Hello,
Recently we have discovered an issue with Barco ClickShare application. It is a wireless presentation solution, and we may have some of the legacy versions in use, for example, Barco ClickShare CSM-1. Barco said they will not provide any updates on this product and issue, as it is a discontinued product.
When the application inside Barco ClickShare button is launched (the latest supported firmware by that product), any app on Windows 10 and Windows 11 using hardware acceleration gets killed/crashes without warning by ESET - Zoom, Edge, Chrome, OBS, Remote Desktop, even the built-in Photo viewer hangs or gets killed.
Did some advanced troubleshooting and after disabling Deep Behavioral Inspection in ESET Advanced Setup, it started to work again. The other solution is to add rundll32.exe from Windows system directory to HIPS allow list. None of the solutions above fully resolve the issue, because Barco is used both by company laptops and private BYOD devices which we can't access and disable antivirus components on.
I remember this was not happening in summer but started happening recently. Happens both on ESET Endpoint Security 10.1.2058.0 and ESET Internet Security 16.2.15.0.
When Barco app is launched, it extracts some files to TEMP directory and calls
C:\Windows\SysWOW64\rundll32.exe DXCap.dll,DXCAP_Hook
This gets logged in HIPS logs:
Time;Application;Operation;Target;Action;Rule;Additional information
21.11.2023 09:57:39;\Device\HarddiskVolume5\ClickShare_for_Windows.exe;Modify state of another application;C:\Windows\System32\csrss.exe;Blocked;Self-Defense: Do not allow modification of system processes;
Attached a screenshot of HIPS Interactive mode and the offending executable in a ZIP archive. But this issue won't happen while the Barco button is not physically connected to the computer, so it may not be possible to replicate.
Maybe there is a chance your team can inspect this issue further.
ClickShare_for_Windows.zip
ees_logs.zip