
Deep Behavioral Inspection crashing many apps if legacy Barco ClickShare is running


Arturs Gailis


Hello, 

Recently we have discovered an issue with Barco ClickShare application. It is a wireless presentation solution, and we may have some of the legacy versions in use, for example, Barco ClickShare CSM-1. Barco said they will not provide any updates on this product and issue, as it is a discontinued product.

When the application inside Barco ClickShare button is launched (the latest supported firmware by that product), any app on Windows 10 and Windows 11 using hardware acceleration gets killed/crashes without warning by ESET - Zoom, Edge, Chrome, OBS, Remote Desktop, even the built-in Photo viewer hangs or gets killed. 

Did some advanced troubleshooting and after disabling Deep Behavioral Inspection in ESET Advanced Setup, it started to work again. The other solution is to add rundll32.exe from Windows system directory to HIPS allow list. None of the solutions above fully resolve the issue, because Barco is used both by company laptops and private BYOD devices which we can't access and disable antivirus components on. 

I remember this was not happening in summer but started happening recently. Happens both on ESET Endpoint Security 10.1.2058.0 and ESET Internet Security 16.2.15.0. 

When Barco app is launched, it extracts some files to TEMP directory and calls

C:\Windows\SysWOW64\rundll32.exe DXCap.dll,DXCAP_Hook

This gets logged in HIPS logs: 

Time;Application;Operation;Target;Action;Rule;Additional information
21.11.2023 09:57:39;\Device\HarddiskVolume5\ClickShare_for_Windows.exe;Modify state of another application;C:\Windows\System32\csrss.exe;Blocked;Self-Defense: Do not allow modification of system processes;

Attached a screenshot of HIPS Interactive mode and the offending executable in a ZIP archive. But this issue won't happen while the Barco button is not physically connected to the computer, so it may not be possible to replicate. 

Maybe there is a chance your team can inspect this issue further.

Screenshot 2023-11-16 223334.png

ClickShare_for_Windows.zip ees_logs.zip
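Added example (not part of the original post and not ESET tooling): a Python triage over HIPS log exports in the semicolon-separated format quoted above, counting which applications triggered the Self-Defense block on csrss.exe so affected machines can be identified without changing any exclusions. Only the first data row comes from the post; the other rows and the function names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from ntpath import basename  # applies Windows path rules on any OS

# Constructed sample: the first data row is the one quoted in the post,
# the remaining rows are invented to exercise the filter.
SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
21.11.2023 09:57:39;\Device\HarddiskVolume5\ClickShare_for_Windows.exe;Modify state of another application;C:\Windows\System32\csrss.exe;Blocked;Self-Defense: Do not allow modification of system processes;
21.11.2023 09:58:02;C:\Program Files\Example\app.exe;Write to file;C:\Users\demo\notes.txt;Allowed;Example user rule;
21.11.2023 09:58:40;\Device\HarddiskVolume5\ClickShare_for_Windows.exe;Modify state of another application;C:\Windows\System32\csrss.exe;Blocked;Self-Defense: Do not allow modification of system processes;
truncated line without enough fields
"""


def self_defense_blocks(log_text):
    """Return (timestamp, application path) for each blocked csrss.exe modification."""
    hits = []
    reader = csv.DictReader(io.StringIO(log_text), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        # DictReader marks short rows with None values and long rows with a None key.
        if None in row or None in row.values():
            continue
        if row["Action"] != "Blocked" or not row["Rule"].startswith("Self-Defense"):
            continue
        if basename(row["Target"]).lower() != "csrss.exe":
            continue
        try:
            # Day.month.year order, as in the quoted log line.
            when = datetime.strptime(row["Time"], "%d.%m.%Y %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp, treat the row as malformed
        hits.append((when, row["Application"]))
    return hits


def blocked_by_app(hits):
    """Count hits per executable name, ignoring the volume or drive prefix."""
    return Counter(basename(app) for _, app in hits)


if __name__ == "__main__":
    for name, count in blocked_by_app(self_defense_blocks(SAMPLE_LOG)).items():
        print(f"{name}: {count} blocked attempt(s) against csrss.exe")
```
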


  • 4 weeks later...
  • Administrators
3 hours ago, Bastien G said:

I've the same problem, did you find a solution? Eset support asked me to create an exclusion but it doesn't run or I don't have the correct syntax.

Do you use Barco ClickShare application and experience the same issue as the OP?


I have not yet raised a support ticket due to time constraints and the "everything is on fire" situation during the end of the year events.

Currently just temporarily discontinued the use of this legacy Barco product.

Can confirm it's a widespread issue and exclusions do not work with this one, because of the way that application executes. Currently the only solution is to completely disable Deep Behavioral Inspection. Adding rundll32.exe to exclusions is not something I'm comfortable doing, as that can allow some legit malicious stuff to execute using that file.

 


  • Administrators

Did you test it with Deep Behavior Inspection module 1144.1 without exclusions? Should the problem persist, it will be necessary to raise a support ticket. The issue cannot be reproduced easily, at least not on a vm without wi-fi as I understand.


Currently unable to reproduce the issue on my personal laptop with Deep behavioral inspection support module 1149 and 1144.1.

Crashes on module version 1144 instantly. 

1144.1 is not offered to me on Eset Endpoint Security with Regular Update channel. Seems to be stuck to 1144 version. 

Will do further testing in the coming days with full hardware setup. Currently testing without base station connected, just the ClickShare button plugged into USB port and no content shared. 
