Unexpected BOPS and HIPS alerts after installing the G-Buster banking security plugin

  • Article ID: 118656
  • Updated: 17 Oct 2014

Issue

After installing the Gas Technologia G-Buster plugin (also known as 'Banco do Brasil G-buster plugin', 'Santander G-buster plugin', 'Banco Itaú Unibanco Setup' or GPLUGIN), the endpoint reports a BOPS alert when Internet Explorer is opened and also generates a HIPS alert in Explorer.exe. The alerts have also been reported for Microsoft Office application executable files.

Example SAV.TXT entry:

Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.

Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.

First seen in

Sophos Anti-Virus for Windows 2000+

Cause

The G-Buster plugin includes a component whose behavior shares the common characteristics of a Ret2LibC buffer overflow, which triggers the BOPS detection. A HIPS alert can also occur when the plugin loads hooks into Explorer.exe.

What To Do

You may receive one or both types of detection alerts from endpoints.

If you are receiving a BOPS detection

  • The BOPS detection has been resolved by Gas Technologia. Please contact your banking provider to ask for an updated version of G-Buster that resolves the issue. This is believed to be version 4.0.1.1 or later. (The version number may differ between G-Buster branded variants.)
  • If you are unable to acquire the latest version, you can disable 'Detect buffer overflows' to avoid further alerts, or switch to 'Alert only, do not block', which lets you keep receiving alerts while the affected application operates as normal.

If you are receiving a HIPS detection

  • The HIPS alert is still under investigation by both parties as a priority. As an immediate workaround (in business-critical situations only), you can authorize the reported processes IExplore.exe and Explorer.exe in your Sophos Console to avoid further alerting.

Note: Disabling protection features and authorizing applications should be done with caution. Authorizing an application prevents further HIPS detections from taking place for it, and disabling BOPS means buffer overflow events are no longer detected on your endpoints.

We strongly recommend that you only change the policy settings on endpoints that are affected by the problem.
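One way to scope the policy change to the alerts this article covers is to triage collected SAV.TXT lines first. The script below is an added example, not part of the original article or a Sophos tool; it assumes the alert text matches the example entries above, and the timestamp prefix, the `C:\Temp\unknown.exe` path and `Example-Pattern` in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Alert text as shown in the article's SAV.TXT example; any prefix is ignored.
ALERT_RE = re.compile(
    r'Process "(?P<path>[^"]+)" exhibiting suspicious behavior pattern '
    r"'(?P<pattern>[^']+)'"
)
# Processes the article names; extend with any Office executables you see reported.
KNOWN_PROCESSES = {"explorer.exe", "iexplore.exe"}
# The two behavior patterns the article describes, mapped to its alert types.
PATTERN_KINDS = {"Buffer Overflow": "BOPS", "HIPS/ProcInj-002": "HIPS"}

# Constructed sample: lines 1-2 are the article's entries, the rest are made up.
SAMPLE = r"""
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.
20141017 101500 Process "C:\Program Files\Internet Explorer\iexplore.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
Process "C:\Temp\unknown.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Example-Pattern'.
"""


def triage(lines):
    """Split alerts into those this article covers and those needing review."""
    covered = defaultdict(set)  # process path -> {"BOPS", "HIPS"}
    review = []                 # (process path, pattern) outside the article
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        path, pattern = m.group("path").lower(), m.group("pattern")
        name = path.rsplit("\\", 1)[-1]
        kind = PATTERN_KINDS.get(pattern)
        if kind and name in KNOWN_PROCESSES:
            covered[path].add(kind)
        else:
            review.append((path, pattern))
    return dict(covered), review


if __name__ == "__main__":
    covered, review = triage(SAMPLE.splitlines())
    for path, kinds in sorted(covered.items()):
        print(path, "->", ", ".join(sorted(kinds)))
    for path, pattern in review:
        print("REVIEW, not covered by this article:", path, pattern)
```

Matching is by file name only, so confirm the full path of each covered process is the expected system location before authorizing it.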

If you need more information or guidance, then please contact technical support.
