Hello again, not here very often but I have some questions that I could not find answers to.
1.- If a program is monitored, it will not go back to "Allow" after some time, even when it is a known safe program?
What got me worried a bit is that after a fresh install, WSA set explorer.exe (and lsm.exe) to monitor. Both 100% clean on virustotal. Is this a new default behavior or should I REALLY start worrying?
2.- When I allow a trusted program, it still gets blocked?
In this case GSC.exe, I get a "The application was unable to start correctly (0xc0000018)" message. When I disable the realtime shield, it runs.
I like very much how WSA protects you, even if you don't want it to haha!
Seriously, I trust you guys know what is best, but where is the limit of user control. I know GSC has FP issues but is considered safe. So if a user allows a program, why not keep monitoring it instead of blocking it completely?
cheers,
Wammes
Page 2 / 2
Userlevel 5
Hello community,
This thread has made an interesting turn... :D
1. Uninstalling via appwiz.cpl (add/remove) removes WSA the best and this is for consumer and business.
2. Uninstall via "wrsa.exe -uninstall", leaves remnants behind for reinstall and import of previous settings.
3. A "Deactivate" command from console leaves dba-dbi files and allows for import of settings. Business does not prompt for import.
4. For business builds, an "Uninstall" agent command from console also leave db files behind as did deactivate.
5. The MSI for businesses also has a known issue that uninstalling from any other manner than MSI command or GPO, it leaves remnants behind that prevent reinstall via MSI. Dev is aware and will resolve.
If anyone is seeing anything different or has any concerns with our uninstalls, please let us know and we'll alert development.
Thanks all,
This thread has made an interesting turn... :D
1. Uninstalling via appwiz.cpl (add/remove) removes WSA the best and this is for consumer and business.
2. Uninstall via "wrsa.exe -uninstall", leaves remnants behind for reinstall and import of previous settings.
3. A "Deactivate" command from console leaves dba-dbi files and allows for import of settings. Business does not prompt for import.
4. For business builds, an "Uninstall" agent command from console also leave db files behind as did deactivate.
5. The MSI for businesses also has a known issue that uninstalling from any other manner than MSI command or GPO, it leaves remnants behind that prevent reinstall via MSI. Dev is aware and will resolve.
If anyone is seeing anything different or has any concerns with our uninstalls, please let us know and we'll alert development.
Thanks all,
Follow up:
All issues fixed - explorer and lsm no longer monitored, GSC starts.
How:
assistance and whitelisting by tech support.
What done:
reinstalled WSA a few times. Specifically asked to reboot after uninstall, not to import old settings. <-- that seems to be important, as TripleHelix already suggested.
A scan and reboot was necessary after the whitelisting.
Also was asked to locate the WRData folder and rename it. I did find WRData in c:program files, not in c:programdata. It contained PKGVistax86wrflt.dll (the browser extension). <-- so maybe leftovers were messing things up.
Note: I was instructed to uninstall via the start menu (means "wrsa.exe -uninstall"). Shawn mentioned uninstall via appwiz.cpl removes WSA the best, would that not be a better default action for tech support to suggest?
- - - - - - - - - - - - - - - - - -
Strange why explorer got monitored in the first place... maybe messed up permissions. Could not find anywhere what the defaults are, copied these from an older explorer.exe in the winsxs folder, removed my username and restored the missing trustedinstaller:
administrators read&execute (not inherited)
SYSTEM read&execute (not inherited)
users read&execute (not inherited)
trustedinstaller fullcontrol (not inherited) OWNER
I hope that is correct, I would be grateful if anyone could check their W7pro 32bit explorer.exe permissions.
Thanks again all for the great support in this community 🙂
All issues fixed - explorer and lsm no longer monitored, GSC starts.
How:
assistance and whitelisting by tech support.
What done:
reinstalled WSA a few times. Specifically asked to reboot after uninstall, not to import old settings. <-- that seems to be important, as TripleHelix already suggested.
A scan and reboot was necessary after the whitelisting.
Also was asked to locate the WRData folder and rename it. I did find WRData in c:program files, not in c:programdata. It contained PKGVistax86wrflt.dll (the browser extension). <-- so maybe leftovers were messing things up.
Note: I was instructed to uninstall via the start menu (means "wrsa.exe -uninstall"). Shawn mentioned uninstall via appwiz.cpl removes WSA the best, would that not be a better default action for tech support to suggest?
- - - - - - - - - - - - - - - - - -
Strange why explorer got monitored in the first place... maybe messed up permissions. Could not find anywhere what the defaults are, copied these from an older explorer.exe in the winsxs folder, removed my username and restored the missing trustedinstaller:
administrators read&execute (not inherited)
SYSTEM read&execute (not inherited)
users read&execute (not inherited)
trustedinstaller fullcontrol (not inherited) OWNER
I hope that is correct, I would be grateful if anyone could check their W7pro 32bit explorer.exe permissions.
Thanks again all for the great support in this community 🙂
Page 2 / 2
Reply
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.