eitanc

ekrn.exe launches firefox

Posted (edited)

Hello, I use NOD32 12.2.30.0 on Windows 10 pro 64 bit.

Recently I noticed a sudden/flash appearance of the Firefox banner on the taskbar, as if it loads and then terminates.

Looking at the Windows Security event log, I found it was launched by the NOD32 process ekrn.exe... very strange. See attached screenshot.
Firefox is NOT my default OS browser.

I didn't find any NOD32 scheduled process that is related to Firefox, nor a matching Windows "scheduled task".

Any ideas?

ekrn-firefox.png

Edited by eitanc
add a comment about FF not being my default browser

Posted (edited)

Suspect this is caused by Eset's Banking & Payment Protection. It in essence opens a hardened browser session under ekrn.exe protection. Did such activity occur around the time the Windows Event Log entry was created? However, this only occurs if Firefox was already opened. If B&PP is selected via the desktop icon, it will open the Windows default browser.

Edited by itman


Nope. My product is only NOD32; I don't have the mentioned feature.


OK. I am using EIS. Thought B&PP was also included in NOD32.

Just checked my Event 4688 Log entries and the only thing I observe is activity from Win system processes.

22 minutes ago, eitanc said:

Recently I noticed a sudden/flash appearance of the Firefox banner on the taskbar. Like it loads and then terminates.

I know of no reason why ekrn.exe would actually attempt to load FireFox outside of B&PP activity. Very strange indeed.


I am running now procmon to capture only events where the process name is "ekrn.exe" and the path includes "firefox.exe". We'll see what we catch.

Posted (edited)
21 minutes ago, itman said:

I know of no reason why ekrn.exe would actually attempt to load FireFox outside of B&PP activity. 

Also, this activity does not cause a corresponding Event 4688 entry to be created when B&PP is activated within a Firefox session.

Edited by itman


Open Process Explorer or Windows Task Manager and see if multiple ekrn.exe processes are running. There should be only one instance of it, a child process of services.exe.

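The two checks the thread has raised so far, the OP's Security log finding (firefox.exe created by ekrn.exe, event 4688) and the single-instance-of-ekrn.exe check above, can both be answered from exported 4688 records. The script below is an added example, not code from the original thread or from ESET: it parses 4688 records in the Event Viewer XML shape, lists every firefox.exe created by ekrn.exe together with the gaps between those creations, and lists every ekrn.exe creation with whether its parent was services.exe. The sample events are constructed, and the install paths are assumptions.

```python
"""Correlate Windows Security event 4688 (A new process has been created) records.
Two checks from the thread:
  1. which processes ekrn.exe spawned (the OP saw firefox.exe), and how far apart;
  2. every ekrn.exe creation and whether its parent was services.exe.
The sample events below are constructed, not real captures; the paths are assumed.
"""
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(time, new_pid, new_image, creator_pid, creator_image):
    """Build one constructed 4688 record in the shape of the Event Viewer XML view."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4688</EventID><TimeCreated SystemTime="{time}"/></System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="NewProcessId">{new_pid:#x}</Data>
    <Data Name="NewProcessName">{new_image}</Data>
    <Data Name="ProcessId">{creator_pid:#x}</Data>
    <Data Name="ParentProcessName">{creator_image}</Data>
  </EventData>
</Event>"""


EKRN = r"C:\Program Files\ESET\ESET Security\ekrn.exe"      # assumed install path
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"   # assumed install path
SERVICES = r"C:\Windows\System32\services.exe"

SAMPLE_EVENTS = [  # constructed records, in log order
    _event("2019-05-20T06:00:01.000000000Z", 0x2a8, SERVICES, 0x1f0, r"C:\Windows\System32\wininit.exe"),
    _event("2019-05-20T06:00:05.512345600Z", 0x6c0, EKRN, 0x2a8, SERVICES),
    _event("2019-05-20T10:14:22.031337000Z", 0x1a3c, FIREFOX, 0x6c0, EKRN),
    _event("2019-05-20T10:20:00.000000000Z", 0x1b10, FIREFOX, 0xd04, r"C:\Windows\explorer.exe"),
    _event("2019-05-20T14:14:25.774112000Z", 0x2204, FIREFOX, 0x6c0, EKRN),
]


def _ts(system_time):
    """Parse the SystemTime attribute; Windows writes 7 fractional digits, strptime takes 6."""
    main, _, frac = system_time.rstrip("Z").partition(".")
    return datetime.strptime(f"{main}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def parse_4688(xml_text):
    """Return the fields of one 4688 record needed for parent/child correlation, or None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": _ts(root.find("e:System/e:TimeCreated", NS).get("SystemTime")),
        "pid": int(data["NewProcessId"], 16),          # PIDs are hex strings, e.g. 0x1a3c
        "image": data["NewProcessName"],
        "ppid": int(data["ProcessId"], 16),            # in 4688, ProcessId is the *creator* PID
        "parent": data.get("ParentProcessName", ""),   # present on Windows 10 / 2016 and later
    }


def _exe(path):
    return ntpath.basename(path).lower()


def spawned_by(events, parent_exe, child_exe):
    """(time, creator pid, new pid) for every child_exe created by a parent_exe."""
    return [
        (ev["time"], ev["ppid"], ev["pid"])
        for ev in map(parse_4688, events)
        if ev and _exe(ev["parent"]) == parent_exe and _exe(ev["image"]) == child_exe
    ]


def gaps_hours(hits):
    """Hours between consecutive hits; a steady gap points at a periodic retry, not a one-off."""
    times = sorted(h[0] for h in hits)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(times, times[1:])]


def ekrn_creations(events):
    """Every ekrn.exe creation in the window and whether its parent was services.exe.
    More than one row, or parent_ok False, is what the single-instance check would flag.
    4688 records creations only; pair with 4689 (process exit) to know what is still running."""
    return [
        {"pid": ev["pid"], "parent_ok": _exe(ev["parent"]) == "services.exe"}
        for ev in map(parse_4688, events)
        if ev and _exe(ev["image"]) == "ekrn.exe"
    ]


if __name__ == "__main__":
    hits = spawned_by(SAMPLE_EVENTS, "ekrn.exe", "firefox.exe")
    for t, ppid, pid in hits:
        print(f"{t:%Y-%m-%d %H:%M:%S} ekrn.exe (pid {ppid:#x}) -> firefox.exe (pid {pid:#x})")
    print("gaps (h):", gaps_hours(hits))
    print("ekrn.exe creations:", ekrn_creations(SAMPLE_EVENTS))
```

On a real machine, feed the functions the XML of live records, for example from PowerShell with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ForEach-Object { $_.ToXml() }`. Event 4688 is only written when "Audit Process Creation" is enabled, and the ParentProcessName field is absent on older Windows versions, in which case the parent has to be resolved from the creator PID.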

Hello, this could be caused by importing our certificate for scanning the SSL communication.

Even if it is not your default browser, we do that for all supported browsers installed on the machine.

We do call the firefox.exe process during the certificate import, which is why it could be seen for a split second.


Most likely it happens while attempting to import the ESET root certificate to the trusted root CA certificate store. We'll try to make a tiny change in the code to do it completely silently.

You could temporarily disable this option for a test and see if the behavior is gone (don't forget to re-enable it):

image.png


Thanks TomasP and Marcos. Well... this gives the user a "heart attack"... not nice. Don't do it this way. Really, find a way to do it "under the hood". Also, please add a public support KB for this behaviour, to let folks know what is happening here. Also, it would be nice to add a matching log record to the Eset app log for each such operation, so you will be able to show customers a (date-time) match between this feature's action and what the customer has seen in the GUI and found in the Windows event log. Thanks!


The Eset certificate import into browsers should only occur once; usually at installation time.

The original posting led me to assume multiple Win Event 4688 log entries existed. Also, as a long-time Eset user, I have never seen any such log entries associated with Eset use in any capacity. Finally, these log event entries show system process activity that occurs immediately at boot time, prior to lsass.exe loading and user logon.


Nope itman, this happens, surely and explicitly - every few hours. I opened a support case for this at Eset Israel and sent them my perfmon output files.


Probably import of the root certificate is failing every time it's attempted. Let's wait for a resolution of your support ticket.

Posted (edited)
9 minutes ago, eitanc said:

Nope itman, this happens, surely and explicitly - every few hours.

Did you verify that only one instance of ekrn.exe is running?

Edited by itman


Yep, only one instance of ekrn.exe is running.

10 minutes ago, Marcos said:

Probably import of the root certificate is failing every time it's attempted. Let's wait for a resolution of your support ticket.

OK, and if it fails, is this issue logged somewhere I can find it?

Posted (edited)
56 minutes ago, eitanc said:

OK, and if it fails, is this issue logged somewhere I can find it?

According to this posting, the activity should be logged in the Eset Events log: https://forum.eset.com/topic/16028-attempting-to-add-the-root-certificate-to-all-known-browsers-on-your-computer-failed/

-EDIT- Also make sure you read the last posting in the above thread. The OP had the Firefox Master Password option set, which was the cause of Eset's failure to add its root CA certificate to Firefox's Authorities CA certificate store.

Edited by itman

Posted (edited)

Another thing that is just not adding up in my mind is that this attempted Eset root CA certificate add into Firefox would make sense if Firefox was opened manually by the OP. As he posted, Firefox is not his default browser, and it is assumed this browser, whatever it may be, is what he is using for Internet access.

Edited by itman

11 hours ago, itman said:

Another thing that is just not adding up in my mind is that this attempted Eset root CA certificate add into Firefox would make sense if Firefox was opened manually by the OP. As he posted, Firefox is not his default browser, and it is assumed this browser, whatever it may be, is what he is using for Internet access.

Certificate import is not done at browser startup, but independently by ekrn.exe, and to all browsers, not just to the default one.

7 hours ago, TomasP said:

Certificate import is not done at browser startup, but independently by ekrn.exe, and to all browsers, not just to the default one.

What I suggest is Eset display an informational popup alert that the browser certificate add attempt failed. Many users don't review their Eset Event logs as they should.

Also, any browser with a master password option, such as that employed by Firefox, will be problematic for this activity, since it appears this setting will block Eset's certificate add attempt.


Rather than displaying a pop-up, we'd like to alter the code that adds the certificate, so that it does not invoke any window on the user's desktop.

25 minutes ago, TomasP said:

Rather than displaying a pop-up, we'd like to alter the code that adds the certificate, so that it does not invoke any window on the user's desktop.

The problem with this is the user would be unaware an issue exists with Eset's SSL/TLS protocol scanning due to failure to add the Eset root CA certificate to the browser. Again, many do not review their Eset Event logs; at least with any frequency.


After a computer restart the root certificate should be imported in the trusted root CA certificate store anyways so there should be no issues then.

