Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ClixTrix on January 16, 2011, 02:56:37 PM

Title: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: ClixTrix on January 16, 2011, 02:56:37 PM
Trusteer Rapport is logging the subject message with each use of one of the protected browsers.  Systems involved are WinXP SP3 with IE8/Firefox/Chrome.  The message logs within 1 minute of launch of browser or new tab.  The message implies the possibility of Malware infection, and can result with normal use in hundreds of logged errors over a week.  Opened at Avast Support Center as ticket CJN-238295 on 1/9/2011.  Confirmation by other Rapport users would be helpful.

The problem started with upgrade from free 5.0.677 to 5.1.864 and now current 5.1.889.  I have done secondary testing on a fresh-build system with clean install of XP with Rapport and Avast with identical results to a production system.  The only solution (thus far) is to retro back with uninstall of 5.1.8xx to reinstall the old 5.0.677 version.  Install sequence of the two products doesn't change the result.  Note, Rapport is required for use by some Banks for access.

The disable of Avast from system tray does not stop the errors.  The disable of the Rapport Security Policy "Block Browser Process Alteration" does stop the errors (for the obvious reason).  However, I would not recommend the latter.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: igor on January 17, 2011, 12:52:31 PM
Well... sounds like a conflict between what avast! wants to do and Rapport doesn't want to allow - but I'm not exactly sure what response you expect.
Disable avast! security features because of Rapport?
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: ClixTrix on January 17, 2011, 01:42:59 PM
In reporting the problem, which began with Update to the 5.1 version series, it's unclear whether this is something that can be fixed by Avast!  I don't know exactly what change was made from 5.0 to 5.1 that caused the conflict.  They needed to be alerted due to the False Positive implications, as that can cause a user to conclude they have a Malware problem.  I was literally down for days trying to isolate the Malware problem.  Rapport operates as a passive protector and doesn't do pop-up type alerts.  So, you only discover the problem if you look at the log or use the automatic weekly report feature.  What would you conclude if you suddenly went from no errors of that type to hundreds in your Rapport log?  I had to put my home business system in quarantine and run backups, malware scan checks, and restores.

Hopefully, any other Rapport users can confirm my observations.

I don't know if there is any way to disable the specific conflict cause in Avast!  The only solution which maintains protection and both products is to move back to 5.0.677, which is the best choice so far.  Otherwise, the false positives might mask a real problem.

If a Bank requires use of Rapport to connect to online Banking services, you're stuck.  Most are recommending and not requiring the product, but that could change.  Look at the list of Banks using Rapport at bottom of Trusteer homepage, including Bank of America:

http://www.trusteer.com/

Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: DavidR on January 17, 2011, 04:29:14 PM
My Bank offers it, but I trust avast more than I trust Trusteer Rapport.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: Gopher John on January 17, 2011, 04:46:43 PM
One of the banks I use is listed, but doesn't require Trusteer Rapport.  When it is required, I'll simply change banks. ;D
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on January 17, 2011, 06:54:16 PM
I can confirm the issue. Have you tried reporting to Rapport? They have been fairly interested in the past when I have raised possible conflict issues with them.

Given the timing of the issue that you report (I confess I hadn't noticed it), then I guess it may be associated with the behaviour shield? Since that is currently mainly only working in passive data-gathering mode I (think) you could probably safely disable it for the time being.

If it is actually due to the avast web shield, then if there is any risk that it is impairing avast web shield operation I would rather do without the rapport browser protection function.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: ClixTrix on January 17, 2011, 07:22:47 PM
Hi mag,

Thank you sincerely for your confirmation.  I was only hesitant to alert Trusteer without confirmation by either the Avast! Support lab (no specific reply to that ticket yet to confirm) or others in the Forum.  Was considering whether it was more appropriate for Avast! to open discussion with Trusteer, given the False Positive issue.  This honestly could be one of those "Whose problem is it?" issues.

The fact that someone can now google search that error and find this thread may alert more folks to the problem cause.  I'm thinking this is a hidden time-bomb, and I'm just the lucky guy that was doing some post system update log checks and found it first.

What is your specific configuration OS/browser(s) with problem, if I may ask?  Also, have you tried regression to 5.0.677 as fix?
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: ClixTrix on January 17, 2011, 07:52:24 PM
Mag,

In response to your edited update, I did try disabling all shields from the systray and selectively disabling the Behavior shield from the user interface window, but neither stopped the Rapport log errors.  Puzzling why disabling Avast! has no effect...  ??? 

I also tried adding the two rapport task execs to the Behavior Trusted Processes.  That had an odd result with IE that I was just retesting.  It didn't seem to fix the problem with any of the three browsers until I removed those execs from that list, and then IE seemed to at least temporarily NOT report the error.  I'm still puzzling over that one and trying to repeat it and see if reboots or other changes make it stick as a fix.

Are you also seeing the long delay between browser launch and the Rapport error log incrementing?
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on January 17, 2011, 08:19:59 PM
I haven't done any investigation of this (I hadn't spotted it at all).

My log showed 178 such events (W7). Then I opened FF, and added another two, then Chrome, and added another three!

As I said, whilst I would like both Rapport and avast to work, I am concerned that rapport shouldn't interfere with avast web shield correct functioning - and might be inclined to disable the interfering rapport function if I thought that was happening - which I would like anyone knowledgeable to advise on if possible.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on January 17, 2011, 09:17:02 PM
There is discussion on this topic at hxxp://forum.kitz.co.uk/index.php?topic=8484.0

'Hi Renluop,

Rapport blocked attempts to alter browser functions. Altering browser functions is a technique that allows taking over the browser and getting access to your sensitive information. This technique is used by malware but also by some legitimate software. Rapport blocks suspicious attempts to alter browser functions regardless of their origin. NtProtectVirtualMemory is just another one of the many browser functions that may be altered in order to take over the browser.

This does not necessarily mean that you have malware on your PC. By blocking these attempts Rapport protects you whether the attempt was made by malware or by legitimate software. There is nothing you need to do with regard to these events as Rapport protects you from any potential threat by blocking the execution of these alterations.

If the activity report presents hundreds of these events, please report a problem from the Rapport console and let us know about this, so we can check if this is malicious software or legitimate software that may need to be approved by Rapport.


Best Regards,
Trusteer Technical Support team'

So it looks like if you report it to Rapport they should be able to exclude the avast browser process modification from detection/block by Rapport (I suspect they previously may have done so - but avast have changed something in 5.1 and aren't recognised by Rapport any more).

(If Igor is in a more helpful frame of mind he may be able to confirm/refute (he has a gruff manner (or did in his initial response to you), but I'm sure he has a heart of gold underneath it all - though sometimes I'm a bit surprised they put him front of house :)). I think avast will want this sorted out, as rapport will).

I have reported the problem to Rapport.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: ClixTrix on January 17, 2011, 09:48:52 PM
mag,

Good find....

I just used the Rapport Console method to report the problem, as that method also sends the logs.  I added the Avast! Support Center ticket number and that I'd posted a thread in Avast! Forum.

If you'd like to do the same, the more reporters the quicker/better response (hopefully).  ;)

I have a feeling the Avast! folks are a little busy responding to all the reports of problems with the latest release.  I didn't want to get on their BAD side by pushing the issue with Trusteer.  Maybe it just needs a tweak in Rapport to add Avast! 5.1.xxx ..... fingers crossed.  I'll report back as soon as I've got a response from Trusteer.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: DavidR on January 17, 2011, 10:03:35 PM
Quote from: MAG
<snip>
So it looks like if you report it to Rapport they should be able to exclude the avast browser process modification from detection/block by Rapport (I suspect they previously may have done so - but avast have changed something in 5.1 and aren't recognised by Rapport any more).

(If Igor is in a more helpful frame of mind he may be able to confirm/refute (he has a gruff manner (or did in his initial response to you), but I'm sure he has a heart of gold underneath it all - though sometimes I'm a bit surprised they put him front of house :)). I think avast will want this sorted out, as rapport will).

I have reported the problem to Rapport.

Personally I don't feel he was gruff, matter of fact would be nearer the mark.

Essentially the web shield is the same as it was in avast 5.0.677, with one exception that I'm aware of is that it doesn't just monitor port 80 on HTTP traffic, it also monitors other ports, see the avastUI, Settings, Troubleshooting, Redirect Settings, HTTP port(s). I don't know if it is these additional ports that are being reported by rapport.

It is trusteer rapport that is blocking (throwing up the messages) what the avast web shield is doing and not avast that is blocking rapport. So disabling the web shield to cater for rapport rather than the other way round seems back to front.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on January 17, 2011, 10:56:11 PM


Quote from: DavidR
It is trusteer rapport that is blocking (throwing up the messages) what the avast web shield is doing and not avast that is blocking rapport. So disabling the web shield to cater for rapport rather than the other way round seems back to front.

No - I have no intention of disabling the web shield (and didn't expect igor to suggest it).

As I said in my earlier post, my concern is that rapport may be interfering with correct functioning of the web shield, and if it is I will be inclined to disable the rapport browser process protection function until this is sorted.

I think perhaps the response that the OP could have looked for from avast team was a sympathetic suggestion that avast might communicate the problem to rapport directly themselves?
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: DavidR on January 18, 2011, 12:09:59 AM
Yes, that may well be the case for you but Igor's reply wasn't directed to you but the OP was certainly not going to disable rapport.

Quote from: ClixTrix
The disable of Avast from system tray does not stop the errors.  The disable of the Rapport Security Policy "Block Browser Process Alteration" does stop the errors (for the obvious reason).  However, I would not recommend the latter.

That no doubt is what drove the comment by Igor.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: pk on January 18, 2011, 01:07:10 AM
New behavior shield in 5.1 monitors process activity. This is done by using DLL injection into most running processes, and it monitors suspicious activity (several API functions are hooked, e.g. NtProtectVirtualMemory, LdrLoadDll, ...). Rapport checked the running process (web browser) and it found out it was somehow modified. Yes, it could be done by malware, keylogger, etc. Rapport doesn't know which application did it.

I don't know Rapport so I'm not really sure how to set it right... please tell me:
- The error is only in Rapport log and you can still use web browser for banking operations, Rapport doesn't block it. Is that correct?

It would be hard for Rapport to identify that the process was modified just by avast. I think the only remedy lies in avast's fix. Firstly, I'll need to install Rapport and get to know it better.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: BobbyZee67 on January 18, 2011, 01:27:08 AM

  Many thanks ClixTrix for bringing this problem to my attention and thanks to David and pk for
  help and advice. I had not looked at the Rapport weekly activity report (40 attempts to alter
  function LdrLoadDll blocked) since updating to 5.1.889

  I have sent a problem report to Trusteer Rapport and I await their answer before deciding
  what to do.

  Thanks guys, BobbyZee67
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: BobbyZee67 on January 18, 2011, 01:35:44 AM


  Sorry pk, meant to say that you are correct. The error is in the Rapport logs, one can still use web browser for banking ops, Rapport is not blocking.

  Cheers, BobbyZee67
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: ClixTrix on January 18, 2011, 03:03:25 PM
Response from Trusteer follows (bold added for emphasis by me):

Hello Mr. xxxxxxxxxx,

Please note that we have analyzed the problem report you sent us and looked at the Process Alteration events to determine the cause of the incidents you encountered. These events were indeed triggered because of a Dll file belonging to Avast, as you yourself have discovered.

Please note that this should not interfere with your PC or cause you any other problems. Rapport's protection is not affected, and you can continue to conduct your usual activities, for now you can ignore these notifications.

We will whitelist this DLL so these events won't reappear in the future.

We would be happy to notify you once a version with the fix is released.


Sincerely,
Gil Solomon
Tier 3 and Escalation
Trusteer Technical Support

Ticket Details
===================
Ticket ID: RZV-704375
Department: General
Priority: High
Status: Customer-Pending


----------------------------

I'll test the fix and post my results when they notify me of fix release.  The Avast! folks are welcome to contact them with reference ticket number to coordinate any testing of the Dll issue for future changes.  I see they set it at Priority HIGH.   Good call on their part, as I see more are reporting-in with the problem.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: Vlk on January 18, 2011, 03:17:32 PM
Thanks for giving us the feedback. Now the question is, how does Trusteer whitelist the DLL? I hope it won't be bound to a full hash of the file (i.e. exact match) as that would effectively mean that they would have to whitelist the file after each avast program update.

It would be good if they whitelisted it by the digital signature.

Thanks
Vlk
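
An added example, not from the thread and not avast's or Rapport's code: a sketch of the integrity check pk describes (a function prologue that no longer matches the file on disk), with the hook attributed to a module and then judged by the two whitelisting styles Vlk contrasts. It assumes a 32-bit process and the common inline-hook form, a 5-byte `JMP rel32` written over the prologue; the addresses, `monitor.dll`, the signer name and the byte strings are constructed, and signature verification is assumed to have happened elsewhere.

```python
import hashlib
import struct
from dataclasses import dataclass

FUNC = 0x7C9163C3                       # constructed address standing in for LdrLoadDll
CLEAN = bytes.fromhex("8bff558bec")     # constructed on-disk prologue: mov edi,edi / push ebp / mov ebp,esp


@dataclass
class Module:
    name: str       # hypothetical file name
    base: int       # load address inside the simulated browser process
    size: int
    image: bytes    # stands in for the DLL file contents
    signer: str     # subject of a signature verified elsewhere; "" means unsigned or invalid

    @property
    def sha256(self):
        return hashlib.sha256(self.image).hexdigest()


def jmp_rel32(src, dst):
    """Bytes of the 5-byte JMP an inline hook writes at src to divert execution to dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def by_hash(pinned):
    return lambda m: m.sha256 in pinned


def by_signer(trusted):
    return lambda m: m.signer in trusted


def classify(addr, live, clean, modules, allowed):
    """Compare the in-memory prologue with the on-disk one and attribute any hook."""
    if live[:5] == clean[:5]:
        return "clean", None
    owner = None
    if live[0] == 0xE9:  # JMP rel32: target = end of the instruction + signed displacement
        (rel,) = struct.unpack_from("<i", live, 1)
        target = (addr + 5 + rel) & 0xFFFFFFFF
        owner = next((m for m in modules if m.base <= target < m.base + m.size), None)
    if owner is not None and allowed(owner):
        return "hooked-allowlisted", owner.name
    return "hooked-unknown", owner.name if owner else None


def run_demo():
    vendor = "Example AV Vendor"  # constructed signer name
    builds = {
        "v1": Module("monitor.dll", 0x10000000, 0x20000, b"build 1", vendor),
        "v2 (after update)": Module("monitor.dll", 0x10000000, 0x20000, b"build 2", vendor),
        "unsigned lookalike": Module("monitor.dll", 0x10000000, 0x20000, b"other code", ""),
    }
    live = jmp_rel32(FUNC, 0x10001000)  # prologue as patched by whichever build is loaded
    hash_rule = by_hash({builds["v1"].sha256})
    signer_rule = by_signer({vendor})
    return {
        label: (classify(FUNC, live, CLEAN, [mod], hash_rule)[0],
                classify(FUNC, live, CLEAN, [mod], signer_rule)[0])
        for label, mod in builds.items()
    }


if __name__ == "__main__":
    for label, (hash_verdict, signer_verdict) in run_demo().items():
        print(f"{label:20} hash rule: {hash_verdict:20} signer rule: {signer_verdict}")
```

The hash-pinned rule stops recognising the DLL as soon as the vendor ships build 2, while the signer rule keeps matching and still flags the unsigned lookalike.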
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on January 18, 2011, 06:22:57 PM
I got the same response from Rapport (but in my case the priority is only medium :'().

I have provided Rapport with a link to this thread and Vlk's suggestion.

All's well that ends well!

Thanks.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: Trusteer Support on January 20, 2011, 10:34:14 AM
Dear avast! users,

We are glad to inform you that the issue you've encountered with Rapport has been resolved. The avast! DLL has been whitelisted and the fix will be released in the coming week. Rapport will update automatically and you will no longer receive these events from Rapport.

Should you need additional assistance, feel free to contact us via email: support@trusteer.com
We also have helpful information available in our FAQ: http://consumers.trusteer.com/frequently-asked-questions

Sincerely,

Trusteer Technical Support
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on February 05, 2011, 07:45:55 PM
Sorry to reopen an old thread, but the issue has not gone away for me, despite the Trusteer whitelisting of avast.

Of course it might not be anything to do with avast.

I have raised the topic with Trusteer again.

I was just wondering - is anyone else still getting this problem, or did the avast whitelisting fix it for you?

Thanks.

(By the way - might it not be an idea for avast to alert that something is blocking its attempt to monitor browser process activity by DLL injection (and say what if possible)? After all, that something might be malware rather than Rapport. Just a thought.)
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: pk on February 07, 2011, 08:49:28 AM
It's the question for Trusteer, they need to whitelist our DLL. They wrote me they already did it, but maybe we need to wait a while then it'll start working (?). I don't know how exactly it works in their product.

Please note, avast/Trusteer wasn't blocked - they just inform you, that someone injected DLL into the browser and hooked some functions there.

Thanks for new info, appreciate it.
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: MAG on February 07, 2011, 06:50:34 PM
Quote from: pk
It's the question for Trusteer, they need to whitelist our DLL. They wrote me they already did it, but maybe we need to wait a while then it'll start working (?). I don't know how exactly it works in their product.

Please note, avast/Trusteer wasn't blocked - they just inform you, that someone injected DLL into the browser and hooked some functions there.

Thanks for new info, appreciate it.

Thanks pk - Rapport say they are investigating, so I'll see what they find.

I have to say, the Rapport report does read as if it actually blocks the behaviour shield from injecting the DLL into the browser. Here is the Rapport report:

'Rapport blocked attempts to alter the following browser functions. Altering browser functions is a technique that allows taking over the browser and getting access to your sensitive information. This technique is used by malware but also by some legitimate software. Rapport blocks suspicious attempts to alter browser functions. This does not necessarily mean that you have malware on your PC. By blocking these attempts Rapport protects you whether the attempt was made by malware or by good software. You do not need to take any action.
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
etc, etc
Title: Re: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"
Post by: GetAGrip on March 09, 2011, 02:08:24 PM
I have Avast 6.0.1000 with Virus Definitions 110309-0 and am experiencing the same problem.

I don't know if this is caused by Avast or another program, Trusteer Rapport does not identify the program that makes the attempts.

I tried to update Trusteer Rapport and received this message: "You are already running with the latest Rapport configuration."

So the program's latest version is still logging and preventing Avast from doing its job.  I don't know if this is because of the upgrade to Version 6.0.1000 of Avast.

Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked