Open Bug 1444030 Opened 4 years ago Updated 3 years ago

Avast prevents DLL blocklist from blocking DLLs (BlocklistInitFailed)

Categories

(Core :: General, defect)


Tracking

Tracking Status
firefox-esr52 --- affected
firefox58 --- affected
firefox59 --- affected
firefox60 --- affected

People

(Reporter: cpeterson, Unassigned)

References

(Blocks 1 open bug)

Details

According to bug 1369361 comment 51 and later, installing Avast prevents our DLL blocklist from blocking Lenovo DLLs ActiveDetect64.dll and WindowsApiHookDll64.dll. All of bug 1369361's crash reports have "BlocklistInitFailed: 1".
Avast is one of the most used antivirus software according to Telemetry data, so this is pretty important.
Should we reach out to them?
Aklotz, can you investigate if Avast always breaks the blocklist?
Flags: needinfo?(aklotz)
I don't see ActiveDetect64.dll and WindowsApiHookDll64.dll in the installation I just added. I did see other Avast DLLs present that were loaded very early during process startup.

Here's how that works:

* Avast allocates a page of executable VM in our address space and uses a detour-style hook in ntdll!LdrLoadDll to jump to it;
* kernel32.dll is always loaded by ntdll.dll via ntdll!LdrpInitializeProcess;
* When the main thread executes ntdll!LdrpInitializeProcess and goes to load kernel32.dll, it calls LdrLoadDll. That call to LdrLoadDll is redirected to the Avast code.
* The Avast code then restores LdrLoadDll to its original state, then calls LdrLoadDll to inject its DLLs and load kernel32.dll.

I didn't look into what the Avast DLLs do once they have been injected, but BlocklistInitFailed is an indicator that we couldn't hook LdrLoadDll because something else got to it first. I expect that once injected, the Avast DLLs would then re-hook LdrLoadDll themselves.

(In reply to Marco Castelluccio [:marco] from comment #1)
> Aklotz can you investigate if Avast always breaks the blocklist?

Yes, they poke at LdrLoadDll and probably get to it before we do.
Flags: needinfo?(aklotz)
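The BlocklistInitFailed situation described above, where LdrLoadDll's entry point already carries a detour before Firefox gets to it, can be recognised from the first bytes of the function. The following is an added example and not Firefox launcher code: `classify_entry`, `jmp_rel32_target` and `detour_leaves_module` are hypothetical names, and the Windows-only `main` reads the live ntdll!LdrLoadDll while the checks themselves work on plain byte buffers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* What the first bytes of an entry point look like. */
typedef enum { ENTRY_CLEAN = 0, ENTRY_JMP_REL32, ENTRY_JMP_RIP_INDIRECT,
               ENTRY_MOV_RAX_JMP_RAX } entry_state;

/* Recognise the common x64 trampoline encodings a hooking engine writes over
   an entry point. An unpatched LdrLoadDll starts with none of these. */
entry_state classify_entry(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9)                        /* jmp rel32 */
        return ENTRY_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)     /* jmp [rip+disp32] */
        return ENTRY_JMP_RIP_INDIRECT;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&  /* mov rax, imm64 */
        code[10] == 0xFF && code[11] == 0xE0)               /* jmp rax */
        return ENTRY_MOV_RAX_JMP_RAX;
    return ENTRY_CLEAN;
}

/* Resolve a jmp rel32 detour: the displacement is relative to the end of
   the 5-byte instruction. */
uintptr_t jmp_rel32_target(uintptr_t entry, const uint8_t *code) {
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);
    return entry + 5 + (uintptr_t)(intptr_t)rel;
}

/* 1 if the detour at `entry` jumps outside the owning module's image, i.e.
   into a separately allocated executable page as described in the comment. */
int detour_leaves_module(uintptr_t entry, const uint8_t *code, size_t len,
                         uintptr_t mod_base, size_t mod_size) {
    if (classify_entry(code, len) != ENTRY_JMP_REL32) return 0;
    uintptr_t target = jmp_rel32_target(entry, code);
    return target < mod_base || target >= mod_base + mod_size;
}

#ifdef _WIN32
int main(void) {                 /* Windows-only driver: inspect the live ntdll */
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    uint8_t *fn = (uint8_t *)GetProcAddress(ntdll, "LdrLoadDll");
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((uint8_t *)ntdll + ((IMAGE_DOS_HEADER *)ntdll)->e_lfanew);
    printf("LdrLoadDll entry state %d, detour leaves ntdll: %d\n", (int)classify_entry(fn, 16),
           detour_leaves_module((uintptr_t)fn, fn, 16, (uintptr_t)ntdll, nt->OptionalHeader.SizeOfImage));
    return 0;
}
#endif
```

A launcher that finds a non-clean entry state before installing its own hook has the same information the BlocklistInitFailed annotation records, and can log which module the detour lands in.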