Author Topic: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"  (Read 15471 times)

0 Members and 1 Guest are viewing this topic.

Offline ClixTrix

  • Newbie
  • *
  • Posts: 6
Trusteer Rapport is logging the subject message with each use of one of the protected browsers.  Systems involved are WinXP SP3 with IE8/Firefox/Chrome.  The message logs within 1 minute of launch of browser or new tab.  The message implies the possibility of Malware infection, and can result with normal use in hundreds of logged errors over a week.  Opened at Avast Support Center as ticket CJN-238295 on 1/9/2011.  Confirmation by other Rapport users would be helpful.

The problem started with upgrade from free 5.0.677 to 5.1.864 and now current 5.1.889.  I have done secondary testing on a fresh-build system with clean install of XP with Rapport and Avast with identical results to a production system.  The only solution (thus far) is to retro back with uninstall of 5.1.8xx to reinstall the old 5.0.677 version.  Install sequence of the two products doesn't change the result.  Note, Rapport is required for use by some Banks for access.

The disable of Avast from system tray does not stop the errors.  The disable of the Rapport Security Policy "Block Browser Process Alteration" does stop the errors (for the obvious reason).  However, I would not recommend the later.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Well... sounds like a conflict between what avast! wants to do and Rapport doesn't want to allow - but I'm not exactly sure what response you expect.
Disable avast! security features because of Rapport?

Offline ClixTrix

  • Newbie
  • *
  • Posts: 6
In reporting the problem, which began with Update to the 5.1 version series, it's unclear whether this is something that can be fixed by Avast!  I don't know exactly what change was made from 5.0 to 5.1 that caused the conflict.  They needed to be alerted due to the False Positive implications, as that can cause a user to conclude they have a Malware problem.  I was literally down for days trying to isolate the Malware problem.  Rapport operates as a passive protector and doesn't do pop-up type alerts.  So, you only discover the problem if you look at the log or use the automatic weekly report feature.  What would you conclude if you suddenly went from no errors of that type to hundreds in your Rapport log?  I had to put my home business system in quarantine and run backups, malware scan checks, and restores.

Hopefully, any other Rapport users can confirm my observations.

I don't know if there is any way to disable the specific conflict cause in Avast!  The only solution which maintains protection and both products is to move back to 5.0.677, which is the best choice so far.  Otherwise, the false positives might mask a real problem.

If a Bank requires use of Rapport to connect to online Banking services, you're stuck.  Most are recommending and not requiring the product, but that could change.  Look at the list of Banks using Rapport at bottom of Trusteer homepage, including Bank of America:

http://www.trusteer.com/

« Last Edit: January 17, 2011, 02:10:18 PM by ClixTrix »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
My Bank offers it, but I trust avast more than I trust Trusteer Rapport.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2100
One of the banks I use is listed, but doesn't require Trusteer Rapport.  When it is required, I'll simply change banks. ;D
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

Offline mag

  • Advanced Poster
  • **
  • Posts: 742
I can confirm the issue. Have you tried reporting to Rapport? They have been fairly interested in the past when I have raised possible conflict issues with them.

Given the timing of the issue that you report (I confess I hadn't noticed it), then I guess it may be associated  with the behaviour shield? Since that is currently mainly only working in passive data-gathering mode I (think) you could probably safely disable it for the time being.

If it is actually due to the avast web shield, then if there is any risk that it is impairing avast web shield operation I would rather do without the rapport browser protection function.
« Last Edit: January 17, 2011, 07:16:01 PM by mag »

Offline ClixTrix

  • Newbie
  • *
  • Posts: 6
Hi mag,

Thank you sincerely for your confirmation.  I was only hesitant to alert Trusteer without confirmation by either the Avast! Support lab (no specific reply to that ticket yet to confirm) or others in the Forum.  Was considering whether it was more appropriate for Avast! to open discussion with Trusteer, given the False Positive issue.  This honestly could be one of those "Who's problem is it?" issues.

The fact that someone can now google search that error and find this thread may alert more folks to the problem cause.  I'm thinking this is a hidden time-bomb, and I'm just the lucky guy that was doing some post system update log checks and found it first.

What is your specific configuration OS/browser(s) with problem, if I may ask?  Also, have you tried regression to 5.0.677 as fix?
« Last Edit: January 17, 2011, 07:34:05 PM by ClixTrix »

Offline ClixTrix

  • Newbie
  • *
  • Posts: 6
Mag,

In response to your edited update, I did try disabling all shields from the systray and selectively disabling the Behavior shield from the user interface window, but neither stopped the Rapport log errors.  Puzzling why disabling Avast! has no effect...  ??? 

I also tried adding the two rapport task execs to the Behavior Trusted Processes.  That had an odd result with IE that I was just retesting.  It didn't seem to fix the problem with any of the three browsers until I removed those execs from that list, and then IE seemed to at least temporarily NOT report the error.  I'm still puzzling over that one and trying to repeat it and see if reboots or other changes make it stick as a fix.

Are you also seeing the long delay between browser launch and the Rapport error log incrementing?

Offline mag

  • Advanced Poster
  • **
  • Posts: 742
I haven't done any investigation of this (I hadn't spotted it at all).

My log showed 178 such events (W7). Then I opened FF, and added another two, then then Chrome, and added another three!

As I said, whilst I would like both Rapport and avast to work, I am concerned that rapport shouldn't interfere with avast web shield correct functioning - and might be inclined to disable the interfering rapport function if I thought that was happening - which I would like anyone knowledgeable to advise on if possible.

Offline mag

  • Advanced Poster
  • **
  • Posts: 742
There is discussion on this topic at hxxp://forum.kitz.co.uk/index.php?topic=8484.0

'Hi Renluop,

Rapport blocked attempts to alter browser functions. Altering browser functions is a technique that allows taking over the browser and getting access to your sensitive information. This technique is used by malware but also by some legitimate software. Rapport blocks suspicious attempts to alter browser functions regardless of their origin. NtProtectVirtualMemory is just another one of the many browser functions that may be altered in order to take over the browser.

This does not necessarily mean that you have malware on your PC. By blocking these attempts Rapport protects you whether the attempt was made by malware or by legitimate software. There is nothing you need to do with regard to these events as Rapport protects you from any potential threat by blocking the execution of these alterations.

If the activity report presents hundreds of these events, please report a problem from the Rapport console and let us know about this, so we can check if this is malicious software or legitimate software that may need to be approved by Rapport.


Best Regards,
Trusteer Technical Support team'

So it looks like if you report it to Rapport they should be able to exclude the avast browser process modification from detection/block by Rapport (I suspect they previously may have done so - but avast have changed something in 5.1 and aren't recognised by Rapport any more).

(If Igor is in a more helpful frame of mind he may be able to confirm/refute (he has a gruff manner (or did in his initial response to you), but I'm sure he has a heart of gold underneath it all - though sometimes I'm a bit surprised they put him front of house :)). I think avast will want this sorted out, as rapport will).

I have reported the problem to Rapport.
« Last Edit: January 17, 2011, 09:28:42 PM by mag »

Offline ClixTrix

  • Newbie
  • *
  • Posts: 6
mag,

Good find....

I just used the Rapport Console method to report the problem, as that method also sends the logs.  I added the Avast! Support Center ticket number and that I'd posted a thread in Avast! Forum.

If you'd like to do the same, the more reporters the quicker/better response (hopefully).  ;)

I have a feeling the Avast! folks are a little busy responding to all the reports of problems with the latest release.  I didn't want to get on their BAD side by pushing the issue with Trusteer.  Maybe it just needs a tweak in Rapport to add Avast! 5.1.xxx ..... fingers crossed.  I'll report back as soon as I've got a response from Trusteer.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
<snip>
So it looks like if you report it to Rapport they should be able to exclude the avast browser process modification from detection/block by Rapport (I suspect they previously may have done so - but avast have changed something in 5.1 and aren't recognised by Rapport any more).

(If Igor is in a more helpful frame of mind he may be able to confirm/refute (he has a gruff manner (or did in his initial response to you), but I'm sure he has a heart of gold underneath it all - though sometimes I'm a bit surprised they put him front of house :)). I think avast will want this sorted out, as rapport will).

I have reported the problem to Rapport.

Personally I don't feel he was gruff, matter of fact would be nearer the mark.

Essentially the web shield is the sane as it was in avast 5.0.677, with one exception that I'm aware of is that it doesn't just monitor port 80 on HTTP traffic, it also monitors other ports, see the avastUI, Settings, Troubleshooting, Redirect Settings, HTTP port(s). I don't know if it is these additional ports that are being reported by rapport.

It is trusteer rapport that is blocking (throwing up the messages) what the avast web shield is doing and not avast that is blocking rapport. So disabling the web shield to cater for rapport rather than the other way round seems back to front.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline mag

  • Advanced Poster
  • **
  • Posts: 742


It is trusteer rapport that is blocking (throwing up the messages) what the avast web shield is doing and not avast that is blocking rapport. So disabling the web shield to cater for rapport rather than the other way round seems back to front.

No - I have no intention of disabling the web shield (and didn't expect igor to suggest it).

As I said in my earlier post, my concern is that rapport may be interfering with correct functioning of the web shield, and if it is I will be inclined to disable the rapport browser process protection function until this is sorted.

I think perhaps the response that the OP could have looked for from avast team was a sympathetic suggestion that avast might communicate the problem to rapport directly themselves?
« Last Edit: January 17, 2011, 11:02:52 PM by mag »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
Yes, that may well be the case for you but Igor's reply wasn't directed to you but the OP was certainly not going to disable rapport.

Quote from: ClixTrix
The disable of Avast from system tray does not stop the errors.  The disable of the Rapport Security Policy "Block Browser Process Alteration" does stop the errors (for the obvious reason).  However, I would not recommend the later.

That no doubt is what drove the comment by Igor.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
New behavior shield in 5.1 monitors processes activity. This is done by using DLL injection into the most running processes and it monitors suspicious activity (several API functions are hooked: e.g. NtProtectVirtualMemory, LdrLoadDll, ...). Rapport checked the running process (web browser) and it found out it was somehow modified. Yes, it could be done by malware, keylogger, etc. Rapport doesn't know which application did it.

I don't know Rapport so I'm not really sure how to set it right... please tell me:
- The error is only in Rapport log and you can still use web browser for banking operations, Rapport doesn't block it. Is that correct?

It would be hard for Rapport to identify that the process was modified just by avast. I think the only remedy lies in avast's fix. Firstly, I'll need to install Rapport and get to know it better.