Jump to content

Audit failure a2hooks.dll

Christianto
 Share

Recommended Posts

Christianto

Christianto

Posted
Posted

Hi , I'm Running EAM recent version with 1 year licenses (Windows 7 ultimate 32 bit..RAM 3 Gb)..and it's doing great  & smoothly ...

I just want to ask...when i open "eventvwr-windowslog-security" there is warning that say "audit failure"

 

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume2\Program Files\EAM\a2hooks32.dll    

 

 

What is means exactly...thx alot

sorry for my Bad English

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
On 7/15/2017 at 8:30 AM, Christianto said:

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume2\Program Files\EAM\a2hooks32.dll 

a2hooks32.dll is the 32-bit DLL file that Emsisoft Anti-Malware injects into other running processes (specifically 32-bit processes, as we have a 64-bit version for 64-bit processes on 64-bit versions of Windows) and this allows the Behavior Blocker to open hooks to those running processes so that it has access to their memory, and can monitor their behavior. If there's a problem with this DLL file, and it can't be loaded, then the Behavior Blocker won't be able to monitor running processes and you will not see Behavior Blocker alerts or Anti-Malware Network notifications (when the safety of a running program is being verified). If you're still seeing alerts and notifications from the Behavior Blocker, then everything is working fine. ;)

Link to comment
Share on other sites
Christianto

Christianto

Posted
  • Author
Posted
42 minutes ago, GT500 said:

a2hooks32.dll is the 32-bit DLL file that Emsisoft Anti-Malware injects into other running processes (specifically 32-bit processes, as we have a 64-bit version for 64-bit processes on 64-bit versions of Windows) and this allows the Behavior Blocker to open hooks to those running processes so that it has access to their memory, and can monitor their behavior. If there's a problem with this DLL file, and it can't be loaded, then the Behavior Blocker won't be able to monitor running processes and you will not see Behavior Blocker alerts or Anti-Malware Network notifications (when the safety of a running program is being verified). If you're still seeing alerts and notifications from the Behavior Blocker, then everything is working fine. ;)

 

emsisoftPrintscreen.png

Link to comment
Share on other sites
GT500

GT500

Posted
Posted

The easiest way to test the Behavior Blocker is to run a batch file that contains the code from BatchGotAdmin. Here's a quick (and harmless) batch file that you can run to see if you get an alert from the Behavior Blocker (do not select "Allow always" in the alert, or it will lose any value for testing):
https://www.gt500.org/emsisoft/bb_test.zip

Download the above ZIP archive, open it, and double-click on the batch file inside to run it.

When you run it, you should see a notification on the right side of the screen that Emsisoft Anti-Malware is verifying its safety with the Anti-Malware Network. Once it has verified that there is not enough information to determine the safety of the file, an alert should be displayed by the Behavior Blocker asking you what to do with it. If you select "Allow once" then the alert will close, and Windows will ask you if you want to allow the Windows Command Processor to make changes to your computer (don't worry, all it does is reopen the test batch file and display a message that says "Test finished" and "Press any key to continue"). If you select "Block once" it will prevent the test batch file from asking for administrative rights, and it will close without displaying a message. If you select to quarantine the test batch file, then it will be deleted and a backup copy will be saved in the Quarantine.

Here's a picture that shows what the alert should look like:

bb_test_batch_file_alert.png

 

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
11 hours ago, Christianto said:

Thx sir.... so i think my EAM is ok... 

Correct, that's exactly what you should see if the Behavior Blocker is working. The batch file attempts to elevate its permissions, the Behavior Blocker catches it, and warns you about it. ;)

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2022 Emsisoft - 05/22/2022 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...