Posted

If you do and your browser is Firefox, your Win Security-Mitigations event log (kernel mode) will be full of the following blocked entries:


Posted (edited)

I love it when third-party software decides to meddle with browsers. It always ends well.

Edited by cofer123
  • Administrators
Posted

I've asked BPP developers to comment on it. It may not necessarily be a negative message indicating issues with Firefox, I assume, however.

Posted (edited)

It gets better.

I opened a stand alone B&PP session via its Eset desktop icon to perform a purchase from a web site I frequent often. I went directly to the web site and stayed on it during the entire session. No less than 39 of the above posted Security-Mitigations log entries were created.

Now this is very weird. The Firefox PID for each alert was a different number. Yes, Firefox generates multiple sub-processes. But not 39 of them...

Also, with ver. 16, Firefox is generating Security-Mitigations log entries that the .dll's Eset injects are not validly Microsoft code signed. However, it does allow the .dll's to be injected. This might have something to do with these Win32k.sys blocks.

Edited by itman
  • Administrators
Posted

This is from a system where ESET or other AV has never been installed:

Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.

Posted (edited)
1 hour ago, Marcos said:

This is from a system where ESET or other AV has never been installed:

Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.

You're really trying hard here to justify the bork.

Yes, I have seen the alert for other processes; namely an Adobe Reader process.

I have in the past seen a couple of infrequent ones from Firefox on occasion. However, my Security-Mitigations event log was never bombarded with this alert, which, again, only shows en masse while secured browser mode is active.

Edited by itman
Posted

itman, I have noticed this when I used to just use the banking redirect. But with secure all browsers I'm seeing a number of these also. So do we keep the secure all browsers enabled or can we disable it?

  • ESET Staff
Posted

From my first quick analysis, this problem was there also before Secure All Browsers was enabled in v16; as Purpleroses noted, it happened when the Secure browser started, even before the v16 release.

Security-Mitigation logs arise when the secured browser starts and a new renderer process (with limited privileges) calls a WinAPI that passes through Win32k.sys to the kernel. From the log entry "Process 'firefox.exe' (PID xxx) was blocked from making system calls to Win32k.sys." it is obvious that this call was blocked (because of the limited process privileges), so the security of this process wasn't decreased, but the system creates a mitigation log entry about it.

We will look at it with high priority; until then, sorry for this increased number of Security-Mitigation events.

And itman, thanks for this report!
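An added check, not part of this thread or of ESET's software, for verifying the pattern the staff reply describes: it reads the kernel-mode Security-Mitigations log, parses the "was blocked from making system calls to Win32k.sys" entries quoted above, and summarises them per process image with the number of distinct PIDs (the thread notes a different PID per event, consistent with per-renderer processes). It assumes Windows 10/11 with the Microsoft-Windows-Security-Mitigations/KernelMode log present and an elevated PowerShell session; the `$Hours` window is an assumption.

```powershell
# Added example, not ESET's or the thread's code. Summarise Win32k.sys block events
# from the kernel-mode Security-Mitigations log, grouped by process image.
# Assumes: Windows 10/11, elevated session, log name as below.
param(
    [int]$Hours = 24   # assumed look-back window
)

$logName = 'Microsoft-Windows-Security-Mitigations/KernelMode'
$since   = (Get-Date).AddHours(-$Hours)

# The thread only shows the message text, not an event ID, so filter on the text.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Win32k\.sys' }

if (-not $events) {
    Write-Host "No Win32k.sys block events in the last $Hours hour(s)."
    return
}

# Message shape quoted in the thread:
# Process '\Device\HarddiskVolume2\...\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.
$pattern = "Process '(?<Path>[^']+)' \(PID (?<ProcessId>\d+)\)"

$parsed = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Image     = [System.IO.Path]::GetFileName($Matches.Path)
            Path      = $Matches.Path
            ProcessId = [int]$Matches.ProcessId
        }
    }
}

# One row per image: total blocks, distinct PIDs, and the time span they cover.
# A high block count with many distinct PIDs during a secured-browser session
# matches the renderer-process explanation; blocks from an unexpected image
# or a single long-lived PID are what warrant a closer look.
$parsed | Group-Object Image | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Image        = $_.Name
        Blocks       = $_.Count
        DistinctPIDs = ($_.Group.ProcessId | Sort-Object -Unique).Count
        FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize
```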

Posted
58 minutes ago, Purpleroses said:

itman, I have noticed this when I used to just use the banking redirect. But with secure all browsers I'm seeing a number of these also. So do we keep the secure all browsers enabled or can we disable it?

The problem is the activity noted is being blocked while B&PP mode is in effect. If you have the secured all browsers option enabled, you will just get more of this block activity while in secure all browsers mode.

My main present concern is given the number of blocked events occurring is B&PP mode being compromised in any way?

We'll have to wait till Eset researches this more.

  • ESET Staff
Posted
36 minutes ago, itman said:

My main present concern is given the number of blocked events occurring is B&PP mode being compromised in any way?

We'll have to wait till Eset researches this more.

No, Secure all browsers just generates more logs, but BPP mode isn't more or less safe than before. Neither browser security nor BPP hardening is affected.

  • Administrators
Posted

Banking and payment protection module 1287 is going to be released soon which will mitigate Security-Mitigations reports. Thank you for the heads-up.

  • Administrators
Posted
41 minutes ago, Purpleroses said:

Marcos, so what does "mitigate Security-Mitigations" mean?

I mean that the Security-Mitigations log won't be filled with reports when Firefox, Edge or Chrome run with "Secure all browsers" enabled.

  • ESET Staff
Posted

The BPP module with the Security-Mitigations reports fix is fully released. Please check if it also helps in your environment.

If you encounter a similar (or any) issue in the future, just let us know. We are here for you.
