qwerty123

Path of Exile - Ongoing False Positive


Greetings, I reported a false positive for the Path of Exile game several months ago on the website submission form.

It might have been partially addressed, as it's not a constant spam of Warnings like it was before. However, it still occurs most times I leave the game, usually many minutes later after the game has long been closed and hasn't been in Task Manager the whole time, which is a little odd.

If that makes no sense to you at all, the only thing I can think might be related is that I run some autohotkey helper macros to launch/alongside the game, and I time them out on a fixed ~5 minute timer. Perhaps that's when Immunet picks up what it thinks is weird behavior and traces it back to the game's .exe.

Running the latest version of Immunet (7.3.2.11960). Also occurred before updating. There's nothing related in the File History nor Quarantine.


Hi qwerty123,

Have you tried to add a custom Exclusion rule for the autohotkey app(s) with Immunet? If not, give that a try and see if that fixes the issue. Just make sure you exclude the correct file path(s) for the app(s).

On 11/7/2020 at 5:58 PM, ritchie58 said:

Hi qwerty123,

Have you tried to add a custom Exclusion rule for the autohotkey app(s) with Immunet? If not, give that a try and see if that fixes the issue. Just make sure you exclude the correct file path(s) for the app(s).

Oh I didn't know about manual exclusions. Excluding pathofexile_x64.exe didn't help. Then I excluded 3x .ahk files and YoloMouse (launched by a macro). Seems to be good now.


Glad I could help out qwerty123. If you encounter any other conflicts between Immunet & the game or mouse apps let me know.

Best wishes, Ritchie...


Short-lived. I didn't adjust anything since then and haven't really been playing.

Today I launched and kept the game open for a while doing minor stuff. Noticed many hours later that Immunet had popped up a whole bunch of warnings at some point. Not sure if it was during or after play.


If you created a C:\Program Files Exclusion for the game that should have worked!

No mistakes can be made with spelling, spaces, etc... associated with the file path or the exclusion won't work. If you manually typed in the file path the first time around try using the Exclusion's "Browse" feature this time.

Also, try excluding the game's "entire Program Files folder" if you didn't last time.

Here's how...

Open Settings -> scroll down to Add New Exclusion & click on that -> click on the Browse button -> find the correct Program Files folder and click on the folder itself -> click on Add Exclusion -> click Apply -> click Close.

You can delete the old exclusion after you create the new one.

I hope this info helps qwerty123
Best wishes, Ritchie...


I wish a support person would/could add some insight into this issue. Adding the game's entire C:\Program Files (x86)\ folder directory to the exclusion list should have worked. Unless...

Immunet does have additional behavioral blocking capabilities too so maybe that's the issue. Immunet thinks that the game's executable is possibly "unknown malicious code" trying to execute on your system would be my extrapolation.

Mmm, try adding another exclusion for the file path of the executable file that's being shown with the warning dialog box. That is: C:\Program Files (x86)\Path of Exile\PathOfExile_X64.exe (great idea to add the screen-grab btw!).

Also, try turning off "Blocking Mode" in Settings too.

Regards, Ritchie...

 


Wow! I can't think of anything else for you to try qwerty123, I'm at a loss. Sorry I couldn't help ya bro!

I would normally recommend that you submit another FP report to the devs but the FP reporting URL seems to be non-functional at this time which comes as no surprise to me given the current circumstances.

With no technical support on this site anymore and other on-going issues (such as the FP URL not working & the continuing EX0 server error messages with this site to name a few) I know I'm starting to get quite perplexed as to why Immunet was/is being so neglected for so many months now.

I know there's a pandemic going on but other AV companies don't seem to have problems providing expert technical support for their users in spite of that fact.

Must be that this software is an "extremely low" priority with Cisco right now.

If things don't improve soon I don't think I will want to remain involved with this project. That's how frustrated I'm becoming!

"I don't want to attempt to support, which I'm increasingly starting to believe is, just glorified abandonware for much longer!"

Everyone has only so much patience before it's expended.

Seeing software that once had such great potential (and still does actually) that I've been personally involved with for well over 10 years go by the wayside really sucks!

Ritchie...


Slight update on this. It actually occurs even just having the game running in the background and not logged in. And Immunet goes through periods of using 80%+ of the CPU (AMD Ryzen 7, GeForce 1060)... There's definitely something wrong here.

I'll turn on Gaming Mode and see if it goes away. (Could have sworn I turned Gaming Mode on long ago... Maybe Immunet forgets your settings when you update the core software versions? That's not good.)


Hi qwerty,

That really is what I would call excessive CPU cycles being utilized! Does it do that when Gaming Mode is enabled?

Gaming Mode is designed to disable itself when you do a reboot. This is a security feature just in case someone forgot that Gaming Mode is still enabled.


Yes it does it with Gaming Mode on. It starts out using 20% of my CPU, then climbs and climbs to 75-80%+, seemingly using up whatever is available, maxing out my CPU usage at 98%-100%. Even after closing the game and all macros, "Cisco AMP for Endpoints Connector" has now increased to using 93% of my CPU (total 98-99%). After a couple minutes it finally starts slowly decreasing by jumps of 10-20% CPU usage at a time every 5-10 seconds until eventually back to 0% after a couple minutes. I ran the whole thing again and recorded it, same thing happens (Gaming Mode on). There's an incredible amount of processing going on for what is essentially almost nothing happening on my computer. I did nothing, just stared at the screen the whole time, aside from launching and quitting Path of Exile:

This example/test I just did gave no false positive warnings (though they still occur, I had several 10 minutes ago (Gaming Mode was off though, I think)).


I watched the whole video. Great idea to add the screen grab video for documentation! There definitely is some sort of 'continuing' serious conflict between the game & Immunet.

"Yeah, that process 'normally' does not continue to use up that much system resources for that length of time!" Weird!

Have you tried to contact the game's developers to see if Path Of Exile has caused problems with other AVs & if there's a fix/workaround for that?

This is just a guess on my part but some games do use one or more Windows Temp file directories that might also need to be excluded. That's something else you could ask the game's developers.

One more thing you could try is to also disable 'Monitor Program Start' in Settings to see if that makes any difference. You will lose some of Immunet's efficacy by turning off this important setting however.

Like I mentioned before, I do wish a support technician would get involved with this issue but I'm not going to hold my breath on that happening!

Best wishes, Ritchie...

 


Here's something else you could try. Immunet developers have rolled-out a new 7.3.12 build that has some bug fixes & improvements. 

You should get the update pushed to you through the UI or you can directly download the newest boot-strapper installer here. https://download.immunet.com/binaries/immunet/bin/ImmunetSetup.exe 

It wouldn't hurt to do an uninstall & reinstall actually considering the circumstances. It's up to you.

If you do decide to do an uninstall & reinstall with the new build I would recommend you keep your previous Settings & Exclusions by clicking on the "YES" option when the uninstaller prompt asks if you plan to re-install Immunet. That way you won't have to re-configure your Settings and add your Exclusions over again as Immunet will save your history.dat files.


I very much appreciate the effort you've put in here. Unfortunately taking any/all of these steps is a lot of effort, when I can just turn off the Immunet Service to "solve" the problem... I'll try to post again if I try any of these steps. For now I'm just going to play the game in peace and quiet. :)
