- Unable to forward or rewind the file in Windows media file.
- Activity Logs does not show which signatures has been triggererd
- When disabling HIP API engine playback works fine. However, HIP API is the engine which handles the enforcement of signatures.
Agent logging is set to ALL for firewall and IPS. Although, on our implementation the only service enabled is IPS.
How should I know the root cause of the problem.
Message was edited by: mycheladam on 3/1/10 10:26:07 PM CSTMessage was edited by: mycheladam on 3/1/10 10:26:40 PM CST
Please do the follow to see if there is possibly a signature trigger of when the issue happens:
Disable the HIPS module and all the HIPS services and re-name the HIPShield.log. From IPS logging, unchecked all the options and only check 'Security Violations'. Re-enable the HIPS module and services and see if you can duplicate the issue. Do you see any sigs triggered in the HIPShield.log?
Disable the HIPS module and the services as in the earlier step, make a back-up copy of Kevlar_API_Hook_List.dat, delete every thing from in there and only leave a couple of black lines in there. Re-enable HIPS module and the services. Could you now still duplicate the issue?
Make sure to restore the Kevlar_API_Hook_List.dat backed up earlier after the test.
You didn't mention if it was the media player plug-in for IE, Firefox or the standalone.
The stand alone WM process is wmplayer.exe.
If the issue 'did' go away after editing Kevlar_API_Hook_List.dat, troubleshooting further, you would need to comment out the references to wmplayer.
There are 4 handlers (functions) referring to wmplayer.exe. You would do this one at a time to try and determine if the issue is caused by a handler function. (think of a handler as an entry point for a signature and must be initialized whenever the respective process starts.
If it was a WM plug-in you were referring to, the reference would be to iexplore.exe in the Kevlar hook list. Also, because some of the control functionality is affected, it could be an ActiveX conflict too. The iexplore.exe process is referenced in many more hook list handlers. You could go by halves or quarters with "find and replace" to bracket which one may be causing an issue.
If you locate a specific handler that is the culprit, open a support case and inform the engineer. If you don;t want to go through this by yourself, open a support case and they can assist.
I will note, these types of hook list handler issues are few and far between. The most common cause of issues like yours are that a signature is simply triggering and impeding the functionality.
The error has been resolved when we upgraded Media Player to version 11 (standalone). Support replied and asked me to perform the upgrade. He says that the cause of issue is Rule ID 3792.He did not further explain why it happened so I can't tell the details of the issue.
I will still want to test your suggestions. I just don't have time to visit my client.
Thanks for your help. You may archive this topic.