chrome access system memory

shmu26 · January 29, 2017, 2:01pm

I just got a HIPS alert that google chrome wants to access system memory.
I am puzzled by this, for two reasons:
1 chrome is a trusted process
2 I was not actively browsing the internet. Although I had gmail open, it was not the active window.

I blocked it, although I am almost certain that it was not malicious

can anyone understand what this was all about?

CFW 10
windows 10

DecimaTech · January 29, 2017, 2:18pm

Can you show the HIPS event log that indicates the access attempt? Also do you happen to have enabled use adaptive mode under low system resources in HIPS settings?

shmu26 · January 29, 2017, 2:48pm

I don’t have adaptive mode enabled, attached screenshot of chrome events
well, I am getting an error message from the site about uploading files, so I am attaching a link to my screenshot
https://dl.dropboxusercontent.com/u/64699661/Capture.PNG

DecimaTech · January 29, 2017, 10:10pm

I wouldn’t worry to much about it, most likely a one off event, unless you can reliably replicate it. Maybe chrome was trying to accesses one of the its own processes which was not running at the time of access and the HIPS just put System as the target.

shmu26 · January 30, 2017, 6:30am

thanks
when I allow it, it creates a HIPS rule for chrome. If I delete the rule, then the alert repeats itself a little later in the day.

qmarius · January 30, 2017, 8:53am

What’s listed under ‘Related alert’ in your screenshot?
Also, provide a screenshot of the (extended) info that’s listed in your HIPS alert.

Although I’m not a Google Chrome user, it doesn’t sound right as their approach was to not rely on such access rights in order to improve security. (simply said)
Perhaps something like that happens in initiation (before sandboxing) or it’s triggered by an extension or a specific flag, configuration of Google Chrome.

qmarius · January 30, 2017, 9:03am

It could be triggered with an injected DLL, I think. You should check loaded modules. (in the sense that another application causes it)
Not sure what to say.

shmu26 · January 30, 2017, 9:15am

I am running HitmanPro.Alert, and it injects DLLs everywhere. maybe that is it.
Anyways, I decided I am not going to worry about it. If chrome needs an extra click to allow it to do things, let it be.
Also, I have a couple chrome flags enabled, one of them is appcontainer lockdown.

I am happy to see that COMODO HIPS is awake and protecting the system even for trusted processes.