Recently, with the release of Blink version 4.4.1, eEye incorporated a very useful function that creates a memory dump file whenever anything sets off Blink's Application Protection Engine (aka "Kevlar"). This is useful because these dump files can be sent to eEye to be examined, allowing eEye to determine whether an alert was a false positive or an actual attack that was stopped.
To give you an example:
Recently, when I tried to play a DVD movie in Windows Media Player, Blink halted Windows Media Player and showed me the following Kevlar alert:
Event ID: BLINK-APP-100
Severity: High
Description: Blink detected a suspicious system call.
Alert: Yes
Application: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Reason: KERNEL32.DLL!GetModuleHandleA
Action: Restart process
Application Arguments: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
Well, to eEye this is not enough information to determine whether this is something malicious or a piece of code that merely looks malicious to Blink (but is not) when it runs on an attempt to play a video file. I know this particular alert is not malicious. In my attempt to troubleshoot, eEye advised me of a simple registry key that you import into your system, which forces Blink to create a memory dump any time Kevlar alerts on something. Once you have imported this registry key, a Kevlar alert will show the following:
Event ID: BLINK-APP-100
Severity: High
Description: Blink detected a suspicious system call.
Alert: Yes
Application: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Reason: KERNEL32.DLL!GetModuleHandleA
Action: Restart process
Application Arguments: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
Dump File: C:\Program Files (x86)\Windows Media Player\wmplayer.exe.dmp
NOTE: The alert now ends with the path of the dump file, so you can go and retrieve it.
This particular dump file turned out to be a little over 300 MB in size.
-----------------------------------------------------------------------------------------------------
Now, if you're interested in setting this up so your system will do the same (so you can submit these helpful files to eEye), the following registry key must be imported into your system:
For 32-bit operating systems:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\eEye\Blink]
"CreateDumps"=dword:00000001
For 64-bit operating systems:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\Blink]
"CreateDumps"=dword:00000001
-----------------------------------------------------------------------------------------------------
To create the key, copy the text above (whichever applies to your type of system) and paste it into Notepad. Name the file anything you want, but change the file extension to .reg when you save it. To import it into your system, simply double-click it as if you were running an executable (.exe) file. It will prompt you to confirm that you want to add it to your system, and so forth.
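If you would rather do this from an elevated PowerShell prompt than by importing a .reg file, here is an added example (not from the original post or from eEye) that picks the right key for 32-bit or 64-bit Windows, sets CreateDumps, and reads it back to verify. The helper that locates the dump assumes the .dmp always lands next to the executable, as in the alert above; that location is inferred from the example, not documented here.

```powershell
# Added example: enable Blink "Kevlar" memory dumps without a .reg file.
# Registry paths and the CreateDumps value are taken from the post; the
# bitness check and the verification step are this example's additions.

function Enable-BlinkKevlarDumps {
    # On 64-bit Windows the 32-bit Blink settings live under Wow6432Node,
    # matching the two .reg variants shown above.
    $keyPath = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\eEye\Blink'
    } else {
        'HKLM:\SOFTWARE\eEye\Blink'
    }

    # Create the key if it does not exist yet (requires administrator rights).
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # REG_DWORD 1 is the same as dword:00000001 in the .reg file.
    New-ItemProperty -Path $keyPath -Name 'CreateDumps' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # Read the value back so a typo in the path does not go unnoticed.
    $actual = (Get-ItemProperty -Path $keyPath -Name 'CreateDumps').CreateDumps
    if ($actual -ne 1) {
        throw "CreateDumps under $keyPath is '$actual', expected 1"
    }
    Write-Output "CreateDumps=1 set under $keyPath"
}

function Get-BlinkKevlarDump {
    # Given the "Application:" path from a Kevlar alert, report the matching
    # dump file and its size, so you know what you are about to send to eEye.
    # ASSUMPTION: the dump is written as "<exe>.dmp" beside the executable.
    param([Parameter(Mandatory)][string]$ApplicationPath)
    $dmp = "$ApplicationPath.dmp"
    if (-not (Test-Path $dmp)) { return $null }
    $item = Get-Item $dmp
    [pscustomobject]@{
        Path    = $item.FullName
        SizeMB  = [math]::Round($item.Length / 1MB, 1)
        Written = $item.LastWriteTime
    }
}

Enable-BlinkKevlarDumps
Get-BlinkKevlarDump 'C:\Program Files (x86)\Windows Media Player\wmplayer.exe'
```

Get-BlinkKevlarDump returns nothing until an alert has actually fired and written the dump, so run it after reproducing the alert.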
I have also uploaded both registry keys (for 32-bit and 64-bit systems) in a zip file named "KevlarDumps.zip" attached to this post for anyone who does not know how to complete the process I have explained above. They can simply download the zip file and use the one that fits their needs, and you should be good!
Finally, I am not sure how eEye would like these files to be sent to them (since they usually end up being too large for email), but you can email lnicula@eeye.com OR bpatten@eeye.com and ask them for further instructions on what to do if you happen to gather some of these dump files for alerts that you feel are false positives. Always be sure to include information on what operating system you're using, etc., when you email them.