David Lambert 1 Posted April 21, 2023 Posted April 21, 2023 I know there's no way to get the computer to trust that dll. Is there anything I can do to change how ESET treats that dll that would help? The touchpad software has nice capabilities that would be nice to retain.
itman 1,806 Posted April 21, 2023 Posted April 21, 2023 (edited) Based on what I am reading here: https://www.cirque.com/desktop-trackpad-support-faq , it is questionable if the trackpad device should be used on Win 10/11: Quote Do the Cat trackpad products support Windows 10? The driver has not been qualified for Windows 10 specifically, but it has been qualified for Windows 8 and is expected to be fully compatible with Windows 10. GlidePoint 3.8.0 Driver and GlidePoint 3.7.3 Driver will be the last driver versions for Cirque EasyCat, SmartCat, and SmartCat Pro desktop touchpads. Cirque will no longer support GlidePoint Drivers. GlidePoint Driver is not guaranteed to perform as expected with all versions of Windows 10 or with Windows 11. Edited April 21, 2023 by itman Super_Spartan 1
David Lambert 1 Posted April 21, 2023 Posted April 21, 2023 (edited) I'm using a Cirque SmartCat. On https://www.cirque.com/drivers, they specify that driver version 3.8.0 is for Windows 10 (64 bit). But that doesn't mean it's tested and set up to be trusted. But elsewhere, in the quote you found, they state that "GlidePoint Driver is not guaranteed to perform as expected with all versions of Windows 10." They have stopped manufacturing the SmartCat and all their other standalone touchpads, so nothing is going change. You state that "it is questionable if the trackpad device should be used on Win 10." Are you saying that it is actually unsafe to use that dll, from a security standpoint? Could malware make its way into that dll? Or is it just recommended to not use untrusted software from a compatibility viewpoint. Like I said, I'd prefer to keep using their software, but it's not essential. I do need to use a standalone touchpad, since I sustained repetitive stress injuries decades ago, and I cannot use a regular mouse for extended periods of time. ESET Internet Security has performance exclusions and detection exclusions. I could reinstall the driver and try those out. Edited April 21, 2023 by David Lambert
itman 1,806 Posted April 21, 2023 Posted April 21, 2023 1 hour ago, David Lambert said: You state that "it is questionable if the trackpad device should be used on Win 10." Are you saying that it is actually unsafe to use that dll, from a security standpoint? Could malware make its way into that dll? Or is it just recommended to not use untrusted software from a compatibility viewpoint. The first question is if the driver is even validly signed. Note that Microsoft a while back dictated all drivers be code signed with a SHA256 cert.. Since this is a Win 8 driver, doubt that its SHA256 cert. signed. If the driver is not SHA256 cert. signed, Win 10 Secure Boot option won't load it. Or, worse Windows will disable Secure Boot to allow the driver to load. As I see i if you must use this device, you will have to permanent disable Eset's Secure all browsers option. You can still perform secure banking and financial activities by invoking B&PP option via its desktop option.
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 (edited) I must use the device, but I don't have to use Cirque's drivers. You make a convincing case for removing Cirque's drivers, so I have removed them. Thank you all for your help. You may close my trouble ticket. Edited April 22, 2023 by David Lambert
Administrators Marcos 5,461 Posted April 22, 2023 Administrators Posted April 22, 2023 I have installed Cirque's drivers in an attempt to reproduce the issue, however, I couldn't get glidehok.dll injected into browsers even with Banking and payment protection disabled. Maybe actual hardware (touchpad) is required.
itman 1,806 Posted April 22, 2023 Posted April 22, 2023 1 hour ago, Marcos said: I have installed Cirque's drivers in an attempt to reproduce the issue, however, I couldn't get glidehok.dll injected into browsers even with Banking and payment protection disabled. Maybe actual hardware (touchpad) is required. Are you sure the driver was actually installed? According to this; Quote The touchpad must be connected and working before the driver can be installed. https://www.cirque.com/drivers driver installation should have failed.
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 You can buy a used one on eBay, use it, then sell it again. You might even be able to sell it at a slight profit.
itman 1,806 Posted April 22, 2023 Posted April 22, 2023 (edited) After downloading the Cirque 3.8 drivers from here: https://www.cirque.com/drivers , they are all code signed with Microsoft SHA256 cert.. As such, there should be no issue with those drivers in Win 10 other than possible compatibility issues as noted by Cirque. Also, glidehok.dll is validily signed with a Symantec SHA256 EV cert.. As such, there should be no issue with that .dll. The issue must lie with the .dll "not playing nicely" with Secured Browser memory protection. Edited April 22, 2023 by itman
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 As Spock would say on Star Trek, "Fascinating." Going through this amount of trouble is not worth it for one case, since I'm fine, but the root issue may pop up enough to make it worth your while to pursue.
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 Cirque touchpads can be found at https://www.ebay.com/sch/i.html?_from=R40&_trksid=p2334524.m570.l1313&_nkw=Cirque&_sacat=3676&LH_TitleDesc=0&_odkw=power+cat+touchpad&_osacat=3676
itman 1,806 Posted April 22, 2023 Posted April 22, 2023 (edited) Found what I believe is the issue with glidehok.dll. A scan of it at VirusTotal shown below notes it performs keylogging. Since Eset Secured Browser protection employs its own anti-keylogger protection in the form of keystroke scrambling, there's the conflict. Can the keylogging feature be disabled in the Cirque software? https://www.virustotal.com/gui/file/977e079a1366b03ff88fd4bdea7531bc730e67af8dd2b5b3c4163e71220c6b89/behavior Edited April 22, 2023 by itman
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 It does keylogging?!?!?! I didn't know that. Yikes.
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 Is it possible that the keylogging is due to malware inside the driver?
itman 1,806 Posted April 22, 2023 Posted April 22, 2023 (edited) 2 hours ago, itman said: Can the keylogging feature be disabled in the Cirque software? I went though the User Guide .pdf for this software and no where is it mentioned it is performing keylogging activities. Are you using a virtual keyboard? The keylogging portion of this software might be capturing output from the virtual keyboard when a key is depressed from the virtual keyboard via the touchpad. In any case, I can't see this Cirque feature working right as long as Secure Browser keylogging protection is enabled. Your only choice would be to disabled Secure Browser keylogging protection. Note that this would be a security risk when performing banking or other financial activities. Edited April 22, 2023 by itman
itman 1,806 Posted April 22, 2023 Posted April 22, 2023 (edited) 10 minutes ago, David Lambert said: Is it possible that the keylogging is due to malware inside the driver? Not that I can determine from the VT analysis. Edited April 22, 2023 by itman
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 The driver is for Cirque's standalone touchpad. I'm going to install it and see what the Cirque Control Panel Add-on offers in that area, but I've used their hardware and drivers for at least 10 years, and I don't remember anything about keylogging.
David Lambert 1 Posted April 22, 2023 Posted April 22, 2023 There is no mention of keylogging in the CIrque Control Panel Add-on. The EULA displayed when installed does not contain the word "key" anywhere in it. One of the things that the CIrque Control Panel Add-on does is let you assign one of a large number of actions to the left and right mouse buttons, some of which are a key-press or a sequence of key-presses on the keyboard: Left Click, Right Click, Middle Click, Click-Lock, Double-Click, Slow Mode, Horizontal Only, Vertical Only, Insert, Delete, Home, End, PageUp, PageDown, Enter, Tab, Next Tab, Previous Tab, Last Window Used, Help, Cut, Copy, Paste, Undo, Save, Print, Close Application, Maximize Window, Minimize Window, Restore Window, Minimize All Windows, Restore All Windows, Start Menu, Run, Window Center, Windows Explorer, Default Web Browser, Default Email, Default Media, Create New Link... The default left and right mouse button actions are left-click and right-click. Is this list a red herring?
David Lambert 1 Posted April 23, 2023 Posted April 23, 2023 I've searched the Windows registry on my computer for "Cirque", and I do not find any registry entries under Cirque mentioning keyloggers. I opened up the installer's INF files in a text editor, and I see entries for a wide variety of CIrque's devices, which include keyboards, but most of those entries don't make it into the Windows registry.
itman 1,806 Posted April 23, 2023 Posted April 23, 2023 (edited) 13 hours ago, David Lambert said: I've used their hardware and drivers for at least 10 years The Eset Secure all browsers option is a relatively new feature. Prior to this feature, the Eset secure browser feature was initiated via URL redirection from the normal browser mode or by manually opening B&PP feature via desktop icon option. I assume in the past you used one of the above methods to initiate an Eset B&PP session. It also appears that you had no issues with your browser using the touchpad and its software while in a B&PP session. Is this correct? Edited April 23, 2023 by itman
itman 1,806 Posted April 23, 2023 Posted April 23, 2023 14 hours ago, David Lambert said: some of which are a key-press or a sequence of key-presses on the keyboard The software is using glidehok.dll to "simulate" this keyboard activity.
itman 1,806 Posted April 23, 2023 Posted April 23, 2023 (edited) On 4/22/2023 at 9:12 AM, Marcos said: I couldn't get glidehok.dll injected into browsers even with Banking and payment protection disabled. I believe the touchpad driver is a UMDF one. Proofpoint a few years back wrote a great POC at the height of the DoublePulsar incident showing how a standalone .dll could be accessed via reflective .dll injection method by hooking a a thread in another process using DoublePulsar running in Win user mode. POC worked great and thread hooking was virtually undetectable. I suspect something along this line is going on here. Edited April 23, 2023 by itman
David Lambert 1 Posted April 24, 2023 Posted April 24, 2023 11 hours ago, itman said: The Eset Secure all browsers option is a relatively new feature. Prior to this feature, the Eset secure browser feature was initiated via URL redirection from the normal browser mode or by manually opening B&PP feature via desktop icon option. I assume in the past you used one of the above methods to initiate an Eset B&PP session. It also appears that you had no issues with your browser using the touchpad and its software while in a B&PP session. Is this correct? I only started using ESET on Aug. 1 of last year. I have never knowingly used the "B&PP feature."
DsebaCk 0 Posted April 24, 2023 Posted April 24, 2023 Hi, I am facing similar issues in chrome like the above mentioned. Generally Chrome seems to be working fine, until i attempt to download a file - After the file has been downloaded it seems to be stuck for more than 10 seconds at the end and cannot open the file until it finishes . seems like it takes ages to finish the download process. If I right click the ESET system tray icon and click 'Pause Protection' and pasue it for 10 minutes - after the requested file has been downloaded it finihses the download straight away and i can access the file. I have followed the insructions from this thread on how to create an Operating System log file with the ESET log collector software and attached the created zip file to this message. I selected the log age limit to be 1 day as if i leave it as default on 30 days it creates a 400MB file that i cannot upload here as ulpload limit is only 200MB. I have a DELL laptop and it has a touchpad - as i`ve read above one of the users had the similar issue i am facing rectified by uninstalling the touchpad driver and software , so i tried to do this and did not help - downloads were stuck at the end in Chrome for more than 10 seconds before the downloaded file could be accessed even after uninstalling the touchpad. The only thing that fixes the slow download finish in Chrome on my system is to deactivate ESET Protection temporarily which basically renders the whole ESET software useless. Please advise on what could be the issue and how can this be fixed. Regards eis_logs.zip
Administrators Marcos 5,461 Posted April 24, 2023 Administrators Posted April 24, 2023 3 hours ago, DsebaCk said: Generally Chrome seems to be working fine, until i attempt to download a file - After the file has been downloaded it seems to be stuck for more than 10 seconds at the end and cannot open the file until it finishes . seems like it takes ages to finish the download process. If you download a bigger file, it may take several seconds to scan it so a 10s delay is not too much. Before providing an advanced OS log, please check if the delay occurs also when downloading a file smaller than 1 MB. Also provide a link to the file when it took ~10s to scan it after the download. I assume that disabling Banking and payment protection would have no effect on the "issue" so it should be posted in a separate topic.
Recommended Posts