
Code Integrity is unable to verify the image integrity of the file a2hooks64.dll because the set of per-page image hashes could not be found on the sy



Hello

 

This could be helpful information. After updating to build EAM 6513 I checked various logs (routinely) and noticed 3 of the above titled log entries (under CodeIntegrity Logs) starting 2 minutes after the new build update finished. I have seen these entries sporadically (3 or 4 times a month) since 12-08-15. Also, per older complete memory dumps (1 month or older) the epp.sys driver was blamed by the WhoCrashed program.

 

So about 4 weeks ago I did a clean uninstall of EAM and epp.sys driver and the Emet 5.2 program and then did a Net Framework Repair Tool repair with success. I ran it on all 3 user profiles to be sure all user profiles were successful. I re-installed EAM (the prior build to current one) plus emet 5.2 and have had no problems for around 10 days (no need to reboot) concerning any Net Framework garbage collection issues or crash dumps or apps stopped working issues.

 

I also noticed in the Code Integrity Log (after re-installing EAM after a clean uninstall using Emsiclean Removal) that the Code Integrity log entries no longer appeared and I was very satisfied, plus my system was running for many days at a time without any problems such as app stopped working, BSODs or Framework garbage collection timing issues.

 

Per crash dumps and MS Reliability App compatibility Reports, I believe most of my occasional app stopped working events were either due to Framework Garbage Collection or a2hooks64.dll hanging up under heavy video browsing, sometimes leading to an epp.sys BSOD. I also noticed that all of these problems stopped happening after I made the above mentioned repairs and re-installs. (Basically programs that rely heavily on Net Framework 4.5.2.)

 

But, now since my update to build 6513 the log entry:

Code Integrity is unable to verify the image integrity of the file

a2hooks64.dll because the set of per-page image hashes could not be found on the system has reappeared since the EAM build 6513 update. It has only been 1 whole day since I updated to build 6513 (done on 070316) and everything went smoothly, but:

 

I am concerned that I may start encountering problems again related to A2hooks64.dll or epp.sys and I will let you know promptly.

Question:

Why does A2hooks64.dll specifically have problems with Code Integrity Checks? I am sure that the file is properly signed as I have checked. Is it a timing issue when the system is under heavy use? Does it have something to do with alternating between 3 user profiles or:

Does it have something to do with the latest Build 6513 installing a new Epp.sys driver or a new A2hooks64.dll?

 

I have noticed that from the Code Integrity Logs that the A2hooks64.dll problem comes and goes and could very well be linked to when a2hooks64.dll is updated, as it is not always updated in all new build releases. I have not analyzed the dates and times at this point.

 

An attempt at an explanation concerning these Code Integrity Logs will go a long way towards my moving on from these questions unless problems arise over the next few days.

I will appreciate any insightful input very much. Thanks


I just noticed the same thing in my event log. Started on 7/1. My boots have been noticeably slower with multiple desktop refreshes and now I suspect this as the reason.

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/1/2016 8:13:56 AM
Event ID:      6281
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      XXX-PC
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6281</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-07-01T12:13:56.893967200Z" />
    <EventRecordID>1194526</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="48" />
    <Channel>Security</Channel>
    <Computer>Don-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll</Data>
  </EventData>
</Event>

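Triage helper for the Security event quoted above, added here as an example (not from the thread or from Emsisoft): it parses records in the same Event XML shape, keeps only event 6281, and counts failures per image path so a repeatedly failing DLL stands out. The sample records are constructed; the `\Device\HarddiskVolumeN` prefix handling assumes the path format shown in `param1`.

```python
from collections import Counter
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PAGE_HASH_INVALID = 6281  # Code Integrity: page hashes of an image are not valid

# Constructed sample records in the shape of the event quoted in the post
# (two 6281 hits on the same DLL plus one unrelated logon event).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>6281</EventID>
    <TimeCreated SystemTime="2016-07-01T12:13:56.893967200Z"/><Channel>Security</Channel></System>
  <EventData><Data Name="param1">\Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\a2hooks64.dll</Data></EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>6281</EventID>
    <TimeCreated SystemTime="2016-07-01T13:02:10.000000000Z"/><Channel>Security</Channel></System>
  <EventData><Data Name="param1">\Device\HarddiskVolume3\Program Files\Emsisoft Anti-Malware\A2HOOKS64.DLL</Data></EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2016-07-01T13:05:00.000000000Z"/><Channel>Security</Channel></System>
  <EventData><Data Name="TargetUserName">example</Data></EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return (event_id, timestamp, image_path); image_path is None when no param1 exists."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    stamp = root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
    image = root.findtext("e:EventData/e:Data[@Name='param1']", namespaces=EVT_NS)
    return event_id, stamp, image


def volume_relative(device_path):
    """Split a Device/HarddiskVolumeN path into (volume, path relative to that volume)."""
    parts = device_path.split("\\")  # ['', 'Device', 'HarddiskVolume3', 'Program Files', ...]
    if len(parts) > 3 and parts[1] == "Device" and parts[2].startswith("HarddiskVolume"):
        return parts[2], "\\".join(parts[3:])
    return None, device_path


def triage(records):
    """Count 6281 failures per image (case-insensitive); other event IDs are ignored."""
    counts = Counter()
    for xml_text in records:
        event_id, _stamp, image = parse_event(xml_text)
        if event_id == PAGE_HASH_INVALID and image:
            counts[image.lower()] += 1
    return counts


if __name__ == "__main__":
    for image, n in triage(SAMPLE_EVENTS).most_common():
        volume, rel = volume_relative(image)
        print(f"{n:3d}x  {volume}  {rel}")
```

On a live system the same functions can be fed the XML from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6281}` (each event's `ToXml()` output).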

Those messages are normal. Certain processes in Windows are specially protected by additional signature enforcements. Essentially all DLLs that aren't cross signed by Microsoft or match Microsoft's strict rules won't be able to load. These processes are usually involved in DRM and are protected so you can't just inject code into them to capture unprotected audio and video streams. They are sometimes also used for sandboxing and isolation. Edge for example may trigger similar alerts.

 

This isn't a problem with EAM only either. Essentially every application that ends up loading DLLs as simple as context menu extensions will trigger these types of alerts. You will likely be able to stop most of them by excluding the following processes:

 

audiodg.exe

mfpmp.exe

werfault.exe

werfaultsecure.exe

wermgr.exe

 

All of them are located in your Windows System32 folder. If you are using a 64 bit Windows version, you probably want to exclude the 32 bit versions of these processes in the SysWOW64 folder as well.



Unfortunately, the problem is not resolved. Reappeared two days ago.

 

I have been monitoring my event logs along with process execution using Process Explorer and believe I have a pretty good grip on what is going on. This issue manifests when a system process runs that EAM behavior blocker is monitoring that starts dynamically. Best and most frequent example I have observed is rundll32.exe. For example, rundll32.exe will be initiated for Win error diagnostics running the associated WER .dll. This will trigger a code violation alert every time when a2guard64.dll is injected into rundll32.exe.

 

Prior to the latest EAM release, I never once received a code violation because of a2guard64.dll. I will also add that for the above scenario, Eset's HIPS will also inject its .dll hook into rundll32.exe and I am not receiving any code violations for that .dll

 

Please fix this issue ASAP.  


The exclusions may not be working at the moment. There's a bug where, at least on some computers, the whitelist is essentially being ignored until the Emsisoft Protection Service (a2service.exe) is restarted. To my knowledge, restarting a2service.exe will resolve the issue until your computer is restarted.

You can restart a2service.exe by doing the following:

  • Right-click on the System Tray icon for Emsisoft Anti-Malware.
  • Select Shut down protection from the menu.
  • Hold down the Windows key on your keyboard, and tap R to open the Run dialog.
  • Type in services.msc and click OK.
  • Look for the Emsisoft Protection Service in the list, and right-click on it.
  • Select Stop from the menu.
  • Once it has finished stopping, right-click on it again.
  • Select Start from the menu.
  • Close the list of services.
  • Open Emsisoft Anti-Malware from the icon on your desktop.


 

You lost me with this reply. Setting exclusions as previously mentioned has nothing to do with the problem.

 

The problem as I posted previously for the most part involves rundll32.exe and EAM's .dll injection of a2guard64.dll into the process. Another example. If you use IE and you have configured it to delete browser history at browser shutdown, rundll32.exe does that activity. Every time it runs as such, a code violation from a2guard64.dll is recorded.  

 

Interestingly, a number of other system processes are monitored by EAM with resultant .dll injection w/o issue such as taskhost.exe. Most of those however are run by the desktop shell at boot time. On the other hand, taskhost.exe is used to run executables and not .dlls.


Fabian said that excluding certain processes should stop the error messages in the Event Viewer. When you said you were still having the problem, I made the assumption that you had run into the exclusions bug.



I did try to exclude the processes mentioned and it did not resolve the issue. I certainly do not want to exclude rundll32.exe since it is a main target of malware.

 

I will add that the issue w/rundll32.exe is not consistent. Yesterday I had to do a system restore for an unrelated issue. After the system restore and for the rest of yesterday, I received no code violation event log entries for a2guard64.exe. Today after boot, the issue is back.



That's because the System Restore reverted files back to older versions, and they had to be updated again.



Restore was from a previous day restore point so doubt much updating was done.

 

Appears to me Emsisoft service is changing a2guard64.dll code prior to injecting it into rundll32.exe.



Since 1st July EAM update I have been getting the Security Audit failure:

 

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll 

 

Also in event viewer lots of various Service Control Manager errors 7009 and 7000: 

The... ( various ) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

 

I have uninstalled EAM and these errors do not happen any more. The defaulted Windows Defender integrates very well with Windows 10 without any problems or errors despite its anecdotal shortcomings. 

What can I do about these EAM errors please?


Does the latest beta have any effect on this issue? Here's how to install it:

  • Open Emsisoft Anti-Malware.
  • Click on Settings in the menu at the top.
  • Click on Updates in the menu at the top.
  • On the left, under Update Settings, click on the box to the right of Update feed and select Beta from the list.
  • Click on the Update now button on the right side.

Does the latest beta have any effect on this issue?

 

I first re-installed EAM and the Service Control Manager errors happened immediately after it activated. I then changed to the beta version and the errors have not happened, although it may need more time to be absolutely sure.

Is it ok to leave the settings on beta? Do you think the beta version will be stable?

 

Thank you for your help.


Right now I think the beta is better than the latest stable version, and you should be able to leave your update feed set for Beta (at least until we release a new stable version). If you do encounter any issues with the beta, then please be sure to let us know.


"Right now I think the beta is better than the latest stable version, and you should be able to leave your update feed set for Beta (at least until we release a new stable version). If you do encounter any issues with the beta, then please be sure to let us know. "

 

Well BIG problem with your beta version. Basically NO surf protection. No notification pop ups for malware etc or Wicar.org. Nothing in the surf protection log either. I set the privacy risks to notify which normally produces oodles of notifications, but nothing. I went back to the stable version of EAM and now Surf protection is working normally again. Wicar.org gives malware notification again. Privacy risks are giving notifications again and Logs are working again. 

BUT my original problem with the stable version seems to be fixed!
