
ekrn.exe launches firefox


eitanc


Hello, I use NOD32 12.2.30.0 on Windows 10 pro 64 bit.

Recently I noticed a sudden/flash appearance of the Firefox banner on the taskbar. Like it loads and then terminates.

Looking at the Windows Security event log, I found it was launched by the NOD32 process ekrn.exe... very strange. See attached screenshot.
Firefox is NOT my default OS browser.

I didn't find any NOD32 scheduled process that is related to Firefox nor a matching windows "scheduled task".

Any ideas?

ekrn-firefox.png

Edited by eitanc
add a comment about FF not being my default browser

Suspect this is caused by Eset's Banking & Payment Protection. It in essence opens a hardened browser session under ekrn.exe protection. Did such activity occur around the time the Windows Event Log entry was created? However, this only occurs if FireFox was already opened. If B&PP is selected via desktop icon, it will open the Win default specified browser.

Edited by itman

OK. I am using EIS. Thought B&PP was also included in NOD32.

Just checked my Event 4688 Log entries and the only thing I observe is activity from Win system processes.

22 minutes ago, eitanc said:

Recently I noticed a sudden/flash appearance of the Firefox banner on the taskbar. Like it loads and then terminates.

I know of no reason why ekrn.exe would actually attempt to load FireFox outside of B&PP activity. Very strange indeed.


I am running now procmon to capture only events where the process name is "ekrn.exe" and the path includes "firefox.exe". We'll see what we catch.


21 minutes ago, itman said:

I know of no reason why ekrn.exe would actually attempt to load FireFox outside of B&PP activity. 

Also this activity does not cause a like Event 4688 entry to be created when B&PP is activated within a FireFox session.

Edited by itman

Open Process Explorer or Win Task Manager and see if multiple ekrn.exe processes are running. There should be only one instance of it; a child process of services.exe.

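The two checks discussed so far in the thread (Event 4688 entries showing ekrn.exe starting firefox.exe, and how many ekrn.exe processes are running and under which parent), as an added PowerShell example that is not part of any post and is not ESET's code. It assumes process-creation auditing is enabled and that the 4688 events carry the ParentProcessName field; the function names are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell session (the Security log requires it).
# Assumption: "Audit Process Creation" is enabled, so Event 4688 is being recorded.

function Get-EkrnFirefoxLaunch {
    param([int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['ParentProcessName'] -like '*\ekrn.exe' -and
                $data['NewProcessName']    -like '*\firefox.exe') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Parent      = $data['ParentProcessName']
                    Child       = $data['NewProcessName']
                    CommandLine = $data['CommandLine']  # empty unless command-line auditing is on
                }
            }
        } | Sort-Object TimeCreated
}

function Get-EkrnInstance {
    # One row per running ekrn.exe, with the name of its parent process.
    Get-CimInstance Win32_Process -Filter "Name = 'ekrn.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId  = $_.ProcessId
            Path       = $_.ExecutablePath   # may be blank for a protected service
            ParentName = $parent.Name
        }
    }
}

$launches = @(Get-EkrnFirefoxLaunch -Days 7)
$launches | Format-Table -AutoSize

# Hours between consecutive launches, to see whether they recur on a schedule.
for ($i = 1; $i -lt $launches.Count; $i++) {
    $gap = ($launches[$i].TimeCreated - $launches[$i - 1].TimeCreated).TotalHours
    '{0}  +{1:N1} h since previous' -f $launches[$i].TimeCreated, $gap
}

Get-EkrnInstance | Format-Table -AutoSize
```

The launch timestamps can then be compared with entries in the ESET event log for the same times.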

  • ESET Moderators

Hello, this could be caused by importing our certificate for scanning the SSL communication.

Even if it is not your default browser, we do that for all supported browsers installed on the machine.

We do call the firefox.exe process during the certificate import, that's why it could be seen for a split second.


  • Administrators

Most likely it happens while attempting to import the ESET root certificate to the trusted root CA certificate store. We'll try to make a tiny change in the code to do it completely silently.

You could temporarily disable this option for a test and see if the behavior is gone (don't forget to re-enable it):

image.png


Thanks TomasP and Marcos. Well... this brings "heart attack" to the user... not nice. Don't do it this way. Really, find a way to do it "under the hood". Also, please add a public support KB for this behaviour, to let folks know what is happening here. Also, it will be nice to add a matching log record to the Eset app log for each such operation, so you will be able to show customers a (date-time) match between this feature's action and what the customer has seen on the GUI and found in the Windows event log. Thanks!


The Eset certificate import into browsers should only occur once; usually at installation time.

The original posting led me to assume multiple Win Event 4688 log entries existed. Also as a long time Eset user, I have never seen any like log entries associated with Eset use in any capacity. Finally, these log event entries show system process activity that occur immediately at boot time and prior to lsass.exe loading and user logon.

Nope itman, this happens, surely and explicitly - every few hours. I opened a support case for this at Eset Israel and sent them my perfmon output files.


  • Administrators

Probably import of the root certificate is failing every time it's attempted. Let's wait for a resolution of your support ticket.


9 minutes ago, eitanc said:

Nope itman, this happens, surely and explicitly - every few hours.

Did you verify that only one instance of ekrn.exe is running?

Edited by itman

10 minutes ago, Marcos said:

Probably import of the root certificate is failing every time it's attempted. Let's wait for a resolution of your support ticket.

OK, and if it fails - is this issue logged somewhere I can find it?


56 minutes ago, eitanc said:

OK, and if it fails - is this issue logged somewhere I can find it?

According to this posting, the activity should be logged in the Eset Events log: https://forum.eset.com/topic/16028-attempting-to-add-the-root-certificate-to-all-known-browsers-on-your-computer-failed/

-EDIT- Also make sure you read the last posting in the above thread. The OP had set FireFox Master Password option on which was the cause of Eset's failure to add its root CA certificate to FireFox's Authorities CA certificate store.

Edited by itman

Another thing that is not just adding up right in my mind is this attempted Eset root CA certificate add into Firefox would make sense if FireFox was opened manually by the OP. As he posted, FireFox is not his default browser and it is assumed this browser, whatever it may be, is what he is using for Internet access.

Edited by itman

  • ESET Moderators
11 hours ago, itman said:

Another thing that is not just adding up right in my mind is this attempted Eset root CA certificate add into Firefox would make sense if FireFox was opened manually by the OP. As he posted, FireFox is not his default browser and it is assumed this browser, whatever it may be, is what he is using for Internet access.

Certificate import is not done at browser startup, but independently by ekrn.exe, and to all browsers, not just to the default one.


7 hours ago, TomasP said:

Certificate import is not done at browser startup, but independently by ekrn.exe, and to all browsers, not just to the default one.

What I suggest is Eset display an informational popup alert that the browser certificate add attempt failed. Many users don't review their Eset Event logs as they should.

Also any browser with a master password option such as that employed by FireFox will be problematic for this activity since it appears this setting will block Eset's certificate add attempt.


  • ESET Moderators

Rather than displaying a pop-up, we'd like to alter the code that adds the certificate, so that it does not invoke any window on the user's desktop.


25 minutes ago, TomasP said:

Rather than displaying a pop-up, we'd like to alter the code that adds the certificate, so that it does not invoke any window on the user's desktop.

The problem with this is the user would be unaware an issue exists with Eset's SSL/TLS protocol scanning due to failure to add the Eset root CA certificate to the browser. Again, many do not review their Eset Event logs; at least with any frequency.


  • Administrators

After a computer restart the root certificate should be imported in the trusted root CA certificate store anyways so there should be no issues then.

