HIPS oddities(?) (Odd activity from core processes and others)

Haxsys · April 26, 2016

Greetings!

I have a few questions and curiosities that I was hoping could be cleared up, a tad, if at all...

Lately I've been monitoring the HIPS log(s) just purely out of curiosity that was spawned from some details in various Win7 x64 updates that have been rolling out ever since they started pushing Win10 (which I have no intentions of upgrading to).

My first question should probably be about the windows core program known as CSRSS.EXE ...
Why would this particular program want to MODIFY ESet's - egui.exe? To what end?

My other question is: I've noticed that my video games are also attempting to modify BOTH csrss.exe and egui.exe and in all cases HIPS does its thing, and lists them all as, "Self-Defense: Protect ekrn and egui processes...."

As of the last 24 hours, svchost.and services.exe have been trying to modify/access different control set registry keys.

Now, before anyone asks, I've already triple checked for naughty software, etc. I'm somewhat of an OCD freak when it comes to a clean, and secure operating system. This is also partly responsible for my curiosity of the aforementioned issues.

I'm typing this post on my laptop, not my gaming 'rig', so I can't share a screenshot as of this moment, but will gladly upload one later today if the need arises (even if it's just out of curiosity from fellow tech'ys).

Thanks in advance for taking the time to answer, take a look at my questions.

Respectfully,
Haxsys

hipslog.txt

Marcos · April 26, 2016

I look forward to hearing about possible explanation from someone knowledgeable Normally you shouldn't get those messages unless you enable logging of blocked operations for debugging / troubleshooting purposes.

itman · April 26, 2016

My first question should probably be about the windows core program known as CSRSS.EXE ...

Why would this particular program want to MODIFY ESet's - egui.exe? To what end?

My other question is: I've noticed that my video games are also attempting to modify BOTH csrss.exe and egui.exe and in all cases HIPS does its thing, and lists them all as, "Self-Defense: Protect ekrn and egui processes...."

As of the last 24 hours, svchost.and services.exe have been trying to modify/access different control set registry keys.

To my best knowledge, no system process should be modifying equi.exe or ekrn.exe for that matter. I have a specific HIPS rule for both to prevent global hooking, event interception, and state modification and have never received any alerts. Most definitely, csrss.exe should not be modifying equi.exe.

Also your video games should not be modifying system or Eset processes.

Best you copy the entries in the HIPS log that apply to the above and post in this thread. That way verification can be made if it is actually modification activity that is occurring.

itman · April 26, 2016

Is squad.exe your game?

I am not a gamer but I would not let any application modify csrss.exe. Squad.exe is trying to modify csrss.exe.

Also it is csrss.exe that is trying to modify equi.exe and ekrn.exe. That is not normal behavior.

Maybe a gamer can shed some light on if this is normal behavior? I know I would never allow it.

You might want an Eset malware specialist to review this HIPS log.

toxinon12345 · April 27, 2016

some system processes could be tampered, so it makes sense to protect them with predefined rules.

Some other processes get access to ESET processes, but this is more obviously the case for another security product (BehaviorBlocker for example)

itman · April 27, 2016

Some other processes get access to ESET processes, but this is more obviously the case for another security product (BehaviorBlocker for example)

I would say this would be the only legit access activity to modify equi.exe and ekrn.exe. And only with limited activity.

For example in ver. 8, equi.exe runs under explorer.exe. I use Emsisoft's Anti-malware which injects its monitoring hook into explorer.exe. As a result when equi.exe is started by explorer.exe, EAM's hook is injected into equi.exe. This is allowed since I created a specific user HIPS exclusion rule to allow all activity from EAM's processes to avoid conflict between EAM and Eset.

On the other hand, ekrn.exe runs as separate service. As such, there is no attempted hook injection by EAM.

SlashRose · April 27, 2016

This behavior Eset is for ages and on different OS and also on freshly installed systems.( German: Dieses verhalten von Eset ist schon ewig und das auf verschiedenen OS und auch auf frisch Installierte Systeme)

itman · April 27, 2016

Looks like Steam is the culprit: https://support.steampowered.com/kb_article.php?ref=9828-SFLZ-9289 . They basically want you to allow Steam to do whatever it wants by creating exceptions for it in your security software.

After witnessing first hand what is does, I wouldn't have it on my PC.

SweX · April 27, 2016

Looks like Steam is the culprit: https://support.steampowered.com/kb_article.php?ref=9828-SFLZ-9289 .

"We recommend that applications listed in bold with a ( * ) symbol are fully uninstalled from your system if disabling them does not resolve the issue"

Hmmm :blink:

itman · April 27, 2016

I will also add that when you enable the HIPS log blocked activity option, you will see a lot of entries for legit system activities being blocked for Eset self-defense protection.

I enabled that logging option and observed a "slew" of "partial access allowed" log entries originating from svchost.exe against every file in every directory associated with Eset including every Eset driver file. I had a hunch what this was about. Subsequent analysis of my Win 7 event logs confirmed my hunch. If you haven't guessed yet what svchost.exe was doing, defrag was running.

Kind of neat though to see Eset's self-protection in action.

Edited April 27, 2016 by itman

toxinon12345 · April 27, 2016

I was about to suspect the same about Steam. In the past were only reported performance annoyances, actually not errors or interference.

itman · April 27, 2016

More on Steam malware here: https://threatpost.com/steam-stealer-malware-booming-business-for-attackers-targeting-gaming-service/116792/

Haxsys · April 28, 2016

Every game ran on STEAM tries to access csrss.exe

I posted a forum topic about this on the steam forums and it was removed.

itman · April 28, 2016

Came across this posting on the Win 7 forums: hxxp://www.sevenforums.com/general-discussion/201140-unravelling-csrss-exe-new-process-architecture-windows-7-a-2.html?s=b503c5aeabda69daa47dc871b7d70e44

Appears it is not uncommon for some games to want to load themselves as a subprocess under csrss.exe. This is probably the explanation for the Eset HIPS log messages about csrss.exe process modification attempts.

This is definitely not normal or safe behavior but games do all kinds of stuff that is not normal system behavior.

Sign In

HIPS oddities(?) (Odd activity from core processes and others)

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics