Maximus5 / ConEmu

Customizable Windows terminal with tabs, splits, quake-style, hotkeys and more
https://conemu.github.io/
BSD 3-Clause "New" or "Revised" License

Carbon Black Defense anti-malware blocks ConEmu because of SetWindowsHookExW #1945

Open jthvedt opened 5 years ago

jthvedt commented 5 years ago

Versions

ConEmu build: 190623, 190331, 180626 x64
OS version: Windows 10 x64, version 1903 build 18362.175
Used shell version (Far Manager, git-bash, cmd, powershell, cygwin, whatever): n/a

Problem description

At launch, ConEmu gets blocked, and the following event shows up in the application log:

The application "C:\program files\conemu\conemu64.exe" attempted to inject code into the process "C:\Program Files\ConEmu\ConEmu64.exe" by calling the function "SetWindowsHookExW". The operation was blocked and the application terminated by Confer.

The same thing happens for ConEmu builds 190623, 190331, and 180626. Build 161206 does not have the same problem.

Steps to reproduce

  1. Install Carbon Black
  2. Try to run ConEmu

Actual results

ConEmu does not run.

Expected results

Terminal joy.

Maximus5 commented 5 years ago

Hm. What do you expect I can fix here? The problem is only in Carbon Black. As their user I believe you may ask them how to run the application which is trusted by thousands of users. BTW, dozens of antiviruses don't block ConEmu. It's used by developers all over the world.

https://conemu.github.io/en/FalseAlarms.html

jthvedt commented 5 years ago

I see from your comment on issue #1214 that ConEmu is in fact injecting code. I can understand why this is seen as suspicious by Carbon Black. I was hoping that since an earlier version of ConEmu doesn't exhibit the same behavior that there might be a fix.

And yes, I am trying to get help from Carbon Black, but haven't heard anything yet. The weird thing is that whitelisting ConEmu doesn't do anything -- it still gets blocked.

Maximus5 commented 5 years ago

Nope. SetWindowsHookExW is not used for injecting code. This function is called only when you run some ChildGui application. Aren't you trying to run mintty in ConEmu as a startup task? Don't do that.

The application "C:\program files\conemu\conemu64.exe" attempted to inject code into the process "C:\Program Files\ConEmu\ConEmu64.exe" by calling the function "SetWindowsHookExW"

Isn't that a precise text? Don't you think it's crazy? ;) CB does not allow ConEmu to inject code into ConEmu?? It looks like a bug in CB or extra paranoia. The only thing I noted: the paths differ in letter case. Maybe that matters.
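For anyone triaging this alert on their own machine, the following PowerShell snippet is an added example (not code from the ConEmu project or from Carbon Black) that pulls block events mentioning SetWindowsHookExW out of the Windows Application log, parses the source and target paths out of the message, and reports whether the "injection" targets the same executable and whether the two paths differ only in letter case, which is the observation made above. It assumes the message has exactly the wording quoted in this issue and lands in the Application log; the provider name is not assumed, so the filter is on message text.

```powershell
# Added example: triage Carbon Black "attempted to inject code" events for SetWindowsHookExW.
# Assumption: the event text matches the wording quoted in this issue and is in the Application log.
$pattern = 'The application "(?<src>[^"]+)" attempted to inject code into the process "(?<dst>[^"]+)" by calling the function "(?<fn>[^"]+)"'

function Get-HookBlockEvents {
    param([int]$MaxEvents = 5000)

    $events = Get-WinEvent -LogName Application -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SetWindowsHookExW' }

    foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            $src = $Matches['src']
            $dst = $Matches['dst']
            # NTFS paths are case-insensitive, so -ieq tells us whether both strings name the same file;
            # -ceq (case-sensitive) tells us whether the tool recorded them with identical casing.
            $sameFile = ($src -ieq $dst)
            $exact    = ($src -ceq $dst)
            [pscustomobject]@{
                Time         = $e.TimeCreated
                Source       = $src
                Target       = $dst
                Function     = $Matches['fn']
                SelfTarget   = $sameFile                    # True: the process is hooking itself
                CaseMismatch = ($sameFile -and -not $exact) # True: identical file, different letter case
            }
        }
    }
}

Get-HookBlockEvents | Format-Table -AutoSize
```

Run it in an elevated PowerShell after reproducing the block; a row with SelfTarget = True and CaseMismatch = True is the situation described in this thread and is useful evidence to attach to a false-positive report to the AV vendor.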

jchampeau commented 2 years ago

@jthvedt, were you able to get Carbon Black to allow ConEmu to run? I am encountering the same or similar issue with a recent release of ConEmu (210912) and Carbon Black Cloud.

Maximus5 commented 2 years ago

I would recommend asking Carbon's authors for help, as you are the user of their program which blocks some legitimate operation. False alarms are often fixed fast by AV software authors.

Maximus5 commented 2 years ago

Anyway, I would not recommend running ChildGui applications in ConEmu if your AV blocks that feature. Just use proper Console Applications instead and the function SetWindowsHookExW will not be called.