ExP:Invalid Call

Hello,

I'm getting a lot of this Exploit Prevention event: "Invalid Call", which was detected as an attempt to exploit C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE or C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE.

I want to know if it's a false alarm or if you are aware of this problem.

Any help would be really appreciated!

Thanks

3 Replies
Reliable Contributor ninov_n
Message 2 of 4

Re: ExP:Invalid Call

Hello,

Both IEXPLORER and CHROME fall under the list of possible Buffer Overflow affected applications, but bear in mind that such vulnerabilities are fixed in the background by their vendors.

I do not see the full details of the event you get, but at first sight it seems that an external process tried to reach memory used by these processes. Since they both interact with OS components, it is possible that it is a legitimate event, but in case you suspect malicious activity you can run GetSusp on that machine, clean the browsers' cache and run a full scan.

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino

Re: ExP:Invalid Call

Hello, 

Thanks for your response.

You can see the complete event below:

2019-02-27 12:07:02 timestamp="2019-02-27 12:07:02.607", AutoID="399916666", signature="ExP:Invalid Call", threat_type="IDS_THREAT_TYPE_VALUE_BOP", signature_id="18055", category="hip.bo", severity_id="2", event_description="A suspicious call was detected and blocked", detected_timestamp="2019-02-27 12:05:22.0", file_name="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE", target_hash="a839ebb5d127a9872a897fe81c2a861b", detection_method="Exploit Prevention", vendor_action="blocked", AnalyzerContentCreationDate="2019-01-31 22:45:48.0", AnalyzerContentVersion="10.6.0.8966", AnalyzerRuleID="6013", AnalyzerRuleName="Suspicious Function Invocation - CALL Not Found", SourceDescription="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE --CHANNEL=205868.119.1156748700\1582519969 C:\USERS\DIETZTR\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\F608DHH5.DEFAULT\GMP-WIDEVINECDM\4.10.1196.0 -GREOMNI C:\PROGRAM FILES (X86)\MOZILLA FI", TargetSigned="1", TargetSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION", TargetParentProcessSigned="1", TargetParentProcessSigner="C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION", TargetParentProcessName="FIREFOX.EXE", TargetParentProcessHash="79b2c84686d2aa43ad202d3bfd2013b0", TargetName="PLUGIN-CONTAINER.EXE", TargetPath="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX", TargetFileSize="103376", TargetModifyTime="2018-12-07 0

I don't understand the reason for this invalid call.

Would you have an explanation for this?

Thanks,

Regards,
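As an added example (not code from this thread, from Mozilla or from McAfee), a small Python triage helper that parses the key="value" event format posted above and applies the checks the reply relies on: target and parent both signed by the same publisher, and the blocked call originating in the target's own image. The sample event is an abridged copy of the one posted, and the field names are only those visible in it.

```python
import re

# One key="value" pair of an exported ExP event; the (?:"|$) alternative also
# accepts an unterminated last value, since exports like the one above get cut off.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)(?:"|$)')

def parse_event(raw: str) -> dict:
    """Turn one exported ExP event line into a field -> value dict."""
    return dict(_PAIR_RE.findall(raw))

def parse_dn(dn: str) -> dict:
    """Split a signer subject like 'C=US, O=MOZILLA CORPORATION' into attributes."""
    return {k.strip().upper(): v.strip()
            for k, v in (i.split("=", 1) for i in dn.split(",") if "=" in i)}

def triage(event: dict) -> dict:
    """Apply the checks the reply leans on (target and parent signed by the same
    publisher, call originating in the target's own image). A ranking aid only."""
    target_image = f'{event.get("TargetPath", "")}\\{event.get("TargetName", "")}'
    signer = parse_dn(event.get("TargetSigner", ""))
    parent_signer = parse_dn(event.get("TargetParentProcessSigner", ""))
    checks = {
        "target_signed": event.get("TargetSigned") == "1",
        "parent_signed": event.get("TargetParentProcessSigned") == "1",
        "same_publisher": bool(signer) and signer.get("O") == parent_signer.get("O"),
        "source_is_target_image": event.get("SourceDescription", "").upper().startswith(target_image.upper()),
    }
    return {
        "rule": (event.get("AnalyzerRuleID"), event.get("AnalyzerRuleName")),
        "signature_id": event.get("signature_id"),
        "publisher": signer.get("O"),
        "checks": checks,
        "verdict": "likely_false_positive" if all(checks.values()) else "needs_review",
    }

# Abridged copy of the event posted above, tail left truncated as the export cut it.
SAMPLE_EVENT = (
    r'signature="ExP:Invalid Call", signature_id="18055", AnalyzerRuleID="6013", '
    r'AnalyzerRuleName="Suspicious Function Invocation - CALL Not Found", '
    r'SourceDescription="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE '
    r'--CHANNEL=205868.119.1156748700\1582519969 -GREOMNI C:\PROGRAM FILES (X86)\MOZILLA FI", '
    r'TargetSigned="1", TargetSigner="C=US, S=CALIFORNIA, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION", '
    r'TargetParentProcessSigned="1", TargetParentProcessSigner="C=US, S=CALIFORNIA, O=MOZILLA CORPORATION, CN=MOZILLA CORPORATION", '
    r'TargetName="PLUGIN-CONTAINER.EXE", TargetPath="C:\PROGRAM FILES (X86)\MOZILLA FIREFOX", '
    r'TargetModifyTime="2018-12-07 0'
)

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```

A "likely_false_positive" verdict only means the event matches the pattern the reply describes; the vendor KB for the rule remains the authoritative check.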


Reliable Contributor ninov_n
Message 4 of 4

Re: ExP:Invalid Call

Hello,

To me it looks like a false positive because both source and target are clearly Mozilla processes.

You can find additional information here:

https://support.mozilla.org/bg/kb/what-is-plugin-container

Also, it seems there is a known behavior with rule 6015 and event id 18055:

https://kc.mcafee.com/corporate/index?page=content&id=KB90074

For additional information, this is the rule description:

[Screenshot Capture.PNG: Signature 6015]

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino