Posted (edited)

I just noticed that Code integrity determined that the image hash of a file is not valid.

\Device\HarddiskVolume3\Program Files\ESET\ESET Security\ebehmoni.dll

I know I have the message for the eamsi.dll daily but this new one that ends with ebehmoni.dll I just started to notice. I'm not having any issues that I can tell. Is there anything I need to worry about?

Here is a screen shot of what I'm talking about

EsetFll.PNG

Edited by Purpleroses

That .dll is Eset Deep Behavior Inspection Behavior Monitor.

I have no such Win Code Integrity event log entries. Below is a screen shot of that .dll properties for my EIS 14.1.20 installation. It may be that this is being caused by what Event 5038 log entry states; i.e. disk device error.

Eset_DBI.png.a81d3e79dcedb81a809e2045080554ff.png


Just now, Purpleroses said:

Can you explain what a disk device error is? 

Simply put, it is an indicator your hard drive might be starting to fail. You will have to monitor for other like errors occurring for other apps or Win system processes. You might also want to check your hard drive with an appropriate diagnostic utility; usually the drive manufacturer's one is the best.

This could also just be a one-off file corruption issue. You can always reinstall Eset and see if that resolves the issue.


Thank you itman.  I also have the same message for eamsi.dll could indicate a potential disk device error.


19 minutes ago, Purpleroses said:

I also have the same message for eamsi.dll could indicate a potential disk device error.

That one is legit.

Are you running in Eset pre-release update mode? It may very well be that Eset has changed the behavior of DBI in the current pre-release version.


Submit C:\Program Files\ESET\ESET Security\ebehmoni.dll to VirusTotal: https://www.virustotal.com/gui/ and see if there are any detections for it.

I checked for any process injection activity for ebehmoni.dll using Process Explorer and there were none. Note that Eset injects eamsi.dll into other processes at system logon time. This is what causes the Code Integrity Guard Event log entries for it. The question is why Eset is injecting ebehmoni.dll if indeed Eset is the one performing the injection.

The last possibility is Eset is detecting some suspicious behavior on your device and is indeed injecting or, as it appears, attempting to inject, ebehmoni.dll into that process. If that process is a protected Code Integrity Guard process, this is what would cause the event log entries you are observing. I have never observed any CIG event log entries for ebehmoni.dll but I don't check my log for any on a daily basis.


Posted (edited)

I found this under security mitigations. So now I'm worried that my computer is at risk. Everything is running alright. Is my computer still protected?

esetmitigations.PNG

Edited by Purpleroses

Posted (edited)
5 hours ago, Purpleroses said:

I found this under security mitigations. So now I'm worried that my computer is at risk. Everything is running alright. Is my computer still protected?

To begin, Win 10 code integrity violations are logged in multiple Win 10 event logs for the same event. These include the Windows security log as Audit Failure, the Security-Mitigations, and the Code Integrity logs.

I checked out the certificates for ebehmoni.dll and it is not signed with a Microsoft code signing cert. Therefore, it can be assumed that Eset will not inject this .dll into any process on demand. If this was the case, Eset would have signed the .dll as such as is the case for eamsi.dll.

In reference to the Security-Mitigations log entry you posted, I know of no reason why a dllhost.exe process would be attempting to load ebehmoni.dll. As far as I am aware of, all Eset processing is initiated via its ekrn.exe process.

At this point, I suggest you open a tech support ticket with Eset North America on this issue. Or, perhaps @Marcos can shed some light on this ebehmoni.dll behavior.

-EDIT- I also might be wrong with what I posted above. Refer to this recent forum posting: https://forum.eset.com/topic/28365-deep-behavioral-inspection-blocks-threads-of-net-process-after-loading-a-golang-dll/ . It clearly states and shows ebehmoni.dll being deployed to hook a thread into a .Net based process. It is also possible it is using dllhost.exe to do so. However, since ebehmoni.dll is not Microsoft code cert. signed, loading of the .dll will fail.

Edited by itman
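
Added example (not part of any post in this thread): one way to carry out the checks discussed above from an elevated PowerShell prompt, by pulling every entry that names ebehmoni.dll from the event logs the post lists and then checking the signature and hash of the file on disk. The seven-day look-back window is an assumption; the DLL path and event ID 5038 are the ones given in the thread.

```powershell
# Added example, not code from ESET or from the forum posters.
# Reading the Security log requires an elevated (administrator) session.
$dll   = 'C:\Program Files\ESET\ESET Security\ebehmoni.dll'   # path from the thread
$name  = Split-Path $dll -Leaf
$since = (Get-Date).AddDays(-7)                                # assumed look-back window

# The same violation is recorded in several logs; query each one.
# The Security log is narrowed to event 5038 (the ID quoted in the thread).
$filters = @(
    @{ LogName = 'Security'; Id = 5038; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode'; StartTime = $since }
)

$hits = foreach ($f in $filters) {
    # A log with no matching events raises a non-terminating error; suppress it.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$name*" } |
        Select-Object TimeCreated, LogName, Id,
            @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Timeline across all logs, then a count per log and event ID to show
# whether this is a one-off or a recurring entry.
$hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
$hits | Group-Object LogName, Id | Select-Object Count, Name

# Signature state and SHA-256 of the file as it exists on disk right now.
$sig = Get-AuthenticodeSignature -FilePath $dll
[pscustomobject]@{
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    Issuer = $sig.SignerCertificate.Issuer
    SHA256 = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
} | Format-List
```

A `Status` of `HashMismatch` means the file content no longer matches its embedded signature, which is consistent with on-disk corruption or modification; `Valid` means the signature verifies for the file as currently stored. The SHA-256 value can be used to look the file up on VirusTotal, as suggested earlier in the thread.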


I should also note looking in the event log can be quite dangerous. I've seen multiple users worry about stuff because they don't know what it means and I'd recommend not viewing unless you have reason to suspect issues.


43 minutes ago, Purpleroses said:

So my computer is still protected with Eset, right?

I can't answer that question.

At this point, I can't state that the ebehmoni.dll behavior you are observing is legit Eset behavior, or if the .dll is being deployed maliciously by malware. You need Eset's assistance on this matter.

By the way Itman since reinstalling Eset security I do not get that \Device\HarddiskVolume3\Program Files\ESET\ESET Security\ebehmoni.dll  in event viewer. The only thing that I can think that might have caused a glitch was that I installed windows update to 21H1.  But everything seems to be back to normal.


6 minutes ago, Purpleroses said:

By the way Itman since reinstalling Eset security I do not get that \Device\HarddiskVolume3\Program Files\ESET\ESET Security\ebehmoni.dll  in event viewer. The only thing that I can think that might have caused a glitch was that I installed windows update to 21H1.  But everything seems to be back to normal.

You must be reading my mind. I was just going to ask about this.

Best explanation is a bad disk drive block or the like that indeed did cause a hash error as reported. It happens ..........
