itman (posted November 5, 2022): If you do and your browser is Firefox, your Win Security-Mitigations event log - Kernel Mode will be full of the following blocked entries:
cofer123 (posted November 5, 2022): I love it when third-party software decides to meddle with browsers. It always ends well.
Marcos (Administrators, posted November 5, 2022): I've asked BPP developers to comment on it. It may not necessarily be a negative message indicating issues with Firefox, I assume, however.
itman (posted November 5, 2022): It gets better. I opened a stand-alone B&PP session via its Eset desktop icon to perform a purchase from a web site I frequent often. I went directly to the web site and stayed on it during the entire session. No less than 39 of the above posted Security-Mitigations log entries were created. Now this is very weird. The Firefox PID for each alert was a different number. Yes, Firefox generates multiple sub-processes. But not 39 of them... Also, with ver. 16, Firefox is generating Security-Mitigations log entries that the .dll's Eset injects are not validly Microsoft code signed. However, it does allow the .dll's to be injected. This might have something to do with these Win32k.sys blocks.
itman (posted November 5, 2022): Here's a "deep dive" into Win32k.sys: https://www.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/17-Win32K/Win32K.pdf. Of note is its interfacing with keyboard drivers.
Marcos (Administrators, posted November 5, 2022): This is from a system where ESET or other AV has never been installed:
Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.
itman (posted November 5, 2022):
> Marcos said: This is from a system where ESET or other AV has never been installed: Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.
You're really trying hard here to justify the bork. Yes, I have seen the alert for other processes; namely an Adobe Reader process. I have in the past seen a couple of infrequent ones from Firefox on occasion. However, my Security-Mitigations event log was never bombarded with this alert, which, again, only shows en masse while secured browser mode is active.
Purpleroses (posted November 5, 2022): itman, I have noticed this when I used to just use the banking redirect. But with secure all browsers I'm seeing a number of these also. So do we keep the secure all browsers enabled or can we disable it?
constexpr (ESET Staff, posted November 5, 2022): From my first quick analysis, this problem was there also before Secure All Browsers was enabled in v16; as Purpleroses noted, it happened when the Secure browser started even before the v16 release. Security-Mitigation logs arise when the secured browser starts and a new renderer process (with limited privileges) calls WinAPI, which passes through Win32k.sys to the kernel. From the log "Process 'firefox.exe' (PID xxx) was blocked from making system calls to Win32k.sys." it is obvious that this call was blocked (because of limited process privileges), so the security of this process wasn't decreased, but the system creates a mitigation log about it. We will look at it with high priority; until then, sorry for this increased number of Security-Mitigation events. And itman, thanks for this report!
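To check whether your own log shows the pattern constexpr describes (one block event per short-lived, low-privilege renderer process, rather than repeated events from a single PID), here is an added PowerShell triage script. It is not part of the thread and not ESET's code. It assumes the kernel-mode log is named Microsoft-Windows-Security-Mitigations/KernelMode, and it matches the English message text quoted in the thread rather than relying on a particular event ID, so it also works if the ID differs between Windows builds.

```powershell
# Added example (not from the thread): summarise Win32k system-call block events
# from the Security-Mitigations kernel-mode log, per browser image and PID.
# Assumptions: the log name below, and the English message wording quoted in the thread.
$logName = 'Microsoft-Windows-Security-Mitigations/KernelMode'   # assumed log name
$since   = (Get-Date).AddHours(-24)

# Get-WinEvent raises a non-terminating error when the log is empty; suppress it.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'blocked from making system calls to Win32k\.sys' }

# Parse the message format quoted in the thread:
# "Process '\Device\HarddiskVolume2\...\firefox.exe' (PID 1234) was blocked from making system calls to Win32k.sys."
$parsed = foreach ($e in $events) {
    if ($e.Message -match "Process '(?<Image>[^']+)' \(PID (?<Pid>\d+)\)") {
        [pscustomobject]@{
            Time  = $e.TimeCreated
            Image = Split-Path -Leaf $Matches.Image   # NT device path -> file name only
            Pid   = [int]$Matches.Pid
        }
    }
}

if (-not $parsed) {
    Write-Host "No Win32k block events found in $logName since $since"
    return
}

# Many events with many distinct PIDs for one image is the renderer-per-tab pattern from the
# thread (each sandboxed child is blocked once and exits); many events on ONE PID would be a
# single process repeatedly hitting the mitigation and is worth a closer look.
$parsed | Group-Object Image | ForEach-Object {
    [pscustomobject]@{
        Image        = $_.Name
        Events       = $_.Count
        DistinctPids = ($_.Group.Pid | Sort-Object -Unique).Count
        FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Events -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since reading the Security-Mitigations logs normally requires administrator rights. The DistinctPids column against Events is the useful ratio: a value near 1:1 matches the explanation above, while a low number of PIDs carrying most of the events does not.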
itman (posted November 5, 2022):
> Purpleroses said: itman, I have noticed this when I used to just use the banking redirect. But with secure all browsers I'm seeing a number of these also. So do we keep the secure all browsers enabled or can we disable it?
The problem is the activity noted is being blocked while B&PP mode is in effect. If you have the secured all browsers option enabled, you will just get more of this block activity while in secure all browsers mode. My main present concern is, given the number of blocked events occurring, is B&PP mode being compromised in any way? We'll have to wait till Eset researches this more.
constexpr (ESET Staff, posted November 5, 2022):
> itman said: My main present concern is, given the number of blocked events occurring, is B&PP mode being compromised in any way? We'll have to wait till Eset researches this more.
No, in Secure all browsers it just generates more logs, but BPP mode isn't more or less safe than before. Neither browser security nor BPP hardening is affected.
Marcos (Administrators, posted November 9, 2022): Banking and payment protection module 1287 is going to be released soon, which will mitigate Security-Mitigations reports. Thank you for the heads-up.
Purpleroses (posted November 9, 2022): Marcos, so what does "mitigate Security-Mitigations" mean?
Marcos (Administrators, posted November 9, 2022):
> Purpleroses said: Marcos, so what does "mitigate Security-Mitigations" mean?
I mean that the Security-Mitigations log won't be filled with reports when Firefox, Edge or Chrome run with "Secure all browsers" enabled.
constexpr (ESET Staff, posted November 16, 2022): The BPP module with the Security-Mitigations reports fix is fully released. Please check if it also helps in your environment. If you encounter a similar (or any) issue in the future, just let us know. We are here for you.