I tried asking for a different support person, as people communicate differently, and it’s common to have communication issues, but that request has also gone unanswered. Perhaps I should have used their other support option: their forum; the sunshine of many eyes on their response/non-response might have been more effective — but that’s water under the bridge.

      I am left to conclude that Emsisoft has no real desire to support OA and instead wants people to buy EIS.

      As my desktop XP computer is my critical work computer and has a multitude of programs that would be VERY expensive to update or replace, it will remain XP until my final client retires. There is no way I can or will subject that computer to the possibility of the severe instability I had with OA on my Win7 laptop (which serves as a bare-bones backup for the XP), and both have gradually had additional security programs added for a layered approach, with the goal of replacing Vipre. Other people have had no problems running OA and EMET, but Emsisoft has not answered my questions, so I’m done with OA — I’m not going to buy software so reluctantly “supported.” I’m no longer feeling as positive about Emsisoft, either.

      I intend to ask for a switch of the two trial licenses they granted me for EAM and OA to licenses for EIS, as they apparently want me to do. Even so, I’ll be taking a deep breath when installing EIS, given my bad experience with Emsisoft support. (Oh yes, I’ll be imaging my XP first with my trusty and proven Ghost 2003.)

      • #1469508

        I have given up — on both OA and Emsisoft support, who didn’t answer my questions and/or concerns that I listed. As with this forum, where I spend time wording my posts to be as clear as possible and businesslike, I spent time wording my responses to Emsisoft. At this point, I have had no further communication from them. I tried asking for a different support person, as people communicate differently, and it’s common to have communication issues, but that request has also gone unanswered. Perhaps I should have used their other support option: their forum; the sunshine of many eyes on their response/non-response might have been more effective — but that’s water under the bridge.

        I am left to conclude that Emsisoft has no real desire to support OA and instead wants people to buy EIS.

        As my desktop XP computer is my critical work computer and has a multitude of programs that would be VERY expensive to update or replace, it will remain XP until my final client retires. There is no way I can or will subject that computer to the possibility of the severe instability I had with OA on my Win7 laptop (which serves as a bare-bones backup for the XP), and both have gradually had additional security programs added for a layered approach, with the goal of replacing Vipre. Other people have had no problems running OA and EMET, but Emsisoft has not answered my questions, so I’m done with OA — I’m not going to buy software so reluctantly “supported.” I’m no longer feeling as positive about Emsisoft, either.

        I intend to ask for a switch of the two trial licenses they granted me for EAM and OA to licenses for EIS, as they apparently want me to do. Even so, I’ll be taking a deep breath when installing EIS, given my bad experience with Emsisoft support. (Oh yes, I’ll be imaging my XP first with my trusty and proven Ghost 2003.)

        I think the forum is clearly their best support option. That is what I use. The forum has the advantage of having experienced users helping out as well, much as we have here. I have also never failed to get a reply on the forum.

        If EAM works for you, EIS will, as well. As I said before, I see no real advantages on EIS over EAM + the Windows firewall. You have a finer degree of control over the firewall, and that can be an advantage, but likely not something that can be of use in most cases.

        I have been running OA since the XP days, on a machine that has since been upgraded to W7. I still have it running in a Vista box, a Windows 7, a Windows 8 and a Windows 8.1 laptop. I have persisted with it as it really never caused any issues that could not be overcome on my own or using Emsisoft’s support.

    • #1469522

      Thanks, Rui. I’ll use their forum after this — lesson learned. I guess I hadn’t read enough posts to realize that other experts jumped in, other than a switch of reps sometimes when things were going south.

      I’m currently running EAM and Windows Firewall, with EAM keeping tight tabs on a few otherwise-troublesome programs I added to its application rules. It’s the XP firewall that worries me, and that’s my critical computer. (As I said before, WAY too expensive to upgrade the special software used or to replace it — and licensing and installers prevent reinstall in virtual machine.)

      Soon after I posted my above conclusions, I finally got a response from a new rep at Emsisoft OA support, who addressed the actual issues. So I’m back to trying another install this weekend, when I don’t need my laptop as an emergency backup computer on standby, this time excluding my Intel, SRS Sound, Realtek, etc. folders, something I had wondered about but was concerned about doing, exempting them from protection.

      Apparently the Universe is having a lot of fun with me as I bounce back and forth between my conclusions (EIS? Persist with OA?) Every time I reach one conclusion, something happens to bounce me to the other one. I’ll be REALLY glad when this process is finally over. :wacko:

    • #1469523

      Good luck with that attempt.

      I understand the rationale for using EIS with XP. It can provide a bit more protection over the native firewall, yes, but I agree OA is really what you need there. With OA, your XP security will be greatly enhanced, the whitelisting being a good thing to have in an OS with no further security updates.

    • #1469526

      Is there any risk in excluding (exposing?) system hardware driver folders from firewall protection? Does it open a path of attack?

      I’ve asked the same question of the rep but am also interested in the thoughts of those who know more than I on this subject.

    • #1469575

      Any exceptions to HIPS monitoring open an avenue for possible attack. How likely that will be used, I can’t really answer.
      What I will say is that I never had to do anything like that and I don’t see why you should, anyway.

    • #1469701

      Well, I did my 4th OA install tonight. After further research on igfxtray.exe, igfxpers.exe, and hkcmd.exe, I decided to go ahead and remove them from auto-starting. I even went ahead and uninstalled EMET 5.0, after exporting my settings.

      I then installed OA again. At the outset I excluded some folders including my beloved Classic Shell/Explorer and ShellFolderFix, plus Logitech SetPoint, which were all problems before. Then rebooted to finish the install process and began excluding others, incl. Realtek Audio, and the AV/AM stuff like EAM and MBAE; I even excluded the on-demand MBAM and SAS. All this while I had Learning Mode running and kept it on as I added more folders (Macrium Reflect, etc. — anything I had read about that was known to cause problems with OA), and then began trying to run various programs. During this, I rebooted yet again, with Learning Mode still going, then shut it off after a bit.

      I did balk at excluding Windows\system32, where some of the “problem” files reside, along with little things like Task Manager, etc. Why have a firewall if I have to exclude everything?

      Windows seemed to be a bit more stable this time, though I found I still could not run Task Manager or Sysinternals Process Explorer and was worried about other such things I hadn’t yet tried to run. I was still getting some periodic WerFault errors, but I thought perhaps I could try to get it to a point that was stable enough to handle remote support.

      Then OA froze — with no Task Manager available. I have again uninstalled OA.

      OA may be a great firewall, in spite of the testing results last spring, but this has been over the top. I’ve reinstalled EMET 5 and will reboot a couple more times, check the registry, possibly do a System Restore just to be sure, if anything looks funny. My travels with OA are at the end of the road; I don’t need anything that cranky — I can do cranky on my own.

    • #1469706

      Do you get requests to authorize such programs when you try to run them?

      • #1469887

        Do you get requests to authorize such programs when you try to run them?

        Your question has stuck with me. You meant the Task Manager, Sysinternals Process Explorer, and the ilk? No, no requests for authorization as with other programs, just nothing happening or erroring out, Learning Mode or not.

        I’m now looking at PrivateFirewall as a possibility for my XP; Gizmo’s 2014 review gave it 5 stars, and I think I’ll take a closer look. If not, then ZoneAlarm (not free); both have HIPS. I’m liking the EAM, so that plus MBAM Premium, MBAE, etc. from there. EMET 4 is already running on it, even with Vipre.

    • #1469741

      Do you get requests to authorize such programs when you try to run them?

      I was running it mostly in Learning Mode but had it alert me — I saw various programs flash by, one of which was one of the three I had stopped from auto-starting; others went by pretty fast while I was focusing on system functions, which still weren’t up to par, though I went in and reviewed the allowed list periodically. I don’t believe Task Manager ever showed up, nor did Process Explorer. But I really am done with OA this time.

      I was unable to restore the System Restore Point I had created prior to the install; it errored out. I ran sfc and chkdsk /f (no errors except for minor in free space), then tried restoring it again, just in case, but no go. So apparently (irony alert) OA fired a parting shot as I bid farewell. :D:

      I think things are okay; the restore point is probably not critical, as things once again seem to be working well, and I always have my Macrium Reflect images and daily data/user backups.

      I am reevaluating the best path forward with the business XP — minus OA, which could install okay on it, but I’m not even going to try it. I know that things are much more complex, with much over my head now, but I’ve never had such disastrous results with installing and setting up programs from the 1980s forward, including firewalls, and this is a mainstream laptop (2011 Lenovo).

    • #1469891

      If you find that your restore points return as unsuccessful, then try them in Safe Mode as AV programs can interfere.

      I think it’s probably because they don’t like going back to where their Definitions would be out of date.

      Can you get Task Manager and those other programs to work in Safe Mode ?

    • #1469966

      Thanks, Sudo. I’ll keep that in mind going forward. I have successfully used restore points before, but doing so in Safe Mode is something I hadn’t thought of.

      Once OA crashed, my priority was to uninstall it, so I didn’t take the time to see if it behaved in Safe Mode. If this were a spare computer, now that the mental rust is largely off, it would have been interesting to solve this Gordian knot, but as it is, my priority was to get it up and running again. (I did play a word game following all of this, and blew the roof off of prior scores, so this turned out to be good for my brain. :D)
