eEye Digital Security

My Vista x64 system locks up after Blink encounters this error in the Windows Application Log.  This occured 3 minutes after eEye Auto-Update ran.  The version is Blink Personal Version 4.3.2, Rule version 1534, AntiVirus Version 1.0.749, Vulnerability Scanner version 5.10.12, Audits version 2120.  Issuing "shutdown /r /f /t 0" doesn't reboot the computer.  I have to use the power or reset button to restart.

Excerpt from the Windows Application Log:

function Toggle(node) { if (!window.fullyLoaded) return; // Expand the branch? if (node.nextSibling.style.display == 'none') { // Change the sign from "+" to "-". var tBodyNode = node.childNodes[0]; var trNode = tBodyNode.childNodes[0]; var tdNode = trNode.childNodes[0]; var bNode = tdNode.childNodes[0]; var textNode = bNode.childNodes[0]; if (textNode.nodeType == 3 /* Node.TEXT_NODE */) { var s = textNode.data; if (s.length > 0 && s.charAt(0) == '+') { textNode.data = '-' + s.substring(1, s.length); } } // show the branch node.nextSibling.style.display = ''; } else // Collapse the branch { // Change the sign from "-" to "+". var tBodyNode = node.childNodes[0]; var trNode = tBodyNode.childNodes[0]; var tdNode = trNode.childNodes[0]; var bNode = tdNode.childNodes[0]; var textNode = bNode.childNodes[0]; if (textNode.nodeType == 3 /* Node.TEXT_NODE */) { var s = textNode.data; if (s.length > 0 && s.charAt(0) == '-') { textNode.data = '+' + s.substring(1, s.length); } } // hide the branch node.nextSibling.style.display = 'none'; } } // Toggle "System" element by default so that it's default status is to hide its children function ToggleSystemElement() { var body = document.getElementById("body"); var anchor = body.getElementsByTagName("table")[0]; Toggle(anchor); } // If binary data is present in event XML, show it in friendly form. function ProcessBinaryData(binaryString, binaryDataCaption, wordsFormatString, bytesFormatString, normalFont, fixedWidthFont) { var bodyNode = document.getElementById("body"); // Add a <hr> at the end of the HTML body. bodyNode.appendChild(document.createElement("hr")); // This paragraph (p element) is the "Binary data:" literal string. var p = document.createElement("p"); p.style.fontFamily = normalFont; var b = document.createElement("b"); b.appendChild(document.createTextNode(binaryDataCaption)); p.appendChild(b); p.appendChild(document.createElement("br")); bodyNode.appendChild(p); // // Show binary data in Words format. // p = document.createElement("p"); p.style.fontFamily = normalFont; p.appendChild(document.createTextNode(wordsFormatString)); bodyNode.appendChild(p); // Must use fixed-width font for binary data. p = document.createElement("p"); p.style.fontFamily = fixedWidthFont; var i = 0; var j = 0; var s, tempS; var translatedString; var charCode; var byte1, byte2; // Each character in binaryString is a hex (16-based) representation of // 4 binary bits. So it takes 2 characters in binaryString to form a // complete byte; 4 characters for a word. while (i < binaryString.length) { s = (i / 4).toString(16); // To hex representation. while (s.length < 4) { s = "0" + s; } s += ": "; // DWords representation is simply a rearrangement of the original binaryString // For example, from: // // 0000000002005600000000000f000540 // // (which is 00 00 00 00 02 00 56 00 00 00 00 00 0f 00 05 40). // // to: // // 0000: 00000000 00560002 00000000 4005000f // 8 words per line, 4 DWords per line. for (j = 0; j < 4; j++) { s += binaryString.substring(i + 6, i + 8); s += binaryString.substring(i + 4, i + 6); s += binaryString.substring(i + 2, i + 4); s += binaryString.substring(i, i + 2) + " "; i += 8; } p.appendChild(document.createTextNode(s)); p.appendChild(document.createElement("br")); } bodyNode.appendChild(p); // // Show binary data in bytes format. // p = document.createElement("p"); p.style.fontFamily = normalFont; p.appendChild(document.createTextNode(bytesFormatString)); bodyNode.appendChild(p); // Must use fixed-width font for binary data. p = document.createElement("p"); p.style.fontFamily = fixedWidthFont; i = 0; j = 0; // Each character in binaryString is a hex (16-based) representation of // 4 binary bits. So it takes 2 characters in binaryString to form a // complete byte. while (i < binaryString.length) { translatedString = ""; // 2 characters in binaryString to form a byte s = (i / 2).toString(16); // to hex representation. // Prefix with '0' until its length is 4. while (s.length < 4) { s = "0" + s; } s += ": "; // Show 8 bytes per line for (j = 0; j < 8; j++) { tempS = binaryString.substring(i, i + 2); // 2 for 1 byte i += 2; s += tempS + " "; // Treat tempS as hex integer charCode = parseInt(tempS, 16); if (charCode < 32) { translatedString += "."; } else { translatedString += String.fromCharCode(charCode); } } while (s.length < 32) { s += " "; } s += translatedString; p.appendChild(document.createTextNode(s)); p.appendChild(document.createElement("br")); } bodyNode.appendChild(p); }

This also appeared in the system log

function Toggle(node) { if (!window.fullyLoaded) return; // Expand the branch? if (node.nextSibling.style.display == 'none') { // Change the sign from "+" to "-". var tBodyNode = node.childNodes[0]; var trNode = tBodyNode.childNodes[0]; var tdNode = trNode.childNodes[0]; var bNode = tdNode.childNodes[0]; var textNode = bNode.childNodes[0]; if (textNode.nodeType == 3 /* Node.TEXT_NODE */) { var s = textNode.data; if (s.length > 0 && s.charAt(0) == '+') { textNode.data = '-' + s.substring(1, s.length); } } // show the branch node.nextSibling.style.display = ''; } else // Collapse the branch { // Change the sign from "-" to "+". var tBodyNode = node.childNodes[0]; var trNode = tBodyNode.childNodes[0]; var tdNode = trNode.childNodes[0]; var bNode = tdNode.childNodes[0]; var textNode = bNode.childNodes[0]; if (textNode.nodeType == 3 /* Node.TEXT_NODE */) { var s = textNode.data; if (s.length > 0 && s.charAt(0) == '-') { textNode.data = '+' + s.substring(1, s.length); } } // hide the branch node.nextSibling.style.display = 'none'; } } // Toggle "System" element by default so that it's default status is to hide its children function ToggleSystemElement() { var body = document.getElementById("body"); var anchor = body.getElementsByTagName("table")[0]; Toggle(anchor); } // If binary data is present in event XML, show it in friendly form. function ProcessBinaryData(binaryString, binaryDataCaption, wordsFormatString, bytesFormatString, normalFont, fixedWidthFont) { var bodyNode = document.getElementById("body"); // Add a <hr> at the end of the HTML body. bodyNode.appendChild(document.createElement("hr")); // This paragraph (p element) is the "Binary data:" literal string. var p = document.createElement("p"); p.style.fontFamily = normalFont; var b = document.createElement("b"); b.appendChild(document.createTextNode(binaryDataCaption)); p.appendChild(b); p.appendChild(document.createElement("br")); bodyNode.appendChild(p); // // Show binary data in Words format. // p = document.createElement("p"); p.style.fontFamily = normalFont; p.appendChild(document.createTextNode(wordsFormatString)); bodyNode.appendChild(p); // Must use fixed-width font for binary data. p = document.createElement("p"); p.style.fontFamily = fixedWidthFont; var i = 0; var j = 0; var s, tempS; var translatedString; var charCode; var byte1, byte2; // Each character in binaryString is a hex (16-based) representation of // 4 binary bits. So it takes 2 characters in binaryString to form a // complete byte; 4 characters for a word. while (i < binaryString.length) { s = (i / 4).toString(16); // To hex representation. while (s.length < 4) { s = "0" + s; } s += ": "; // DWords representation is simply a rearrangement of the original binaryString // For example, from: // // 0000000002005600000000000f000540 // // (which is 00 00 00 00 02 00 56 00 00 00 00 00 0f 00 05 40). // // to: // // 0000: 00000000 00560002 00000000 4005000f // 8 words per line, 4 DWords per line. for (j = 0; j < 4; j++) { s += binaryString.substring(i + 6, i + 8); s += binaryString.substring(i + 4, i + 6); s += binaryString.substring(i + 2, i + 4); s += binaryString.substring(i, i + 2) + " "; i += 8; } p.appendChild(document.createTextNode(s)); p.appendChild(document.createElement("br")); } bodyNode.appendChild(p); // // Show binary data in bytes format. // p = document.createElement("p"); p.style.fontFamily = normalFont; p.appendChild(document.createTextNode(bytesFormatString)); bodyNode.appendChild(p); // Must use fixed-width font for binary data. p = document.createElement("p"); p.style.fontFamily = fixedWidthFont; i = 0; j = 0; // Each character in binaryString is a hex (16-based) representation of // 4 binary bits. So it takes 2 characters in binaryString to form a // complete byte. while (i < binaryString.length) { translatedString = ""; // 2 characters in binaryString to form a byte s = (i / 2).toString(16); // to hex representation. // Prefix with '0' until its length is 4. while (s.length < 4) { s = "0" + s; } s += ": "; // Show 8 bytes per line for (j = 0; j < 8; j++) { tempS = binaryString.substring(i, i + 2); // 2 for 1 byte i += 2; s += tempS + " "; // Treat tempS as hex integer charCode = parseInt(tempS, 16); if (charCode < 32) { translatedString += "."; } else { translatedString += String.fromCharCode(charCode); } } while (s.length < 32) { s += " "; } s += translatedString; p.appendChild(document.createTextNode(s)); p.appendChild(document.createElement("br")); } bodyNode.appendChild(p); }

By any chance have you attempted to try the new Blink 4.4.0 Beta and see if you are experiencing the same issues? 

http://forums.eeye.com/forums/p/1062/4601.aspx#4601

IF you are using Blink Personal Edition (with a license you paid for) please make sure you remove (transfer) your license before changing your version of Blink to save you a lot of headaches.

http://forums.eeye.com/forums/t/946.aspx

Just downloaded and I'll let you know if the problem continues.

The Blinksvc still crashes for some unknown reason.  2 out of 3 times it completely locked up explorer.exe and no applications would open or close.  This last time the windows froze for a few seconds and eventually allowed me to open Control Panel, and Event Viewer where I was able to see Blink restarted again.

 Alright, since it seems fairly reproduceable for you, can you enable debugging in Blink by following the instructions located here:

http://www.eeye.com/html/support/kb/view.html?id=KB000802

- Note:  If you can identify a layer in Blink (like the kb article says) that may be causing before starting the debugging process great, but if not, leave everything on and then start it.

After you collect the logs, please email them to lnicula@eeye.com and bpatten@eeye.com 

I would enable the debugging and then restart your computer.  After your system restarts anything from that point on will be caught in the debugging session.

If you need anything else let us know.

Does Blink do anything with javascript running a browser?  I'm having a hunch that leaving multiple tabs open on dynamically updating sites like Facebook, Google Reader, and Friendfeed in Firefox 3.5 is possibly a contributing factor.  I don't believe I've seen the behavior if Firefox was closed.  I have seen the explorer.exe go unstable if I leave Facebook up in a single tab overnight, though it sometimes take a day or two.

Dezl0ck:

Does Blink do anything with javascript running a browser?

I am not sure, eEye would have to answer that question.  I am sure that it is scanning it all the time, but other than that I don't know what else it would be doing.

Ok, thanks for the info.  I sent some logs in; however, I wasn't able to get the whole system to lock up though Blink did fail and then restart.

This person was also reporting a what seems to be the same issue I'm experiencing, but my system doesn't lock up immediately on boot.

Normal 0 false false false EN-US X-NONE X-NONE MicrosoftInternetExplorer4 <!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:1; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:variable; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; mso-themecolor:hyperlink; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {mso-style-noshow:yes; mso-style-priority:99; color:purple; mso-themecolor:followedhyperlink; text-decoration:underline; text-underline:single;} span.EmailStyle16 {mso-style-type:personal; mso-style-noshow:yes; mso-style-unhide:no; mso-ansi-font-size:11.0pt; mso-bidi-font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi; color:windowtext;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} --> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} http://forums.eeye.com/forums/t/1059.aspx