kbleft, posted November 8, 2020:

I'm running ESET Internet Security 14.0.22.0 on Windows 10. A short while ago, EIS generated a yellow "Application Modified" popup alerting me that egui.exe had been modified and was trying to connect to the network. The popup gave me the option to "disable rules" or "keep rules" for the firewall. I chose "keep rules" because I trust ESET.

Now, I'm wondering if something is wrong because I wouldn't expect ESET to trigger an alert about its own GUI. Note, below, that modification of signed and trusted applications is allowed, so I should only get a notification about programs that are not signed and trusted. Since I got an alert, does that mean that I have a virus named egui.exe? Or that egui.exe has been replaced or modified by a malicious program?

Configuration Notes:
- ESET firewall filtering mode is set to "Automatic mode"
- No firewall rules are defined under Advanced firewall settings
- Application modification detection is enabled
- Allow modification of signed (trusted) applications is enabled

Marcos (Administrators), posted November 8, 2020:

Did you upgrade to EIS 14.0.22 from EIS v13.2? Please upload logs collected with ESET Log Collector.

kbleft (Author), posted November 8, 2020:

Hi, Marcos. I'm running the log collector now. When I'm done, how should I upload my log files? Do I attach them to a post, or is there another method?

In the meantime, here is some additional information:

1) I upgraded to EIS 14 from EIS 13 a few days ago. Everything went smoothly. No problems for the last few days. This is the first time I received the Application Modified alert.

2) I just received another Application Modified alert. This one was for ESET SysInspector. I'm not sure why it was trying to connect to the network, but I suspect it was activated by the Log Collector.

kbleft (Author), posted November 8, 2020:

Logs attached.

Attachment: eis_logs.zip

itman, posted November 8, 2020 (edited November 8, 2020):

5 hours ago, kbleft said:
> A short while ago, EIS generated a yellow "Application Modified" popup alerting me that egui.exe had been modified and was trying to connect to the network. The popup gave me the option to "disable rules" or "keep rules" for the firewall. I chose "keep rules" because I trust ESET.

I have received this alert periodically in other past versions of EIS. I could never really figure out what was the source of the alert. However, I do have the "Allow modification of signed (trusted) applications" option disabled.

Since I have the Eset firewall filtering mode set to default "Automatic" mode, application modification alerts should never appear since this feature is only applicable when the firewall is set to Interactive mode.

My best guess is Eset has hidden internal rules in regards to application modification of their own processes and occasionally there is a "hiccup" in regards to modification of one of these processes. I also believe that application modification detection is triggered from the HIPS and not the firewall. For example, egui.exe is actually started and possibly modified by eguiproxy.exe. It might be for some unknown reason this activity is not properly initialized and recorded internally by Eset after a PICO, etc. update.

In any case, I have come to just ignore these alerts and just mouse click on the "Disable rules" tab.

Box, posted November 8, 2020 (edited November 8, 2020):

Hello, I've encountered the same problem. I'm using EIS 14.0.22.0 (updated using the interface), and I think that it's the same problem that kbleft describes, please see the attached file.

On the other hand, the file that the warning points out is also egui.exe, and it can be found in this path: C:\Program Files\ESET\ESET Security which is the installation path.

On the other hand, I'm using the interactive mode for the firewall, and it seems that this warning is triggered when a program (a trusted one, by the way) tries to connect to the internet. I've triggered the warning two times doing the same thing, so I think that this has something to do with internal firewall rules.

Box, posted November 8, 2020:

I can't edit, but I forgot to mention that I was using almost all the free RAM available at that moment. I don't know if that helps.

itman, posted November 8, 2020:

1 hour ago, Box said:
> On the other hand, I'm using the interactive mode for the firewall, and it seems that this warning is triggered when a program (a trusted one, by the way) tries to connect to the internet

This would be normal behavior in firewall Interactive mode if an existing app hash value changed and a previous firewall rule existed for it. However, egui.exe is Eset signed so there might be a bug there.

You're going to keep getting the alert until you respond to keep existing firewall rules which I would select, or to create a new firewall rule for the app.

You can also manually verify that egui.exe in C:\Program Files\ESET\ESET Security is also Eset signed indicating it is legit.

Box, posted November 9, 2020 (edited November 9, 2020):

1 hour ago, itman said:
> This would be normal behavior in firewall Interactive mode if an existing app hash value changed and a previous firewall rule existed for it. However, egui.exe is Eset signed so there might be a bug there. You're going to keep getting the alert until you respond to keep existing firewall rules which I would select, or to create a new firewall rule for the app. You can also manually verify that egui.exe in C:\Program Files\ESET\ESET Security is also Eset signed indicating it is legit.

Hello, many thanks for the response. After re-reading my previous post I noticed that I didn't give clear information about this problem. I will try to explain it with a diagram, sorry for the quality:

If I launch a program that has no firewall rules, you can see the normal dialog asking what to do (on interactive mode), and after denying the outbound connection or trying to set a behaviour for the rule, immediately after EIS says that egui.exe has been modified and is trying to connect to the net.

I've checked the egui.exe found in C:\Program Files\ESET\ESET Security, and the SHA1 checksum: 9C9B3B035C5A2E2BC956D28E0FFD4ED253FC887B gives 0 results in Virustotal: https://www.virustotal.com/gui/file/35a06001b74ce1068818dbc21e5f6f28ef38fc0d6e3079dc731a9805860c8fb1/detection

Also, the Details tab says that the file is signed by ESET, spol. s r.o., but besides that, I don't have any other manner to know if this file has been signed by ESET.

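Added example, not part of the original posts and not ESET's own tooling: one way to check from PowerShell what the Details tab shows, namely that the file's Authenticode signature is intact and names the expected signer. The path, signer name and reference hashes are the ones quoted in the posts above; the function name `Test-VendorSignature` is hypothetical.

```powershell
# Values taken from the thread; adjust for your own installation.
$Path           = 'C:\Program Files\ESET\ESET Security\egui.exe'
$ExpectedSigner = 'ESET, spol. s r.o.'                          # signer shown on the Details tab
$PostedSha1     = '9C9B3B035C5A2E2BC956D28E0FFD4ED253FC887B'    # SHA1 quoted in the post
$PostedSha256   = '35a06001b74ce1068818dbc21e5f6f28ef38fc0d6e3079dc731a9805860c8fb1'  # from the VirusTotal link

function Test-VendorSignature {
    param(
        [Parameter(Mandatory)] [string] $LiteralPath,
        [Parameter(Mandatory)] [string] $SignerName
    )
    # Status is 'Valid' only if the file content matches the signed digest
    # and the certificate chain builds to a root trusted by this machine.
    $sig  = Get-AuthenticodeSignature -LiteralPath $LiteralPath
    $cert = $sig.SignerCertificate

    $signer     = $null
    $thumbprint = $null
    if ($cert) {
        $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer     = $cert.GetNameInfo($nameType, $false)
        $thumbprint = $cert.Thumbprint
    }

    [pscustomobject]@{
        Path        = $LiteralPath
        Status      = $sig.Status
        Signer      = $signer
        Thumbprint  = $thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA1        = (Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA1).Hash
        SHA256      = (Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256).Hash
        # Both conditions must hold: intact signature AND the expected signer.
        Trusted     = ($sig.Status -eq 'Valid') -and ($signer -eq $SignerName)
    }
}

$result = Test-VendorSignature -LiteralPath $Path -SignerName $ExpectedSigner
$result | Format-List

if ($result.Status -eq 'HashMismatch') {
    Write-Warning 'File content no longer matches its embedded signature (changed after signing).'
}

# A hash that differs from the posted values only means a different build;
# the signature status and signer are the meaningful checks.
'SHA1 matches value posted in thread:  {0}' -f ($result.SHA1   -eq $PostedSha1)
'SHA256 matches VirusTotal link value: {0}' -f ($result.SHA256 -eq $PostedSha256)
```

A file altered after signing reports `HashMismatch` rather than `Valid`, and an unsigned replacement reports `NotSigned`, so `Trusted` is true only when the signature is intact and names the expected signer.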
Box, posted November 9, 2020:

Hello, any update on this, @Marcos?

Marcos (Administrators), posted November 9, 2020:

47 minutes ago, Box said:
> Hello, any update on this, @Marcos?

We'd need step-by-step instructions on how to reproduce the issue. Are you able to reproduce it at any time?

itman, posted November 9, 2020 (edited November 9, 2020):

14 hours ago, Box said:
> If I launch a program that has no firewall rules, you can see the normal dialog asking what to do (on interactive mode), and after denying the outbound connection or trying to set a behaviour for the rule, immediately after EIS says that egui.exe has been modified and is trying to connect to the net.

Check your existing Eset firewall rule set and verify that a rule exists for C:\Program Files\ESET\ESET Security\egui.exe. If one exists, verify it is set to allow inbound and outbound traffic. Otherwise, manually create a new rule for it. Move this egui.exe rule to the bottom of existing default firewall rules. You can use the default existing ekrn.exe rule as a guide for egui.exe rule creation.

I believe this should stop the egui.exe alert after a new app rule is created in firewall Interactive mode.

Box, posted November 9, 2020 (edited November 9, 2020):

1 hour ago, Marcos said:
> We'd need step-by-step instructions on how to reproduce the issue. Are you able to reproduce it at any time?

Hello, thanks for the response. Yes, I've made a video to show the problem, and when I opened the program to capture the video and blocked the outbound connection, it showed the same egui alert, so it's safe to assume that it will do this with other programs with no set firewall rules (in interactive mode, at least). Please see the attached file, which includes an MP4 video.

21 minutes ago, itman said:
> Check your existing Eset firewall rule set and verify that a rule exists for C:\Program Files\ESET\ESET Security\egui.exe. If one exists, verify it is set to allow inbound and outbound traffic. Otherwise, manually create a new rule for it. Move this egui.exe rule to the bottom of existing default firewall rules. You can use the default existing ekrn.exe rule as a guide for egui.exe rule creation. I believe this should stop the egui.exe alert after a new app rule is created in firewall Interactive mode.

Thanks for the response again. I've opened the rules section and there are no settings for egui.exe. Should there be any by default? I think that I will block the connection until this problem is resolved, because the modified egui.exe only tries to connect to the net when another program (with no set rules) triggers the firewall dialog box. It may be a bug as you previously said.

Attachment: Video_ESET_Forums.zip

itman, posted November 9, 2020:

4 minutes ago, Box said:
> I've opened the rules section and there are no settings for egui.exe. Should there be any by default?

In past Eset versions, there used to be a default egui.exe rule. I believe the issue here is use of firewall Interactive mode. Do as I instructed and see if it eliminates the issue.

Marcos (Administrators), posted November 9, 2020:

It's still there among the built-in rules and even Kbleft has those rules enabled:

Box, posted November 9, 2020 (edited November 9, 2020):

15 minutes ago, Marcos said:
> It's still there among the built-in rules and even Kbleft has those rules enabled:

Yes, I can see the same if I check "Show in-built rules", here's mine (with egui.exe filter):

The rule under "Allow verification for egui" is the one that I've created, but it keeps asking for approving or denying rules for the modified egui.exe (since it is trying to connect to the net).

itman, posted November 9, 2020:

20 minutes ago, Marcos said:
> It's still there among the built-in rules a

It doesn't exist on my EIS 14.0.22 installation:

SlashRose (ESET Insiders), posted November 9, 2020:

Is not available for me either!

itman, posted November 9, 2020 (edited November 9, 2020):

13 minutes ago, Box said:
> The rule under "Allow verification for egui" is the one that I've created, but it keeps asking for approving or denying rules for the modified egui.exe (since it is trying to connect to the net).

Next time the alert appears, click on the "Approve" tab.

itman, posted November 9, 2020:

14 minutes ago, Box said:
> Yes, I can see the same if I check "Show in-built rules", here's mine (with egui.exe filter):

Since the default rule exists, delete any like custom rule you created.

Box, posted November 9, 2020:

10 minutes ago, itman said:
> Next time the alert appears, click on the "Approve" tab.

4 minutes ago, itman said:
> Since the default rule exists, delete any like custom rule you created.

Done, thanks for the help. If something related to this arises, I will post again, but I will keep monitoring the thread to see if I can help with this problem.