
ESS V9 (V10 probably too) bug: (plain) wrong HIPS and firewall log entries



As evidenced by me here (see screenshot #1, 08/20/2016 - come on, ESET, what's going on?) and here there is a crystal-clear bug in ESS V9, and presumably in ESS V10 too: the HIPS module is writing wrong and even plain wrong HIPS log entries, i.e. log entries with a wrong description!

 

[extracted from 2nd link above] Though it seems that a somewhat "related" description from a wrong HIPS rule is always taken, there exist rare cases where even the real 'source' and 'source' of the other description are different, see the screenshot. And, but very difficult (time-consuming and only programmatically...) to verify, wrong HIPS log entries only occur during a HIPS duplicates popup, eventually (but rather (very) rarely) with a wrong HIPS log entry slightly prior to a duplicate popup (so to speak "announcing a duplicates popup"). There are even cases where no wrong log entry can be seen.

 

These wrong HIPS log entries occur near or at the very moment of a "Mysterious" HIPS Duplicates Popup (see 1st link), but can be written completely unrelated to such an incident too!

 

The newest variant of the wrong HIPS log entries bug being this one, see the screenshot! These wrong log entries are occurring since I have made a HIPS ASK rule for 'all sources, write to file / delete file, %LocalAppData%, %AppData%, C:\Windows\Temp\' - thanks 'itman'!!! As you can see in the screenshot this new HIPS rule is leading to HIPS log entries with a never before seen "operation: unknown operation" and a totally weird "rule: int3rn4l" as description! I definitely have no HIPS rules with a description of "int3rn4l". And to make the weirdness complete I have saved this picture with file name 'a000.jpg', not 'a001.jpg' as the log entry says. These weird log entries are occurring sometimes when I'm saving a picture within Opera V12.x, which is writing a temporary file to %LocalAppData% before actually saving the file to my RAM disk... And there exists a quite new HIPS rule for this writing to %LocalAppData% for Opera V12.x already, correctly triggered by the new HIPS ASK rule some time ago. Thus these steps are happening: I'm doing a "file save as" in Opera V12.x, HIPS triggers a 'dllhost.exe, regOps, EnableLinkedConnections', Opera writes a temporary file to %LocalAppData% (and deletes it, later) and writes it to the directory I specified, HIPS writes the EnableLinkedConnections and the write / delete events in %LocalAppData% done by Opera according to the stored HIPS rule for this event, and HIPS sometimes even writes this very weird log entry (see the screenshot!)...

 

I'm suggesting that all users of ESS V9 and ESS V10 filter their HIPS logs for "int3rn4l" as fast as possible; this seems to be a constant value! Thus it's a no-brainer to find such log entries... Please report your findings here, thanks!

 

@Marcos/ESET: definitely this and any other bug I'm reporting to you has anything to do with my "fancy" PC, my "fancy" 32 GB RAM and the "fancy" programs I'm using, the only program that makes problems on my PC is ESS V9, that's for sure - bet on it!

 

Here one last example of a wrong HIPS log entry, perfectly captured by my ESS Checker program ("SOLL" means "log entry rule description should be this one...", "IST" means "... but is effectively that one"):

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** peOps log entry /w wrong description: '28.10.2016 23:55:09;C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\consent.exe;some access allowed;User rule: allow svchost.exe (modify state of app, term. / susp., VMerge);Modify state of another application,Get access to another application',

source='C:\Windows\System32\svchost.exe', target='C:\Windows\System32\consent.exe',

SOLL='User rule: allow svchost.exe (modify state of app, [iD=15B, 28.12.2015: führt dies auf Spur der FREAKY Doublette???], audiodg.exe, consent.exe, mobsync.exe, wmpnscfg.exe, SysWOW64 control.exe, SysWOW64 rundll32.exe, taskhost.exe, Opera V12.x 64-bit + Plugin-Wrapper)',
IST ='User rule: allow svchost.exe (modify state of app, term. / susp., VMerge)'

(...)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


----------------------------------------------------------------------------------------------------------------------------

ESS V9.0.408, Win7 Pro x64 (of course always up to date), 32 GB RAM, AMD Athlon Phenom II...

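The filtering the poster recommends (search the exported HIPS log for "int3rn4l" / "unknown operation") and the SOLL/IST comparison his ESS Checker output shows can be done with a few lines of script. The following is an added example written for this thread, not the poster's ESS Checker program and not ESET code. It assumes the semicolon-separated export format visible in the quoted entry (`time;source;operation;target;action;rule;operations`); the sample log lines and the expected-rule table are constructed for the example (the first log line is the one quoted in the post), and the exact layout of a real export may differ.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample export (added example, not a log from the poster's machine).
# Line 1 is the entry quoted in the post; lines 2 and 3 are made up so that the
# checks below have something to find and something to accept.
SAMPLE_LOG = r"""28.10.2016 23:55:09;C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\consent.exe;some access allowed;User rule: allow svchost.exe (modify state of app, term. / susp., VMerge);Modify state of another application,Get access to another application
28.10.2016 23:56:10;C:\Program Files\Opera\opera.exe;unknown operation;C:\Users\u\AppData\Local\Temp\a001.jpg;allowed;int3rn4l;Write to file
28.10.2016 23:57:11;C:\Windows\System32\svchost.exe;Modify state of another application;C:\Windows\System32\audiodg.exe;allowed;User rule: allow svchost.exe (modify state of app, audiodg.exe, consent.exe, mobsync.exe);Modify state of another application
"""

# "SOLL": the rule description the operator expects for a (source, target) pair.
# Constructed for the example; in practice this would be built from one's own
# HIPS rule list. Paths are compared case-insensitively (Windows).
SVCHOST_RULE = "User rule: allow svchost.exe (modify state of app, audiodg.exe, consent.exe, mobsync.exe)"
EXPECTED_RULES = {
    (r"c:\windows\system32\svchost.exe", r"c:\windows\system32\consent.exe"): SVCHOST_RULE,
    (r"c:\windows\system32\svchost.exe", r"c:\windows\system32\audiodg.exe"): SVCHOST_RULE,
}

# Markers the post describes as never belonging to any user-defined rule.
SUSPECT_RULE_TEXT = "int3rn4l"
SUSPECT_OPERATION = "unknown operation"


@dataclass
class HipsEntry:
    time: str
    source: str
    operation: str
    target: str
    action: str
    rule: str
    operations: list  # the comma-separated last field, split into items


def parse_hips_log(text):
    """Parse the 7-field, semicolon-separated export into HipsEntry objects."""
    entries = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) != 7:
            continue  # blank or truncated line; skip rather than guess
        time, source, operation, target, action, rule, ops = row
        entries.append(HipsEntry(time, source, operation, target, action, rule,
                                 [op.strip() for op in ops.split(",") if op.strip()]))
    return entries


def find_suspect_entries(entries):
    """Entries carrying the 'int3rn4l' rule text or an 'unknown operation'."""
    return [e for e in entries
            if SUSPECT_RULE_TEXT in e.rule.lower()
            or e.operation.lower() == SUSPECT_OPERATION]


@dataclass
class Mismatch:
    entry: HipsEntry
    soll: str  # expected rule description
    ist: str   # description actually written to the log


def check_rule_descriptions(entries, expected=EXPECTED_RULES):
    """Report entries whose logged rule description differs from the expected one."""
    mismatches = []
    for e in entries:
        soll = expected.get((e.source.lower(), e.target.lower()))
        if soll is not None and soll != e.rule:
            mismatches.append(Mismatch(e, soll, e.rule))
    return mismatches


if __name__ == "__main__":
    entries = parse_hips_log(SAMPLE_LOG)
    for e in find_suspect_entries(entries):
        print(f"suspect: {e.time} {e.source} -> {e.target} op={e.operation!r} rule={e.rule!r}")
    for m in check_rule_descriptions(entries):
        print(f"*** log entry with wrong description: {m.entry.time} {m.entry.source} -> {m.entry.target}")
        print(f"    SOLL={m.soll!r}\n    IST ={m.ist!r}")
```

Run against a real export, the first loop answers the poster's question ("do you have int3rn4l entries?") and the second reproduces his SOLL/IST report; a mismatch here says nothing about whether HIPS enforced the right rule, only that the description written to the log differs from the rule one would expect for that source/target pair.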

  • Administrators

As for int3rn4l, I think it was itman who asked about that. Logging these records does not affect the functionality of HIPS whatsoever and should be disregarded. It won't be logged as of the next build of the HIPS module.
