The "Mysterious" HIPS Duplicates Bug

[Edited, 08/22/2016 12:30:nn CET: oops, I had forgotten to adjust the SELinux context of the new video capture. This is now changed and the download tested as OK. Sorry for the inconvenience. Only this new video is of actual relevance.]

 

Phew! Finally I'm able to reproduce this bug, even with ESS V9.0.381, at will, at any time, and producing any number of the same HIPS duplicate rules, see the new video! (Concentrate on the HIPS popups, the cursor showing you something, and the cursor within the HIPS Log View. You could skip the first two minutes; especially interesting @ 00:16:30, HIPS rules edit view, where you see the ~8 HIPS duplicate rules added in this live video session. Playing the video at 2x / 3x / 4x speed can speed up the viewing; press PAUSE when something interesting is happening...)

 

Any suggestions as to what I could do for ESET, now that this very nasty bug is reliably reproducible?!?

 

 

TLDR (previous postings):

1. HIPS duplicate popups are real for sure - since the very first ESS V9 version

2. it has nothing to do with my PC / Win7 Pro 64-bit - ESS V9 is the only program that's causing problems

3. there is a whole bunch of bugs / (")issues(") / issues that are ESS V9 specific, i.e. "introduced" with V9. Of these I have now disclosed yet another one, this time "ESS V9 bug: HIPS is producing wrong log entries, i.e. with the wrong description", see screenshot #1! (And, yes, there even exists an "ESS V9 bug: Firewall is producing wrong log entries, i.e. with the wrong description" - more on that later...)

4. these wrong HIPS log entries might or might not be a hint for the ESET HIPS engineer as to where to search. (I think there are two bugs: HIPS duplicates, i.e. ESS V9 HIPS is "forgetting" existing rules and therefore asking what to do, in interactive mode, and HIPS writing wrong log entries...)

5. from time to time there's a HIPS duplicate popup for an ages-old rule, i.e. I think in a few years each and every HIPS rule will have at least one duplicate. (Approximately 40 - 50 different ones until now.)

6. there are duplicate popups for partial duplicates too, i.e. there is, for example, an ages-old HIPS rule for "modify state of app, term./susp." and all of a sudden ESS V9 thinks it has to ask for a "term./susp." rule - which is, of course, already included in the original "modify state of app, term./susp." rule... This is exactly the case that I have documented in this new video and the screenshots.

7. the more often a HIPS rule is triggered, the higher the probability of a HIPS duplicate popup. This probability seems to get higher the longer the PC is running. (And after hour-long pauses without doing anything on the PC, too.)

8. there's a quite high probability that multi-target HIPS rules are the root cause of the HIPS duplicates bug. (I.e. your HIPS engineer should investigate this case. Considering point 7, i.e. with multi-target HIPS rules which include programs that are used very often (triggered by HIPS, log = yes), you will also catch the "HIPS is producing wrong log entries" bug.)

9. with my ESS V9 Export Checker Program (written in Java) I could see that HIPS duplicates existed prior to ESS V9, i.e. probably in ESS V8!!! (Very few cases, in no way comparable to ESS V9 with its 0 - 5 duplicates per day!!! I think these pre-V9 cases are "only" HIPS popups that popped up twice in a row, i.e. one immediately after the other...)

10. I have seen that '..\HipsRules.bin' is written at PC start time and again about 2 hours later, even without any new HIPS rules - but the file size is slightly larger then. Why should the binary HIPS rules package be bigger after this auto-save, with no new HIPS rules added? This seems somewhat weird.

 

 

- the video, .wmv, 169581985 bytes, SHA-256 = 3b405adb66db527c17be911c08be31a34d10c9b1d135a874e3776d9b23c7c060, is here.

- screenshot #1 shows how ESS V9 up to ESS V9.0.381 creates wrong HIPS log entries, i.e. the description is wrong, taken from another "similar" rule (and not always from the same other rule). There are even cases where a completely different description is taken (I will add a sample later)!!!

- the 2nd screenshot shows the result of the recorded live HIPS duplicate popup session (5x 'svchost.exe, term./susp., XYplorer.exe' HIPS duplicates)

[Attached screenshots: post-3617-0-15374200-1471649239, post-3617-0-09119100-1471649246, post-3617-0-97989500-1471649253]

Edited by mma64
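As an added illustration of the offline checks points 6, 8 and 9 above describe (detecting exact and partial HIPS duplicates in a rule export, and cross-checking HIPS log descriptions against the rule that actually covers an event), here is a small Python checker. It is not code from the original post and not the author's Java Export Checker; the rule and log layout is a constructed, simplified model and NOT ESET's real export or log schema, and the rule names, applications and log lines are made up for the demonstration (they reuse the svchost.exe / XYplorer.exe / "term./susp." case from the post).

```python
"""Offline checker for a (simplified, constructed) HIPS rule export and HIPS log.

Assumptions, not ESET's real format: a rule is (name, action, sources, targets,
operations); "*" is a wildcard; a log line carries the rule description HIPS wrote.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class HipsRule:
    name: str               # description HIPS is expected to write to the log
    action: str             # "allow" | "block" | "ask"
    sources: frozenset      # source applications ("*" = any)
    targets: frozenset      # target applications ("*" = any)
    operations: frozenset   # e.g. "modify_state", "terminate_suspend"


@dataclass(frozen=True)
class LogEntry:
    time: str
    source: str
    target: str
    operation: str
    description: str        # rule name as written by HIPS


def covers(wide: frozenset, narrow: frozenset) -> bool:
    """True if every member of `narrow` is matched by `wide` (wildcard aware)."""
    return "*" in wide or narrow <= wide


def rule_key(rule: HipsRule):
    return (rule.action, rule.sources, rule.targets, rule.operations)


def find_exact_duplicates(rules):
    """Groups of rule names whose action/sources/targets/operations are identical."""
    groups = defaultdict(list)
    for r in rules:
        groups[rule_key(r)].append(r.name)
    return [names for names in groups.values() if len(names) > 1]


def find_partial_duplicates(rules):
    """(narrow, wide) name pairs where `wide` already covers everything `narrow` does.

    This is the post's case: a "term./susp." rule is redundant next to an older
    "modify state, term./susp." rule for the same apps and action, and a single-target
    rule is redundant next to a multi-target rule that includes that target.
    Exact duplicates are left to find_exact_duplicates."""
    pairs = []
    for narrow, wide in permutations(rules, 2):
        if narrow.action != wide.action or rule_key(narrow) == rule_key(wide):
            continue
        if (covers(wide.sources, narrow.sources) and covers(wide.targets, narrow.targets)
                and covers(wide.operations, narrow.operations)):
            pairs.append((narrow.name, wide.name))
    return pairs


def rule_matches(rule: HipsRule, e: LogEntry) -> bool:
    return (covers(rule.sources, frozenset([e.source]))
            and covers(rule.targets, frozenset([e.target]))
            and covers(rule.operations, frozenset([e.operation])))


def check_log(rules, entries):
    """Per log line: 'ok' if the description names a rule covering the event,
    'wrong_description' if rules cover it but the description names another rule,
    'no_matching_rule' if nothing covers it (interactive HIPS would have to ask)."""
    verdicts = []
    for e in entries:
        covering = {r.name for r in rules if rule_matches(r, e)}
        if not covering:
            verdict = "no_matching_rule"
        elif e.description in covering:
            verdict = "ok"
        else:
            verdict = "wrong_description"
        verdicts.append((e.time, verdict, e.description))
    return verdicts


# Constructed sample export (names and apps made up; not a real ESET export).
RULES = [
    HipsRule("XYplorer: modify state / terminate svchost", "allow", frozenset({"XYplorer.exe"}),
             frozenset({"svchost.exe"}), frozenset({"modify_state", "terminate_suspend"})),
    HipsRule("XYplorer: terminate svchost", "allow", frozenset({"XYplorer.exe"}),
             frozenset({"svchost.exe"}), frozenset({"terminate_suspend"})),
    HipsRule("XYplorer: terminate svchost (copy)", "allow", frozenset({"XYplorer.exe"}),
             frozenset({"svchost.exe"}), frozenset({"terminate_suspend"})),
    HipsRule("Explorer: write files anywhere", "allow", frozenset({"explorer.exe"}),
             frozenset({"*"}), frozenset({"write_file"})),
    HipsRule("XYplorer: modify state / terminate svchost, explorer", "allow", frozenset({"XYplorer.exe"}),
             frozenset({"svchost.exe", "explorer.exe"}), frozenset({"modify_state", "terminate_suspend"})),
]

# Constructed sample log lines (not real HIPS log output).
LOG = [
    LogEntry("2016-08-20 10:00:01", "XYplorer.exe", "svchost.exe", "terminate_suspend",
             "XYplorer: modify state / terminate svchost"),
    LogEntry("2016-08-20 10:00:05", "XYplorer.exe", "svchost.exe", "terminate_suspend",
             "Explorer: write files anywhere"),           # description from an unrelated rule
    LogEntry("2016-08-20 10:00:09", "notepad.exe", "svchost.exe", "terminate_suspend",
             "XYplorer: modify state / terminate svchost"),  # no rule covers notepad.exe
]

if __name__ == "__main__":
    print("exact duplicates:", find_exact_duplicates(RULES))
    print("partial duplicates:", find_partial_duplicates(RULES))
    for time, verdict, desc in check_log(RULES, LOG):
        print(time, verdict, repr(desc))
```

Run against a real export you would first translate ESET's rule list into the `HipsRule` shape; the subset test is what makes the "term./susp." versus "modify state of app, term./susp." case show up as a partial duplicate rather than being missed by an exact-match comparison, and the log cross-check separates a genuinely missing rule (where a popup is expected) from a covered event logged under the wrong description.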
@ESET and everyone trying to download the new video capture: oops, I had forgotten to adjust the SELinux context of the new video capture. This is now changed and the download tested as OK. Sorry for the inconvenience. Only this new video is of actual relevance.

 

regarding 4. in the previous posting: though it seems that a somewhat "related" description is always taken from a wrong HIPS rule, there exist rare cases where even the real 'source' and the 'source' of the other description are different, see the screenshot. And, though very difficult to verify (time-consuming and only programmatically...), wrong HIPS log entries only occur during a HIPS duplicate popup, possibly (but rather (very) rarely) with a wrong HIPS log entry slightly prior to a duplicate popup (so to speak "announcing a duplicate popup"). There are even cases where no wrong log entry can be seen.

[Attached screenshot: post-3617-0-53285000-1471865252]
