David Lambert 1, Posted April 24, 2023
20 hours ago, itman said:
I believe the touchpad driver is a UMDF one. Proofpoint a few years back wrote a great POC at the height of the DoublePulsar incident showing how a standalone .dll could be accessed via reflective .dll injection method by hooking a thread in another process using DoublePulsar running in Win user mode. POC worked great and thread hooking was virtually undetectable. I suspect something along this line is going on here.

Should someone contact Cirque about this? They may or may not have put a keylogger into their touchpad driver, and if not, they may want to remove the contaminated driver from their website.
itman 1,806, Posted April 24, 2023
18 hours ago, David Lambert said:
I only started using ESET on Aug. 1 of last year. I have never knowingly used the "B&PP feature."

To definitively identify the conflict between the Cirque touchpad software and Eset Secured browser protection, perform the following;
1. Reinstall the Cirque software.
2. Open Eset GUI. Select Setup -> Security Tools -> Banking and Payment Protection. Mouse click on the "Gear" symbol and select Configure. Disable Keyboard protection setting. Mouse click on OK tab and any subsequent displayed OK tab to save your setting changes. Verify that Keyboard protection setting is disabled.
3. Open Firefox or Chrome and determine if your prior issues have been resolved. If not, proceed to step 4.
4. Repeat the activity stated in step 2 but this time disable Enhanced Memory Protection setting. Verify that Enhanced Memory protection setting is disabled.
5. Open Firefox or Chrome and determine if your prior issues have been resolved.
Report back on your findings. Also, re-enable B&PP Keyboard and Enhanced Memory protection settings.
ESET Staff constexpr 47, Posted April 24, 2023
14 minutes ago, itman said:
To definitively identify the conflict between the Cirque touchpad software and Eset Secured browser protection, perform the following;
1. Reinstall the Cirque software.
2. Open Eset GUI. Select Setup -> Security Tools -> Banking and Payment Protection. Mouse click on the "Gear" symbol and select Configure. Disable Keyboard protection setting. Mouse click on OK tab and any subsequent displayed OK tab to save your setting changes. Verify that Keyboard protection setting is disabled.
3. Open Firefox or Chrome and determine if your prior issues have been resolved. If not, proceed to step 4.
4. Repeat the activity stated in step 2 but this time disable Enhanced Memory Protection setting. Verify that Enhanced Memory protection setting is disabled.
5. Open Firefox or Chrome and determine if your prior issues have been resolved.
Report back on your findings. Also, re-enable B&PP Keyboard and Enhanced Memory protection settings.

Based on previous logs there is no need to follow these steps. The problem (of slow down) is not in the conflict with our keyboard protection of the Secured browser, but their invasive implementation.
David Lambert 1, Posted April 24, 2023
11 minutes ago, constexpr said:
Based on previous logs there is no need to follow these steps. The problem (of slow down) is not in the conflict with our keyboard protection of the Secured browser, but their invasive implementation.

To clarify, the problem is the invasive implementation of Secure All Browsers?

I already did the testing requested, so I'll report it anyway. I've reinstalled the Cirque touchpad software. The browser performance issues come back. Disabling Keyboard Protection and disabling Enhanced Memory Protection does not fix the browser performance issues. Disabling Secure All Browsers does fix the browser performance issues, even when Keyboard Protection and Enhanced Memory Protection are both enabled.
itman 1,806, Posted April 24, 2023 (edited)
17 minutes ago, David Lambert said:
Disabling Keyboard Protection and disabling Enhanced Memory Protection does not fix the browser performance issues.

This is an interesting finding. Your only solution here is to disable the "Secure all browsers" option in B&PP settings. When you want to perform banking and other financial activities, do so by opening B&PP secure browser via its desktop icon option. Hopefully, the performance issues will be minimal enough to allow this as a feasible alternative.
Edited April 24, 2023 by itman
David Lambert 1, Posted April 24, 2023
6 minutes ago, itman said:
This is an interesting finding. Your only solution here is to disable the "Secure all browsers" option in B&PP settings. When you want to perform banking and other financial activities, do so by opening B&PP secure browser via its desktop icon option. Hopefully, the performance issues will be minimal enough to allow this as a feasible alternative.

I do not use B&PP.
itman 1,806, Posted April 24, 2023
Just now, David Lambert said:
I do not use B&PP.

Actually when the Secure all browsers option is enabled, you are indeed using Eset Banking and Payment Protection option. The only difference between the two methods is with Secured all browsers enabled, you are always running the browser in B&PP mode.
ESET Staff constexpr 47, Posted April 24, 2023
19 minutes ago, David Lambert said:
To clarify, the problem is the invasive implementation of Secure All Browsers?

Cirque software wants to inject to Secured browser and they improperly handle the fact that this action is blocked.

12 minutes ago, itman said:
This is an interesting finding. Your only solution here is to disable the "Secure all browsers" option in B&PP settings.

I see at least 2 possible solutions. You can have Secured browser, that (among other protection) blocks injection of unknown 3rd party code, or browser with injected 3rd party code. But definitely you cannot have both of them. 3rd option is that Cirque software should not try to inject other processes thousands of times per minute, that will definitely help (and is the source of the slow down issue).
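The behaviour constexpr describes above, a third-party component retrying injection into a protected browser thousands of times per minute and being blocked each time, is a pattern a defender can surface from block logs by rate. The following is an added example, not code from the thread, from ESET or from Cirque: it parses a constructed, hypothetical event format (one line per blocked injection attempt, with an ISO timestamp, source process, pid and destination process), buckets blocked attempts per source/destination/minute, and flags buckets above a threshold. The process names, the log format and the threshold are all assumptions made for the example.

```python
"""Rate-based detection of repeated, blocked injection attempts.

Added example (not from the forum thread or from ESET/Cirque). The log
format is constructed for illustration; one line per blocked event in the
hypothetical form:

    <ISO timestamp> BLOCKED inject src=<process> pid=<n> dst=<process>

A component that retries injection into a protected browser thousands of
times per minute is both a compatibility problem and a noisy signal worth
surfacing, which is what this bucketing does.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical line shape; unrelated or malformed lines simply do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) BLOCKED inject src=(?P<src>\S+) pid=(?P<pid>\d+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Return a dict for one blocked-injection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "pid": int(m.group("pid")),
        "dst": m.group("dst"),
    }


def blocked_per_minute(lines):
    """Count blocked attempts per (source process, destination, minute bucket)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that are not blocked-injection events
        bucket = ev["ts"].replace(second=0, microsecond=0)
        counts[(ev["src"], ev["dst"], bucket)] += 1
    return counts


def flag_noisy_sources(lines, threshold=100):
    """Return sorted (src, dst, minute, count) tuples at or above threshold.

    threshold is an assumed tuning value: a few retries per minute is what a
    badly behaved hook normally produces; thousands is the case in the thread.
    """
    return sorted(
        (src, dst, bucket.isoformat(), n)
        for (src, dst, bucket), n in blocked_per_minute(lines).items()
        if n >= threshold
    )


def constructed_log():
    """Constructed sample: one source blocked 1500 times inside one minute,
    another source blocked twice in different minutes, plus one unrelated line.
    Process names are placeholders, not real product binaries."""
    start = datetime(2023, 4, 24, 10, 0, 0)
    lines = []
    for i in range(1500):
        ts = start + timedelta(milliseconds=40 * i)  # 1500 x 40 ms stays inside 10:00
        lines.append(
            f"{ts.isoformat()} BLOCKED inject src=touchpad_helper.exe pid=4321 dst=secured_browser.exe"
        )
    lines.append("2023-04-24T10:00:05 BLOCKED inject src=updater.exe pid=777 dst=secured_browser.exe")
    lines.append("2023-04-24T10:03:10 BLOCKED inject src=updater.exe pid=777 dst=secured_browser.exe")
    lines.append("2023-04-24T10:00:07 ALLOWED open src=notepad.exe pid=900 dst=readme.txt")
    return lines


if __name__ == "__main__":
    for src, dst, minute, n in flag_noisy_sources(constructed_log()):
        print(f"{minute}: {src} blocked {n} times injecting into {dst}")
```

On the constructed log only the touchpad_helper.exe bucket is flagged; updater.exe's two blocks fall under the threshold. In practice the threshold and the minute bucket are the knobs to tune, and the source/destination pair in the flagged tuple is exactly what a support case like this one needs: it names the component doing the retrying and the protected process it is retrying against.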
David Lambert 1, Posted April 24, 2023
39 minutes ago, constexpr said:
Cirque software wants to inject to Secured browser and they improperly handle the fact that this action is blocked. I see at least 2 possible solutions. You can have Secured browser, that (among other protection) blocks injection of unknown 3rd party code, or browser with injected 3rd party code. But definitely you cannot have both of them. 3rd option is that Cirque software should not try to inject other processes thousands of times per minute, that will definitely help (and is the source of the slow down issue).

Like I said before, I can live without the touchpad drivers.