eEye Digital Security

Restarting process and switching windows identity

Last post 07-24-2009 11:09 AM by lnicula. 8 replies.
  • 07-01-2009 6:57 PM

    • Zerosu
    • Top 200 Contributor
    • Joined on 07-02-2009
    • Posts 4

    Restarting process and switching windows identity

    When I open up a new game a program starts with it called GameGard (anti-hack program), however when this program opens Blink gets the below error and decides to restart the process.  Once the process is restarted my Windows identity gets switched and I have to log out and log back in to get my normal favorites/desktop icons.

    Description: Blink detected a suspicious system call.
    Program: C:\WINDOWS\explorer.exe
    Reason: KERNEL32.DLL!VirtualProtect
    Action: Restart process

    Is there any way to stop this from happening?  Right now I have to turn off the system protection to stop it from happening.

  • 07-01-2009 7:14 PM In reply to

    Re: Restarting process and switching windows identity

    Is there an executable name associated with the anti-hack program (like the anti-hack program "Punkbuster" uses PnkBstrA.exe, etc)?

    You could exclude the antihack program from Blink's Application Protection engine (more on this later depending on your response).

    What particular game (and anti-hack program) is causing this?

    ==================================================

    eEye can correct me if I am wrong on this, but to me from what you're telling us, Blink reacted this way because obviously whatever the anti-hack program was doing (obviously trying to send information about what is running on your system back to the game servers) it was trying to use Internet Explorer's process to initiate contact back to its servers to report your system's status (i.e. your running software or devices on your system that could be used to cheat in a game etc).  Blink does this off and on simply because exploits (and other malware) will attempt to hijack a process or take control of a process to complete their malicious intentions.

    Unfortunately, in your case this was a false positive, however had it been something malicious it would have been stopped, hence a good call by Blink.  Keep in mind a lot of the anti-hack programs display the behavior of a malicious process simply because of what they are doing.

    ==================================================

    I moved this post to the games section of troubleshooting (since it dealt with games and such).

  • 07-11-2009 12:48 PM In reply to

    • Zerosu
    • Top 200 Contributor
    • Joined on 07-02-2009
    • Posts 4

    Re: Restarting process and switching windows identity

    The only thing I can find for GameGard seems to be a name in the task manager when GameGard is starting up. "GameGard.des"  I can't find any exe like PunkBuster has.

    When I went into Blink and tried to add the system execution protection rule, I found it hard to figure out what each of the inputs was asking for.  First it asks for an executable.  Next it asks for a parent executable (caller).  If I am able to find out what was making the calls to explorer.exe, would you be able to describe how I would create the rule in Blink?

    Thanks

  • 07-11-2009 6:24 PM In reply to

    Re: Restarting process and switching windows identity

    You're trying to create a rule in the System Protection module itself to "detect" something based on a process, but you need to exclude that particular process from Blink's Application Protection engine (aka "Kevlar") instead.  To do this, you must modify an .ini file within Blink.  To do this complete the following:

    From an account that has Admin rights:

    1.  Navigate to:  C:\Program Files(for Windows XP) or Program Files (x86) (for Vista)\eEye Digital Security\Blink\config

    - under the config folder, double left click on the "apiex.ini" file to open it.  It should open in Notepad or something like that; if it asks you to choose what to open it in, choose Notepad or WordPad if possible.

    2.  Once in this file, I would recommend reading the description given by eEye (anything that has a line that starts with a "#" sign) for your own information.  Otherwise, scroll all the way to the bottom of this page.

    3.  At the bottom directly on the next line directly under the last long line of "#############" enter:

        *GameGard.des;;Kelvlar;0

    This "should" exclude that process name you have given me from the Application Protection engine in Blink.

    4.  When you're done, go to the top of this window and select File >> Save

    5.  Shutdown Blink completely by going into its main window and going to (File >> Shutdown Blink Personal Edition)

    6.  Restart Blink again and try your game once again.

    =========================================

    If this does not help, get the nice little utility called "Process Explorer" found at Microsoft's TechNet site:  http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    1.  Open up the zip file that you download for it and simply extract only the "procexp.exe" file to your desktop or wherever you want to run it from.

    2.  Run the self-contained executable to start it.

    3.  Once running, go to: View >> and select "Show New Processes" to place a check mark next to it.

    Process Explorer is basically a Task Manager on steroids containing many, many more abilities.  If you want, you can replace your Task Manager with it (until you revert back to Task Manager) by going to:  Options >> Replace Task Manager.  This will show what process or processes are running other processes and so forth.

    Let us know if you need any more help.

  • 07-16-2009 7:47 PM In reply to

    • Zerosu
    • Top 200 Contributor
    • Joined on 07-02-2009
    • Posts 4

    Re: Restarting process and switching windows identity

    I tried adding the line to the apiex.ini file and got no results.

    Next I tried adding all three of these processes to the apiex.ini since these were the 3 processes I found running with the Process Explorer you suggested.

    In the explorer it would list GameGard.des and GameMon.des under AION.bin for about a second and then that would disappear and I would get the flicker of the Windows identity switching on me. Then I get the Blink warning. GameGard.des happens to run outside of AION.bin for about 10 seconds after what seems to be the flicker where it switches identities.

    *GameGard.des;;Kelvlar;0
    *GameMon.des;;Kelvlar;0
    *AION.bin;;Kelvlar;0

    Reading the message that Blink gives me in the log it's basically telling me to put Explorer.exe into the apiex.ini file, however I don't think that would be a good idea?

    EDIT:

    I tried adding "explorer.exe;;Kevlar;0" to the apiex.ini file temporarily to test it out.  What do you know, it fixes it.  -_-   Though I would guess it is not a good idea to leave it like that.

  • 07-21-2009 8:31 PM In reply to

    Re: Restarting process and switching windows identity

    Indeed explorer.exe is usually vulnerable to buffer overflow attacks through the various plugins/viewers, modules etc. that run inside and handle files of various formats.

    Unfortunately that's why it also has many false positives. Many applications (and many malware binaries as well) inject code in it and run it for whatever purpose. Application protection will trigger if code is executed from the heap or a return-to-libc is detected.

    Regards
    Laurentiu Nicula
  • 07-22-2009 4:01 PM In reply to

    Re: Restarting process and switching windows identity

    Unfortunately, you do not want to exclude explorer.exe from Kevlar like you have done.  Quite frankly, I would recommend simply disabling the Application Protection while you're playing games and then re-enabling it afterwards.  It is unfortunate that with the way games run their code, security applications sometimes trigger on these actions.
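The thread settles on two practical points about apiex.ini exclusions: the engine name on each line must be exactly "Kevlar" (the earlier attempts in this thread spelled it "Kelvlar" and had no effect, while the line spelled "Kevlar" did), and excluding explorer.exe turns the Application Protection engine off for the one process the replies above describe as a frequent exploitation target. The following is an added example, not eEye's code or part of this forum post, that lints exclusion lines for both problems. It assumes the line shape shown in the thread (`*name;;Kevlar;0`: an optional leading `*`, a process name, an empty second field, the engine name, and a numeric flag); the meaning of the empty field and the flag is not documented on the page, so the checker validates only the shape and does not interpret them. The sample configuration text is constructed from the lines quoted in the thread.

```python
import re

# Engine name as given in the thread; any other spelling is treated as a likely typo.
ENGINE_NAME = "Kevlar"

# Core Windows processes the replies in this thread advise against excluding.
# (Set membership is an editorial choice for this example, not an eEye list.)
SYSTEM_PROCESSES = {"explorer.exe"}

# Assumed line shape, inferred from "*GameGard.des;;Kevlar;0":
#   optional '*', process name, ';', empty field, ';', engine name, ';', numeric flag
LINE_RE = re.compile(
    r"^\*?(?P<proc>[^;]+);(?P<field2>[^;]*);(?P<engine>[^;]*);(?P<flag>\d+)$"
)


def check_line(line):
    """Return a list of warnings for one apiex.ini line (empty if the line is fine).

    Blank lines and '#' comment lines (the file's own descriptive text) are skipped.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []

    match = LINE_RE.match(stripped)
    if not match:
        return [f"unparseable exclusion line: {stripped!r}"]

    warnings = []
    engine = match.group("engine")
    if engine != ENGINE_NAME:
        warnings.append(
            f"engine name {engine!r} is not {ENGINE_NAME!r}; the line will likely be ignored"
        )

    proc = match.group("proc").lower()
    if proc in SYSTEM_PROCESSES:
        warnings.append(
            f"excluding {proc} removes Application Protection from a core system process"
        )
    return warnings


def check_config(text):
    """Map 1-based line numbers to their warnings for every problematic line in `text`."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        warnings = check_line(line)
        if warnings:
            findings[lineno] = warnings
    return findings


# Constructed sample: the lines quoted in this thread, with the misspelled engine
# name left in on the first entry so the checker has something to catch.
SAMPLE_APIEX = """\
#############
*GameGard.des;;Kelvlar;0
*GameMon.des;;Kevlar;0
*AION.bin;;Kevlar;0
explorer.exe;;Kevlar;0
"""

if __name__ == "__main__":
    for lineno, warnings in sorted(check_config(SAMPLE_APIEX).items()):
        for warning in warnings:
            print(f"line {lineno}: {warning}")
```

Run against the constructed sample, the checker reports line 2 (engine name misspelled) and line 5 (explorer.exe excluded); the GameMon.des and AION.bin entries pass. To lint a real file, read it with `open(path).read()` and pass the text to `check_config`.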

  • 07-23-2009 9:48 PM In reply to

    • Zerosu
    • Top 200 Contributor
    • Joined on 07-02-2009
    • Posts 4

    Re: Restarting process and switching windows identity

    Ok,

    Thanks anyways for the help

    Edit:

    On a side question, is there a reason my current Windows identity gets switched when the process restarts?

    If it didn't switch the identity, I wouldn't have a problem with it restarting the process (the game still seems to start up fine even once the process is restarted and the identity is switched).

  • 07-24-2009 11:09 AM In reply to

    Re: Restarting process and switching windows identity

    This could be a bug. We will attempt to reproduce and let you know.

    Regards
    Laurentiu Nicula
© 1995 - 2009 eEye Incorporated