WSA v801161 causes Failure MemoryFox for FF Addon

Discussion in 'Prevx Releases' started by charlestek, Mar 28, 2012.

Thread Status:
Not open for further replies.
  1. charlestek

    charlestek Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    11
    Firefox 11 32 bit or FF 9 , OS Win 7 Ultimate 64 bit

    FF Addon Memory fox reduces memory usage of Firefox 11.0 or earlier considerably. For me and others (see reviews) it drops memory usage usually by 60- 70%.

    http://www.browsermemory.com/
    https://addons.mozilla.org/en-US/firefox/addon/memory-fox/

    Ever since I installed Webroot ( yesterday) am getting memory release failure on afom.exe - which is the memory fox executable.

    Disabling Webroot causes Memory Fox to work properly with no errors or Memory release failures.


    Excerpt for first link (browsermemory.com) below:

    During the early development phase for Memory Fox I've discovered some API calls internally within the core of Firefox that would habitually cause an increase for the two types of memories, Virtual Paging and Physical Ram. I initially tried utilizing the coding within an XPCOM DLL to force a flushing of the Ram memory back to the Virtual Paging thereby having Firefox close some of the orphaned files and memory handles. This message action allowed me to post out to the Firefox.exe some additional API messages to halt this redundant action causing the increase. What a user would see is the Ram Memory being again filled in by the Virtual Paging Manager, and this being ONLY the valid and essential pages of information need at that current immediate time. This action would be without the inclusion of unnecessary obsolete data paging information that had been left abandon in Physical Ram. This operation action would seem to improve memory intermittently at times, so I moved the code out of the XPCOM add-on to an Out-Of-Process application as a stand-alone known as Memory Fox. Memory Fox would reduced the overhead of the Physical Ram which would indicate that it was successful by testing with the same Tabs Opened ( With ) and ( Without ) the aid of the Memory Fox add-on as being activated. Although, one could verify that there would be a normal increase in the Virtual Page memory, the idea was to increase as much as possible the available Physical Ram memory. The action would lessening the chances of a memory exception failure by providing a longer usage time for the Firefox browser session or allow other applications running parallel the same advantage.

    Recently, in a new beta version of Memory Fox, I've injected a DLL to remove the offending API calls before they are consumed by supporting functions internal to the core Firefox code.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You're going to have to disable the WSA Identity Shield and possibly set Self Protection to Minimum if you want to use a tool like this. There won't be any way around it as it will need to access the memory of your browser instances.
     
  3. charlestek

    charlestek Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    11
    None of the suggestions you gave me has any effect. I had no issues before with Vipre. If Firefox did not have this poor design to begin with, I would not need the addon.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you try rebooting after changing the options? If that doesn't work, you may need to also disable the Web Threat Shield.

    Thanks!
     
  5. charlestek

    charlestek Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    11
    Will try, thank you
     
  6. charlestek

    charlestek Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    11
    I tried changing the settings per your suggestion, and rebooting, but that does not help.

    I sent a support ticket to webroot support, and their suggestion is listed below in red, which works only if I put firefox.exe in the detection configuration whitelist.
    Putting the Memory Fox Addon afom.exe in the whitelist does nothing.

    HOWEVER, what does this do to protection? Does it essentially eliminate all WSA protection monitoring in Firefox??


    THE MEMORY FOX AUTHOR just replied to an email conversation I'd have with him. His response is listed further below in green.

    Webroot Support (Mar 30, 2012 12:34)
    RE:Looked in Logs

    Hi,

    Can you open your Webroot program, click Pc Security > Quarantine > Detection Configuration > Configure.

    Please set Firefox to allow if it is listed here and also have a look to check if Afom is listed here and also set to allow if possible.

    Please let me know if this does not resolve the issue.

    Thanks,

    Webroot Support





    From: Richard
    Sent: Friday, March 30, 2012 10:51 AM
    To: Phil C.
    Subject: Re: Issues with WebrootSecurityAnywhere causing afom.exe memory release failure

    Funny,

    I was about to reply back to before your reply suggesting that Web Root is block the api call from Memory Fox to Firefox.
    That's the problem. You might see if there is a White List for adding applications not to block within Web Root. Also, check their log
    to see what Web Root has blocked.

    richard
    On Fri, Mar 30, 2012 at 9:43 AM, Phil wrote:
    Richard,

    It happens on FF 9 or FF 11.

    It only happens when the Webroot Security Anywhere is on, and every time memory is released, so it is not intermittent.
    Turning Webroot off stops it.

    I had previously used GFI vipre antivirus and it did not have this issue, but vipre is inferior to Webroot.

    So I suspect it is more an issue with Webroot than your programming.

    Phil
     
    Last edited: Mar 30, 2012
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Are sure you want to leave the email addresses in your post? It's best if you remove them!

    TH
     
  8. charlestek

    charlestek Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    11
    I removed the address. Thanks. Although the address is readily found from FF addons.
     
  9. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    I surmise:
    Firefox is a trusted app (G)
    Memory Fox is unknown (U)
    Therefore, when MF injects the unknown DLL into FF, FF gets monitored, and MF doing memory stuff to the process doesn't work well through monitoring.

    Setting FF to Allowed just tells it to stop monitoring FF even though it got injected. Optimally it would be best for the DLL that was injected to be examined and set to Good in the cloud, so FF can be normal and monitored if something else (malicious?) is injected.
     
  10. charlestek

    charlestek Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    11
    Actually the author's quote above says Memory fox just calls an api in Firefox, so there is no dll injecting I think.

    I just got an email updating my support ticket thread. They supposedly unmarked things in the cloud, and I followed the instructions below, but I still get the Memory fox error trying to release memory.


    Webroot Support (Mar 30, 2012 19:49)
    RE:Works, but does this make Firefox totally vulnerable?

    Hello,

    Thank you for your report. After analyzing the automatically attached logs, we have white-listed the unknown processes which SecureAnywhere had been monitoring on your system.

    We ask that you run a new scan of your computer now (click "Scan My Computer" in the main overview window). Please let us know if the same issue persists after this scan.

    Regards,

    The Webroot Threat Research Team
     
  11. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    I decided to take a look into this...

    From the MemoryFox page:
    "I've injected a DLL to remove the offending API calls before they are consumed by supporting functions internal to the core Firefox code."

    So that's the official description saying it's DLL injecting, which would definitely cause the problem if the main MF process or the DLL it injects are either not-trusted or blocked by ID shield. So if you are using Essentials or above, check your Protected applications list.
     
Thread Status:
Not open for further replies.