DLL injection - Internet Security 2014
Hi
Possibly related to Internet Security 2014 (F-Secure 1.99 build 192)
I recently noticed the following warning message in the (Windows 7, 32-bit) event viewer, in the System log:
"Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications."
Is anyone else seeing this? Is this functionality provided by F-Secure to secure processes somehow? (Googling around it seems to be a common symptom when using Kaspersky AV).
Alternatively, could this be caused by EMET?
Thanks
Roger
(Detailed XML error message from log below)
Log Name: System
Source: Microsoft-Windows-Wininit
Date: 10/08/2014 09:04:41
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: mysystem
Description:
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2014-08-10T08:04:41.019861100Z" />
<EventRecordID>68966</EventRecordID>
<Correlation />
<Execution ProcessID="1032" ThreadID="1056" />
<Channel>System</Channel>
<Computer>mysystem</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="StringCount">0</Data>
<Data Name="String">
</Data>
</EventData>
</Event>
Comments
I previously also had system warnings logged but about registry leaks from an F-Secure process. They stopped when I upgraded to a new version of Internet Security. Your version 1.99 is not the latest, it's 2.06. If you have a standard retail version you can upgrade here
Looking at the bottom of the detailed XML message, no DLL is specified (Count = 0), so maybe it's a false warning:
<EventData>
<Data Name="StringCount">0</Data>
<Data Name="String">
</Data>
</EventData>
I haven't seen this warning on my Win7 32-bit and I'm also using EMET (5.0). Next time you see a warning, check the ProcessID and see if that process is still running.
With Process Explorer you can enable the lower pane (Ctrl+L) to list all DLLs loaded in a process/program. It also has the ability to check each DLL on VirusTotal. In this short example you can see both EMET and F-Secure's "hook" as DLLs running in Internet Explorer.
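The check suggested in the comment above (read StringCount and the ProcessID out of the event XML), as an added Python example that is not part of the original thread. It embeds the event from the post, trimmed to the fields used; the function name and the newline-separated handling of the String field are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Windows event XML (taken from the event in the post).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The event from the post above, trimmed to the fields this example reads.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}" />
<EventID>11</EventID>
<TimeCreated SystemTime="2014-08-10T08:04:41.019861100Z" />
<Execution ProcessID="1032" ThreadID="1056" />
<Computer>mysystem</Computer>
</System>
<EventData>
<Data Name="StringCount">0</Data>
<Data Name="String">
</Data>
</EventData>
</Event>"""


def triage_wininit_event(event_xml):
    """Summarise one exported event: who logged it and which strings, if any, it names."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    # Assumption: several entries in "String" would be newline-separated.
    listed = [s.strip() for s in data.get("String", "").splitlines() if s.strip()]
    count = int(data.get("StringCount") or 0)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        # Execution/@ProcessID is the process that wrote the event record.
        "logging_pid": int(system.find("e:Execution", NS).get("ProcessID")),
        "string_count": count,
        "listed": listed,
        # True when the event itself gives no library name to review.
        "names_no_dll": count == 0 and not listed,
        # Count and payload disagree, e.g. a truncated or edited export.
        "inconsistent": count != len(listed),
    }


if __name__ == "__main__":
    for key, value in triage_wininit_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

For the event in the post, `names_no_dll` is true, so the list of loaded libraries has to come from the running processes themselves, as the comment suggests with Process Explorer.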