Author Topic: 5.1.8xx - Trusteer Rapport logs "Attempt to alter function LdrLoadDll blocked"  (Read 17600 times)

BobbyZee67

  • Guest

  Many thanks ClixTrix for bringing this problem to my attention and thanks to David and pk for
  help and advice. I had not looked at the Rapport weekly activity report (40 attempts to alter
  function LdrLoadDll blocked) since updating to 5.1.889.

  I have sent a problem report to Trusteer Rapport and I await their answer before deciding
  what to do.

  Thanks guys, BobbyZee67

BobbyZee67

  • Guest


  Sorry pk, meant to say that you are correct. The error is in the Rapport logs; one can still use the web browser for banking ops, Rapport is not blocking.

  Cheers, BobbyZee67

ClixTrix

  • Guest
Response from Trusteer follows (bold added for emphasis by me):

Hello Mr. xxxxxxxxxx,

Please note that we have analyzed the problem report you sent us and looked at the Process Alteration events to determine the cause of the incidents you encountered. These events were indeed triggered because of a Dll file belonging to Avast, as you yourself have discovered.

Please note that this should not interfere with your PC or cause you any other problems. Rapport's protection is not affected, and you can continue to conduct your usual activities; for now you can ignore these notifications.

We will whitelist this DLL so these events won't reappear in the future.

We would be happy to notify you once a version with the fix is released.


Sincerely,
Gil Solomon
Tier 3 and Escalation
Trusteer Technical Support

Ticket Details
===================
Ticket ID: RZV-704375
Department: General
Priority: High
Status: Customer-Pending


----------------------------

I'll test the fix and post my results when they notify me of fix release.  The Avast! folks are welcome to contact them with reference ticket number to coordinate any testing of the Dll issue for future changes.  I see they set it at Priority HIGH.   Good call on their part, as I see more are reporting-in with the problem.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Thanks for giving us the feedback. Now the question is, how does Trusteer whitelist the DLL. I hope it won't be bound to a full hash of the file (i.e. exact match) as that would effectively mean that they would have to whitelist the file after each avast program update.

It would be good if they whitelisted it by the digital signature.

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
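
The difference between the two whitelisting strategies discussed in the post above, as an added example (not code from this thread, from Trusteer or from avast; how Rapport actually implements its whitelist is not stated here). `Test-ModuleAllowed` and its parameters are hypothetical names, and `ntdll.dll` is only a stand-in for any signed DLL.

```powershell
# Added illustration; function and parameter names are hypothetical.
function Test-ModuleAllowed {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedSha256 = @(),
        [string[]] $AllowedSignerThumbprints = @()
    )

    # Strategy 1: exact match on the file contents.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Strategy 2: match on who signed the file.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # A signer only counts if Windows validated the signature over this
    # exact file; an unsigned or modified file never passes on signer.
    $signerOk = $sig.Status -eq 'Valid' -and
                $null -ne $sig.SignerCertificate -and
                $AllowedSignerThumbprints -contains $sig.SignerCertificate.Thumbprint

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        AllowedByHash   = $AllowedSha256 -contains $hash
        AllowedBySigner = [bool]$signerOk
    }
}

# Constructed demo: pin the file as it is on disk today, both ways.
$sample       = Join-Path $env:SystemRoot 'System32\ntdll.dll'
$pinnedHash   = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
$pinnedSigner = (Get-AuthenticodeSignature -LiteralPath $sample).SignerCertificate.Thumbprint

# Today both columns are True. After the vendor ships a new build of the
# file, rerunning with the same pins gives AllowedByHash = False while
# AllowedBySigner stays True, as long as the same certificate signed it.
Test-ModuleAllowed -Path $sample `
    -AllowedSha256 $pinnedHash `
    -AllowedSignerThumbprints $pinnedSigner
```

Pinning the certificate thumbprint survives program updates but still breaks when the vendor renews its signing certificate, so a signer-based whitelist needs its own update path for that case.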

MAG

  • Guest
I got the same response from Rapport (but in my case the priority is only medium :'().

I have provided Rapport with a link to this thread and Vlk's suggestion.

All's well that ends well!

Thanks.

Trusteer Support

  • Guest
Dear avast! users,

We are glad to inform you that the issue you've encountered with Rapport has been resolved. The avast! DLL has been whitelisted and the fix will be released in the coming week. Rapport will update automatically and you will no longer receive these events from Rapport.

Should you need additional assistance, feel free to contact us via email: support@trusteer.com
We also have helpful information available in our FAQ: http://consumers.trusteer.com/frequently-asked-questions

Sincerely,

Trusteer Technical Support

MAG

  • Guest
Sorry to reopen an old thread, but the issue has not gone away for me, despite the Trusteer whitelisting of avast.

Of course it might not be anything to do with avast.

I have raised the topic with Trusteer again.

I was just wondering - is anyone else still getting this problem, or did the avast whitelisting fix it for you?

Thanks.

(By the way - might it not be an idea for avast to alert that something is blocking its attempt to monitor browser process activity by DLL injection (and say what if possible)? After all, that something might be malware rather than Rapport. Just a thought.)
« Last Edit: February 05, 2011, 08:02:47 PM by mag »

Offline pk

  • Avast team
  • Super Poster
  • Posts: 2078
It's a question for Trusteer; they need to whitelist our DLL. They wrote me they already did it, but maybe we need to wait a while, then it'll start working (?). I don't know how exactly it works in their product.

Please note, avast/Trusteer wasn't blocked - they just inform you that someone injected a DLL into the browser and hooked some functions there.

Thanks for new info, appreciate it.

MAG

  • Guest
Thanks pk - Rapport say they are investigating, so I'll see what they find.

I have to say, the Rapport report does read as if it actually blocks the behaviour shield from injecting the DLL into the browser. Here is the Rapport report:

'Rapport blocked attempts to alter the following browser functions. Altering browser functions is a technique that allows taking over the browser and getting access to your sensitive information. This technique is used by malware but also by some legitimate software. Rapport blocks suspicious attempts to alter browser functions. This does not necessarily mean that you have malware on your PC. By blocking these attempts Rapport protects you whether the attempt was made by malware or by good software. You do not need to take any action.
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
etc, etc

GetAGrip

  • Guest
I have Avast 6.0.1000 with Virus Definitions 110309-0 and am experiencing the same problem.

I don't know if this is caused by Avast or another program, Trusteer Rapport does not identify the program that makes the attempts.

I tried to update Trusteer Rapport and received this message: "You are already running with the latest Rapport configuration."

So the program's latest version is still logging and preventing Avast from doing its job. I don't know if this is because of the upgrade to Version 6.0.1000 of Avast.

Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
Attempt to alter function LdrLoadDll blocked
Attempt to alter function NtProtectVirtualMemory blocked
« Last Edit: March 09, 2011, 02:15:05 PM by GetAGrip »