public inbox for cygwin@cygwin.com
* Re: Another BLODA with Cylance PROTECT? Can't rebase
@ 2017-05-24  3:44 Tim McDaniel
  2017-05-24  7:43 ` Brian Inglis
  0 siblings, 1 reply; 8+ messages in thread
From: Tim McDaniel @ 2017-05-24  3:44 UTC (permalink / raw)
  To: cygwin

Back in ml/cygwin/2017-04/msg00238.html, Wed, 19 Apr 2017 14:25:26
-0400, "Another BLODA with Cylance PROTECT? Can't rebase", I noted
that I couldn't install current cygwin, and asked for help on how to
proceed.

Someone at work did find the two interfering systems.
* BeyondTrust
* Cylance antivirus/antimalware was triggering on certain programs like dash
Both had to be dealt with.

-- 
Tim McDaniel, tmcd@panix.com

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Another BLODA with Cylance PROTECT? Can't rebase
  2017-05-24  3:44 Another BLODA with Cylance PROTECT? Can't rebase Tim McDaniel
@ 2017-05-24  7:43 ` Brian Inglis
  2017-05-25 23:19   ` Tim McDaniel
  0 siblings, 1 reply; 8+ messages in thread
From: Brian Inglis @ 2017-05-24  7:43 UTC (permalink / raw)
  To: cygwin

On 2017-05-23 21:34, Tim McDaniel wrote:
> Back in ml/cygwin/2017-04/msg00238.html, Wed, 19 Apr 2017 14:25:26 
> -0400, "Another BLODA with Cylance PROTECT? Can't rebase", I noted 
> that I couldn't install current cygwin, and asked for help on how to 
> proceed.
>
> Someone at work did find the two interfering systems.
> * BeyondTrust

BLODA product name is BeyondTrust PowerBroker Endpoint, Server, or both?

> * Cylance antivirus/antimalware was triggering on certain programs
> like dash
> Both had to be dealt with.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada


* Re: Another BLODA with Cylance PROTECT? Can't rebase
  2017-05-24  7:43 ` Brian Inglis
@ 2017-05-25 23:19   ` Tim McDaniel
  0 siblings, 0 replies; 8+ messages in thread
From: Tim McDaniel @ 2017-05-25 23:19 UTC (permalink / raw)
  Cc: cygwin

On Tue, 23 May 2017, Brian Inglis wrote:
> On 2017-05-23 21:34, Tim McDaniel wrote:
>> Back in ml/cygwin/2017-04/msg00238.html, Wed, 19 Apr 2017 14:25:26
>> -0400, "Another BLODA with Cylance PROTECT? Can't rebase", I noted
>> that I couldn't install current cygwin, and asked for help on how to
>> proceed.
>
>> Someone at work did find the two interfering systems.
>> * BeyondTrust
>
> BLODA product name is BeyondTrust PowerBroker Endpoint, Server, or
> both?

I am told "BeyondTrust PowerBroker for Windows", installed on a laptop.

>> * Cylance antivirus/antimalware was triggering on certain programs
>>    like dash
>> Both had to be dealt with.

-- 
Tim McDaniel


* Re: Another BLODA with Cylance PROTECT? Can't rebase
  2017-04-25 16:43   ` Tim McDaniel
  2017-04-25 18:05     ` cyg Simple
@ 2017-04-26  1:17     ` Brian Inglis
  1 sibling, 0 replies; 8+ messages in thread
From: Brian Inglis @ 2017-04-26  1:17 UTC (permalink / raw)
  To: cygwin

On 2017-04-24 23:25, Tim McDaniel wrote:
> On Fri, 21 Apr 2017, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
>> On Apr 19 14:25, Timothy McDaniel wrote:
>>> $ ./0p_000_autorebase.dash
>>> creating empty /var/cache/rebase/rebase_pkg
>>>       0 [main] dash 12952 fork: child 12912 - died waiting for dll
>>> loading, errno 11
>>> /bin/rebaselst: 98: /bin/rebaselst: Cannot fork
>>> $ ./base-files-mketc.sh
>>>       0 [main] sh 13628 fork: child 10276 - died waiting for dll loading,
>>> errno 11
>>> ./base-files-mketc.sh: fork: retry: Resource temporarily unavailable
>>> ...
>> That's pretty bad, considering that ash only links against the Cygwin
>> DLL itself.
>>> Running /bin/rebaseall by hand, the old way, had no output and no
>>> effect.
>> No effect?  How do you know?
> My apologies.  I later ran with the verbose option, letting it choose
> an address, and later choosing a few myself.  There was output saying
> that it was rebasing each package.  Instead of "no effect", I should
> have written that the exact same error message came up when I tried to
> run anything slightly complicated.  (Simple commands work, but
> harmless-looking things like "time" and many pipes fail.)
>> If you're sure Cylance PROTECT is the culprit,
> I'm not.  It did not throw up any messages or log any events about
> blocking anything.  It's just that most BLODA appears to be antivirus
> systems, and it's the only substantial change that I know of in my
> work systems.  (We're still on the same version of Windows.)
> I have a little more information.  A co-worker told me that he uses
> "Babun", http://babun.github.io/.  It's Cygwin, but with a larger
> number of installed and configured packages and a moderately more
> convenient control system.  I installed it and it works fine ... but
> immediately on installation, it's an old Cygwin.  (By default, each
> day it auto-updates to the current Cygwin.)
>     Jun 23  2015 libcygwin.a
> For example, Perl there is 5.14.4, but the current Cygwin Perl is
> 5.24.1.  pcre is 8.36, versus current 8.40.3.  But, like I said, it
> works.  If I update to the latest, though, it fails in exactly the
> same way as a regular Cygwin installation.
> So all I can say is that it seems that there was some change to
> libcygwin.a some time in the last 2 years to which my system is
> allergic for some reason, which is hardly any help.
> But I don't know how to proceed further, except by letting this 2015
> installation sit and never ever update it.  Or install a virtual
> machine with disk sharing and try to do my occasional UNIXy work with
> it.  Someone from the local support team has asked why I was asking
> about Cygwin, and why I'm interested in "Running OSes on top of
> OSes".  So I may have to go the VM route.

You could work with your support to run your tests on a laptop identical 
to yours, before and after the AV product is installed, to prove to 
yourself, them, and the AV vendor, that their product causes your 
problems, if that is in fact the case.
As usual with AV products, raise an issue with the vendor, and ask them 
to investigate the problem, and provide a solution.

This AV product is likely to cause a lot of problems, as all its 
detection mechanisms seem to be generic pattern based, which the major 
AV suites also use sometimes, but they're likely to have more problems 
once they start having to handle all the exceptions to their generic 
approach.

Technical tools often have issues with enterprise products like AV, 
that are fine if you only ever run MS Office based apps, or download 
malware, but don't work well with a large variety of non-vanilla 
apps. 
Your AV may be blocking anything that spawns other processes, if apps
like time cause problems, although if it is more sophisticated, it may
dislike the way Cygwin works around Windows' lack of a working fork, and
interfere with that operation, as many AV products do.

And educate your support guys: point out Cygwin allows use of thousands 
of open source packages, the same reason MS provides WSL, but rather 
than an isolated limited Ubuntu shell sandbox emulation, provides 
comprehensive Unix emulation, including daemons and X, full Windows 
integration, interop, and more up to date package releases and security 
patches than many Unix distros.

It is your support's job to remove impediments to you doing your job 
for the business, rather than question the tools you choose to use.
Your VM is likely to have the same problems with the same AV installed.
You could try using the Cygwin Time Machine to bisect the approximate 
Cygwin release where your problems occur; see:

http://www.crouchingtigerhiddenfruitbat.org/Cygwin/timemachine.html

if you start with your babun release, take snapshots, and work mainly 
forwards from working snapshots.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
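
The before/after comparison suggested in the message above, sketched as a fork smoke test. This is an added example, not part of the thread; the probe names, the report format and the FORKPROBE_LOG variable are assumptions, and it assumes the fork error strings quoted in the thread arrive on the shell's stderr.

```shell
#!/bin/sh
# Added example: fork smoke test to run before and after a security product
# is installed. Probe names, report format and FORKPROBE_LOG are made up here.
FORKPROBE_LOG=${FORKPROBE_LOG:-./forkprobe.$$.err}

# True if the line carries one of the fork-failure messages quoted in this
# thread. Uses only shell pattern matching, so the check itself never forks.
is_fork_failure() {
    case $1 in
        *"died waiting for dll loading"*) return 0 ;;
        *"Cannot fork"*)                  return 0 ;;
        *"fork: retry:"*)                 return 0 ;;
    esac
    return 1
}

# run_probe NAME COMMAND
# Evaluates COMMAND in the current shell with stderr captured to a file, then
# prints "NAME PASS", "NAME FORKFAIL" or "NAME FAIL(status)".
run_probe() {
    name=$1
    cmd=$2
    if eval "$cmd" >/dev/null 2>"$FORKPROBE_LOG"; then rc=0; else rc=$?; fi
    verdict=PASS
    [ "$rc" -eq 0 ] || verdict="FAIL($rc)"
    while IFS= read -r line; do
        if is_fork_failure "$line"; then verdict=FORKFAIL; fi
    done < "$FORKPROBE_LOG"
    echo "$name $verdict"
}

# Probes ordered from no fork at all up to the cases the thread reports as
# failing ("time" and longer pipelines).
run_all() {
    run_probe builtin  ':'
    run_probe external 'uname'
    run_probe subshell '( : )'
    run_probe cmdsubst 'x=$(echo hi)'
    run_probe pipe2    'echo a | cat'
    run_probe pipe8    'echo a | cat | cat | cat | cat | cat | cat | cat'
    run_probe time     'time uname'
    rm -f "$FORKPROBE_LOG"
    return 0
}

run_all
```

Save the report from the clean machine and diff it against the report taken after the product is installed; the first probe that flips to FORKFAIL shows how much process creation is needed to trigger the interference.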


* Re: Another BLODA with Cylance PROTECT? Can't rebase
  2017-04-25 16:43   ` Tim McDaniel
@ 2017-04-25 18:05     ` cyg Simple
  2017-04-26  1:17     ` Brian Inglis
  1 sibling, 0 replies; 8+ messages in thread
From: cyg Simple @ 2017-04-25 18:05 UTC (permalink / raw)
  To: cygwin

On 4/25/2017 1:25 AM, Tim McDaniel wrote:

> Someone from the local support team has asked why I was asking
> about Cygwin, and why I'm interested in "Running OSes on top of
> OSes".  So I may have to go the VM route.

Often an issue for those who don't use the computer to actually do work.
You may want to review your agreements to employment and use of
employer's computers to ensure no legal backlash comes your way.

-- 
cyg Simple


* Re: Another BLODA with Cylance PROTECT? Can't rebase
  2017-04-21 17:40 ` Corinna Vinschen
@ 2017-04-25 16:43   ` Tim McDaniel
  2017-04-25 18:05     ` cyg Simple
  2017-04-26  1:17     ` Brian Inglis
  0 siblings, 2 replies; 8+ messages in thread
From: Tim McDaniel @ 2017-04-25 16:43 UTC (permalink / raw)
  To: cygwin

On Fri, 21 Apr 2017, Corinna Vinschen <corinna-cygwin@cygwin.com> wrote:
> On Apr 19 14:25, Timothy McDaniel wrote:
>> $ ./0p_000_autorebase.dash
>> creating empty /var/cache/rebase/rebase_pkg
>>       0 [main] dash 12952 fork: child 12912 - died waiting for dll
>> loading, errno 11
>> /bin/rebaselst: 98: /bin/rebaselst: Cannot fork
>> $ ./base-files-mketc.sh
>>       0 [main] sh 13628 fork: child 10276 - died waiting for dll loading,
>> errno 11
>> ./base-files-mketc.sh: fork: retry: Resource temporarily unavailable
>> ...
>
> That's pretty bad, considering that ash only links against the Cygwin
> DLL itself.
>
>> Running /bin/rebaseall by hand, the old way, had no output and no
>> effect.
>
> No effect?  How do you know?

My apologies.  I later ran with the verbose option, letting it choose
an address, and later choosing a few myself.  There was output saying
that it was rebasing each package.  Instead of "no effect", I should
have written that the exact same error message came up when I tried to
run anything slightly complicated.  (Simple commands work, but
harmless-looking things like "time" and many pipes fail.)

> If you're sure Cylance PROTECT is the culprit,

I'm not.  It did not throw up any messages or log any events about
blocking anything.  It's just that most BLODA appears to be antivirus
systems, and it's the only substantial change that I know of in my
work systems.  (We're still on the same version of Windows.)


I have a little more information.  A co-worker told me that he uses
"Babun", http://babun.github.io/.  It's Cygwin, but with a larger
number of installed and configured packages and a moderately more
convenient control system.  I installed it and it works fine ... but
immediately on installation, it's an old Cygwin.  (By default, each
day it auto-updates to the current Cygwin.)

     Jun 23  2015 libcygwin.a

For example, Perl there is 5.14.4, but the current Cygwin Perl is
5.24.1.  pcre is 8.36, versus current 8.40.3.  But, like I said, it
works.  If I update to the latest, though, it fails in exactly the
same way as a regular Cygwin installation.

So all I can say is that it seems that there was some change to
libcygwin.a some time in the last 2 years to which my system is
allergic for some reason, which is hardly any help.

But I don't know how to proceed further, except by letting this 2015
installation sit and never ever update it.  Or install a virtual
machine with disk sharing and try to do my occasional UNIXy work with
it.  Someone from the local support team has asked why I was asking
about Cygwin, and why I'm interested in "Running OSes on top of
OSes".  So I may have to go the VM route.

-- 
Tim McDaniel, tmcd@panix.com


* Re: Another BLODA with Cylance PROTECT?  Can't rebase
  2017-04-20 14:17 Timothy McDaniel
@ 2017-04-21 17:40 ` Corinna Vinschen
  2017-04-25 16:43   ` Tim McDaniel
  0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2017-04-21 17:40 UTC (permalink / raw)
  To: cygwin

On Apr 19 14:25, Timothy McDaniel wrote:
> I'm setting up a new Windows machine, and as usual, hitting a problem with
> installing Cygwin.
> 
> setup-x86_64.exe.  Package postinstall shows
> 
> Package: 0/Perpetual
> 	0p_000_autorebase.dash exit code 2
> Package: _/Unknown package
> 	base-files-mketc.sh exit code 254
> 	base-files-profile.sh exit code 254
> 
> "cd /etc/postinstall" and running by hand in ash shows
> 
> $ ./0p_000_autorebase.dash
> creating empty /var/cache/rebase/rebase_pkg
>       0 [main] dash 12952 fork: child 12912 - died waiting for dll
> loading, errno 11
> /bin/rebaselst: 98: /bin/rebaselst: Cannot fork
> $ ./base-files-mketc.sh
>       0 [main] sh 13628 fork: child 10276 - died waiting for dll loading,
> errno 11
> ./base-files-mketc.sh: fork: retry: Resource temporarily unavailable
> ...

That's pretty bad, considering that ash only links against the Cygwin
DLL itself.

> Running /bin/rebaseall by hand, the old way, had no output and no
> effect.

No effect?  How do you know?  Check the output of `rebase -si'.  The
DLLs shouldn't overlap.  Did you run /bin/rebaseall from ash?
Other than that, if you have the file, rebaseall did its job, at least
for the DLLs not in use at the time (i.e., when running bash,
libreadline for instance).

> The new laptop has Cylance PROTECT on it.  It might be BLODA ... but
> it's not on the BLODA list, and I tried setting "export
> CYGWIN=detect_bloda" but the output doesn't change.

We just don't (and can't) know all BLODAs, and the bloda detection
was just a nice try.  It doesn't seem to catch a lot of culprits.

> There might be
> some other BLODA that I don't know about.  BTW, it's a work laptop and
> thoroughly locked down, so I can't change any settings for it.
> 
> Did I miss something in Web pages?  Any suggestions on how I might
> proceed?

If rebaseall did its job as outlined above, you should be mostly good to
go.

Talk to your admin guys.  If you're sure Cylance PROTECT is the culprit,
you (or your admins) may want to talk to their support.  We can also add
it to the BLODA list then for others encountering the same problem.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Another BLODA with Cylance PROTECT?  Can't rebase
@ 2017-04-20 14:17 Timothy McDaniel
  2017-04-21 17:40 ` Corinna Vinschen
  0 siblings, 1 reply; 8+ messages in thread
From: Timothy McDaniel @ 2017-04-20 14:17 UTC (permalink / raw)
  To: cygwin

I'm setting up a new Windows machine, and as usual, hitting a problem with
installing Cygwin.

setup-x86_64.exe.  Package postinstall shows

Package: 0/Perpetual
	0p_000_autorebase.dash exit code 2
Package: _/Unknown package
	base-files-mketc.sh exit code 254
	base-files-profile.sh exit code 254

"cd /etc/postinstall" and running by hand in ash shows

$ ./0p_000_autorebase.dash
creating empty /var/cache/rebase/rebase_pkg
      0 [main] dash 12952 fork: child 12912 - died waiting for dll
loading, errno 11
/bin/rebaselst: 98: /bin/rebaselst: Cannot fork
$ ./base-files-mketc.sh
      0 [main] sh 13628 fork: child 10276 - died waiting for dll loading,
errno 11
./base-files-mketc.sh: fork: retry: Resource temporarily unavailable
...

Running /bin/rebaseall by hand, the old way, had no output and no effect.

The new laptop has Cylance PROTECT on it.  It might be BLODA ... but it's
not on the BLODA list, and I tried setting "export CYGWIN=detect_bloda"
but the output doesn't change.  There might be some other BLODA that I
don't know about.  BTW, it's a work laptop and thoroughly locked down, so
I can't change any settings for it.

Did I miss something in Web pages?  Any suggestions on how I might proceed?

-- 
Tim McDaniel, tmcd at panix.com






