Event Viewer reports failed file security audit

[Kick]

Hi,
An interesting and recent problem which is proving difficult to understand and resolve: The Event Viewer reports an IBM Trusteer Rapport file as failing the security audit when the computer starts. This has suddenly happened with no obvious cause.

I've already contacted IBM Trusteer but they have been unable to help. They did suggest running secpol.msc but that is only included in Windows 7 Professional and higher and not available in Windows 7 Home premium which I have. They suggested I contact Microsoft - I have done this via the Microsoft Community but so far suggestions have not worked.

The error I get is:
==================================================
Record Number : 145537
Log Type : Security
Event Type : Audit Failure
Time : 28/06/2016 18:57:39
Source : Microsoft-Windows-Security-Auditing
Category : 12290
Event ID : 6281
User Name :
Computer : Chris-PC
Event Data Length : 0
Record Length : 352
Event Description : Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: \Device\HarddiskVolume3\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys
==================================================
I have tested the hard drive by running a hard drive check using HD Tune which reported no errors. Likewise Windows ChkDsk reported no errors, sfc /scannow found and repaired a couple of corrupted but not related files (a subsequent run reporting no corrupted files). I have also run a disk cleanup of the C: partition and run CCleaner for good measure. None of these provided a resolution. A Microsoft support engineer suggested, among other things, that I temporarily disable my anti-virus software and restart the system - made no difference. I also did a repair installation of the anti-virus without success. Next I did a complete uninstall of Rapport and reinstalled it - the result after the next system start, two different Rapport files, and not the original were shown in the Event Viewer as failing the security audit. On the next restart, the two new files were no longer reported but the original was back as failing the audit and that is the current position.

As far as running the computer is concerned everything seems fine and Rapport appears to be working fully too (my bank requires me to have Rapport for on-line activity so I don't really want to ditch it). A scan with Malwarebytes and a full system scan with Avast 2016 reveal there are no threats.

Any ideas and potential solutions would be gratefully received as would any reassurances that there is nothing to get worried about.

Cheers and best regards, Kick.

 

[starbuck]

my bank requires me to have Rapport for on-line activity so I don't really want to ditch it)

Do they actually require you to use it or do they advise you to use it? .. 2 completely different things.
My bank recommends that I use it... but I wouldn't in a million years.

To be honest, I hear nothing but problems with this software.
This article sums up my feelings about it: Is Trusteer Rapport Worth the Effort?

 

[Kick]

Hi Starbuck,

The bank is quite insistent but I actually get no problems with Rapport and have been using it for several years with barely a hiccup. I suspect the Event viewer issue is more to do with Windows than Rapport and see that, on the internet, there are many other reports of similar 6281 events relating to various different drivers. My problem seems to have coincided with the latest Windows updates - that might be coincidence of course but Windows updates are not unknown to cause problems - the problem started suddenly at a time when the only system changes made were Windows updates
.
Any way, as I have said, I have experienced no other problems on the system so am treating this as a false positive for the time being.

Thanks for your interest, cheers and regards.

 

[Kick]

UPDATE:

It appears that the problem is not unique to Rapport on my system as yesterday having scanned my computer with Malwarebytes Anti-Malware and Malwarebytes Anti-Rootkit, they were logged by the Event Viewer as having code integrity problems. Looking closely at the Event Viewer logs shows a pattern whereby the item is logged as installed followed by the logging of the 'code integrity' problem followed by the logging of the item being installed again. This sequence can range in duration from half a minute to a minute and a half with no other unrelated logs appearing within that period. The programs relating to the logged events all work normally

The problem appeared at about the same time as I installed a Microsoft Silverlight update last week (not in the regular Patch Tuesday updates for June) although I cannot see why this might have caused the problem - perhaps I should uninstall the update and even Silverlight as I suspect I do not visit sites that require it.

The Microsoft Community (MSC) forum has been very quiet on the issue - since the initial response I received when I first posted the problem details on the MSC forum, I have heard no more. Any suggestions and advice would be welcome.

Thanks and cheers, Kick

 

[allheart55 (Cindy E)]

Personally, I think it's just an unexplained glitch in the Event Viewer.
Are you having any problems with the operation of your computer?

 

[Kick]

Hi Cindy,

I'm sure you are right but nevertheless it is frustrating. I'm having no operation problems and the Event Viewer appears to let the reported items through on their second attempt. Possibly the occurrance of the problem at the same time as the Silverlight update is coincidental but one wonders if that update affected the working of the Event Viewer. I have to ask why on my system as there no other recent reports of similar situations?

One of Microsoft's little mysteries I suppose - it makes life interesting.

Cheers, Kick.

 

[Bill M.]

Hi Kick, I have been quietly watching this thread and have two thoughts. There have actually been incidents where an MS update did cause problems and sometimes the answer has been to roll back the MS update, or the last several.
My second thought is that there is no immediate downside to uninstalling the current, updated version of Silverlight. If you find you do use web sites that require Silverlight, you might look for an earlier version and use it.

 

[AWS]

I find that event viewer can be rather chatty at times. I have see things like this before if you use custom view. Maybe try using the default view and remove any custom views.

 

[Kick]

Hi Bill and AWS,

Thanks for your comments - I'll try removing Silverlight to see if that makes any difference and then consider the view setting for the Event Viewer. I'm a bit busy at the moment but will report back later.

Cheers, Kick.

 

[Kick]

Hi All,

I removed Silverlight although that did nothing to help resolve the problem but there is good news at last. Suddenly there was a spate of replies on the Microsoft Community forum. Some of these seemed to treat the issue as some major incident which meant updating the BIOS and hardware drivers. I was sure the problem was simpler than that and sure enough it was. One person who repeatedly came back with advice and suggestions told me to run the Windows Clean boot facility and try to troubleshoot in that environment. I set up the clean boot, disabling all non-Microsoft services and rebooted. Other than error messages relating to Comodo Firewall which had services disabled, The Event Viewer listed no problems. I wasn't sure what to do on the troubleshooting front so thought I could ask for more information but I would carry out a normal boot. I half expected the problem to to show again after the normal boot but it didn't. I presume that in disabling services for the clean boot and then re-enabling them in the normal boot triggered something that cleared a conflict between services. Anyway the outcome is that things are back to normal (but I am touching wood).

Regards, Kick.

 

[Tony D]

Thanks for the update.
That's a bit strange, but glad it resolved your problem.

 

[Kick]

Hi All,
I thought I had added a post to this thread to inform you that I had spoken too soon. Although I had a complete (several hours) session without the code integrity problem recurring, the next time I booted up it reappeared. However, a fortnight later, I now believe the problem is actually resolved as it has not reappeared after several sessions over a couple of days. It seems that in attempting to deal with a completely unrelated problem, by coincidence I resolved the code integrity issue.

The unrelated problem was an Avast Anti-Virus 2016 program update (not one of the automatic regular virus definitions updates). The update would not complete correctly so that, after the required restart, the notification area icon showed a red cross and the three protection shields were shown as disabled. I later discovered that the problem had been acknowledged by Avast and that the protection was actually active but a bug meant that the GUI was not showing this. Thankfully Avast have now resolved the issue.

Initially, being unaware of all this, I tried several things, including a repair installation of Avast, without success. In navigating through the the faulty program's options and menus I locked up my system and resorted to a hard power off to escape. This meant on the next boot I was confronted with a screen explaining the incorrect shutdown and offering several start-up options including 'Normal Start-up' and 'System Repair'. I chose the latter (which claimed to leave all my personal files intact). After the repair, the system booted normally and Avast had returned the previous program version. I have since been able to install the amended Avast program update. Since this upheaval, I have noticed that the Event Viewer no longer reports a code integrity error and this has been true after every restart over the last couple of days. It seems that the 'System Repair' was able to sort the code integrity problem where other options such as 'chkdsk' and 'sfc scannow', that previously I had tried, could not.

Cheers and regards.