Known Issues and FAQs

If Your New to Blink, You Might Like to Read This.

Blue1978 — Thu, 14 May 2009 17:18:58 GMT

If your new to using Blink, I hope the following information will help you understand why it is a special all-in-one security suite that provides protection that other security vendors do not.

For those that may not know, the product that the company eEye Digital Security is most widely known for is the Vulnerability Assessment Tool called “Retina”. eEye, from day one, has focused all of its efforts on studying and creating security applications aimed soley at protecting Windows based server and client systems from attacks targeting software vulnerabilities. A list of their products can be found here:

http://www.eeye.com/html/products/index.html

eEye has a lot of very good articles on their website, all of which give the reader a basic understanding of the threats that Information Systems and users face today. Blink was designed specifically to protect from these types of threats and attacks. The main vector of attack that Blink focuses on protecting from, that about 95% of all other security applications fail to protect from, is explained about in this article:

“Shellcode Detection- An Additional Layer for File-Format Exploit Prevention”

http://www.eeye.com/html/resources/newsletters/versa/VE200905.html#techtalk

If you would like to read more of eEye's articles, they can be found here:

http://www.eeye.com/html/resources/newsletters/versa/index.html

eEye has "whitepapers" that can be downloaded and read after a simple registration form is filled out. An email will be sent to you with the download links to all of the other articles available (located here):

http://www.eeye.com/html/company/wp/index.html

The number one thing that a lot of people do not understand or realize, is that Blink is trying to protect from things that other security vendors are not - known and unknown vulnerabilities in software and the underlying Operating System itself. Quite frankly, this one of the hardest things to successfully do without creating a lot of false-positives. This is the main reason why you can not compare Blink (fairly) with the rest of the security applications available today. I am not intentionally trying to throw dirt on the other security products, because they too have their pros and cons, but they don't really "focus" on what attackers are using to enable them to download code and run it on a user's system. I like to reference one particular article that published by Computerworld, which explains why I am saying this. This also is why I am sitting here trying to promote and at the same time defend eEye Digital Security's Blink product.

The Computerworld article is located here:

http://www.computerworld.com/action/article.do?command=viewArticleBasi...mp;arti

The test results conducted by the security company Secunia (http://secunia.com/advisories/), referenced in the article, is downloadable from the following link:

http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

I tell a lot of people straight forward and in advance, unless you are a more advanced computer user, which understands the basics about protocols, how they work, and security principles in general, you will not get the most out of Blink and be able to appreciate it as much. I would honestly recommend to the everyday user that is NOT comfortable with running security applications and who rather be walked through everything like most security applications do, to not use Blink. If you like creating firewall, IPS, and other rules in general, you will learn to love Blink. Keep in mind when you run Blink on your system, you do not want any other security applications running with it. Blink has multiple layers of protection (7 layers) and was intended to be an all-in-one security suite. Adding anything else to your system will likely cause a lot of conflict and system stability issues.

So, with the information I have given so far, I wanted to point out a few unique areas of the Blink endpoint security suite that makes it special.

Today, vulnerabilities in software and the operating system are becoming the number one vector used to install malicious code on a system. A lot of this users do not realize is even happening.

1. Vulnerability Assessment - This is one feature that most all of the competition out there does not have. Blink has included Retina for free, which is built in and already configured to run and scan your local machine for vulnerabilities.

Retina meets a lot of the Security Compliancy Standards that exist today. To read more about these see the following link: http://www.eeye.com/html/compliance/index.html

- In this post (http://forums.eeye.com/forums/p/1017/4477.aspx#4477), a user shows an example of how Retina advises users of a Zero Day vulnerability that exists on a system.

2. Application Protection - A lot of security applications have generic "Application Protection" (I.e. protection aimed at stopping buffer overflows, etc) built into them. Most of these systems are limited, or you have to manually configure them which leaves too much room to misconfigure a system leaving it open to compromise. Blink's Application Protection is enabled for the system and everything on it. Think of this as an intelligent form of Data Execution Prevention (DEP). Blink's form protects from Heap, Stack, and Integer based buffer overflows.

3. IPS - Blink's IPS is unique. The main highlight of it, is that it uses Protocol Analysis for detecting intrusions. Protocol analysis is not offered in most security applications. It is mostly found being used in large business and enterprise based IDSs. When I say it uses Protocol Analysis, I do not mean it monitors the port (based on the protocl being used), it actually analyzes the protocol itself and how it is being utilized.

Second of all, Blink's IPS is not purely reactive, meaning; it reacts and BLOCKS things all the time (as most IPSs are defaulted to). Blink's IPS also allows you to simply configure rules to Alert on suspicious activity (as an IDS would do).
It does have the typical list of known attack signatures, but eEye has made it unique by hard coding into it their own unique Protocol Analyzers modules, referred to as "BAMs".

4. System Protection - This in a sense, is part of Blink Application protection capabilities, but is sub-sectioned into two categories (explained below). The System Protection monitors all of the API calls within the system looking for malicious calls and or process termination attempts (sometimes used by malicious code to disable a security system allowing it to install itself without resistance). The two subsections of System Protection are "Registry" and "Execution" protection. These monitor the registry and detect when something is misusing an execution process (if you want to think of it that way). For example, a maliciously crafted PDF file may contain shell code in it that is designed to execute when the user opens it. This in return will carry out another malicious funtcion whether downloading more malware or attempting to possibly escalate system privlages.

5. ActiveX Protection - This is the newest feature to be added to Blink. eEye has a patent pending ActiveX protection analyzer (BAM - "Blink Analyzer Module") built into the IPS. This now allows it to protect your system from one of the more abused aspects of Internet Explorer. A good description of ActiveX can be found in this eEye article:

http://www.eeye.com/html/resources/newsletters/versa/VE200903.html#techtalk

- Example of an Zero Day (ActiveX) exploit that Blink was able to stop without any signatures:

http://forums.eeye.com/forums/p/1017/4477.aspx#4477

* FINAL NOTE OF INTEREST: Because of the way Blink was designed to protect a system, it can be installed on any new Windows OS (i.e. newly installed without any updates performed) and then placed on the internet. Blink is able to protect it. This is hardly possible with very few (if any) of the other security applications out there.

As I stated before, Blink is designed to do one main thing, protect a system from Zero Day Exploits/Attacks. Other security applications are more focused on "detection" rates, still based on signatures. Yes, these have their place in security don't get me wrong, but this type of defense will not protect from a Zero Day. Blink does have a signature based AV/Spyware module in it (provided by Norman's AV), but once again that is not Blink's main purpose. Blink is trying to proactively protect you from the vulnerability that is being exploited, which is then used most of the time to elevate system privileges or to download more malicious code to the system locally. Most security applications seemed focused on "containment" after the infection has installed and ran itself. This is not actually mitigating or blocking the source of the problem. Quite frankly, with some of the stuff out there, once it executes you might as well re-image your machine and start over fresh.

Blink's AV component (which uses Norman's AV), has at times, been the source of some of the system slowdowns that some users experience. I will not lie about this, but this is due to a few different reasons. The main reason is, most AV products scan the file when it it accessed, moved, copied, read from, and written to. In Blink, a file is also analyzed and scanned while it is being executed. This is done through a Sandboxing technology built into Norman's AV. Using this Sandbox technology, eEye was able to create custom APIs to interface with the Sandbox allowing Blink to analyze a piece of code that was being run in the Sandbox. In numerous instances, this allows the detection of malicious code without requiring an AV signature to be made for it. Normally when this fuctions triggers the alert will have a name that starts with "W32/Malware".

An example: a user clicks on an Excel spreadsheet document to open it. Upon execution, the behavior is monitored in Norman's Sandbox. If it is found to do something malicious (i.e. attempt to make abnormal system changes, spawn new processes, or even beacon out to the internet), it will be flagged by Blink and the execution is prevented. So in essence, the Norman AV component in Blink is doing a lot more processing than your typical AV product is.

More information on Norman's Sandbox technology can be found here:

http://www.norman.com/technology/norman_sandbox/the_solution/en-us

In summary, Blink is not the fix to all problems, but the capabilities it provides (especially contained within one client appliation) far exceed what the competition offers when it comes to protecting a system from today's threats. Some users will attempt to install other security applications alongside Blink, this is not advised and for the most part it will end up creating a lot of headaches and frustrating. Blink has many layers of protection and quite frankly you don't need a lot more.

I hope after reading this, it helps some people understand what Blink is all about. It frustrates me to all ends when I see users saying, "I see Blink only detected 5 out of 10 Malware samples. I recommend AVG, not Blink." Okay, once again, Blink is not trying to compete in this area of expertise, Blink is trying to stop things from happening to your system (that are way more severe and unnoticeable by the user) than a simple Trojan installing itself.

==========================================================================================

If you would like to see some past reviews that have been done on Blink Professional, Personal, and Server Editions, please see the following forum post:

http://forums.eeye.com/forums/t/774.aspx

If you are curious to see some of the types of alerts that Bink shows when something suspicous is stopped, see the following forum post:

http://forums.eeye.com/forums/t/948.aspx

Blink Personal Edition can be downloaded from here:

http://download.cnet.com/eEye-Blink-Personal-Free-Complete-PC-Security/3000-2239_4-10658343.html?part=dl-113677&subj=dl&tag=button

LAST UPDATED ON: 02NOV09

How To Avoid The Error, "This license has already been used.", in Blink Personal Edition.

Blue1978 — Sun, 15 Mar 2009 23:07:23 GMT

This is for anyone that has purchased a single license or license package for Blink Personal Edition.

To save yourself the headache of dealing with the error message "This license has already been used", follow these steps if you intend to un-install Blink (before re-installing it) or you have to re-image or re-install your Windows OS for any given reason.

From Blink's Help menu at the top complete the following steps:

1. Go to "License Management"

2. Select the circle next to "Transfer License"

3. Click Next

4. Select the box at the bottom of the next screen that says "Yes, I want to remove my license from this machine."

5. Click Next and acknowledge any further prompts.

This should save you from going through any license related issues which will require you to contact eEye to have your license reset.

If your unable to complete the steps above, follow the steps given in this forum post for releasing your license:

http://forums.eeye.com/forums/p/992/4313.aspx#4313

How does Blink register its status with Windows Security Center

cimes — Fri, 15 Jun 2007 10:58:16 GMT

For Windows XP users, Blink registers its state with the Windows Security Center which is the small shield that remains minimized in the system tray notifying you of the status of various security essentials. "Firewall" and "Virus Protection" will report as "On" if the following conditions within Blink are met:

Firewall: On

1) System Firewall module is enabled, or

2) Application Firewall module is enabled, or

3) both System and Application Firewall is enabled

Virus Protection: On

Virus and Spyware Protection module (named Anti-Malware in version 3.0) AND On-Access Scanning is enabled.

Both have to be enabled to register with the Windows Security Center as "On"

How to check and modify the status of the Blink modules

1) You can check and modify the status of the modules from the "Quick Configuration" dialog box by selecting the keyboard shortcut: CTRL+Q.

2) The Virus and Spyware Protection (named Anti-Malware in version 3.0 or below) On-Access Scanning can be enabled and disabled from the "Options and Settings" dialog box as follows:

a) Select the keyboard shortcut: CTRL+O

b) From the "Virus and Spyware Protection" (or Anti-Malware) tab, you can modify the option "Enable On-Access Scanning"

"Internal Error 2738" received during installation

cimes — Thu, 07 Jun 2007 05:23:05 GMT

An "Internal error 2738" upon install indicates a Windows script error and often is either a result of the Microsoft Windows Script runtime not behaving properly or simply needs to be updated to the latest which is currently at version 5.6.

As a quick sanity check of your Windows Script installation, re-register vbscript.dll as follows:

1) Start -> Programs -> Accessories -> Command Prompt

2) At the command-line run the following:
regsvr32 %SystemRoot%\system32\vbscript.dll

3) You should get a separate prompt that it succeeded

Then reattempt the installation of Blink. If it should fail again with the same error, then (re)install Windows Script 5.6 obtaining it from the URL listed below. Just in case the link might not redirect properly, simply search Microsoft.com for: "Windows Script". Follow the instructions from Microsoft and once completed, again rerun the Blink Personal installation.

http://www.microsoft.com/downloads/details.aspx?FamilyId=C717D943-7E4B-4622-86EB-95A22B832CAA&displaylang=en

One of the above remediation steps should fix it for you; however, if it should fail again we would like to review some logs that can be obtained by running the executable from the command-line with additional parameters:

1) Start -> Programs -> Accessories -> Command Prompt

2) From the directory you saved BlinkConsumerSetup.exe run the following:
BlinkConsumerSetup.exe /L*v C:\BlinkInstall.log

3) Please send the file BlinkInstall.log (saved to the root directory of C:) to the email address:
blink.personal.eap@eeye.com

Thank you.

Vista compatibility expected by the end of the year

cimes — Thu, 07 Jun 2007 05:41:51 GMT

We anticipate having support for Microsoft Vista by the end of the year. Certainly it may come sooner, though. We will keep everyone informed of our progress and will update everyone when a more specific timeline is available. In the meantime, our current product requirements are:

Blink Personal

Windows 2000 (All workstation versions)
Windows XP 32-bit
Windows Tablet PC
Windows Media Center

Blink Professional

Windows NT4 (SP6 or higher)
Windows 2000 (All service packs)
Windows 2003 32-bit (All service packs)
Windows XP 32-bit (All service packs)
Windows Tablet PC (All service packs)
Windows Media Center (All service packs)

FIX: Malware might get deleted due to insufficient storage space

lnicula — Sat, 03 Nov 2007 02:59:45 GMT

A malware might be deleted if is quarantined and is large enough to exceed the size limit imposed on the Quarantine storage (by default 20 MB).

A solution is to increase the Quarantine Folder size (in Options and Settings -> Virus and Spyware Protection) to a much larger size such as 200 MB. See the attached picture for a quick how to.

Increase the selected value to 200000 for 200MB.

Potential incompatibility with Webroot Spy Sweeper

lnicula — Wed, 24 Oct 2007 00:46:12 GMT

While testing Blink 3.5 we found cases where Blink service failed to be stopped when Webroot Spy Sweeper was running. This seems to be consistent with what other users reported regarding failed Blink updates. What happens is that for some updates the Blink service needs to be restarted and as it fails to be stopped the update fails as well. Other consequences could be that the entire system freezes as a result.

We are still investigating this and will update the post when we have more data.

"Protection Error" appears when trying to run certain software

cimes — Tue, 19 Jun 2007 07:10:02 GMT

Protection Error
Error: <3 digit number>

This error may appear when executing certain third-party software while Blink is running (the 3 digit number which differs amongst the affected software is largely irrelevant). We are reviewing this incompatibility and are looking into a permanent solution; specifically, Blink's Application Protection module is not compatible with some uses of the ASPack compression and protection software which is being utilized by some software vendors that license it. It is also worth noting that there will not a Blink event generated in this specific scenario. For now, the work-around is to exclude the application: procname.xyz by adding an entry in the Blink configuration file: apiex.ini as follows:

1) From Windows Explorer, navigate to the file apiex.ini located within the following folder (default installation path listed):

C:\Program Files\eEye Digital Security\Blink\Config\

2) Open the file within Window's Notepad utility (or your preferred text editor) by right-clicking the file and selecting "Open" (or "Open With")

3) Scroll to the bottom of the file and on a separate line add the following entry:

*\procname.xyz;;Kevlar;0

Just a few comments about the required syntax (please also refer to the file itself which is well commented with additional examples):
a) Note the use of consecutive semi-colons. Blink expects the exact number of fields properly delimited; optionally, we could have also included the MD5 hash of the file (will describe later in a FAQ) which would be inserted between the semi-colons.
b) That is a zero at the end which instructs Blink to ignore the process.
c) Alternatively, you can specify the absolute path of the process.

4) Save the file. Blink will now need to be informed of the manual modifications. A shortcut (candidate for the "Tips and Tricks" forum) to shutting down Blink entirely and restarting it is to:

a) With Blink still running, open the "Options and Settings" dialog box (CTRL+O)

b) Simply click "OK"

Finally, rerun the affected software and the error should no longer appear.

Blink's too much on old, slow computer

wtre44 — Mon, 09 Jul 2007 03:31:17 GMT

Have 2 computers. Older one is very slow and constipated with Blink. Uses more resources than my previous solution of Avast! antivirus, Windows Defender, and Kerio personal firewall. Had to uninstall it. Newer computer can handle it fine. Both run XP Sp2.

Scheduled task did not finish within seconds and was forcibly stopped.

batman23 — Sun, 10 Jun 2007 21:27:45 GMT

I have been trying to finish a malware scan on my XP Pro PC and I keep getting a Scheduler Error. This is the logged result

Event ID:	BLINK-ENG-601
Severity:	High
Description:	Scheduler error
Alert:	No
Error Message:	Scheduled task 'MalwareScan' did not finish within 28800 seconds and was forcibly stopped.

What can I do to correct this?

Blink Does Not Start -> Error Starting Blinkrm COM interfaces

lnicula — Wed, 06 Jun 2007 02:29:10 GMT

We have a potential fix for this problem which can be sent to users having this issue for a fix confirmation

Please send an email to blink.personal.eap@eeye.com if you want to try out the fix.

Thanks!

Stealth Mode

Huangker — Thu, 07 Jun 2007 02:31:02 GMT

I've refered to KB000549 and I'm still rather confused? What exactly does stealth mode do? Does it drop all incoming unsolicited packets TCP and UDP packets? What about ICMP?