
eEye Digital Security


Error report

Last post 10-20-2008 2:05 PM by Blue1978. 12 replies.
Page 1 of 1 (13 items)
  • 10-12-2008 11:35 AM

    Error report

    Since I upgraded to Blink 4.1.1 a couple of days ago I have received the following error 5 times:

     Event ID: BLINK-APP-100
     Severity: High
     Description: Blink detected a suspicious system call.
     Reason: Attempting to infiltrate Kevlar memory
     Action: Restart process
     Program: C:\Games\WoW\Wow.exe

    It shuts World of Warcraft down completely, and suggests reporting the issue to eEye.  I didn't see anything on the site showing how to report errors, so I'm posting it here.

  • 10-12-2008 1:04 PM In reply to

    Re: Error report

    Sounds like Blink's Application Protection Engine (aka "Kevlar") does not like something in WoW's behavior.  It is probably not malicious, but is triggering because of the way it accesses memory.  You can exclude that path in WoW from Kevlar for the time being if you wish to do so by following this:

    http://forums.eeye.com/forums/p/54/140.aspx#140

  • 10-12-2008 1:08 PM In reply to

    Re: Error report

    Please disable the Application Protection engine until this gets resolved early next week.

    Regards
    Laurentiu Nicula
  • 10-12-2008 1:19 PM In reply to

    Re: Error report

    Nicula,

         Is there something in particular going on that is being worked currently and that is why this triggered then?

  • 10-12-2008 1:31 PM In reply to

    4.1.1 Application protection solution

    The stricter policy from Blink Professional has been shipped with Blink Personal 4.1.1. Until this gets corrected, many games or DRM-ed applications will trigger the Application protection module. We will fix this early next week.

     In the meantime, the easiest thing to do is to disable the Application Protection Module or manually replace the configuration file. Attached to this post is the file. To replace it:

    1. Stop Blink
    2. Copy the apiex.dat file into this folder: "c:\Program Files\eEye Digital Security\Blink\Config"
    3. Start Blink

     

    Regards
    Laurentiu Nicula
  • 10-12-2008 1:42 PM In reply to

    Re: 4.1.1 Application protection solution

         Ahh, alright, that makes sense...I did notice a difference in "attitude" when I compared my Blink Professional on my main system with the Personal Edition's behavior running in a VM.  In the meantime, can you point me to a link to the Knowledgebase article about modifying the apiex.ini file?  The old one I used to reference is not working.  Has the name of the file also changed to apiex.dat now instead of .ini?  I have not really paid attention lately to that.

         Are there any plans in progress for upgrading or improving Kevlar's detection capabilities, or is eEye still trying to just fine-tune it in the meantime?

  • 10-13-2008 4:17 PM In reply to

    Re: 4.1.1 Application protection solution

    The dat file is the default policy while the ini file is user modifiable.

     We are still tweaking it and in the future will find a way to cut down on false positives so we can enforce a stricter policy and offer a stronger protection.

    Regards
    Laurentiu Nicula
  • 10-15-2008 9:55 PM In reply to

    Re: 4.1.1 Application protection solution

    Outstanding, good to know.  My Blink Professional one (4.1.1) does look a bit different from the Personal Edition (4.1.2).  Is the Professional one supposed to have more exclusions (as it seems from below)?  I thought it was supposed to have a tighter configuration; however, my whitelist seems to have more stuff in it...especially entries for games that to me the Professional Edition (for enterprises) would not need to have in it.  Did something get switched by accident here?

    ============================================================================

    Blink Professional 4.1.1 apiex.dat file: 

    ###########################################################
    #
    #         Blink Exception Rules
    #
    #        DO NOT ALTER THIS FILE
    #
    #   This file might be regenerated by Blink during
    #               the update process
    #
    #    To create custom exceptions, use the apiex.ini
    #             file in the same directory
    #
    #
    #  
    ###########################################################

    ##################################################
    #Rules
    ##################################################

    #Disable WindowsHookEx checks
    *;;SetWindowsHookEx;0
    %SystemRoot%\system32\drwtsn32.exe;;WriteProcessMemory;0
    %ProgramFiles%\Internet Explorer\iexplore.exe;;WriteProcessMemory;0


    #default Application Protection rules
    %SystemRoot%\system32\lsass.exe;;Kevlar;4
    %SystemRoot%\system32\svchost.exe;;Kevlar;4
    %SystemRoot%\system32\csrss.exe;;Kevlar;0
    %SystemRoot%\system32\services.exe;;Kevlar;4

    inetinfo.exe;;Kevlar;2
    Java.exe;;Kevlar;0

    #Some HP spooling processes are triggering Application Protection, avoid them
    %SystemRoot%\system32\spool\*;;Kevlar;0

    #protect Blink processes
    *blinksvc.exe;;TerminateProcess;1
    *blinkrm.exe;;TerminateProcess;1
    *eeyeevnt.exe;;TerminateProcess;1
    %ProgramFiles%\Protector Suite QL\*;;WriteProcessMemory;0
    %ProgramFiles%\Fingerprint Reader Suite\psqltray.exe;;WriteProcessMemory;0

    #allow Windowes Update update.exe to do hotpatching
    %SystemRoot%\SoftwareDistribution\Download\*\update.exe;;WriteProcessMemory;0

    #
    # Application Protection Whitelist
    #
    *\Dreamweaver.exe;;Kevlar;0
    %ProgramFiles%\iTunes\*;;Kevlar;0
    *\Yahoo! Games\*;;Kevlar;0
    *Diner Dash*;;Kevlar;0
    *Carrie the Caregiver.exe;;Kevlar;0
    *\GameGuard\*;;Kevlar;0
    *\UnrealTournament\System\UnrealTournament.exe;;Kevlar;0
    *\Civilization 4\Civilization4.exe;;Kevlar;0
    *\Heroes of Might and Magic*;;Kevlar;0
    *\masm32\finst.exe;;Kevlar;0
    *\masm32\qeditor.exe;;Kevlar;0
    *muBlinder.exe;;Kevlar;0
    *\Firaxis Games\*;;Kevlar;0
    *\Activision\*;;Kevlar;0
    *\Ad Muncher\AdMunch.exe;;Kevlar;0
    *\Adaptec\EASY CD CREATOR 5\SOUNDSTREAM\sndstrm.exe;;Kevlar;0
    *\Adesso Systems\Adesso\AdessoDownloadManager.exe;;Kevlar;0
    *\Age of Wonders II\AoW2.exe;;Kevlar;0
    *\Album Cover Finder\Album Cover Finder.exe;;Kevlar;0
    *\AnswersThatWork\*;;Kevlar;0
    *\AntiVir PersonalEdition Classic\avnotify.exe;;Kevlar;0
    *\AOL Games\*;;Kevlar;0
    *\ASCOMP Software\BackUp Maker\bkmaker.exe;;Kevlar;0
    *\Atari\*;;Kevlar;0
    *\ATI Technologies\*;;Kevlar;0
    *\Atlantis Sky Patrol\AtlantisSkyPatrol.exe;;Kevlar;0
    *\AusLogics BoostSpeed\*;;Kevlar;0
    *\Authentic-ID\Toolbar\ServicesNotify.exe;;Kevlar;0
    *\AVS4YOU\*;;Kevlar;0
    *\AVSMedia\*;;Kevlar;0
    *\AWS\WeatherBug\Weather.exe;;Kevlar;0
    *\Bookworm Deluxe\BookWorm.exe;;Kevlar;0
    *\Borland\*;;Kevlar;0
    *\Bullfrog\*;;Kevlar;0
    *Call of Duty*;;Kevlar;0
    *\CCP\EVE\*;;Kevlar;0
    *\Common Files\Autodesk Shared\acstart16.exe;;Kevlar;0
    *\Common Files\AVSMedia\UploaderService\AVSUploaderService.exe;;Kevlar;0
    *DotNetInstaller.exe;;Kevlar;0
    *\Microsoft Shared\VS7Debug\MDM.EXE;;Kevlar;0
    *Symantec*;;Kevlar;0
    *\Deep Silver\*;;Kevlar;0
    *\DISC\*;;Kevlar;0
    *\Dynex Wireless G Adapter\WLService.exe;;Kevlar;0
    *\EA Games\*;;Kevlar;0
    *\EA SPORTS\*;;Kevlar;0
    *\Electronic Arts\*;;Kevlar;0
    *\Evidence Eliminator\Ee.exe;;Kevlar;0
    *Filetopia.exe;;Kevlar;0
    *\Firaxis Games\*;;Kevlar;0
    *\Firefly Studios\*;;Kevlar;0
    *\F-Secure\*;;Kevlar;0
    *\Hasbro Interactive\*;;Kevlar;0
    *\HealthMonitor\HealthMonitor.exe;;Kevlar;0
    *\Hexacto Games\Lemonade Tycoon\Lemonade.exe;;Kevlar;0
    *\HP\*;;Kevlar;0
    *\IDA\ida.exe;;Kevlar;0
    *WlanUtl.exe;;Kevlar;0
    *ImgBurn.exe;;Kevlar;0
    *ImgBurn.exe;;Kevlar;0
    *\IMSafer\bin\imsc.exe;;Kevlar;0
    *\IncrediMail\bin\IncMail.exe;;Kevlar;0
    *\Infinite Mind LC\eyeQ\eyeQ.exe;;Kevlar;0
    *\Infogrames Interactive\*;;Kevlar;0
    *\InterVideo\Home Theater\IHT.exe;;Kevlar;0
    *IObit SmartDefrag.exe;;Kevlar;0
    *\iWin.com\*;;Kevlar;0
    *BackgroundSwitcher.exe;;Kevlar;0
    *JSBuilder.exe;;Kevlar;0
    *\Kingsoft\PowerWord 2006\XDICT.EXE;;Kevlar;0
    *\K-Lite Codec Pack\Media Player Classic\mplayerc.exe;;Kevlar;0
    *\Kodak\Printer\Center\KodakSvc.exe;;Kevlar;0
    *\Lenovo\system update\suservice.exe;;Kevlar;0
    *\Lighthouse Interactive\*;;Kevlar;0
    *\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe;;Kevlar;0
    *\LucasArts\*;;Kevlar;0
    *\Maxis\*;;Kevlar;0
    *\McAfee\MBK\MBackMonitor.exe;;Kevlar;0
    *\McAfee\MBK\McAfeeDataBackup.exe;;Kevlar;0
    *\Media Player Classic\mplayerc.exe;;Kevlar;0
    *\Microsoft Baseline Security Analyzer 2\mbsacli.exe;;Kevlar;0
    *\Microsoft Experience Pack\*;;Kevlar;0
    *\Microsoft Expression\*;;Kevlar;0
    *\Microsoft Games\*;;Kevlar;0
    *\Microsoft Small Business\Small Business Accounting 2007\SBA.exe;;Kevlar;0
    *\Microsoft Small Business\Small Business Accounting 2007\SBAAccountantHost.exe;;Kevlar;0
    *\Microsoft Time Zone\TimeZone.exe;;Kevlar;0
    *\Network Associates\VirusScan\*;;Kevlar;0
    *\Norton Ghost\*;;Kevlar;0
    *\Norton Personal Firewall\IAMAPP.EXE;;Kevlar;0
    *\Norton SystemWorks\Speed Disk\NOPDB.EXE;;Kevlar;0
    *notepad++.exe;;Kevlar;0
    *\OO Software\CleverCache\*;;Kevlar;0
    *\OSS\MediaConverterPro\01B92E9.DLL;;Kevlar;0
    *\PacketVideo\PVAuthor\pvauthor.exe;;Kevlar;0
    *\PacketVideo\PVPlayer\PVPlayer.exe;;Kevlar;0
    *\Paint.NET\PaintDotNet.exe;;Kevlar;0
    *\PartyGaming\PartyGaming.exe;;Kevlar;0
    *\Pinnacle\*;;Kevlar;0
    *\Plextor\PTPXL\PTPXL.exe;;Kevlar;0
    *\Pogo Games\*;;Kevlar;0
    *\PowerArchiver\POWERARC.EXE;;Kevlar;0
    *\PowerISO\PowerISO.exe;;Kevlar;0
    *\Quest Software\Toad for SQL Server 2.0\Toad.exe;;Kevlar;0
    *\Red Storm Entertainment\*;;Kevlar;0
    *\Roxio\MyDVD\MyDVD.EXE;;Kevlar;0
    *\RssReader\RssReader.exe;;Kevlar;0
    *\Secure Data Organizer\SecureDataOrganizer.exe;;Kevlar;0
    *\Sierra Online\*;;Kevlar;0
    *\Sierra\*;;Kevlar;0
    *SkyAnytime.exe;;Kevlar;0
    *\Skype\Phone\Skype.exe;;Kevlar;0
    *\SlimBrowser\sbrowser.exe;;Kevlar;0
    *BlackWidow.exe;;Kevlar;0
    *\Sony Pictures Games\*;;Kevlar;0
    *\Sony\SonicStage\Omgjbox.exe;;Kevlar;0
    *SoundTaxi.exe;;Kevlar;0
    *\SpellForce\*;;Kevlar;0
    *\Spybot - Search & Destroy\TeaTimer.exe;;Kevlar;0
    *spyzooka.exe;;Kevlar;0
    *\Steam\*;;Kevlar;0
    *\Strategy First\*;;Kevlar;0
    *\Sygate\SPF\Smc.exe;;Kevlar;0
    *Alcohol.exe;;Kevlar;0
    *StyleXPService.exe;;Kevlar;0
    *SETGUN.EXE;;Kevlar;0
    *THEGUN.EXE;;Kevlar;0
    *\THQ\*;;Kevlar;0
    *\thriXXX\*;;Kevlar;0
    *\Titanium Soft\Snap\Snap.exe;;Kevlar;0
    *\Tomb Raider - Legend\trl.exe;;Kevlar;0
    *\Trend Micro\Anti-Spam\TMAS_OL.exe;;Kevlar;0
    *\Turbine\*;;Kevlar;0
    *\Ubi Soft\*;;Kevlar;0
    *\Ubisoft\*;;Kevlar;0
    *\UltraEdit\uedit32.exe;;Kevlar;0
    *\Webroot\*;;Kevlar;0
    *\Winamp\winamp.exe;;Kevlar;0
    *XPRepairPro.exe;;Kevlar;0
    *\Yahoo! Games\*;;Kevlar;0
    %SystemRoot%\Microsoft.NET\Framework\*;;Kevlar;0
    %SystemRoot%\PCHealth\HelpCtr\Binaries\helpctr.exe;;Kevlar;0
    *DellWirelessWrapper.exe;;Kevlar;0
    %SystemRoot%\System32\logonui.exe;;Kevlar;0
    *\GTA5\*;;Kevlar;0
    *\AusLogics Disk Defrag\diskdefrag.exe;;Kevlar;0
    *\World of Warcraft\*;;Kevlar;0
    %SystemRoot%\*.SCR;;Kevlar;0
    %SystemRoot%\system32\*.SCR;;Kevlar;0
    *\gametap.exe;;Kevlar;0
    *\Skype\Phone\Skype.exe;;Kevlar;0
    %SystemRoot%\System32\rundll32.exe;;Kevlar;0
    %SystemRoot%\Temp\*.tmp;;Kevlar;0
    %SystemRoot%\system32\wbem\wmiprvse.exe;;Kevlar;0
    %SystemRoot%\system32\slsvc.exe;;Kevlar;0
    *retinaengine.exe;;Kevlar;0
    *VProConsole.exe;;Kevlar;0

    #IPS rules
    %ProgramFiles%\Skype\Phone\Skype.exe;;IPS;0
    %ProgramFiles%\NewsLeecher\newsLeecher.exe;;IPS;0
    *utorrent.exe;;IPS;0
    *Azureus.exe;;IPS;0

     =============================================

    Blink Personal Edition apiex.dat file supplied above from Nicula: 

    ###########################################################
    #
    #         Blink Exception Rules
    #
    #        DO NOT ALTER THIS FILE
    #
    #   This file might be regenerated by Blink during
    #               the update process
    #
    #    To create custom exceptions, use the apiex.ini
    #             file in the same directory
    #
    #
    #  
    ###########################################################

    ##################################################
    #Rules
    ##################################################


    # Default Application Protection rules
    # The following rules specify which applications to protect - (OptIn list)
    # The last rule in this set excludes everything else
    # To create exceptions, change the apiex.ini file as it is loaded before this one and its rules
    # have precedence over these rules

    *\inetinfo.exe;;Kevlar;2
    *\Acrobat.exe;;Kevlar;5
    *\AcroRd32.exe;;Kevlar;5
    *\Illustrator.exe;;Kevlar;5
    *\Photoshop.exe;;Kevlar;5
    *\Adobe Premiere Pro.exe;;Kevlar;5
    *\reader_sl.exe;;Kevlar;5
    *\AIM\aim.exe;;Kevlar;5
    *\AIM6\aim6.exe;;Kevlar;5
    *\Microsoft Office\*;;Kevlar;5
    *\Corel\WordPerfect Office 2002\Programs\wpwin10.exe;;Kevlar;5
    *\Free Download Manager\fdm.exe;;Kevlar;5
    *\Google\Google Desktop Search\GoogleDesktop.exe;;Kevlar;5
    *\Internet Explorer\IEXPLORE.EXE;;Kevlar;5
    *\iTunes\iTunes.exe;;Kevlar;5
    *\iTunes\iTunesHelper.exe;;Kevlar;5
    *\Messenger\msmsgs.exe;;Kevlar;5
    *\Mozilla Firefox\firefox.exe;;Kevlar;5
    *\MSN\MSNCoreFiles\msn6.exe;;Kevlar;5
    *\MSN Messenger\msnmsgr.exe;;Kevlar;5
    *\MySpace\IM\MySpaceIM.exe;;Kevlar;5
    *\program\soffice.bin;;Kevlar;5
    *\program\soffice.exe;;Kevlar;5
    *\Outlook Express\msimn.exe;;Kevlar;5
    *\Safari\Safari.exe;;Kevlar;5
    *\winamp.exe;;Kevlar;5
    *\Windows Media Player\wmplayer.exe;;Kevlar;5
    *\Yahoo!\Messenger\YahooMessenger.exe;;Kevlar;5
    *\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe;;Kevlar;5
    %SystemRoot%\explorer.exe;;Kevlar;5
    *\ethereal.exe;;Kevlar;5
    *\javaws.exe;;Kevlar;5
    *\mplay32.exe;;Kevlar;5
    *\mplayer2.exe;;Kevlar;5
    *\pptview.exe;;Kevlar;5
    *\ppviewer.exe;;Kevlar;5
    *\wdviewer.exe;;Kevlar;5
    *\winhlp32.exe;;Kevlar;5
    *\wireshark.exe;;Kevlar;5
    *\wordpad.exe;;Kevlar;5
    *\xlviewer.exe;;Kevlar;5
    *\BO tester\*;;Kevlar;5
    *\QuickTimePlayer.exe;;Kevlar;5
    *\realplay.exe;;Kevlar;5
    *\trillian.exe;;Kevlar;5
    *\Opera.exe;;Kevlar;5
    *\Winzip.exe;;Kevlar;5
    *\WinRar.exe;;Kevlar;5

    *;;Kevlar;0

    #protect Blink processes
    *blinksvc.exe;;TerminateProcess;1
    *blinkrm.exe;;TerminateProcess;1
    *eeyeevnt.exe;;TerminateProcess;1
    %ProgramFiles%\Protector Suite QL\*;;WriteProcessMemory;0

    #allow Windowes Update update.exe to do hotpatching
    %SystemRoot%\SoftwareDistribution\Download\*\update.exe;;WriteProcessMemory;0

    #Disable WindowsHookEx checks
    *;;SetWindowsHookEx;0
    %SystemRoot%\system32\drwtsn32.exe;;WriteProcessMemory;0
    %ProgramFiles%\Internet Explorer\iexplore.exe;;WriteProcessMemory;0

    #IPS rules
    %ProgramFiles%\Skype\Phone\Skype.exe;;IPS;0
    %ProgramFiles%\NewsLeecher\newsLeecher.exe;;IPS;0
    *utorrent.exe;;IPS;0
    *Azureus.exe;;IPS;0

  • 10-20-2008 1:06 PM In reply to

    Re: 4.1.1 Application protection solution

    The Blink Professional policy protects everything unless explicitly excluded (all those items in your policy are excluded) whereas Blink Personal only protects the specified processes and everything else is excluded.

    Regards
    Laurentiu Nicula
  • 10-20-2008 1:48 PM In reply to

    Mick (joined 10-19-2008, 6 posts)

    Re: 4.1.1 Application protection solution

    Thank you for this information, lnicula.  Makes me glad I opted for the professional version...

  • 10-20-2008 1:53 PM In reply to

    Re: 4.1.1 Application protection solution

    lnicula:
    The Blink Professional policy protects everything unless explicitly excluded (all those items in your policy are excluded)

    Okay, but here is my question, if I am running Blink Professional (which I am) why do I have all of those exclusions for things that should be in the Personal Edition only (i.e. the games and many other odds and ends I noted above)?  Shouldn't Blink Professional have almost nothing excluded?  If this is the case, it seems Blink Professional has what the Personal Edition should have and vice versa.

  • 10-20-2008 2:01 PM In reply to

    Re: 4.1.1 Application protection solution

    Blink Professional excludes many games and applications we found to be conflicting with it, to assist users running Blink Pro on their home computers (like you).

    In Blink Personal, there is no need to exclude all those (as that's the default action), so it is only including what needs to be protected.

    The value at the end of the rule means Disabled if it is 0 and Enabled if it is anything other than 0.

     

    Regards
    Laurentiu Nicula
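    The two apiex.dat files quoted above and the explanation of the trailing value together describe a small rule language: one `<path glob>;;<check>;<value>` line per rule, 0 disabling the named check for matching programs and anything else enabling it, user rules in apiex.ini consulted ahead of apiex.dat, and the Personal file closing with `*;;Kevlar;0` so that anything not opted in is excluded. The Python below is an added example written for this thread; it is not eEye's code and not any file attached here. It models the matching with constructed excerpts of both policies and a constructed environment, and assumes case-insensitive globbing, `%VAR%` expansion from the environment, first-match-wins ordering with apiex.ini before apiex.dat, and a non-zero default for the Professional policy to reflect "protects everything unless explicitly excluded". One thing it makes visible: the whitelist entry `*\World of Warcraft\*` matches the game's default install folder but not the reporter's `C:\Games\WoW\Wow.exe`, which is why an exclusion in apiex.ini was the suggested workaround.

```python
"""Model of Blink apiex.dat / apiex.ini exception-rule matching.

Added example, not eEye's code. Rule syntax follows the files quoted in the
thread: ``<path glob>;;<check>;<value>``; value 0 disables the check for
matching programs, any other value enables it. Matching semantics below
(case-insensitive globs, %VAR% expansion, apiex.ini before apiex.dat,
first match wins, non-zero default for the Professional policy) are
assumptions drawn from the file comments and the replies in the thread.
"""
import re

# Constructed excerpt modelled on the Blink Professional policy quoted above.
PRO_DAT = r"""
#default Application Protection rules
%SystemRoot%\system32\lsass.exe;;Kevlar;4
%SystemRoot%\system32\csrss.exe;;Kevlar;0

# Application Protection Whitelist
*\World of Warcraft\*;;Kevlar;0
*\Steam\*;;Kevlar;0

#IPS rules
*utorrent.exe;;IPS;0
"""

# Constructed excerpt modelled on the Blink Personal opt-in policy quoted above.
PERSONAL_DAT = r"""
# OptIn list: only these are protected; the last rule excludes everything else
*\inetinfo.exe;;Kevlar;2
*\Internet Explorer\IEXPLORE.EXE;;Kevlar;5
*\Mozilla Firefox\firefox.exe;;Kevlar;5
%SystemRoot%\explorer.exe;;Kevlar;5
*;;Kevlar;0
"""

# Constructed stand-in for the Windows environment variables the rules reference.
ENV = {"SystemRoot": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}


def parse_rules(text):
    """Return (pattern, check, value) tuples; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(";;")
        check, _, value = rest.partition(";")
        rules.append((pattern, check, int(value)))
    return rules


def expand(pattern, env=ENV):
    """Expand %VAR% references such as %SystemRoot% and %ProgramFiles%."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), pattern)


def glob_to_regex(pattern):
    """'*' matches any run of characters (backslashes included), '?' one character.

    Everything else is literal, so names like 'Yahoo! Games' or
    'Spybot - Search & Destroy' need no special handling.
    """
    parts = re.split(r"([*?])", pattern)
    body = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def matches(pattern, path, env=ENV):
    return glob_to_regex(expand(pattern, env)).match(path) is not None


def effective_value(path, check, dat_rules, ini_rules=(), default=1):
    """First matching rule for `check` wins; apiex.ini rules are tried first
    (assumption: the file header says the ini is loaded before the dat and
    takes precedence). `default` applies when nothing matches: non-zero for
    the Professional policy, which protects everything not excluded; the
    Personal file never reaches it because it ends with '*;;Kevlar;0'."""
    for pattern, rule_check, value in list(ini_rules) + list(dat_rules):
        if rule_check.lower() == check.lower() and matches(pattern, path):
            return value
    return default


def is_protected(path, check, dat_rules, ini_rules=(), default=1):
    return effective_value(path, check, dat_rules, ini_rules, default) != 0


if __name__ == "__main__":
    pro = parse_rules(PRO_DAT)
    personal = parse_rules(PERSONAL_DAT)
    wow = r"C:\Games\WoW\Wow.exe"  # the path from the original error report
    # The whitelist entry names the default folder, so this custom path stays protected.
    print("Pro, C:\\Games\\WoW\\Wow.exe protected:", is_protected(wow, "Kevlar", pro))
    print("Pro, default install folder protected:",
          is_protected(r"C:\Program Files\World of Warcraft\Wow.exe", "Kevlar", pro))
    # A user exclusion in apiex.ini (hypothetical content) takes precedence over the dat.
    ini = parse_rules(r"C:\Games\WoW\*;;Kevlar;0")
    print("Pro with apiex.ini exclusion protected:", is_protected(wow, "Kevlar", pro, ini))
    print("Personal, firefox value:",
          effective_value(r"C:\Program Files\Mozilla Firefox\firefox.exe", "Kevlar", personal))
    print("Personal, Wow.exe value:", effective_value(wow, "Kevlar", personal))
```

    Run it as a script to see both policies evaluated against the reporter's path; to check a different machine's policy, paste the real apiex.dat and apiex.ini contents into the two strings and adjust `ENV` to that machine's values. The default of 1 for the Professional policy is only a stand-in for "enabled"; the real enabled values in the file (2, 4, 5) are not explained in the thread.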
  • 10-20-2008 2:05 PM In reply to

    Re: 4.1.1 Application protection solution

    Nicula,

         I see, so all of these exclusions had to be added because Blink Professional was more picky, hence these applications caused issues I assume?  So in Blink Personal Edition are these all "hardcoded" as being excluded, hence the exceptions are not added as they are in the Professional Edition?

         If a program is excluded from the Application Protection, let's say the main Windows Media Player executable (wmedia.exe), does that now mean if something malicious is pulled down via a media stream you are now out of luck for the Application Protection engine protecting you from anything malicious that this code may have in it?

© 1995 - 2009 eEye Incorporated