topic Re: Web page evaluated twice in Endpoint

Web page evaluated twice

PIN64 — Thu, 02 Jul 2020 15:40:57 GMT

Our company use Endpoint Security E82.10 and I have an unusual behavior.

We use a batch file calling Internet Explorer to access a web page on an internal IIS web server and trigger an update .

The command in the DOS batch file is

Start "" "%ProgramFiles%\Internet Explorer\iexplore.exe" "http://servername.dom.net/page.aspx

Since we installed Endpoint Security the update is triggered twice and looking into IIS log I can confirm that the page is read twice.

If I remove Endpoint Security everything goes back to normal.

I would like to set up an exception, but I am unable to identify which blade is responsible for this.

I suspect it's Threat Emulation and Anti Exploit, but my attempt to create an exclusion for the website has been ineffective.

Any suggestion on the cause or a resolution?

Thanks in advance

Re: Web page evaluated twice

PhoneBoy — Thu, 02 Jul 2020 21:24:20 GMT

When you say "triggered twice" what do you precisely mean?
Does IE open up twice?
Are there corresponding Endpoint logs?

Re: Web page evaluated twice

PIN64 — Fri, 03 Jul 2020 09:18:04 GMT

The DOS batch file is executed as a Windows Scheduled task and it runs once.

Within the batch file there is the call to execute Internet Explorer to open a web page. As far as I can see, Internet Explorer is opened once. I have the same problem running the Internet Explorer line in a command prompt, so I don't think the scheduled task is a factor.

When I look into IIS logs, I see one "get" command at the time of execution, but the ASPX page is executed twice.

The webpage executes a command and mails a result. I receive the result twice

I don't know which Endpoint logs to examine, but a "dumb" search for the URL in the logs folders found the URL in the log sandblast_logs.log and in efr.db (I know this is not a log file, but it was a dumb search)

This an example of the log content

[03/07 11:07:27.191:001] IE_API (8792:1) Registered to IE events
[03/07 11:07:27.191:002] IE_API (8792:1) OnBeforeNavigate: New url = http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.206:003] IE_API (8792:1) SandBlast.isExcludedDomain(): excluded domains:
[03/07 11:07:27.206:004] IE_API (8792:1) SandBlast.isExcludedDomain(): domain didn't match any exclusion: servername.dom.net
[03/07 11:07:27.253:005] IE_API (8792:1) SandBlast.OnBeforeNavigate(): navigating to about:blank
[03/07 11:07:27.253:006] IE_API (8792:1) OnBeforeNavigate: New url = about:blank, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.253:007] IE_API (8792:1) Checking if background is up
[03/07 11:07:27.269:008] IE_API (8792:1) Background does not exist
[03/07 11:07:27.878:001] IE_API (9520:1) Registered to IE events
[03/07 11:07:27.987:002] IE_API (9520:1) OnBeforeNavigate: New url = sandblast://data/background_runner.html, flags = 256, frame = , Prev url = , hashcode = 43942917
[03/07 11:07:27.987:003] IE_API (9520:1) OnBeforeNavigate: END
[03/07 11:07:28.097:004] IE_API (9520:1) OnNavigateComplete: sandblast://data/background_runner.html
[03/07 11:07:28.097:005] IE_API (9520:1) Hiding background window
[03/07 11:07:28.128:009] IE_API (8792:1) OnBeforeNavigate: END
[03/07 11:07:28.175:006] IE_API (9520:1) ieInstance_DocumentComplete: sandblast://data/background_runner.html
[03/07 11:07:28.237:007] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Background registration pipe ReadLoop thread started for .CP_SBA4B_PIPE_DOM_!Backup
[03/07 11:07:28.253:008] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Waiting for next tab registration
[03/07 11:07:28.300:010] IE_API (8792:1) OnNavigateComplete: about:blank
[03/07 11:07:28.316:011] IE_API (8792:1) ieInstance_DocumentComplete: about:blank
[03/07 11:07:28.362:012] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Creating communication pipe .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_
[03/07 11:07:28.362:013] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Setting low integrity level
[03/07 11:07:28.362:014] PIPES (8792:1) IeClientPipe.TryRegisterPipeOnBackground(): Connecting to background
[03/07 11:07:28.362:015] PIPES (8792:1) IePipe.IsOtherSideOk(): pipeProcessPath = c:\program files (x86)\internet explorer\iexplore.exe ieProcessPath = c:\program files (x86)\internet explorer\iexplore.exe
[03/07 11:07:28.362:016] PIPES (8792:1) IeClientPipe.TryRegisterPipeOnBackground(): Registering .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_ in background
[03/07 11:07:28.362:017] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Waiting for background connection to tab communication pipe
[03/07 11:07:28.362:009] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Tab registration message received, message = .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_,about:blank
[03/07 11:07:28.378:019] PIPES (8792:1) IeClientPipe.ConnectToBackground(): Connection established from .CP_SBA4B_PIPE_DOM_!Backup to .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_
[03/07 11:07:28.378:018] PIPES (8792:1) IePipe.IsOtherSideOk(): pipeProcessPath = c:\program files (x86)\internet explorer\iexplore.exe ieProcessPath = c:\program files (x86)\internet explorer\iexplore.exe
[03/07 11:07:28.378:020] PIPES (8792:5) (8792:1) IeClientPipe.ConnectToBackground(): Communication ReadLoop thread spawned by tab
[03/07 11:07:28.362:010] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Tab registration complete
[03/07 11:07:28.362:011] PIPES (9520:4) (9520:1) IeServerPipe.Listen(): Waiting for next tab registration
[03/07 11:07:28.378:012] PIPES (9520:3) (9520:1) IeServerPipe.Listen(): Communication ReadLoop thread spawned by background
[03/07 11:07:28.378:013] PIPES (9520:3) (9520:1) IeServerPipe.Listen(): Connecting to tab communication pipe .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_
[03/07 11:07:28.409:021] IE_API (8792:1) ieInstance_BeforeScriptExecute: about:blank
[03/07 11:07:28.425:022] IE_API (8792:1) ieInstance_DocumentComplete: navigating back to http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory on frame
[03/07 11:07:28.425:023] IE_API (8792:1) OnBeforeNavigate: New url = http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory, flags = 256, frame = , Prev url = about:blank, hashcode = 43942917
[03/07 11:07:28.425:024] IE_API (8792:1) Checking if background is up
[03/07 11:07:28.425:025] IE_API (8792:1) OnBeforeNavigate: END
[03/07 11:07:28.441:014] ERROR (9520:1) callJsMethodRunner: HRESULT = Unknown name (0x80020006), method = cs_ie_send_message_invoked, args: %7B%22command%22%3A%22content_script_load%22%2C%22content_script_id%22%3A%2221da056f%22%7D, .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_, %7B%22mID%22%3A0%2C%22title%22%3A%22%22%2C%22url%22%3A%22about%3Ablank%22%7D
[03/07 11:07:30.894:026] IE_API (8792:1) OnNavigateComplete: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
[03/07 11:07:30.956:027] IE_API (8792:1) ieInstance_DocumentComplete: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
[03/07 11:07:30.972:028] IE_API (8792:1) ieInstance_BeforeScriptExecute: http://servername.dom.net/cron.aspx?lang=en&job=sync-active-directory
[03/07 11:07:31.003:015] ERROR (9520:1) callJsMethodRunner: HRESULT = Unknown name (0x80020006), method = cs_ie_send_message_invoked, args: %7B%22command%22%3A%22content_script_load%22%2C%22content_script_id%22%3A%223b0fa9b5%22%7D, .CP_SBA4B_PIPE_DOM_!Backup_8792_1_43942917_12189840_js_, %7B%22mID%22%3A0%2C%22title%22%3A%22NextOne%20Cron%20Execution%22%2C%22url%22%3A%22http%3A%2F%2Fservername.dom.net%2Fcron.aspx%3Flang%3Den%26job%3Dsync-active-directory%22%7D

I hope this answer your questions

Re: Web page evaluated twice

MikeB — Fri, 03 Jul 2020 14:14:41 GMT

As far I can tell, the exclusion is not being applied to your domain.

How did you apply the exclusion? I recommend not to use wildcards but the exact domain.

In my case the SBA Extension did not apply the exclusions well if I use wildcards in the domain excluded.

Re: Web page evaluated twice

PIN64 — Mon, 06 Jul 2020 10:45:20 GMT

The problem may be that I did not put the exception in the right place.

Where should I define the exception, in theSandBlast Agent Threat Extraction, Emulation and Anti-Exploit settings? And "domain" can be the FQDN name of the web server?

Re: Web page evaluated twice

MikeB — Mon, 06 Jul 2020 15:10:25 GMT

Yes. The exclusion should be applied in the following place:

Re: Web page evaluated twice

PIN64 — Tue, 07 Jul 2020 06:57:51 GMT

I made the change you suggested, but still the pages are executed twice and it says domain doesn't match any exclusion

[07/07 05:00:08.432:001] IE_API (6416:1) Registered to IE events
[07/07 05:00:08.448:002] IE_API (6416:1) OnBeforeNavigate: New url = http://welcome.mydomain.com/cron.aspx?lang=en&job=visits-gdpr, flags = 256, frame = , Prev url = , hashcode = 43942917
[07/07 05:00:08.448:003] IE_API (6416:1) SandBlast.isExcludedDomain(): excluded domains:
[07/07 05:00:08.448:004] IE_API (6416:1) SandBlast.isExcludedDomain(): domain didn't match any exclusion: welcome.mydomain.com
[07/07 05:00:08.651:005] IE_API (6416:1) SandBlast.OnBeforeNavigate(): navigating to about:blank
[07/07 05:00:08.651:006] IE_API (6416:1) OnBeforeNavigate: New url = about:blank, flags = 256, frame = , Prev url = , hashcode = 43942917

I put welcome.mydomain.com in the exclusions and verified the policy was updated on the client.

I don't understand why it would not be recognized.

Re: Web page evaluated twice

MikeB — Tue, 07 Jul 2020 22:22:28 GMT

Have you tried just with mydomain.com in the exclusions??

Re: Web page evaluated twice

PIN64 — Wed, 08 Jul 2020 07:01:27 GMT

I am reluctant to do this because it would include some sites that are not hosted internally, but I will make an attempt.

Re: Web page evaluated twice

PIN64 — Wed, 08 Jul 2020 07:15:32 GMT

I have tested the policy with the exclusion for the domain and it is still ignored/not recognized.

Re: Web page evaluated twice

PhoneBoy — Wed, 08 Jul 2020 13:51:24 GMT

Best to open a TAC case so we can investigate what's happening.