eEye Digital Security

The endpoint to vulnerability starts here.


Ok this is the third or 4th occurance of this issue...

Last post 08-14-2007 7:38 AM by JayEff. 7 replies.
  • 07-24-2007 12:42 PM

    Ok this is the third or 4th occurance of this issue...


    When performing Windows Update....

    IE7 - click on TOOLS - WINDOWS UPDATE

    Browser goes to the Windows Update site.

    Select CUSTOM

    Browser scans the computer for updates needed, and then BLINK does not like something that triggers the AP Protection Module:

    Event ID: BLINK-APP-100
     Severity: High
     Description: Blink detected a suspicious system call. If you believe this application is not malicious, you can add it to a list of approved applications in the Config\apiex.ini file using this format 'FilePath;[Optional MD5];Kevlar;0'
     Reason: KERNEL32.DLL!CreateFileA
     Action: Restart process
     Program: C:\Program Files\Internet Explorer\iexplore.exe
     Alert: Yes

    Disable the AP protection module and it will work fine...

    Today was a Root Cert Update - but it's not the install of the update but rather whatever MS is doing to scan for it... Here is the update it found to do today:

    Root Certificates Update

    Download size: 281 KB, less than 1 minute
    This item updates the list of root certificates on your computer to the latest list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. Adding additional root certificates to your computer enables the use of Extended Validation (EV) certificates in Internet Explorer 7, a greater range of security enhanced Web browsing, encrypted e-mail, and security enhanced code delivery.

    Hopefully this will help in solving this minor annoyance....
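One way to build and audit the approved-application entries the alert text refers to, as an added example written for this thread (Python, not Blink's or eEye's own code): the entry format 'FilePath;[Optional MD5];Kevlar;0' is taken verbatim from the alert above, but the layout of Config\apiex.ini as one entry per line, and the meaning of the "Kevlar" and "0" fields, are assumptions that this code does not interpret. The point for a defender is that filling in the optional MD5 pins the exception to one exact binary; a path-only entry approves whatever is later placed at that path, and audit_entries reports entries whose binary on disk no longer matches.

```python
import hashlib
import os
import tempfile

# Entry format quoted verbatim from the Blink alert text on this page:
#   'FilePath;[Optional MD5];Kevlar;0'
# What "Kevlar" and the trailing "0" mean is not explained on the page; this
# code treats them as fixed tokens and does not interpret them (assumption).
SUFFIX = "Kevlar;0"


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def approved_app_entry(path, pin_hash=True):
    """Build one apiex.ini line for `path`.

    With pin_hash=True the current MD5 of the binary is embedded, so the
    exception stops matching if the file on disk is ever replaced. With
    pin_hash=False the optional MD5 field is left empty (path-only exception).
    """
    digest = md5_of_file(path) if pin_hash else ""
    return f"{path};{digest};{SUFFIX}"


def parse_entry(line):
    """Split one entry into (path, md5_or_empty); None for comments/sections.

    Treating ';', '#' and '[' as non-entry line starts is an assumption about
    the file layout, not documented behaviour of Blink.
    """
    line = line.strip()
    if not line or line.startswith((";", "#", "[")):
        return None
    parts = line.split(";")
    if len(parts) != 4 or parts[2] != "Kevlar":
        return None
    return parts[0], parts[1].lower()


def audit_entries(ini_text):
    """Report, per entry, whether the binary on disk still matches it.

    Returns a list of (path, status) with status one of:
      "ok"        - MD5 in the entry matches the file on disk
      "unpinned"  - entry has no MD5, so any file at that path is approved
      "mismatch"  - MD5 in the entry differs from the file on disk
      "missing"   - no file exists at that path
    """
    report = []
    for line in ini_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        path, expected = entry
        if not os.path.isfile(path):
            status = "missing"
        elif expected == "":
            status = "unpinned"
        elif md5_of_file(path) == expected:
            status = "ok"
        else:
            status = "mismatch"
        report.append((path, status))
    return report


if __name__ == "__main__":
    # Constructed demo: a throwaway file standing in for iexplore.exe.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"MZ demo binary")
        demo = tmp.name
    ini = "\n".join([approved_app_entry(demo), approved_app_entry(demo, pin_hash=False)])
    print(ini)
    for path, status in audit_entries(ini):
        print(status, path)
    os.unlink(demo)
```

Run it against a copy of your own apiex.ini to list which exceptions are pinned, which are path-only, and which no longer match the binary they were written for.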
  • 07-28-2007 5:57 PM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    Brent:
     Reason: KERNEL32.DLL!CreateFileA

         My only guess is, whatever Windows Update was doing (my guess is it either attempted to modify or change that particular .DLL file to update it) and Blink obviously jumped on it. Sounds like a good catch to me, but it would make more sense if Blink had stopped it at any other time other than when you were intentionally doing a Windows Update.

         Seeing that Blink is doing its job and looking for the 'unknown' to prevent things from ever happening to begin with, it sounds like it was just a "cautious false-positive" decision by Blink. Maybe the eEye folks will need to look into creating an exception for it or tweaking it.

  • 07-30-2007 9:03 AM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    Yes pretty much why I posted it - just to bring it to their attention....and others in case they also might see this...

    I would not even mind simply disabling App protection before updates.... it's not like it is hard to do, just need to know why this would happen on only certain computers I use and not be consistent....

  • 07-30-2007 3:38 PM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    I would describe this event as very fishy. We are not aware of any case where IE would intentionally run code from writable memory.

     It could be caused by some plugins that you might have installed in IE (using Process Explorer to get a list of all DLLs would help you find them) or - and this is the worst case and less probable - your update server address has been hijacked in the hosts file and you are now being sent to a proxy server which is doing its malicious bidding.

    Regards
    Laurentiu Nicula
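The "worst case" above, a hosts-file override of the update server, is quick to rule out. The following is an added example written for this thread (Python, not eEye's code): it parses hosts-file text and reports any line that pins a Windows Update hostname to an address, whether a remote one (possible proxy) or loopback (updates silently blocked). The watch list of domain suffixes and the constructed sample file are assumptions for the demonstration; the path %SystemRoot%\System32\drivers\etc\hosts is the standard location of the file on Windows.

```python
import ipaddress
import os

# Domain suffixes whose hosts-file overrides we want to see. Starting list
# chosen for this example (assumption); extend it for your environment.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
)

# Constructed sample hosts file; line numbers are referenced by the findings.
SAMPLE_HOSTS = """\
# constructed sample hosts file for this example (not a real capture)
127.0.0.1       localhost
0.0.0.0         ads.example.invalid   # unrelated block-list entry
192.0.2.10      update.microsoft.com www.update.microsoft.com   # constructed redirect
192.0.2.10      v4.windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Return (ip, [hostnames], line_no) for each effective line of a hosts file.

    Comments after '#' are dropped, blank lines skipped, and a line whose first
    token is not a valid IP address is ignored rather than treated as an entry.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((str(ip), [h.lower() for h in parts[1:]], n))
    return entries


def is_watched(hostname):
    """True if hostname is a watched domain or any sub-host of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_update_overrides(text):
    """List every hosts entry that maps a watched update hostname.

    Each finding records the line number, the address, the matching hostnames
    and whether the address is loopback (an override that blocks the service
    rather than redirecting it).
    """
    findings = []
    for ip, names, n in parse_hosts(text):
        hits = [h for h in names if is_watched(h)]
        if hits:
            findings.append({
                "line": n,
                "ip": ip,
                "hosts": hits,
                "loopback": ipaddress.ip_address(ip).is_loopback,
            })
    return findings


def load_hosts_file(path=None):
    """Read the live hosts file; default path is the standard Windows location."""
    if path is None:
        system_root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(system_root, "System32", "drivers", "etc", "hosts")
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    try:
        text = load_hosts_file()
        source = "live hosts file"
    except OSError:
        text = SAMPLE_HOSTS
        source = "constructed sample"
    print(f"Checking {source}")
    for f in find_update_overrides(text):
        kind = "loopback (blocked)" if f["loopback"] else "remote (redirected)"
        print(f"line {f['line']}: {f['ip']} -> {', '.join(f['hosts'])} [{kind}]")
```

A clean machine produces no findings; on the constructed sample the two 192.0.2.10 lines are reported. Process Explorer, as suggested in the reply, covers the other half of the check (which DLLs are loaded in iexplore.exe); this script only covers the hosts file.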
  • 07-30-2007 7:50 PM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    I have to say this is now the only computer this has happened on or where the system has restarted all by itself... It has occurred also during malware scans on a machine I just did a brand new install of XP on yesterday....

    Installed XP Pro - did all the updates... etc etc

    Installed BLINK

    Ran a malware scan just for grins.... came back about a half hour later and it had restarted and was at the login screen..

    So though it's another issue, it seems that something triggers the reboot...

    This one I am talking about above is not a reboot but simply a crash of the IE browser, and it will do it again and again unless app protection is turned off... but the only log file entry is the one listed..

    I very much do not believe I am infected with anything - though it is possible - because anything is possible. I do not have any other issues with the machine and never had any issues running McAfee in the past 2-3 years with this machine..

    This machine is a Dell Precision Workstation: dual Xeon CPU 3.2 GHz with 2 GB of RAM
    XP Pro SP2 with all the latest updates...

    Now is there any possibility that a previous install of Spybot with Immunization run, or Ad-Aware, could be still conflicting, or possibly Google Toolbar etc?

  • 07-30-2007 11:07 PM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    Brent:
    I would not even mind simply disabling App protection before updates.... it's not like it is hard to do, just need to know why this would happen on only certain computers I use and not be consistent....

         Does it do it to you when you do updates by going to it via the Start button then selecting the Windows Update shortcut for you? I am guessing it still will since it is using IE regardless, but it's just a different idea as far as the way you approach it.

  • 07-31-2007 9:17 PM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    Vs. the TOOLS in the browser...

    I will try that.... sadly it does not occur with all updates.... only some - usually ones that are pertaining to root cert updates..

  • 08-14-2007 7:38 AM In reply to

    Re: Ok this is the third or 4th occurance of this issue...

    Is it possible for BLINK to assess the issue and report a more 'meaningful' error message? I don't feel like debugging my working machines to understand 'errors'.

    Thanks.

    JRF
© 1995 - 2009 eEye Incorporated