Haxsys, posted April 26, 2016:

Greetings! I have a few questions and curiosities that I was hoping could be cleared up, a tad, if at all...

Lately I've been monitoring the HIPS log(s) purely out of curiosity that was spawned from some details in various Win7 x64 updates that have been rolling out ever since they started pushing Win10 (which I have no intention of upgrading to).

My first question should probably be about the Windows core program known as CSRSS.EXE... Why would this particular program want to MODIFY ESET's egui.exe? To what end?

My other question is: I've noticed that my video games are also attempting to modify BOTH csrss.exe and egui.exe, and in all cases HIPS does its thing and lists them all as "Self-Defense: Protect ekrn and egui processes...."

As of the last 24 hours, svchost.exe and services.exe have been trying to modify/access different control set registry keys.

Now, before anyone asks, I've already triple-checked for naughty software, etc. I'm somewhat of an OCD freak when it comes to a clean and secure operating system. This is also partly responsible for my curiosity about the aforementioned issues.

I'm typing this post on my laptop, not my gaming 'rig', so I can't share a screenshot at this moment, but I will gladly upload one later today if the need arises (even if it's just out of curiosity from fellow techies).

Thanks in advance for taking the time to answer and take a look at my questions.

Respectfully,
Haxsys

Attachment: hipslog.txt
Marcos (Administrator), posted April 26, 2016:

I look forward to hearing a possible explanation from someone knowledgeable. Normally you shouldn't get those messages unless you enable logging of blocked operations for debugging / troubleshooting purposes.
itman, posted April 26, 2016:

> My first question should probably be about the Windows core program known as CSRSS.EXE... Why would this particular program want to MODIFY ESET's egui.exe? To what end? My other question is: I've noticed that my video games are also attempting to modify BOTH csrss.exe and egui.exe, and in all cases HIPS does its thing and lists them all as "Self-Defense: Protect ekrn and egui processes...." As of the last 24 hours, svchost.exe and services.exe have been trying to modify/access different control set registry keys.

To my best knowledge, no system process should be modifying egui.exe or ekrn.exe, for that matter. I have a specific HIPS rule for both to prevent global hooking, event interception, and state modification, and I have never received any alerts. Most definitely, csrss.exe should not be modifying egui.exe. Also, your video games should not be modifying system or ESET processes.

Best you copy the entries in the HIPS log that apply to the above and post them in this thread. That way it can be verified whether it is actually modification activity that is occurring.
itman, posted April 26, 2016:

Is squad.exe your game? I am not a gamer, but I would not let any application modify csrss.exe. Squad.exe is trying to modify csrss.exe. Also, it is csrss.exe that is trying to modify egui.exe and ekrn.exe. That is not normal behavior. Maybe a gamer can shed some light on whether this is normal behavior? I know I would never allow it. You might want an ESET malware specialist to review this HIPS log.
toxinon12345 (ESET Insider), posted April 27, 2016:

Some system processes could be tampered with, so it makes sense to protect them with predefined rules. Some other processes get access to ESET processes, but this is more obviously the case for another security product (a BehaviorBlocker, for example).
itman, posted April 27, 2016:

> Some other processes get access to ESET processes, but this is more obviously the case for another security product (a BehaviorBlocker, for example).

I would say this would be the only legit access activity to modify egui.exe and ekrn.exe, and only with limited activity. For example, in ver. 8, egui.exe runs under explorer.exe. I use Emsisoft's Anti-Malware, which injects its monitoring hook into explorer.exe. As a result, when egui.exe is started by explorer.exe, EAM's hook is injected into egui.exe. This is allowed since I created a specific user HIPS exclusion rule to allow all activity from EAM's processes to avoid conflict between EAM and ESET. On the other hand, ekrn.exe runs as a separate service. As such, there is no attempted hook injection by EAM.
SlashRose (ESET Insider), posted April 27, 2016:

This ESET behavior has been around for ages, on different OSes and also on freshly installed systems.
itman, posted April 27, 2016:

Looks like Steam is the culprit: https://support.steampowered.com/kb_article.php?ref=9828-SFLZ-9289 . They basically want you to allow Steam to do whatever it wants by creating exceptions for it in your security software. After witnessing first hand what it does, I wouldn't have it on my PC.
SweX, posted April 27, 2016:

> Looks like Steam is the culprit: https://support.steampowered.com/kb_article.php?ref=9828-SFLZ-9289 .

"We recommend that applications listed in bold with a ( * ) symbol are fully uninstalled from your system if disabling them does not resolve the issue"

Hmmm
itman, posted April 27, 2016 (edited April 27, 2016 by itman):

I will also add that when you enable the HIPS log blocked activity option, you will see a lot of entries for legit system activities being blocked for ESET self-defense protection. I enabled that logging option and observed a "slew" of "partial access allowed" log entries originating from svchost.exe against every file in every directory associated with ESET, including every ESET driver file. I had a hunch what this was about. Subsequent analysis of my Win 7 event logs confirmed my hunch. If you haven't guessed yet what svchost.exe was doing, defrag was running. Kind of neat, though, to see ESET's self-protection in action.
toxinon12345 (ESET Insider), posted April 27, 2016:

I was about to suspect the same about Steam. In the past only performance annoyances were reported, not actual errors or interference.
itman, posted April 27, 2016:

More on Steam malware here: https://threatpost.com/steam-stealer-malware-booming-business-for-attackers-targeting-gaming-service/116792/
Haxsys (author), posted April 28, 2016:

Every game run on STEAM tries to access csrss.exe. I posted a forum topic about this on the Steam forums and it was removed.
itman, posted April 28, 2016:

Came across this posting on the Win 7 forums: hxxp://www.sevenforums.com/general-discussion/201140-unravelling-csrss-exe-new-process-architecture-windows-7-a-2.html?s=b503c5aeabda69daa47dc871b7d70e44

It appears it is not uncommon for some games to want to load themselves as a subprocess under csrss.exe. This is probably the explanation for the ESET HIPS log messages about csrss.exe process modification attempts. This is definitely not normal or safe behavior, but games do all kinds of stuff that is not normal system behavior.
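The thread boils down to two triage tasks on an exported HIPS log: collapsing the "slew" of repeated self-defense entries (such as svchost.exe touching every ESET file during defrag) into a few counted patterns, and picking out which processes actually touched egui.exe, ekrn.exe or csrss.exe. The script below is an added illustration, not ESET's code and not the attached hipslog.txt; the semicolon-separated field order, the install paths and the game path are assumptions, and the sample lines are constructed from the process names mentioned in this thread.

```python
"""Triage helper for HIPS log lines (constructed sample; export format is an ASSUMPTION)."""
from collections import Counter

# Constructed lines in an assumed layout: time;source;operation;target;action;rule
# Paths under ESET_INSTALL_DIR and the game path are placeholders, not real install paths.
SAMPLE_LOG = r"""
4/26/2016 9:12:01 PM;C:\Windows\System32\svchost.exe;Get access to file;C:\ESET_INSTALL_DIR\egui.exe;partial access allowed;Self-Defense: Protect ekrn and egui processes
4/26/2016 9:12:01 PM;C:\Windows\System32\svchost.exe;Get access to file;C:\ESET_INSTALL_DIR\ekrn.exe;partial access allowed;Self-Defense: Protect ekrn and egui processes
4/26/2016 9:12:02 PM;C:\Windows\System32\svchost.exe;Get access to file;C:\ESET_INSTALL_DIR\egui.exe;partial access allowed;Self-Defense: Protect ekrn and egui processes
4/26/2016 9:40:17 PM;C:\Games\Squad\squad.exe;Modify state of another application;C:\Windows\System32\csrss.exe;blocked;Self-Defense: Protect system processes (constructed rule name)
4/26/2016 9:40:17 PM;C:\Windows\System32\csrss.exe;Modify state of another application;C:\ESET_INSTALL_DIR\egui.exe;blocked;Self-Defense: Protect ekrn and egui processes
"""

# The processes this thread is about: ESET's own and the Windows subsystem process.
SENSITIVE = {"egui.exe", "ekrn.exe", "csrss.exe"}


def basename(path):
    """Last path component, lower-cased, so C:\\...\\EGUI.EXE and egui.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(text):
    """Turn the assumed semicolon-separated export into a list of dict entries."""
    entries = []
    for line in text.strip().splitlines():
        ts, source, operation, target, action, rule = line.split(";")
        entries.append({"time": ts, "source": basename(source), "operation": operation,
                        "target": basename(target), "action": action, "rule": rule})
    return entries


def summarize(entries):
    """Collapse repeated lines into (source, operation, target, action) -> count,
    so hundreds of svchost.exe 'partial access allowed' lines become one pattern."""
    return Counter((e["source"], e["operation"], e["target"], e["action"]) for e in entries)


def unexpected_modifiers(entries, expected=frozenset()):
    """Sources that touched a sensitive process and are not in the caller's
    'expected' set (e.g. svchost.exe during a known defrag run). Returns
    source -> sorted list of sensitive targets it touched."""
    hits = {}
    for e in entries:
        if e["target"] in SENSITIVE and e["source"] not in expected:
            hits.setdefault(e["source"], set()).add(e["target"])
    return {src: sorted(targets) for src, targets in hits.items()}


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for key, n in summarize(parsed).most_common():
        print(n, *key, sep="  ")
    print(unexpected_modifiers(parsed, expected={"svchost.exe"}))
```

Anything returned by unexpected_modifiers is what you would paste into a thread like this one for review; the summary counts are what let you tell a scheduled task sweeping every ESET file apart from a single game reaching into csrss.exe.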