Jump to content

The "Mysterious" HIPS Duplicates Bug


Recommended Posts

Plagued by this bug since installing (german) ESS V9.first over (english) ESS V8.last from the first second, and afterwards even after having installed (english) ESS V9.0.349.0 over (german) ESS V9.first, I think I have found a snappy procedure to reproduce this bug in no time (you can look for some more infos about this bug here, https://forum.eset.com/topic/6867-new-build-available-349/page-4#entry38878):

(read carefully, and you can trigger this bug in no time. Yes, once again you have to read far more than I thought, but following it you will trigger HIPS duplicates...)
1. no, the HIPS duplicates bug doesn't exist in ESS V8
2. it has nothing to do with Win10, because I'm using Win7 Pro 64-Bit
3. german version over english version? Should have nothing to do with this, I think

how to reproduce this bug (preliminary important informations):
- the key to trigger it should be this HIPS rule (I haven't checked any other HIPS rules for the same analogous pattern, but...):



<ITEM NAME="16C">
<NODE NAME="enabled" TYPE="number" VALUE="1" />
<NODE NAME="name" TYPE="string" VALUE="User rule: allow svchost.exe (modify state of app, Stapel, u.a. consent.exe!!! 28.12.2015: führt dies etwa auf Spur der FREAKY Doublette?!?))" />
<NODE NAME="priority" TYPE="number" VALUE="80" />
<NODE NAME="action" TYPE="number" VALUE="1" />
<NODE NAME="log" TYPE="number" VALUE="1" />
<NODE NAME="notify" TYPE="number" VALUE="0" />
<NODE NAME="allAppSources" TYPE="number" VALUE="0" />
<ITEM NAME="appSources" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\svchost.exe" />
</ITEM>
<NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
<ITEM NAME="fileOperations">
<NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="File_Delete" TYPE="number" VALUE="0" />
<NODE NAME="File_Modify" TYPE="number" VALUE="0" />
<NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
<NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
<NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="regOperations">
<NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="peOperations">
<NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
<NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
<NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
<NODE NAME="Application_Create" TYPE="number" VALUE="0" />
<NODE NAME="Application_Modify" TYPE="number" VALUE="1" />
</ITEM>
<NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileTargets" DELETE="1" />
<NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
<ITEM NAME="regTargets" DELETE="1" />
<NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="peTargets" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\audiodg.exe" />
<NODE NAME="2" TYPE="string" VALUE="C:\Windows\System32\consent.exe" />
<NODE NAME="3" TYPE="string" VALUE="C:\Windows\System32\mobsync.exe" />
<NODE NAME="4" TYPE="string" VALUE="C:\\\wmpnscfg.exe" />
<NODE NAME="5" TYPE="string" VALUE="C:\Windows\SysWOW64\control.exe" />
<NODE NAME="6" TYPE="string" VALUE="C:\Windows\SysWOW64\rundll32.exe" />
<NODE NAME="7" TYPE="string" VALUE="C:\Windows\System32\taskhost.exe" />
<NODE NAME="8" TYPE="string" VALUE="C:\\\opera.exe" />
<NODE NAME="9" TYPE="string" VALUE="C:\\\pluginwrapper\opera_plugin_wrapper.exe" />
<NODE NAME="A" TYPE="string" VALUE="C:\\\pluginwrapper\opera_plugin_wrapper_32.exe" />
</ITEM>
</ITEM>

("User rule: allow svchost.exe (modify state of app, Stapel, u.a. consent.exe!!! 28.12.2015: führt dies etwa auf Spur der FREAKY Doublette?!?" - in english: "a whole bunch of targets, for example consent.exe!!! Is this the reason for these nasty HIPS duplicate popups?!!")

- I have some / "a lot" HIPS rules with multiple targets, but I have deleted the corresponding rules with single targets, for sure.)
- thus the bug triggering key is: in this one HIPS rule (modify state of app, allowed) with multiple targets you can see at least five targets that are for sure leading to sporadic, but consistent, HIPS duplicate popups in my ESS V9 configuration!!! (Ok, at least six, 'audiodg.exe' has triggered a HIPS duplicates popup too, I think - but I will not verify this at 5 o'clock in the morning, not now...)
- to accelerate the triggering of a HIPS duplicate significantly you should / must work with fiddling PCAP ON / OFF, ie. "setup : advanced setup : tools : diagnostics : enable personal firewall logging [check box]"! (Don't forget the PCAP OFF, and the deletion of the PCAP file ('C:\ProgramData\ESET\xxxxxxx\Diagnostics\EpfwLog.pcapng'), after your tests!)
- to speed up the triggering of a HIPS duplicate even more you should include changing existing firewall and / or HIPS rules (one is enough) between your trigger attempts (ie. "directory properties", "file save as" (from any program with it), "sticky explorer : favorite directory (any) (more detailed below)".

Phew! Now it's high time for the HIPS duplicates bug reproduction procedure:
1. enable HIPS interactive mode
2. search for a HIPS rule in the style of the one you can see above, and add multiple targets, choose wisely, 'consent.exe' (UAC) is a good one and several other heavily used programs, and delete the corresponding single targetted HIPS rules.
3. another HIPS rule with 'SysWOW64 dllhost.exe' (search for it), modify registry, EnableLinkedConnections, triggered on every "file save as", "directory (and file) properties", "sticky explorer : right click : favorite directory : back to root directory" is a good candidate
4. do the same thing with consent.exe, look at this HIPS rule of mine: "Benutzerregel: zulassen consent.exe (modify state of app, svchost.exe, trigger it: 1. PCAP re-ON, 2. chg firewall rule / OK / OK / OK - BANG: this FREAKY duplicate!!!, 29.10.2015 ~01.46)"
(@ESET developer team: this nasty bug seems a little bit more convoluted than just the HIPS rules with multiple targets "thingy", ie. here I seem to have a 1st good HIPS rule, single target. And after that, starting with ESS V9, a whole lotta duplicate HIPS rules!... Interesting tidbit (look at the HIPS rule in XML format above): I can't remember that 'opera.exe' ever triggered a HIPS duplicate popup, but I'm more than sure that the Opera Plugin Wrappers trigger quite a lot!!!)
5. thus, create a HIPS "modify state of app" rule, with 'svchost.exe' as target and 'consent.exe' as application source, and then do the above stated steps, ie. 1. PCAP re-ON, 2. chg firewall rule / OK / OK / OK - BANG.
6. work with PCAP ON / OFF, ie. "setup : advanced setup : tools : diagnostics : enable personal firewall logging [check box]", ie. enable it save files like hell, in between disabling PCAP and waiting some minutes (2 - 5), then save files, PCAP re-ON, save files, PCAP OFF, wait, PCAP re-ON, save files. The HIPS duplicate popup bug should trigger sooner or later. Combine this with making multiple "directory properties" and the "sticky explorer" stuff, and (eventually - HIPS duplicate popups are more sporadic here) starting / stopping heavily used normal programs
7. fiddling with PCAP ON / OFF / re-ON, in combination with the two precious 'consent.exe' HIPS rules (with changing HIPS and / or firewall rules descriptions, another good bug triggering accelerator) you should be able to trigger the HIPS duplicates bug in (nearly) now time!

HTH
 

Link to comment
Share on other sites

  • Administrators

You have posted details about just one rule. I'd need need to see a duplicate as well. The best would be if you could export your ESET configuration and pm me the configuration xml.

Link to comment
Share on other sites

TL;DR: the HIPS duplicates popup bug exists for sure, but it's not as easy as "HIPS rule with multiple targets = HIPS duplicates popup of some / all of these targets". (I've never done anything special with HIPS, and never outside ESS. HIPS popup? - "read, study, allow, log it, change description".) 'SysWOW64 dllhost.exe' and 'consent.exe', producing the most duplicate popups with me contradict this "theory" clearly, after verifying these two duplicate cases: for each of them there exists one crystal clear HIPS "starting" rule, followed by a whole lotta duplicate ones, that are 100% identical, except the description (and the ID), of course!... Nonetheless: would someone proceed as described in my posting #1, testing and confirming this nasty bug?!! Anyone? (Testing: it cant' get any shorter and snappier than this: 0. check that you have as much firewall and HIPS rules as possible. (I have 1086 firewall and 1542 HIPS rules (>200 HIPS duplicates, and counting)). 1. look that you have a HIPS rule as in ID=4FA (see below). 2. set HIPS to interactive mode. 3. PCAP ON. Wait 2 minutes. 4. PCAP OFF. Wait 5 minutes. 5. PCAP re-ON. 6. change a firewall description, OK, OK, OK - BANG, a nasty HIPS duplicates popup for, in my case HIPS ID=4FA! Save it. 6. look for it, now you have two of those already... 7. don't forget to turn PCAP OFF again.) Thanks.

- the included HIPS rule, ID=16C, in posting #1 is the first "modify state of app" HIPS rule for 'svchost.exe' with (beside others) 'consent.exe' in it.
- the following is the first HIPS rule, ID=4FA, "modify state of app" for 'consent.exe' with single target 'svchost.exe', thus definitely not a duplicate:
(in all HIPS description fields I have removed "I REALLY, REALLY, ...", "Benutzerregel: " -> "Regel: ", """ -> "'", some "<" -> "<" and the like)









<ITEM NAME="4FA">
<NODE NAME="enabled" TYPE="number" VALUE="1" />
<NODE NAME="name" TYPE="string" VALUE="Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette (duplicate)?!? 01/20/2016: no, the FIRST one!)" />
<NODE NAME="priority" TYPE="number" VALUE="80" />
<NODE NAME="action" TYPE="number" VALUE="1" />
<NODE NAME="log" TYPE="number" VALUE="1" />
<NODE NAME="notify" TYPE="number" VALUE="0" />
<NODE NAME="allAppSources" TYPE="number" VALUE="0" />
<ITEM NAME="appSources" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\consent.exe" />
</ITEM>
<NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
<ITEM NAME="fileOperations">
<NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="File_Delete" TYPE="number" VALUE="0" />
<NODE NAME="File_Modify" TYPE="number" VALUE="0" />
<NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
<NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
<NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="regOperations">
<NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="peOperations">
<NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
<NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
<NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
<NODE NAME="Application_Create" TYPE="number" VALUE="0" />
<NODE NAME="Application_Modify" TYPE="number" VALUE="1" />
</ITEM>
<NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileTargets" DELETE="1" />
<NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
<ITEM NAME="regTargets" DELETE="1" />
<NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="peTargets" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\svchost.exe" />
</ITEM>
</ITEM>

- this is the first duplicate HIPS rule (ID=502) of ID=4FA:









<ITEM NAME="502">
<NODE NAME="enabled" TYPE="number" VALUE="1" />
<NODE NAME="name" TYPE="string" VALUE="Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette?!?)" />
<NODE NAME="priority" TYPE="number" VALUE="80" />
<NODE NAME="action" TYPE="number" VALUE="1" />
<NODE NAME="log" TYPE="number" VALUE="1" />
<NODE NAME="notify" TYPE="number" VALUE="0" />
<NODE NAME="allAppSources" TYPE="number" VALUE="0" />
<ITEM NAME="appSources" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\consent.exe" />
</ITEM>
<NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
<ITEM NAME="fileOperations">
<NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="File_Delete" TYPE="number" VALUE="0" />
<NODE NAME="File_Modify" TYPE="number" VALUE="0" />
<NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
<NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
<NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="regOperations">
<NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="peOperations">
<NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
<NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
<NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
<NODE NAME="Application_Create" TYPE="number" VALUE="0" />
<NODE NAME="Application_Modify" TYPE="number" VALUE="1" />
</ITEM>
<NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileTargets" DELETE="1" />
<NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
<ITEM NAME="regTargets" DELETE="1" />
<NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="peTargets" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\svchost.exe" />
</ITEM>
</ITEM>

- then come the HIPS duplicates with IDs 507, 513 is the first with a date, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette?!?, 10.10.2015 ~18:35)"), then:
514, VALUE="Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette?!?, 11.10.2015 ~01:39)"
51A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette!!!)"
520, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette!!!, 17.10.2015 ~02:53))"
522, "Regel: zulassen consent.exe (modify state of app, svchost.exe, bei 2tem FW-Popup, Doublette!, 17.10.2015 ~18:35)"
523, "Regel: zulassen consent.exe (modify state of app, svchost.exe, switching PCAP OFF, Doublette!, 17.10.2015 ~19:02)"
52C, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette!!! Quasi direkt nach ~4 FW-Popups, 20.10.2015)"
53E, "Regel: zulassen consent.exe (modify state of app, svchost.exe, ~6 Min nach PCAP re-ON, Doublette!!!, 22.10.2015 ~00.51)"
53F, "Regel: zulassen consent.exe (modify state of app, svchost.exe, chg file privileges, kurz nach PCAP OFF, Doublette!!!, 23.10.2015, ~01.51)"
547, "Regel: zulassen consent.exe (modify state of app, svchost.exe, storing previous HIPS rule (ie all), Doublette!!!, 25.10.2015 ~02.12)"
548, "Regel: zulassen consent.exe (modify state of app, svchost.exe, beim PCAP re-ON, ~30 Min nach PCAP OFF, Doublette!!!, 25.10.2015 ~17.23)"
54A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, storing previous SYSWOW64 contrl.exe duplicate, Doublette!!!, 26.10.2015, ~15.13)"
54D, "Regel: zulassen consent.exe (modify state of app, svchost.exe, trigger it: 1. PCAP re-ON, 2. chg firewall rule / OK / OK (/OK(?)) - BANG: this FREAKY Doublette!!!, 28.10.2015 ~02.29)"
54F, "Regel: zulassen consent.exe (modify state of app, svchost.exe, trigger it: 1. PCAP re-ON, 2. chg firewall rule / OK / OK / OK - BANG: this FREAKY Doublette!!!, 29.10.2015 ~01.46)"
553, "Regel: zulassen consent.exe (modify state of app, svchost.exe, beim PCAP re-ON, ~15 Min nach PCAP OFF, Doublette!!!, 31.10.2015 ~18.25)"
555, "Regel: zulassen consent.exe (modify state of app, svchost.exe, 1 FW-Popup (and stored), ~15 Min later wanted ACK 1st PCAP OFF, producing THIS FREAKY Doublette!, 01.11.2015, ~17.31)"
55F, "Regel: zulassen consent.exe (modify state of app, svchost.exe, beim PCAP re-ON, ~22 Min nach PCAP OFF (dazwischen EnableLinkConnection-Doublette), Doublette!!!, 07.11.2015, 20.07)"
562, "Regel: zulassen consent.exe (modify state of app, svchost.exe, storing chgd previous HIPS rule (ie 2 in all), FREAKY Doublette!!!, 09.11.2015)"
56D, "Regel: zulassen consent.exe (modify state of app, svchost.exe, vor UAC wegen file ACL chg, ~30 Min nach PCAP OFF, FREAKY Doublette!!!, , 12.11.2015 04.02)"
56E, "Regel: zulassen svchost.exe (modify state of app, consent.exe, ~2 Min nach PCAP re-ON nach ~78 Min PCAP OFF, FREAKY Doublette!!!, , 12.11.2015 ~17.29)"
57B, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, FREAKY Doublette!!!, , 20.11.2015 ~18.52)"
581, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~12 min after PCAP OFF, FREAKY Doublette!!!, , 21.11.2015 ~20.10)"
582, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~30 Min nach PC-Start mit direkt FW-Popup, chgd, später 2x 'file save as', FREAKY Doublette!!!, (...), 22.11.2015)"
583, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, >4 HOURS after last PCAP re-ON, NO ESS V9 activity in-between!!!, FREAKY Doublette!!!, , 23.11.2015 ~03.28)"
58C, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~18 Min nach PC-Start mit direkt FW-Popup, chgd, FREAKY Doublette!!!, , 29.11.2015)"
58D, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~15 Min nach PCAP OFF, FREAKY Doublette!!!, , 30.11.2015)"
58E, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~24 Min nach PCAP OFF + 1x (DAYS old) FW rule TXT chgd, zeitgleich AV-Update trial, xDSL aber OFF, FREAKY Doublette!!!, , 01.12.2015 03.44)"
590, "Regel: zulassen consent.exe (modify state of app, svchost.exe, (UAC for) storing chgd days old firewall rule, <4 min after PCAP OFF, FREAKY Doublette!!!, , 03.12.2015 ~03.19)"
598, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC for storing chgd firewall rule TXT, ~23 Min nach PCAP OFF, FREAKY Doublette!!!, , 06.12.2015 04.07)"
59A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, <=6 Min nach PCAP OFF, FREAKY Doublette!!!, , 07.12.2015 03.52)"
59C, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~18 Min nach PCAP OFF + FW-Popup + FW rule TXT chg, FREAKY Doublette!!! [THIS IS A VERY CLEAR BUG LEADING PATTERN], , 07.12.2015 23.25)"
54A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~37 Min nach PC-Start (no EnableLinkedConn before during 3 'file save as'), FREAKY Doublette!!!, 10.12.2015)"
5AA, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~39 Min nach PCAP OFF, FREAKY Doublette!!!, , 12.12.2015 ~03.42)"
5AB, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of storing chgd HIPS rule TXT, FREAKY Doublette!!!, , 12.12.2015 03.47)"
5AD, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of PCAP OFF, HOURS after last PCAP re-ON, FREAKY Doublette!!!, , 15.12.2015 03.43)"
5B9, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of an '.exe', <5 min later (!!!), FREAKY Doublette!!!, 17.12.2015)"
5BB, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~14 min after PCAP OFF, FREAKY Doublette!!!, , 18.12.2015 04.11)"
5BC, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~4 min after last PCAP OFF, (and a WHOLE bunch of other PCAP OFF/ON /wo these BLOODY) FREAKY Doublette!!!, , 18.12.2015 ~19.42)"
5BD, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of 'show all programs'; in task manager, <=~3 min after last PCAP OFF (or re-ON), FREAKY Doublette!!!, , 19.12.2015 ~01.24)"

(now installed ESS V9.0.349.0 over previous ESS V9.first)

5BE, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of firewall popup, ~25 Min nach PC-Start, FREAKY Doublette EVEN WITH ESS V9.0.349.0!!!, , 20.12.2015)"
5C3, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC file ACL chg, ~7 min after last PCAP OFF, FREAKY Doublette EVEN WITH ESS V9.0.349.0!!!, , 23.12.2015 ~02.32)"
5C8, User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~8 min after last PCAP OFF, (and a WHOLE bunch of other PCAP OFF/ON /wo these BLOODY) FREAKY Doublette!!!, , 26.12.2015 ~02.57)"
5D2, User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~30 min after last PCAP ON, FREAKY Doublette!!!, even with ESS V9.0.349.0!!!, 28.12.2015 03.31)"
5D5, User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF (precisely @ or within AV-Update /w xDSL=OFF), HOURS after last PCAP re-ON, FREAKY Doublette!!!, , 29.12.2015 03.42)"
5D6, User rule: allow consent.exe (modify state of app, svchost.exe, UAC file ACL chg (still within AV-Update @xDSL=OFF), <=3 (!!!) min after last PCAP OFF (AND THE BLOODY SAME) FREAKY Doublette!!!, , 29.12.2015 03.45)"
5D7, User rule: allow consent.exe (modify state of app, svchost.exe, UAC of ONE PCAP OFF (after a whole bunch of UACs + PCAP OFF/re-ON/ON wo/ these) FREAKY Doublette!!!, , 30.12.2015 ~00.09)"
5DA, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, <=3 min (!!!) after last PCAP OFF, (and a WHOLE bunch of other PCAP OFF/ON /wo these BLOODY) FREAKY Doublette!!!, , 01.01.2016 04.14)"
5DB, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of ONE PCAP OFF (last re-ON before HOURS, 1 old fw rule TXT chg ~10-20 min before this PCAP OFF) (after a whole bunch of UACs + PCAP OFF/re-ON/ON wo/ these) FREAKY Doublette!!!, , 04.01.2016 ~02.59)"
5E0, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, 8 min after last FREAKY Doublette, THE NEXT FREAKY Doublette!!!, , 05.01.2016 03.54)"
5E2, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of ~5 fw rules TXT chgd, <=6 min after last PCAP re-ON, THE NEXT FREAKY Doublette!!!, , 06.01.2016 04.11)"
5E9, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, HOURS after last PCAP re-ON, THE NEXT FREAKY Doublette!!!, , 07.01.2016 ~03.39)"
5EB, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~9 min after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 10.01.2015 04.22)"
5F2, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~59 min after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 13.01.2016 04.04)"
5F8, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, <=5 min (max.) after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 17.01.2016 ~17.57)"

(time for the last four HIPS duplicates)
5FF, "User rule: allow SysWOW64 dllhost.exe (registry EnableLinkedConnections, file props, ~10 min after last PCAP OFF, FREAKY Doublette!!!, , 18.01.2016 04.19)"
600, "User rule: allow VistaGlance.exe (start new app, SysWOW64 control.exe, ~14-17 Min nach PC-Start mit direkt 1x FW-Popup (+ rule TXT chg), FREAKY Doublette!!! (vgl. mit 06.01.2016), 18.01.2016)"

(these two are the last - after having written posting #1 and loosing everything, because of a timeout of your Forum Software (hint, hint!), ie. I had to rewrite posting #1 - ok, effectively reformatting it "only", because I still remembered having lost all previous postings of mine to the cryptic error message this Forum Software generates ("you have no right"?!? - No, "timeout, you were disconnected" would be more precise. Still no fun at all!!!):

603, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, HOURS, HOURS after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 19.01.2016 ~05.4?)"
604, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of task manager alt-b (all prgs), a FEW minutes after last FREAKY Doublette, THE NEXT SAME FREAKY Doublette!!!, , 19.01.2016 ~05.54)"


- yes, it's a little bit weird that HIPS ID=4FA, "allow consent.exe (modify state of app, svchost.exe)" should generate this amount of crystal clear HIPS duplicates, of which I have saved all. And it seems to contradict my "theory" of "it's a multiple targets => the HIPS duplicates popup bug "thingy", only in ESS V9"...

- oh no, SysWOW64 dllhost.exe, modify registry EnableLinkedConnection is contradicting it too:

(first entry, a very, very, very old entry, HIPS ID=1D)







<ITEM NAME="1D">
<NODE NAME="enabled" TYPE="number" VALUE="1" />
<NODE NAME="name" TYPE="string" VALUE="User rule: allow dllhost.exe (registry EnableLinkedConnections, was soll das? Beim 'file save as' im Opera (!). Nur dort? Keine Doublette, das uralte Original)" />
<NODE NAME="priority" TYPE="number" VALUE="80" />
<NODE NAME="action" TYPE="number" VALUE="1" />
<NODE NAME="log" TYPE="number" VALUE="1" />
<NODE NAME="notify" TYPE="number" VALUE="0" />
<NODE NAME="allAppSources" TYPE="number" VALUE="0" />
<ITEM NAME="appSources" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\SysWOW64\dllhost.exe" />
</ITEM>
<NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasRegTargets" TYPE="number" VALUE="1" />
<NODE NAME="hasPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileOperations">
<NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="File_Delete" TYPE="number" VALUE="0" />
<NODE NAME="File_Modify" TYPE="number" VALUE="0" />
<NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
<NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
<NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="regOperations">
<NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Modify" TYPE="number" VALUE="1" />
</ITEM>
<ITEM NAME="peOperations">
<NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
<NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
<NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
<NODE NAME="Application_Create" TYPE="number" VALUE="0" />
<NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
</ITEM>
<NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileTargets" DELETE="1" />
<NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
<ITEM NAME="regTargets" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections" />
</ITEM>
<NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="peTargets" DELETE="1" />
</ITEM>

(and that's the first HIPS duplicate I saved, ID=4FB)







<ITEM NAME="4FB">
<NODE NAME="enabled" TYPE="number" VALUE="1" />
<NODE NAME="name" TYPE="string" VALUE="Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Doublette?!!)" />
<NODE NAME="priority" TYPE="number" VALUE="80" />
<NODE NAME="action" TYPE="number" VALUE="1" />
<NODE NAME="log" TYPE="number" VALUE="1" />
<NODE NAME="notify" TYPE="number" VALUE="0" />
<NODE NAME="allAppSources" TYPE="number" VALUE="0" />
<ITEM NAME="appSources" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="C:\Windows\SysWOW64\dllhost.exe" />
</ITEM>
<NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
<NODE NAME="hasRegTargets" TYPE="number" VALUE="1" />
<NODE NAME="hasPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileOperations">
<NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="File_Delete" TYPE="number" VALUE="0" />
<NODE NAME="File_Modify" TYPE="number" VALUE="0" />
<NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
<NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
<NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
</ITEM>
<ITEM NAME="regOperations">
<NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
<NODE NAME="Registry_Modify" TYPE="number" VALUE="1" />
</ITEM>
<ITEM NAME="peOperations">
<NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
<NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
<NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
<NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
<NODE NAME="Application_Create" TYPE="number" VALUE="0" />
<NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
</ITEM>
<NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
<ITEM NAME="fileTargets" DELETE="1" />
<NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
<ITEM NAME="regTargets" DELETE="1">
<NODE NAME="1" TYPE="string" VALUE="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections" />
</ITEM>
<NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
<ITEM NAME="peTargets" DELETE="1" />
</ITEM>

- comparing these two HIPS rules with 'Meld', a file comparison tool, reveals that they are 100% identical, except ID and rule description, of course...
- ... though these two are 99.999% identical, I have a whole bunch of HIPS duplicates popups of them stored:
4FB (the first ever), "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Doublette?!!)"
503, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:Computer, Doublette!!!)"
50D, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:X-temp, Doublette!!!)"
510, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:M-temp, Doublette!!!)"
517, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 'Opera save as', Doublette!!!)"
525, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:W-temp, freaky Doublette #1000, 19.10.2015 ~03:26)"
526, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 'Opera save as', freaky Doublette!!!, 19.10.2015, ~21:50)"
537, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, unklar bei was (war's nicht file properties?!!), aber rel. nahe nach switching PCAP OFF, Doublette!, 21.10.2015 ~02.34)"
538, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, DEFINITIV file properties, kurz nach save settings, freaky Doublette #2000!!!, 21.10.2015 ~02.59)"
53D, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, DEFINITIV Rechtsklick:Eigenschaften, ~7 Min nach PCAP re-ON, freaky Doublette, 21.10.2015 ~22.51)"
546, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~7 Min nach PCAP re-ON, freaky Doublette, 25.10.2015 ~02.06)"
552, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~6 Min nach PCAP re-ON, freaky Doublette, 31.10.2015 ~02.06)"
557, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~10 Min nach PCAP re-ON, (bestehende) Doublette(n) so leicht provozierbar, 03.11.2015 ~02.13)"
558, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, after storing ESS V9 settings, FREAKY Doublette, 03.11.2015 ~02.49)"
55E, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Opera 'file save as', ~18 Min nach PC-Start, NO ESS V9 activity, FREAKY Doublette!!!, 07.11.2015)"
560, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~18 Min nach PCAP re-ON, FREAKY Doublette, 08.11.2015, ~02.24)"
567, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~2 Min nach HIPS-Popup (ok), chg + save same HIPS rule, HOURS after PCAP re-ON, FREAKY Doublette, 10.11.2015 ~01.59)"
568, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, (same) directory properties, ~21 Min nach PCAP re-ON, FREAKY Doublette, this is getting ridiculous, 10.11.2015 ~02.37)"
569, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Opera 'file save as', ~20 Min nach PC-Start, NO ESS V9 activity, FREAKY Doublette!!! (100% same behaviour as on 20151107), 10.11.2015)"
56B, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, ctrl-c (!!!) (prep file copy) in alternativem Explorer, ~21 Min nach PCAP re-ON, FREAKY Doublette, this is getting ridiculous, , 11.11.2015 ~03.00)"
56F, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~4 Min nach PCAP re-ON, (bestehende) Doublette(n) so leicht provozierbar [ie A SAFE BET FOR PRODUCING A DUPLICATE], 14.11.2015 ~02.59)"
570, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Opera 'file save as', ~23 Min nach PC-Start, NO ESS V9 activity, FREAKY Doublette!!!, 14.11.2015)"
571, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~63 Min nach PCAP re-ON, (bestehende) Doublette(n) so leicht provozierbar [ie A SAFE BET FOR PRODUCING A DUPLICATE], 15.11.2015 ~03.36)"
573, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, (after 'failing' 1x 'fav dir' plus 4x dir props) , @7th min after PCAP re-ON, FREAKY Doublette!!!, 16.11.2015 03.13)"
575, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as' (~33 Min nach FW-Popup und chgd new FW rule), ~36 Min nach PC-Start, FREAKY Doublette!!!, 18.11.2015)"
578, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 3rd Opera 'file save as' (~60 Min nach PC-Start, NO ESS V9 activity), FREAKY Doublette!!!, 19.11.2015)"
579, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as', ~3 Min nach PCAP re-ON, FREAKY Doublette!!!, 20.11.2015 ~03.35)"
57C, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, dir props, 8 Min nach PCAP re-ON, 4 Min nach ESS settings save, FREAKY Doublette!!!, 21.11.2015 03.00)"
57D, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, 1 min after previous FREAKY Doublette!!!, 21.11.2015 03.01)"
57F, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, dir props, <=1 min after previous FREAKY Doublette!!!, [i CAN DO THIS ALL NIGHT LONG, ESET!!! ELIMINATE THIS CRYSTAL CLEAR BUG!], 21.11.2015 03.1x)"
586, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, dir props, ~27 Min nach PCAP OFF, FREAKY Doublette!!!, 26.11.2015 04.09)"
589, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, ~6 min after PCAP re-ON + ESS settings export, FREAKY Doublette!!!, 27.11.2015)"
58F, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, ~9 min after PCAP re-ON + new HIPS rule TXT chgd + ESS settings export, FREAKY Doublette!!!, 01.12.2015 ~3.56)"
593, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, (immer noch gleiche file props), direkt danach,FREAKY Doublette!!!, 04.12.2015 ~04.1x)"
596, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, file props, ~14 min after PCAP OFF, (erst danach storing chgd fw rule TXT), FREAKY Doublette!!!, 05.12.2015 03.14)"
597, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as', ~25 Min nach PC-Start mit direkt FW-Popup + FW rule TXT chg, FREAKY Doublette!!!, 05.12.2015)"
599, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as', ~18 Min nach PC-Start, 100% NO ESS V9 ACTIVITY BEFORE, FREAKY Doublette!!!, 06.12.2015)"
5A5, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 'file save as', ~2.5 HOURS after last PCAP re-ON (and NO PC activity at all), FREAKY Doublette!!!, , 11.12.2015 ~02.37)"
5A6, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, file props, <<1 min after PCAP OFF, FREAKY Doublette!!!, , 11.12.2015 03.36)"
5A9, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, NOT 1st (~6th) 'file save as' - minutes after 1x FW rule TXT / 1x HIPS rule TXT chgd, FREAKY Doublette!!!, , 12.12.2015 ~00.37)"
5AC, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, '100th file save as', but HOURS after last PCAP re-ON (and last 'file save as'), FREAKY Doublette!!!, , 14.12.2015 03.17)"
5AE, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st (Opera) 'file save as', ~16 Min nach PC-Start mit direkt FW-Popup + FW rule TXT chg, ONCE AGAIN FREAKY Doublette!!!, 15.12.2015)"
5B8, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, exporting chgd ESS settings, <= 1 min after last PCAP re-ON, FREAKY Doublette!!!, , 17.12.2015 ~04.26)"
5C9, "User rule: allow dllhost.exe (registry EnableLinkedConnections, '100th file save as', ~4-5 min after last PCAP OFF, FREAKY Doublette!!!, , 27.12.2015)"
5D0, "User rule: allow dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, FREAKY Doublette!!!, , 28.12.2015)"
5D1, "User rule: allow dllhost.exe (registry EnableLinkedConnections, file props, <=2 min (!!!) after prv FREAKY Doublette yet ANOTHER (and the SAME) FREAKY Doublette AGAIN!!!, , 28.12.2015)"
5D3, "User rule: allow dllhost.exe (registry EnableLinkedConnections, 'file save as' (export ESS settings), <=1 min (!!!) after last PCAP re-ON, FREAKY Doublette!!!, , 28.12.2015 03.50)"
5E1, "User rule: allow dllhost.exe (registry EnableLinkedConnections, 1ST 'file save as' HOURS after last PCAP re-ON (AND some fw popups), (as EXPECTED, THIS IS A CLEAR REPRODUCIBLE BUG PATTERN!!!) FREAKY Doublette!!!, , 06.01.2015 03.xx)"
5F3, "User rule: allow dllhost.exe (registry EnableLinkedConnections, file props, HOURS after last PCAP re-ON, FREAKY Doublette!!!, , 14.01.2016 ~03.51)"
5FF, "User rule: allow dllhost.exe (registry EnableLinkedConnections, file props, ~10 min after last PCAP OFF, FREAKY Doublette!!!, , 18.01.2016 04.19)"
(this was the last EnableLinkedConnections HIPS duplicate of 'SysWOW64 dllhost.exe' until now)

 

HTH
 

Edited by mma64
Link to comment
Share on other sites

  • ESET Insiders

@mma64,

You can tell the here and show what you want, try here in the forum emulate as if this bug does not exist as though this bug has been confirmed by German support! I try to make it since 2 months to Eset mods here the course, only they do not want to understand even though you know it that it is so because of the German support has spoken with Eset Programierern and this error confirmed! I have forwarded it to Heise and it will be reported by Heise internal testing over it, let's see what you then told here !!!

(German: @mma,Du kannst den hier erzählen und zeigen was du willst, sie Versuchen hier im Forum so zutun als ob dieser Bug nicht Existiert, obwohl dieser Bug vom Deutschen Support Bestätigt wurde! Ich Versuche es schon seit 2 Monaten den Eset Mods hier das Verständlich zu machen, nur sie wollen es nicht Verstehen obwohl sie es Wissen das es so ist, denn der Deutsche Support hat mit den Eset Programierern Gesprochen und diesen Fehler Bestätigt! Ich habe es an Heise weitergeleitet und es wird nach Heise Internen Tests drüber Berichtet werden, mal schauen was man dann hier erzählt!!!)

Link to comment
Share on other sites

  • Administrators

You wrote "check that you have as much firewall and HIPS rules as possible. (I have 1086 firewall and 1542 HIPS rules)". Do you mean that this is a precondition for issue replication? I didn't have that many rules created and was unable to reproduce it no matter what I tried.

Would it be possible to do the following? A picture is worth a thousand words.

- export your current configuration and collect logs using ESET Log Collector

- uninstall ESS

- install the latest English v9 (do not change any default settings yet)

- start capturing a video of your screen

- reproduce the issue

- stop capturing

- save the video, compress it, upload it to a safe location and pm me the download link along with the output from Log Collector.

Link to comment
Share on other sites

Here is one possible explanation for these duplicate rules in ver. 9 using learning mode. What could be going on is the HIPS in ver. 9 is creating a rule for a specific activity rather than a rule allowing all process modification actions.

For example, the HIPS creates a rule for consent.exe to allow process modification into svchost.exe for .dll injection. Later, the HIPS creates an allow rule for consent.exe to allow process modification of svchost.exe for memory modification. Etc., etc..

Link to comment
Share on other sites

  • Administrators

Here is one possible explanation for these duplicate rules in ver. 9 using learning mode. What could be going on is the HIPS in ver. 9 is creating a rule for a specific activity rather than a rule allowing all process modification actions.

For example, the HIPS creates a rule for consent.exe to allow process modification into svchost.exe for .dll injection. Later, the HIPS creates an allow rule for consent.exe to allow process modification of svchost.exe for memory modification. Etc., etc..

 

I still don't think there's a difference between v8 and v9 but will ask the developer of HIPS for confirmation. What I can tell is that in future versions rules created in interactive or learning mode will be merged to minimize the number of rules created for an application.

 

Looking at rules created by v8, only one operation is selected in the Target application tab per rule which was created automatically:

 

 

post-10-0-87877300-1453304580_thumb.png

Link to comment
Share on other sites

A better explanation of what I posted previously is that I suspect that for a process modification generated rule, ver. 9 might be generating a HIPS rule for every Win API encountered? For example:

 

VirtualAllocExVitualFreeEx

WriteProcessMemory

CreateRemoteThread

 

Etc.

 

If this is indeed the case, there will be major issues with user generated ver. 8 like process modification rules since one rule covered all applicable APIs.

Link to comment
Share on other sites

 

[Marcos] (...) - install the latest English v9 (do not change any default settings yet)

- start capturing a video of your screen (...)

 

@Marcos: isn't there a missing "- import the previously exported settings" in between the two steps quoted, is it?! As soon as I have screen recorded a HIPS duplicate popup I will uninstall and reinstall ESS V9. But I doubt that this will make any difference.

 

@all: "[are a "lot" / lot of firewall and / or HIPS rules] a precondition for issue replication?" I'm not sure, but I think the more the higher the probability of HIPS duplicate popups, and the faster you will get these nasty popups... Thus...: it would be nice if some ESS V9 users could post their amount of firewall and HIPS rules. You haven't to count them, ESS V9 displays them. Approximate numbers are ok, ie. "1100" instead of the precise 1086. (I'm eagerly awaiting the numbers from SlashRose for example.)

 

- After having installed Screen Recorder, a video capture tool, I tried to trigger a HIPS duplicate popup, 45 minutes long, without any success... Then I paused for 18 minutes, visited the ESET Forum, wanted to save a file (-> 'SysWOW64 dllhost.exe, registry EnableLinkedConnections') - and guess what, another freaky HIPS duplicate popup! Unfortunately without screen recording ON... (See screenshot #0.)

 

- and the weirdness goes on, this time in the HIPS log, see screenshots #1 - #4:

#1 (there's exactly ONE "modify state of app, vlc.exe" HIPS rule, this is fully ok)

#2 (after a UAC ('consent.exe') for PCAP, and somewhat later, I looked into the HIPS log, only to see this strange log entry! Strange because 'svchost -> dllhost' might be correct, but the rule description is wrong for sure...)

#3 (this is the corresponding HIPS rule for the one in #2, with a fully correct rule description, and with something multiple, this time multiple actions, so called "peOperations". HIPS rule is ok.)

#4 (and this, you guessed it, the first HIPS duplicates popup of #3, though this time as single peOperations...)

 

 

post-3617-0-06666400-1453431516_thumb.png

post-3617-0-99164300-1453431543_thumb.png

post-3617-0-42251300-1453431556_thumb.png

post-3617-0-12691700-1453431566_thumb.png

post-3617-0-14239100-1453431575_thumb.png

Link to comment
Share on other sites

  • ESET Insiders

I like to send them each file they wish, but the Verbugten Log Collector I do not lead off because it does not really works and also it was them but very accurate from mma64 Described, but as I said they are welcome to any file or log who they want just have to say that! ( German: Ich schicke ihnen gerne jede Datei die sie möchten, aber den Verbugten Log Collector führe ich nicht aus da er nicht richtig Funktioniert und außerdem wurde es ihnen doch sehr genau von mma64 Beschrieben, aber wie gesagt sie können gerne jede Datei oder Log haben die sie wollen, müssen nur sagen welche!)

Link to comment
Share on other sites

  • ESET Insiders

@Marcos,

I had them but to what letter , they must only tell me what files they want to !

Edited by Marcos
Formatting removed
Link to comment
Share on other sites

@SlashRose: don't despair. I'm fully dedicated to this nasty bug and will not give up until ESET approves and corrects it! (*) Video proof of a HIPS duplicates bug could be captured by me and will go online soon ('dllhost.exe', "file save as")... If you don't mind privacy issues it should be enough to export your ESS V9 configuration (see screenshot) and make a PM of this file to Marcos, preferably zipped, ie. (Win7) select the 'ESS-V9-Einstellungen.xml', right click, "send to" ("senden an"), "zip-compressed folder" ("ZIP-komprimierter Ordner"), a 'ESS-V9-Einstellungen.zip' will be created.

 

 

(*= there was already one case where a lot of people complained about a seemingly "impossible" crystal clear bug until I chimed in and presented a ridiculously simple procedure to reproduce that bug, read on here, https://forum.eset.com/topic/2124-firewall-interactive-mode-not-working-properly/#entry13141...)

 

This time it's not that easy, as it seemed first, but the bug producing patterns are visible for everybody that reads carefully my HIPS descriptions.

 

Here are a few other HIPS duplicates rules:

 

"User rule: allow conhost.exe (modify state of app, term. / susp. app, lpremove.exe, OUT OF NOWHERE, FREAKY Doublette!!!, 16.02.2015 presumably ~21.25)"
"User rule: allow consent.exe (modify state of app, svchost.exe, UAC of PCAP re-ON, 40 min after last PCAP OFF (and a bunch of stone old HIPS rule TXT chgs + 1 stone old fw rule TXT chg), FREAKY Doublette!!!, 17.02.2016 04.05)"
"User rule: allow svchost.exe (modify state of app, term. / susp. app, ashsnap.exe, ~6 min after last PCAP OFF (in total ~214 MINUTES (!!!) after last PCAP re-ON and NO PC activity), FREAKY Doublette!!!, 18.02.2016 ~03.32)"
"User rule: allow SysWOW64 dllhost.exe (registry EnableLinkedConnections, file props, after HIPS duplicates rule TXT chg, (and still in 'PCAP OFF mode'), [this duplicate rule only /w delay of ~4 minutes (!!!) in HIPS edit view visible, 1ST TIME EVER!!!, 1655 rules now], THE NEXT FREAKY Doublette!!!, 18.02.2016 ~04.02)"
"User rule: allow consent.exe (modify state of app, svchost.exe, UAC of PCAP re-ON, 54 min after last PCAP OFF (and a 2nd HIPS duplicates TXT chg), [no delay, this duplicate rule instantly visible, as USUAL, in the HIPS storage space], THE ***3RD*** FREAKY Doublette in a row!!!, 18.02.2016 04.20)"
"User rule: allow explorer.exe (start new app, 7zFM.exe, after a day /w 2 + 1 fw popups + 2x 'prg chgd' HIPS popups (ok) + a whole bunch of fw rules TXT chgs), doch keine Doublette???, but WHY JUST NOW, OVER 4 MONTHS (!!!) after installing ESS V9?!!, 19.02.2016 00.14)"
"User rule: allow svchost.exe (term./susp., modify state of app, IrfanView, <=~40 seconds after PCAP OFF (after, in total, ~187 MINUTES /w NO PC activity), wohl FREAKY Doublette!?! (there's one stone old rule /w 'modify state of app, IrfanView' for sure), 19.02.2016 ~03.50)"

 

---> Thus now I increasingly have HIPS (duplicates too) popups that take 3 - 4 minutes (!!!) until they get visible in the HIPS edit view (~4 cases), "partly" duplicates (HIPS popups /w single operation for HIPS events that are already stored otherwise, as multi-operations HIPS rules, see the IrfanView case), and new rules for HIPS events that for sure should have been triggered way earlier but had not (see the 7zFM case)...

 

(And I even have to report the most epic and highly dramatic HIPS bug of ESS V9 yet!)

 

 

post-3617-0-63525500-1456347260_thumb.png

Link to comment
Share on other sites

phew, the video is online, view (/ download and view) it here, https://mprogger.selfhost.ch/

 

here are the SHA256 checksums:
a41441b8ceaa98e7f06fea4ed96689cfb3df92fea431ac69d0fd8fffe154878d *ESS-V9-0-349-0-(HURRAYYYY!!!,the-~400th-HIPS-duplicates-popup-finally-captured-by-video!!!).7z 10569642 bytes
299a4b8ab4f1d25ff97af50a2ee8e8a60778a42251bb53ff6da665d8aca1fd37 *ESS-V9-0-349-0-(HURRAYYYY!!!,the-~400th-HIPS-duplicates-popup-finally-captured-by-video!!!).wmv 28928933 bytes

 

and here the corresponding HIPS duplicates, in total 3 in a row (29.01.2016 ~04.26 = video captured HIPS duplicates rule):

 

allow consent.exe (modify state of app, svchost.exe, UAC of PCAP re-ON, <~5 min (!) after last PCAP OFF (a 'PCAP OFF' HOURS after last PCAP re-ON, and a day /w already one HIPS duplicate, plus 1x new firewall rule, BOTH ~10 HOURS before this new) FREAKY Doublette!!!, 29.01.2016 ~04.26)
allow SysWOW64 dllhost.exe (registry EnableLinkedConnections, file props (of the video capture...) (1ST ACTION after video capture! Ie. after HIPS rule TXT chg of last duplicate), THE 3rd FREAKY Doublette!!!, 29.01.2016 ~04.39)
allow SysWOW64 dllhost.exe (registry    "          "       ", saving ESS V9 settings (4th ACTION after video capture, 3rd was viewing the vid! Ie. after HIPS rule TXT chg of last duplicate), THE 4th (!!!) FREAKY Doublette!!!, 29.01.2016 ~04.53)

 

(website is online all night long, now it's 20:35 CET. Otherwise on demand / from ~16:00 CET - 00:00 CET for a few days.)

 

 

Link to comment
Share on other sites

  • ESET Insiders

Thank mma64. Very nice video, we Hair Exactly the same problem, I can hip no longer run in the Interactive mode, because otherwise I no longer can calmly work on PC as it in 2-3 minute intervals the popup opens else because again a duplicate is created and then again I have to create a rule, am now at ca.2600 duplicates !!! The file of Marcos is outside, but it will nevertheless do not help that I know.

(German: Danke mma64. Sehr schönes Video, wir haben Haargenau das gleiche Problem, ich kann das Hip gar nicht mehr im Interactiven Modus laufen lassen, da ich am PC sonst gar nicht mehr in Ruhe Arbeiten kann da es sonst im 2-3 Minuten Takt das Popup sich öffnet weil wieder eine Dublette erstellt wird und ich dann wieder  eine Regel erstellen muss, bin jetzt bei ca.2600 Dubletten!!! Die Datei an Marcos ist Raus, aber es wird trotzdem nichts bringen, dass weiß ich.)

Link to comment
Share on other sites

@SlashRose: thanks for downloading and viewing.

 

With a HIPS duplicates popup frequency of just 2 - 3 minutes, as SlashRose writes and with the PM'd 'export-settings.xml', it should be a piece of cake for ESET to find out why this happens... I have between 0 - 4 HIPS duplicates popups per day - and yes, I'm talking about duplicates, not new legitimate HIPS popups which I'm not counting here!

 

@SlashRose: have you already written down anywhere here what programs produce the most duplicates popups? Ideally more common programs like browser(s), freeware / open source tools etc than more "exotic" ones like 'lpremove.exe', 'audiodg.exe' (on my PC, but rarely) or ".NET" stuff (on your PC, if I remember correctly)?

 

I don't think that checking your 'export-settings.xml' will lead to a solution (yes, ESET will see that there are a whole lotta of duplicates, fully identical - "hurray"), but loading and working with it will be an eye opener for ESET...

Edited by mma64
Link to comment
Share on other sites

  • ESET Insiders

And was also in the new build of the error as well as other non-Fixed, it is ne shame! ( German: Und auch im neuen Build wurde der Fehler wie auch andere nicht Gefixt, es ist ne schande! )

Link to comment
Share on other sites

  • ESET Insiders

@mma64,
Look Please mma64 so much it interested him when they get what sent (Marcos)!

 ( German: Sieh mal Bitte mma64, so viel Interessiert es ihn wenn sie was geschickt bekommen ( Marcos )!

 

 

 

post-1266-0-49635600-1456859007_thumb.png

Link to comment
Share on other sites

Wow, epic... But give them some more time. I don't know how computer savvy you are (I'm extremely savvy, and no, I don't know everything of course), but if it's no problem for you you could PM me the link to this .zip or you could, being savvy enough yourself extract the HIPS section from the 'ESS-V9-Einstellungen.xml' with a reasonable enough editor and PM'ing me that .zip. It's this HIPS section of the .xml I'm interested in, I'm a little bit out of ideas in the moment.

 

And I'm waiting for this too:

 

 

@SlashRose: have you already written down anywhere here what programs produce the most duplicates popups? Ideally more common programs like browser(s), freeware / open source tools etc than more "exotic" ones (...)

 

Without this my checking of your HIPS section could be a little too time consuming and eventually ending this way:

 

 

(mma64) (...) (yes, ESET will see that there are a whole lotta of duplicates, fully identical - "hurray") (...)

 

Regarding the number of downloads of my video: 1 download only until now. (And we all know who has downloaded it. Not ESET, but only you SlashRose.)

 

(Website was online 5 days in a row, 20160225 - 20160229. It's 04:49 CET now. Website from now on only active from ~16:00 CET - 00:00 CET or on demand!)

 

Link to comment
Share on other sites

  • Administrators

This issue is already tracked in our system and pending for the HIPS engineer to analyze. As soon as we have some news, we'll update you.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...