Unexpected BOPS and HIPS alerts after installing the G-Buster banking security plugin

  • Article ID: 118656
  • Updated: 02 Mar 2016

Issue

After installing the Gas Technologia G-Buster plugin (also known as 'Banco do Brasil G-buster plugin', 'Santander G-buster plugin', 'Banco Itaú Unibanco Setup' or GPLUGIN), the endpoint reports a BOPS alert when Internet Explorer is opened and also generates a HIPS alert in Explorer.exe. The same alerts have also been reported in Microsoft Office application executable files.

Example SAV.TXT entry:

Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.

An increase in CPU utilization may also be seen when this plugin is in use.

First seen in
Sophos Anti-Virus for Windows 2000+

Cause

The G-Buster plugin contains a component whose behavior matches the characteristics that trigger a Ret2LibC buffer overflow detection. A HIPS alert can also occur when the plugin loads its hooks into Explorer.exe.

Newer versions of this plugin can also cause higher system load, because HIPS intercepts the calls made by the plugin.

What To Do

You may receive one or both types of detection alerts from endpoints.

If you are receiving a BOPS detection

  • The BOPS detection has been resolved by Gas Technologia. Please contact your banking provider to ask for an updated version of G-Buster that resolves the issue. This is believed to be version 4.0.1.1 or later. (The version number may differ between G-Buster branded variants.)
  • If you are unable to acquire the latest version, you can disable 'Detect buffer overflows' to avoid further alerts, or switch to 'Alert only, do not block', which still reports alerts while allowing the affected application to operate as normal.

If you are receiving a HIPS detection

  • The HIPS alert should no longer present itself as an issue. Please ensure that SAV is fully up to date, and that G-Buster is up to date.

If you are encountering high CPU usage

  • You can verify this is a HIPS conflict by disabling HIPS locally, and confirming the issue does not continue.
  • To correct this, the following exclusions should be set for On-Access scanning when using Sophos Enterprise Console or standalone installations, and for Real-time scanning when using Sophos Cloud:

    • c:\Windows\System32\Drivers\wsddfac.sys
    • c:\Windows\System32\Drivers\gbpddreg64.sys
    • c:\Windows\System32\Drivers\gbpddfac64.sys
  • If the problem still continues after adding these exclusions, add the following as well:

    • c:\Windows\System32\Drivers\gbpddreg32.sys
    • c:\Windows\System32\Drivers\gbpndisrdn.sys
    • c:\Windows\System32\Drivers\gbpkm.sys
    • c:\Windows\System32\Drivers\wsddpp.sys
  • Exclusions are not required for On-Demand/Scheduled scanning.

Note: Disabling protection features and authorizing applications should be done with caution. Authorizing an application prevents further HIPS detections for it from taking place, and disabling BOPS means buffer overflow events will no longer be detected on your endpoints.

We strongly recommend that you only change the policy settings on endpoints that are affected by the problem.
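When collecting SAV.TXT exports from many endpoints, it helps to sort the entries into the two alert families described above so that the right remediation is applied to each endpoint. The following Python script is an added example (not Sophos's or Gas Technologia's code): it parses lines in the format quoted under "Issue", keeps only alerts raised in the processes the article names, and reports which of the two actions applies. The process name iexplore.exe for Internet Explorer and the sample log lines are assumptions; Office executables are mentioned by the article but not named, so add them to AFFECTED_PROCESSES as needed.

```python
import re
from collections import Counter

# Matches the SAV.TXT entry format quoted in the article. Any prefix on
# the line (e.g. a timestamp) is ignored because search() is used.
ENTRY_RE = re.compile(
    r'Process "(?P<process>[^"]+)" exhibiting suspicious behavior pattern '
    r"'(?P<pattern>[^']+)'\."
)

# Processes the article associates with the G-Buster plugin.
# iexplore.exe is assumed to be the Internet Explorer executable.
AFFECTED_PROCESSES = {"explorer.exe", "iexplore.exe"}

# Constructed sample export: the two lines from the article, an alert in an
# unrelated process (must be ignored) and a second BOPS alert in IE.
SAMPLE_LOG = [
    r'Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern '
    r"'Buffer Overflow'.",
    r'Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern '
    r"'HIPS/ProcInj-002'.",
    r'Process "C:\Tools\other.exe" exhibiting suspicious behavior pattern '
    r"'Buffer Overflow'.",
    r'Process "C:\Program Files\Internet Explorer\iexplore.exe" exhibiting '
    r"suspicious behavior pattern 'Buffer Overflow'.",
]


def classify(pattern):
    """Map a detection pattern to the alert family the article discusses."""
    if pattern == "Buffer Overflow":
        return "BOPS"
    if pattern.startswith("HIPS/"):
        return "HIPS"
    return "OTHER"


def parse_entry(line):
    """Return a dict for a SAV.TXT detection line, or None if it does not match."""
    m = ENTRY_RE.search(line)
    if m is None:
        return None
    process = m.group("process")
    return {"process": process,
            "name": process.rsplit("\\", 1)[-1].lower(),
            "pattern": m.group("pattern"),
            "family": classify(m.group("pattern"))}


def triage(lines):
    """Count alerts per family in the affected processes and list the actions."""
    counts = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["name"] not in AFFECTED_PROCESSES:
            continue
        counts[entry["family"]] += 1
    actions = []
    if counts["BOPS"]:
        actions.append("BOPS: obtain G-Buster 4.0.1.1 or later from the bank; "
                       "otherwise switch BOPS to 'Alert only, do not block'")
    if counts["HIPS"]:
        actions.append("HIPS: ensure SAV and G-Buster are fully up to date")
    return counts, actions
```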

If you need more information or guidance, then please contact technical support.
