EveningStarNM
Posted June 28, 2018 (edited)

On a fresh installation of ESET NOD32 Antivirus 11.1.54.0 and iTunes 12.7.5.9 on a brand new installation of Microsoft Windows 10 Enterprise LTSB 1607 on a Dell Optiplex 3010 (Intel Core i5-3540/8GB, 250GB Crucial MX-200 SSD, 2TB WD Red, Intel HD Graphics and AMD FirePro W2100), the following event occurs between two and eight times within two or three seconds approximately every twenty minutes:

Log Name: Microsoft-Windows-CodeIntegrity/Operational
Source: Microsoft-Windows-CodeIntegrity
Date: 6/27/2018 8:05:37 PM
Event ID: 3033
Task Category: (1)
Level: Error
Keywords:
User: SYSTEM
Computer: <OBSCURED BY AUTHOR>
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\ESET\ESET Security\ekrn.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Event Xml:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4EE76BD8-3CF4-44A0-A0AC-3937643E37A3}" />
    <EventID>3033</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>111</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-06-28T02:05:37.608988400Z" />
    <EventRecordID>1986</EventRecordID>
    <Correlation />
    <Execution ProcessID="1316" ThreadID="416" />
    <Channel>Microsoft-Windows-CodeIntegrity/Operational</Channel>
    <Computer>andromeda.eis.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="FileNameLength">57</Data>
    <Data Name="FileNameBuffer">\Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll</Data>
    <Data Name="ProcessNameLength">65</Data>
    <Data Name="ProcessNameBuffer">\Device\HarddiskVolume2\Program Files\ESET\ESET Security\ekrn.exe</Data>
    <Data Name="RequestedPolicy">7</Data>
    <Data Name="ValidatedPolicy">1</Data>
    <Data Name="Status">3221226536</Data>
  </EventData>
</Event>

There are currently 1,450 of these events in the CodeIntegrity log, and they began occurring immediately upon the installation of iTunes, and they are the only events in that log. They appear to have no effect on the functionality of the machine, but since nothing gets reported anywhere else, and the user is not informed of the unsuccessful scan of a DLL, it makes one wonder what might happen if the same failure occurred during the scan of a malicious DLL. The event also occurs on other machines of different types with Windows 10 Professional.

Edited June 28, 2018 by EveningStarNM
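
A way to triage events like the one quoted in the post above, as an added example that is not part of the thread and not ESET or Microsoft code: it parses exported Event ID 3033 XML, decodes the decimal Status field into its NTSTATUS hex value, and counts blocked loads per process and DLL pair. The function names and the trimmed sample are constructed for illustration, and only the signing level named in the post is mapped.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The event text on this page describes RequestedPolicy 7 as "Custom 3 /
# Antimalware"; Status 3221226536 is 0xC0000428, STATUS_INVALID_IMAGE_HASH.
SIGNING_LEVELS = {7: "Custom 3 / Antimalware"}
NTSTATUS = {0xC0000428: "STATUS_INVALID_IMAGE_HASH"}

# Trimmed copy of the event quoted in the post (namespace as it appears there).
SAMPLE = r"""<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>3033</EventID></System>
<EventData>
<Data Name="FileNameBuffer">\Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll</Data>
<Data Name="ProcessNameBuffer">\Device\HarddiskVolume2\Program Files\ESET\ESET Security\ekrn.exe</Data>
<Data Name="RequestedPolicy">7</Data>
<Data Name="ValidatedPolicy">1</Data>
<Data Name="Status">3221226536</Data>
</EventData></Event>"""

def parse_event(xml_text):
    """Return a dict for one Event ID 3033 record, or None for any other event."""
    event_id, data = None, {}
    for node in ET.fromstring(xml_text).iter():
        name = node.tag.rsplit("}", 1)[-1]  # match by local name, any namespace
        if name == "EventID":
            event_id = int(node.text)
        elif name == "Data":
            data[node.get("Name")] = node.text or ""
    if event_id != 3033:
        return None
    status = int(data["Status"]) & 0xFFFFFFFF  # also normalizes signed exports
    requested = int(data["RequestedPolicy"])
    return {
        "process": data["ProcessNameBuffer"],
        "image": data["FileNameBuffer"],
        "requested": SIGNING_LEVELS.get(requested, f"level {requested}"),
        "validated": int(data["ValidatedPolicy"]),
        "status": f"0x{status:08X}",
        "status_name": NTSTATUS.get(status, "unknown"),
    }

def summarize(events_xml):
    """Count blocked loads per (process, image) pair across exported events."""
    pairs = Counter((ev["process"], ev["image"]) for ev in map(parse_event, events_xml) if ev)
    return pairs.most_common()

if __name__ == "__main__":
    print(parse_event(SAMPLE), summarize([SAMPLE] * 2))
```

Run over a full export of the CodeIntegrity/Operational log, the summary shows at a glance whether every one of the logged events involves the same process and DLL pair or whether other modules are being rejected as well.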

Marcos (Administrators)
Posted June 28, 2018

We do not load mdnsNSP.dll. I assume it's Bonjour itself which attempts to inject the dll into ekrn which fails due to self-defense protecting ekrn from this.

EveningStarNM (Author)
Posted June 28, 2018

27 minutes ago, Marcos said:
    We do not load mdnsNSP.dll. I assume it's Bonjour itself which attempts to inject the dll into ekrn which fails due to self-defense protecting ekrn from this.

I'm not sure what Microsoft means by "load" in this context, but if Bonjour is trying to inject the DLL into ekrn, then it should be classified as malicious, should it not? For some reason, I doubt that Apple, Inc., writes code to inject its DLLs into third-party applications, especially of the anti-malware variety, but, if it does, this is an extremely serious issue.