
ESET and iTunes don't play nicely together



On a fresh installation of ESET NOD32 Antivirus 11.1.54.0 and iTunes 12.7.5.9 on a brand new installation of Microsoft Windows 10 Enterprise LTSB 1607 on a Dell Optiplex 3010 (Intel Core i5-3540/8GB, 250GB Crucial MX-200 SSD, 2TB WD Red, Intel HD Graphics and AMD FirePro W2100), the following event occurs between two and eight times within two or three seconds approximately every twenty minutes:

Log Name:      Microsoft-Windows-CodeIntegrity/Operational
Source:        Microsoft-Windows-CodeIntegrity
Date:          6/27/2018 8:05:37 PM
Event ID:      3033
Task Category: (1)
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <OBSCURED BY AUTHOR>
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Event Xml:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4EE76BD8-3CF4-44A0-A0AC-3937643E37A3}" />
    <EventID>3033</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>111</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-06-28T02:05:37.608988400Z" />
    <EventRecordID>1986</EventRecordID>
    <Correlation />
    <Execution ProcessID="1316" ThreadID="416" />
    <Channel>Microsoft-Windows-CodeIntegrity/Operational</Channel>
    <Computer>andromeda.eis.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="FileNameLength">57</Data>
    <Data Name="FileNameBuffer">\Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll</Data>
    <Data Name="ProcessNameLength">65</Data>
    <Data Name="ProcessNameBuffer">\Device\HarddiskVolume2\Program Files\ESET\ESET Security\ekrn.exe</Data>
    <Data Name="RequestedPolicy">7</Data>
    <Data Name="ValidatedPolicy">1</Data>
    <Data Name="Status">3221226536</Data>
  </EventData>
</Event>

There are currently 1,450 of these events in the CodeIntegrity log, and they began occurring immediately upon the installation of iTunes, and they are the only events in that log. They appear to have no effect on the functionality of the machine, but since nothing gets reported anywhere else, and the user is not informed of the unsuccessful scan of a DLL, it makes one wonder what might happen if the same failure occurred during the scan of a malicious DLL. The event also occurs on other machines of different types with Windows 10 Professional.

Edited by EveningStarNM
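
An added example, not part of the original post and not ESET or Microsoft code: a Python decoder for the event 3033 record quoted above that turns RequestedPolicy, ValidatedPolicy and Status into readable values and counts rejected loads per process/DLL pair. The signing-level and NTSTATUS names come from the Windows SDK headers rather than from this thread, and `decode_3033` and `summarize` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# SE_SIGNING_LEVEL_* values from the Windows SDK (winnt.h); not from the thread.
SIGNING_LEVELS = {0: "Unchecked", 1: "Unsigned", 2: "Enterprise", 3: "Custom 1",
                  4: "Authenticode", 5: "Custom 2", 6: "Store",
                  7: "Custom 3 / Antimalware", 8: "Microsoft", 12: "Windows",
                  14: "Windows TCB"}
NTSTATUS = {0xC0000428: "STATUS_INVALID_IMAGE_HASH"}  # from ntstatus.h

# Constructed sample: the record from the post, trimmed to the fields used here.
SAMPLE_XML = r"""<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3033</EventID></System>
  <EventData>
    <Data Name="FileNameBuffer">\Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll</Data>
    <Data Name="ProcessNameBuffer">\Device\HarddiskVolume2\Program Files\ESET\ESET Security\ekrn.exe</Data>
    <Data Name="RequestedPolicy">7</Data>
    <Data Name="ValidatedPolicy">1</Data>
    <Data Name="Status">3221226536</Data>
  </EventData>
</Event>"""

def local(tag):
    """Drop the XML namespace so any xmlns value is accepted."""
    return tag.rsplit("}", 1)[-1]

def decode_3033(event_xml):
    """Decode one event 3033 record; return None for any other event ID."""
    root = ET.fromstring(event_xml)
    event_id = next((e.text for e in root.iter() if local(e.tag) == "EventID"), None)
    if event_id != "3033":
        return None
    data = {e.get("Name"): e.text or "" for e in root.iter() if local(e.tag) == "Data"}
    requested, validated = int(data["RequestedPolicy"]), int(data["ValidatedPolicy"])
    status = int(data["Status"]) & 0xFFFFFFFF  # logged as unsigned decimal
    return {
        "process": data["ProcessNameBuffer"].rsplit("\\", 1)[-1],
        "image": data["FileNameBuffer"].rsplit("\\", 1)[-1],
        "requested": SIGNING_LEVELS.get(requested, f"level {requested}"),
        "validated": SIGNING_LEVELS.get(validated, f"level {validated}"),
        "status": f"0x{status:08X} {NTSTATUS.get(status, '')}".strip(),
    }

def summarize(event_xmls):
    """Count rejected loads per (process, image) pair across many records."""
    decoded = filter(None, map(decode_3033, event_xmls))
    return Counter((d["process"], d["image"]) for d in decoded)

print(decode_3033(SAMPLE_XML))
```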

  • Administrators

We do not load mdnsNSP.dll. I assume it's Bonjour itself which attempts to inject the dll into ekrn, which fails due to self-defense protecting ekrn from this.


27 minutes ago, Marcos said:

We do not load mdnsNSP.dll. I assume it's Bonjour itself which attempts to inject the dll into ekrn, which fails due to self-defense protecting ekrn from this.

I'm not sure what Microsoft means by "load" in this context, but if Bonjour is trying to inject the DLL into ekrn, then it should be classified as malicious, should it not? For some reason, I doubt that Apple, Inc., writes code to inject its DLLs into third-party applications, especially of the anti-malware variety, but, if it does, this is an extremely serious issue.


This topic is now closed to further replies.