Partial Protection Only

[nkrontir 0]

After the recent upgrade, Surf Protection, File Guard and Behavior Blocker are disabled and cannot be enabled. This is true for any of the methods that can be used to enable any one or all of these components (from the icon-> protection status->enable all components, from the icon->protection status-> enable file guard, from the UI->Protection->Activate File Guard, etc).

 

Any clues?

 

Thanks.

 

[Fabian Wosar 390]

Hello nkrontir,

It looks like something went wrong during the installation of the latest drivers during the last update. To diagnose and remove the left over old drivers, I would require a log of our dedicated cleaning utility from you. Please download Emsiclean from this link (be sure to save it on your Desktop), and follow the instructions below to get me a log:

• Run the Emsiclean download that you saved on your Desktop.
• Read the disclaimer. Note that you must agree to it in order to proceed.
• Once the scan is finished, simply exit Emsiclean, and do not remove anything.
• A new file will be saved on your Desktop with a log of what was detected. Please attach that to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

Thanks!

[nkrontir 0]

Please find attached the requested file.

 

Thanks.

EmsiClean_2015.03.03_16.25.56.txt

[Fabian Wosar 390]

Hello nkrontir,

Any chance I could look at your system via TeamViewer or some other remote access solution?

[nkrontir 0]

Sure, could you give me a few minutes to finish something that I'm working on first please?

[Fabian Wosar 390]

Take your time. There is no need to hurry. Once you have 30 minutes or so of free time, download the TeamViewer QuickSupport module from here:

 

http://www.teamviewer.com/en/download/windows.aspx

 

Once you run it, it will display an ID and a password. Just send me both via private message and I will be able to connect to your system.

[nkrontir 0]

Please let me know when there's an update on the issue.

[Fabian Wosar 390]

I will. Based on the dump you have some other file system filter drivers installed. We are currently testing all of them if there are any incompatibilities as your case is currently unfortunately the only report we have.

[Fabian Wosar 390]

I looked closer into your case today. The problem is the fact that you are using Windows XP with a lot of software that installs a process creation notification routine. These routines are essentially callbacks that are called by Windows whenever a process starts. The problem is, that on Windows XP only a maximum of 8 such callbacks can be installed. On your systems the 8 callbacks are already taken:

[*] PspCreateProcessNotifyRoutine:
     Procedure: 0xFFFFFFFFB34DD130 (nv4_mini) 
     Procedure: 0xFFFFFFFFAE396DAC (pfmfs_463!ReleaseForCcFlush) 
     Procedure: 0xFFFFFFFFAE19279E (fwtdi32!Create_Process_Notify_Routine) 
     Procedure: 0xFFFFFFFFAE05C4FA (cbfs3) 
     Procedure: 0xFFFFFFFFAE023CDF (cbfs) 
     Procedure: 0xFFFFFFFFADF6D92A (vmci!VMCIQueue_Peek) 
     Procedure: 0xFFFFFFFFAC5B69B0 (SbieDrv) 
     Procedure: 0xFFFFFFFFAC365145 (000) 

nv4_mini is your graphics card driver, you most likely won't be able to get rid of that one. pfmfs_463 is related to a product called Pismo File Mount. fwtdi32 is our firewall engine, so if using EAM instead of EIS is an option, that might work. cbfs3 and cbfs are related to a company selling off the shelf file system filter drivers. Which product exactly hides behind those is unclear. vmci is related to VMware. SbieDrv is related to Sandboxie. The last driver 000 is related to a Cyberlink product. 

 

The bottom line is, unless you free up at least one more callback slot EIS will not run on your system, as the driver will refuse to load because it can't register its notify routine. So you unfortunately have to uninstall one of the applications that is taking up a slot at the moment. Another option would be to upgrade to Windows Vista or later. In Vista and later the 8 routine limit was increased to 64.

 

Sorry but outside of these 2 options there is unfortunately nothing I can do for you.

[nkrontir 0]

I uninstalled VMware workstation but the problem persists. I didn't uninstall vSphere client, it's important to my work and I don't think it would need such access to my system. Maybe the VMware workstation uninstaller doesn't do a great job. I'll keep trying to sort this out and keep you posted.

 

Edit: This is just weird, there's no vmci.sys anymore on my system so that routine should be gone completely

[nkrontir 0]

Well, I have now uninstalled sandboxie as well and I still can't enable all components. Maybe it's something else?

[Fabian Wosar 390]

It is not impossible that a different driver took its place given the amount of applications you have installed on that system and the limitations Windows XP imposes.

 

Easiest way to check is to use a tool that allows you to view which drivers have these callbacks registered at the moment. Many anti-rootkit scanners, like this one for example, have that ability. You can find the option under "Kd +", "System Notify Callbacks". Only the entries of callback type "CreateProcess" are relevant. That number of such entries needs to be below 7 so both the EIS firewall driver (fwtdi32.sys) as well as the EIS File Guard and Behavior Blocker driver (epp32.sys) can install their callbacks.

 

If you want I can also take another look at it via TeamViewer.

[nkrontir 0]

It's down to 7 now but still the same behaviour... Maybe talk again on Monday?

[Fabian Wosar 390]

Sure, whatever you prefer .

[nkrontir 0]

It looks like I'll be available for a while. So if you are too, maybe we can continue taking a look?

[Fabian Wosar 390]

Sure, just send your TeamViewer details via PM .

[nkrontir 0]

Thanks a lot, everything is working now!

[Fabian Wosar 390]

You are very welcome .