After installing the Gas Technologia G-Buster plugin (also known as 'Banco do Brasil G-buster plugin', 'Santander G-buster plugin', 'Banco Itaú Unibanco Setup' and GPLUGIN), the endpoint reports a BOPS alert when opening Internet Explorer and also generates a HIPS alert in Explorer.exe. This has also been reported for Microsoft Office application executable files.
Example SAV.TXT entry:
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'Buffer Overflow'.
Process "C:\Windows\explorer.exe" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.
The problem can also show up as increased CPU utilization when the plugin is in use.
First seen in Sophos Anti-Virus for Windows 2000+
The G-Buster plugin features a component that shares the common characteristics of a Ret2LibC buffer overflow detection. A HIPS alert can also occur when the plugin loads hooks into Explorer.exe.
Newer versions of this plugin can also cause higher system load because HIPS intercepts calls made by the plugin.
You may receive one or both types of detection alerts from endpoints.
Note: Disable protection features and authorize applications with caution. Authorizing applications prevents further HIPS detection from taking place, and once BOPS is disabled, buffer overflow events are no longer detected on your endpoints.
We strongly recommend that you only change the policy settings on endpoints that are affected by the problem.
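As an added example (not Sophos code), the following Python script reads SAV.TXT text and lists which processes raised BOPS and HIPS alerts, which helps identify the affected endpoints before any policy change. The function names and the sample lines are assumptions constructed from the entry format shown above.

```python
import re
from collections import defaultdict

# Entry shape taken from the SAV.TXT example in this article; anything before
# 'Process' on the line (for example a timestamp) is ignored.
ENTRY = re.compile(
    r'Process "(?P<path>[^"]+)" exhibiting suspicious behavior pattern '
    r"'(?P<pattern>[^']+)'"
)

def classify(pattern):
    """Map a reported pattern name to the feature that raised it."""
    if pattern == "Buffer Overflow":
        return "BOPS"
    if pattern.startswith("HIPS/"):
        return "HIPS"
    return "other"

def summarize(log_text):
    """Return {lower-cased process path: {feature: set of pattern names}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        # finditer copes with several entries run together on one line
        for m in ENTRY.finditer(line):
            path = m.group("path").lower()  # Windows paths are case-insensitive
            seen[path][classify(m.group("pattern"))].add(m.group("pattern"))
    return {p: dict(f) for p, f in seen.items()}

def affected_by_both(summary):
    """Processes that raised both a BOPS and a HIPS alert."""
    return sorted(p for p, f in summary.items() if {"BOPS", "HIPS"} <= set(f))

# Constructed sample input modelled on the entry quoted in this article;
# the last line is an unrelated constructed entry that must be skipped.
SAMPLE = (
    "Process \"C:\\Windows\\explorer.exe\" exhibiting suspicious behavior pattern 'Buffer Overflow'.\n"
    "Process \"C:\\Windows\\Explorer.exe\" exhibiting suspicious behavior pattern 'HIPS/ProcInj-002'.\n"
    "Process \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" exhibiting suspicious behavior pattern 'Buffer Overflow'.\n"
    "User logged on\n"
)

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for path, features in sorted(summary.items()):
        print(path, {k: sorted(v) for k, v in features.items()})
    print("both alert types:", affected_by_both(summary))
```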