Jump to content

Another Reason Not To Use Secure All Protected Browsers Mode.


Recommended Posts

  • Administrators

I've asked BPP developers to comment on it. It may not be necessarily a negative message indicating issues with Firefox I assume, however.

Link to comment
Share on other sites

It gets better.

I opened a stand alone B&PP session via its Eset desktop icon to perform a purchase from a web site I frequent often. I went directly to the web site and stayed on it during the entire session. No less than 39 of the above posted Security-Mitigations log entries were created.

Now this is very weird. The Firefox PID for each alert was a different number. Yes, Firefox generates multiple sub-processes. But not 39 of them ......................

Also, with ver. 16, Firefox is generating Security-Mitigations log entries that the .dll's Eset injects are not validly Microsoft code signed. However, it does allow the .dll's to be injected. This might have something to do with these Win32k.sys blocks.

Edited by itman
Link to comment
Share on other sites

  • Administrators

This is from a system where ESET or other AV has never been installed:

Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.

Link to comment
Share on other sites

1 hour ago, Marcos said:

This is from a system where ESET or other AV has never been installed:

Process '\Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Opera\opera.exe' (PID 7352) was blocked from making system calls to Win32k.sys.

You're really trying hard here to justify the bork.

Yes, I have seen the alert for other processes; namely  an Adobe Reader process.

I have in the past seen a couple of infrequent ones from Firefox on occasion.  However, my Security-Mitigations event log was never bombarded with this alert which again, only show en mass while secured browser mode is active.

Edited by itman
Link to comment
Share on other sites

itman I have noticed this when I use to just used the banking redirect.  But with secure all browsers I'm seeing a number of these also.  So do we keep the secure all browsers enable or can we disable it?

Link to comment
Share on other sites

  • ESET Staff

From my first quick analysis, this problem was there also before Secure All Browsers was enabled in v16, as Purpleroses noted, it happen when Secure browser start even before v16 release.

Security-Mitigation logs arise when secured browser started and new renderer process (with limited privileges) call WinAPI, with passes through the Win32k.sys to kernel. From log "Process firefox.exe' (PID xxx) was blocked from making system calls to Win32k.sys." is obvious, that this call was blocked (because of limited process privileges), so security of this process wasn't decreased, but system create mitigation log about it.

We will look at it with high priority, since then sorry for this increased number of Security-Mitigation events.

And itman, thanks for this report!

Link to comment
Share on other sites

58 minutes ago, Purpleroses said:

itman I have noticed this when I use to just used the banking redirect.  But with secure all browsers I'm seeing a number of these also.  So do we keep the secure all browsers enable or can we disable it?

The problem is the activity noted is being blocked while B&PP mode is in effect. If you have the secured all browsers option enabled, you will just get more of this block activity while in secure all browsers mode.

My main present concern is given the number of blocked events occurring is B&PP mode being compromised in any way?

We'll have to wait till Eset researches this more.

Link to comment
Share on other sites

  • ESET Staff
36 minutes ago, itman said:

My main present concern is given the number of blocked events occurring is B&PP mode being compromised in any way?

We'll have to wait till Eset researches this more.

No, in Secure all browsers it just generate more logs, but BPP mode isn't more or less safe than before. No browser security, nor BPP hardening isn't affected.

Link to comment
Share on other sites

  • Administrators

Banking and payment protection module 1287 is going to be released soon which will mitigate Security-Mitigations reports. Thank you for the heads-up.

Link to comment
Share on other sites

  • Administrators
41 minutes ago, Purpleroses said:

Marco so what does mitigate security mitigations mean? 

I mean that the Security-Mitigations log won't be filled with reports when Firefox, Edge or Chrome run with "Secure all browsers" enabled.

Link to comment
Share on other sites

  • ESET Staff

BPP module with Security-Mitigations reports fix is fully released. Please check, if it helps also in your environment.

If you will encounter similar (or any) issue in the future, just let us know. We are here for you.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...