Very Long "Welcome Screen" with HIPS Self Protection

Discussion in 'ESET NOD32 Antivirus' started by razmichael, Feb 18, 2012.

Thread Status:
Not open for further replies.
  1. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    My new Dell Precision m4600 (i7 quad, 16gb ram and 256 SSD) came yesterday and I have spent hours trying to figure out what was causing a problem as I slowly added my programs and applications to the Windows 7 x64 OS. At a certain point the laptop would boot up to the login and then hang on the Welcome screen. At first I assumed it had hung up and after two complete restores I went through a more controlled install of the 30 windows updates, Chrome and the new Nod32 install. I discovered that the problem occurred after Nod32 was installed and the system was not really hanging but took 8 or 10 minutes to get past the welcome screen (considering with the SSD a normal full boot took less than 30 seconds without Nod32). Suspecting HIPS I turned it off and had no problem. I then ran it in interactive mode to try to manually add programs to the ruleset. After a number of still long boots, the wait was down to 6 minutes. I then turned off only the Self Protection and - back to normal sub 30 second boots.

    I've been a long-time user of Nod32 (almost since the original release) and still think it is by far the best anti-virus software but this was really annoying. Has anyone else seen this and any fixes? Perhaps the SSD is too fast for it!
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In the advanced HIPS setup, there's an option "Log all blocked operations". Enable it for a while, reproduce the problem, disable the logging and paste here the relevant records from your HIPS log.
     
  3. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    Done. Below is the text output from the HIPS log with self protection enabled during startup. In this example the startup went from 1:53:41 to 1:59:02 with just the "Welcome" screen in Windows 7 x64 svc pack 1 and NOD32 5.0.95.0.

    Thanks

    Code:
    20/02/2012 2:00:28 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:59:02 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Modify state of another application
    20/02/2012 1:58:57 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Modify state of another application
    20/02/2012 1:56:51 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Modify state of another application
    20/02/2012 1:56:48 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\winlogon.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\lsass.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\csrss.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\csrss.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\smss.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe	some access blocked	SelfDefense: Protect ekrn and egui processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\winlogon.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\lsass.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\csrss.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\csrss.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:56:44 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\smss.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Terminate/suspend another application,Modify state of another application
    20/02/2012 1:53:57 PM	C:\Windows\System32\LogonUI.exe	Get access to another application	C:\Windows\System32\winlogon.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:53:41 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\winlogon.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:53:41 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\winlogon.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    20/02/2012 1:53:41 PM	C:\Windows\System32\svchost.exe	Get access to another application	C:\Windows\System32\winlogon.exe	some access blocked	SelfDefense: Do not allow modification of system processes	Modify state of another application
    
     
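The log above is the tab-separated export of the ESET HIPS log (timestamp, source process, operation, target process, action, rule, details), newest record first. The following is an added example, not part of the thread and not ESET's code: a small parser that reads records in that format, counts blocked operations per (source, target, rule) triple, and flags long quiet gaps between consecutive denials, which is the kind of triage a defender does before deciding whether a self-protection denial is expected noise or the thing a stalled boot is waiting on. The sample records are copied from the post above; the 60-second stall threshold and all function names are choices made here, not values from the product.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the ESET HIPS log export format shown in the post:
# timestamp, source, operation, target, action, rule, details (tab-separated),
# newest first. Values are taken from the thread's own log excerpt.
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("20/02/2012 1:59:02 PM", r"C:\Windows\System32\svchost.exe", "Get access to another application",
     r"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe", "some access blocked",
     "SelfDefense: Protect ekrn and egui processes", "Modify state of another application"),
    ("20/02/2012 1:56:51 PM", r"C:\Windows\System32\svchost.exe", "Get access to another application",
     r"C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe", "some access blocked",
     "SelfDefense: Protect ekrn and egui processes", "Modify state of another application"),
    ("20/02/2012 1:56:44 PM", r"C:\Windows\System32\svchost.exe", "Get access to another application",
     r"C:\Windows\System32\winlogon.exe", "some access blocked",
     "SelfDefense: Do not allow modification of system processes", "Modify state of another application"),
    ("20/02/2012 1:53:57 PM", r"C:\Windows\System32\LogonUI.exe", "Get access to another application",
     r"C:\Windows\System32\winlogon.exe", "some access blocked",
     "SelfDefense: Do not allow modification of system processes", "Modify state of another application"),
    ("20/02/2012 1:53:41 PM", r"C:\Windows\System32\svchost.exe", "Get access to another application",
     r"C:\Windows\System32\winlogon.exe", "some access blocked",
     "SelfDefense: Do not allow modification of system processes", "Modify state of another application"),
])

FIELDS = ("time", "source", "operation", "target", "action", "rule", "details")
TIME_FORMAT = "%d/%m/%Y %I:%M:%S %p"  # day/month/year with 12-hour clock, as in the export


def basename(path):
    """Last component of a Windows path, lower-cased for stable grouping."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hips_log(text):
    """Parse tab-separated HIPS records and return them oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line[:60]!r}")
        rec = dict(zip(FIELDS, parts))
        rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
        # The details column lists one or more blocked operations, comma-separated.
        rec["details"] = tuple(d.strip() for d in rec["details"].split(","))
        records.append(rec)
    records.sort(key=lambda r: r["time"])
    return records


def blocked_pairs(records):
    """Count denials per (source, target, rule); repeated triples are the noisy callers."""
    return Counter((basename(r["source"]), basename(r["target"]), r["rule"]) for r in records)


def span_seconds(records):
    """Wall-clock span covered by the records (first to last denial)."""
    if not records:
        return 0.0
    return (records[-1]["time"] - records[0]["time"]).total_seconds()


def stalls(records, min_gap_seconds=60):
    """Gaps longer than min_gap_seconds between consecutive denials.

    Each entry is (gap, source, target, time) for the last denial before the
    quiet period: a starting point for correlating with boot phases, not proof
    that this denial caused the delay.
    """
    found = []
    for earlier, later in zip(records, records[1:]):
        gap = (later["time"] - earlier["time"]).total_seconds()
        if gap > min_gap_seconds:
            found.append((gap, basename(earlier["source"]), basename(earlier["target"]), earlier["time"]))
    return found


if __name__ == "__main__":
    recs = parse_hips_log(SAMPLE_LOG)
    print(f"{len(recs)} denials over {span_seconds(recs):.0f} s")
    for (src, tgt, rule), n in blocked_pairs(recs).most_common():
        print(f"{n:3d}  {src} -> {tgt}  [{rule}]")
    for gap, src, tgt, when in stalls(recs):
        print(f"quiet {gap:.0f} s after {when:%H:%M:%S}: last denial was {src} -> {tgt}")
```

On the thread's excerpt this reports a 321-second span and two quiet gaps of more than two minutes, each immediately preceded by a self-protection denial; run against a full log it gives the list of (source, target, rule) triples to hand to the vendor, which is what Marcos asked for.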
  4. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    Is there anything else I can provide to further this investigation? I'm not fully sure of the additional risk by keeping "self protection" disabled but I suspect I should be able to enable it.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you have WvCredProv.dll (Wave Credential Provider) or infql2.dll (UPEK TouchChip) present / loaded in the system?
     
  6. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    I'm not "with" my laptop at the moment but I'm sure the Dell Precision M4600 uses the UPEK fingerprint reader (and it has the reader).
     
  7. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    Hi Marcos
    What next or should I just keep the 'self protection' disabled?
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This will most likely be fixed by a HIPS module update. However, we have yet to find a way to accomplish it without a negative effect on security.
     
  9. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    Hi Marcos
    So basically I just cannot use the 'self protection' option - which I assume is also a compromise in security.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    A newer HIPS module 1044P is available on pre-release servers. It should fix this issue.
     
  11. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    Thanks Marcos. Is this module available now or do I wait for the next version release of Nod32?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It was already available when I replied here. You just need to enable pre-release updates in the update setup.
     
  13. razmichael

    razmichael Registered Member

    Joined:
    Feb 18, 2012
    Posts:
    9
    Location:
    Canada
    Thank you Marcos. I have upgraded and so far not seen the issue (tried 3 reboots with HIPS and Self Protection on - no slowdown).

    Much appreciated!
     