Jump to content

Deep Behavioral Inspection crashing many apps if legacy Barco ClickShare ir running

Arturs Gailis
 Share

Recommended Posts

Arturs Gailis

Arturs Gailis 0

Posted
Posted

Hello, 

Recently we have discovered an issue with Barco ClickShare application. It is a wireless presentation solution, and we may have some of the legacy versions in use, for example, Barco ClickShare CSM-1. Barco said they will not provide any updates on this product and issue, as it is a discontinued product.

When the application inside Barco ClickShare button is launched (the latest supported firmware by that product), any app on Windows 10 and Windows 11 using hardware acceleration gets killed/crashes without warning by ESET - Zoom, Edge, Chrome, OBS, Remote Desktop, even the built-in Photo viewer hangs or gets killed. 

Did some advanced troubleshooting and after disabling Deep Behavioral Inspection in ESET Advanced Setup, it started to work again. The other solution is to add rundll32.exe from Windows system directory to HIPS allow list. None of the solutions above fully resolve the issue, because Barco is used both by company laptops and private BYOD devices which we can't access and disable antivirus components on. 

I remember this was not happening in summer but started happening recently. Happens both on ESET Endpoint Security 10.1.2058.0 and ESET Internet Security 16.2.15.0. 

When Barco app is launched, it extracts some files to TEMP directory and calls 

C:\Windows\SysWOW64\rundll32.exe DXCap.dll,DXCAP_Hook

This gets logged in HIPS logs:  

Time;Application;Operation;Target;Action;Rule;Additional information
21.11.2023 09:57:39;\Device\HarddiskVolume5\ClickShare_for_Windows.exe;Modify state of another application;C:\Windows\System32\csrss.exe;Blocked;Self-Defense: Do not allow modification of system processes;

Attached a screenshot of HIPS Interactive mode and the offending executable in a ZIP archive. But this issue won't happen while the Barco button is not physically connected to the computer, so it may not be possible to replicate. 

Maybe there is a chance your team can inspect this issue further.

Screenshot 2023-11-16 223334.png

ClickShare_for_Windows.zip ees_logs.zip

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...