Resources for bug reporters

[Guest]

[gibran]

• Making a screenshot
• Appending a file to a topic
• Reporting your Killswitch processes.
• Checking a file signature
• Saving and appending log files
• Finding or creating dump files
• Reference links in case you have trouble with dump files
• Determining the cause of a manual scan hang
• What is a virtual machine?
• Using a virtual machine to test CIS
• Doing a clean reinstall of CIS without losing (hardly any) settings.
• Trying out a standard configuration without losing settings.
• Backing up and restoring your settings.
• Why we use the standard format
• Configuration changes you need to tell us about

[gibran]

How to find crashdumps in Windows XP
In order to confirm that Dr.Watson MS Crashdump utility is enabled run  drwtsn32 -i


Windows XP uploads the crash logs to Microsoft but does not save a local copy. You need to enable this option running a file contained in Windows Error Reporting.zip

If some application crashed and you think it is related to CFP please run drwtsn32.exe without any options or switches and look for a crash dump in the path listed in Dr.Watson dialog (Make sure it was created at the time the crash happened) please confirm that Dump symbol table, Dump all thread contexts, Append to existing log file and Create crash dump file checkboxes are enabled. "Create crash dump file" checkbox is the most important option to enable.

[gibran]

How to find crashdumps in Windows Vista
Windows Vista uploads the crash logs to Microsoft but does not save a local copy. You need to enable this option running a file contained in Windows Error Reporting.zip
You need to uncompress Windows Error Reporting.zip and then run Windows Error Reporting.reg

NOTE: in some cases you will only see the name Windows Error Reporting without the .zip or .reg part . You can right click and coose Properties to confirm the filetype.

When an application crashes you can find the required crash informations in %LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue

Just paste that bolded text in explorer and hit go


Be sure to include the following files in a compressed zip file:

WERxxxx.tmp.mdmp
This is the most important file. It contains the crash dump that can be opened inside Visual Studio or other Windows debuggers.

WERxxxx.tmp.version.txt
Contains the operating system version and other hardware information.

WERxxxx.tmp.appcompat.txt
Lists all of the DLLs loaded at the time of the crash with their version information.

[mouse1]

If the windows error reporting (WER) dialog for the crash is still open
Do not answer the dialog (the devs have said that the info may not be valid if collected on second or subsequent dialogs). Go to Advanced Tasks ~ Monitor Activity and open Killswitch. Find the process that WER is saying has crashed or hung and right click to take a full dump.

If not you may be lucky and find the dump file (it will probably be a small dump file), zipped up with other files in:
%LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue
OR
C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Just type the strings above into Windows explorer and hit <return> to see if they are there. You can append the whole zip file.



Failing that, or if the WER dialog is not open and you want a full dump file (which the devs prefer) you need to set up local crash dump collection using the appended .reg file, and await another crash.

To do this just
a) make a restore point (not really needed but better to be safe)
b) download the appended file
c) extract it
d) double click on the .reg file on it
e) say OK when you get the usual warning regarding changes to the registry.

From then on you will find your dump files, as .dmp files, in:

%localappdata%\crashdumps

Just type the string above into the explorer address bar and press enter.

[mouse1]

In Win7/8 & or Vista:
CIS 5.x
Navigate to Defense plus ~ Computer Security Policy ~ Defense plus rules. Then select the CIS group. Choose Edit ~ Customise ~ Protection settings ~ Interprocess memory access ~ Modify ~  allowed applications ~ add taskmgr.exe. Save/apply all settings. Invoke the task manager using <cntrl> <Alt> <delete> and right click on the process, then select "create dump". (In win 8 you'll need to choose 'more details' first). You'll need to zip the resulting file, and upload it to the Cloud, as it will be large.

CIS 6.x
Navigate to Advanced tasks ~ Watch activity and open Killswitch. Do not attempt a dump of cmdagent. Right click on any other CIS process. Choose to create a full dump. You'll need to zip the resulting file and upload it to the Cloud, as it will be large,


In Windows XP
CIS 5.x
1. Install the latest version of process explorer and allow it in memory access to CIS
Download Process Explorer from here. Install and run it. Navigate to Defense plus ~ Computer Security Policy ~ Defense plus rules. Then select the CIS group. Choose Edit ~ Customise ~ Protection settings ~ Interprocess memory access ~ Modify ~  allowed applications ~ add procexp.exe. Save/apply all settings

2. Make the hang dump
When the hang/freeze occurs open process explorer and right click on cfp.exe and cmdagent.exe, choosing to create a mini memory dump. Zip this file before uploading it to the forum please.

CIS 6.x
Please follow instructions for Win 7/Vista

[mouse1]

Where:
You'll find these in the following directory:

XP
%AllUsersProfile%\Comodo\CISDumps

Vista and later
C:\ProgramData\Comodo\CisDumps


What to do
Don't be confused by the % signs. Just type this path exactly as above into Windows Exlorer, or any windows file selection dialog box and you will go to the right place.

There should be zipped and unzipped versions of the crash file. The zipped version is the one you want and should be named after the file that crashed eg cfp.zip, cmdagent.zip.


Notes
You will probably have been prompted to submit a crash dump by email - this has not been working for a long time at time of posting 1 November 2011

The unzipped file name is crash.dmp, and it is created by Comodo crashrep.exe, not Drwtsn.exe.

[mouse1]

Normally you will find:

• A full dump in a file called Memory.dmp (a 'full dump') your %SystemRoot% directory, normally C:\Windows
• A minidump in a file called <date><time>.dmp or minidump.dmp in your %SystemRoot%\Minidump directory normally C:\Windows\Minidump

Check the time and date of the dump file against the incident you wish to report. If you have both a full and a minidump with the correct time and date, use the full dump if it's not of inconvenient size. (Dump files shrink significantly when zipped, but full dumps are still normally better posted in the cloud with a link in the forum).

To access %SystemRoot% just type it into a Windows explorer address bar and hit <Return>

If there's no dump in either of the locations please follow the more detailed guidance below:



----------------------------------------------------------------------------------------------
The following guidance was compiled by Gibran, and has been reposted with edits by Mouse.

Setting up your machine to help you record BSOD error messages

Disable reboot on blue screen of death

Sometimes our computer restarts after showing us a blue screen of death. It might be important for us to note down the error message that caused the blue screen of death to troubleshoot the problem. To disable rebooting the computer after you see a blue screen of death follow the below steps:

1) Goto Control Panel ---> System ( or Press Windows key + Pause)  then (in some OS) go to 'Advanced System Settings'

2) Click the Advanced Tab

3) Under the 'Startup and Recovery' section click on Settings

4) Under 'System Failure' section uncheck 'Automatically Restart'

5) Click on 'OK'

Setting up your machine to record minidumps or fulldumps

Configure the dump type

To configure startup and recovery options to use the small memory dump file, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer.
If they are, see your product documentation to complete these steps.

• Click Start, point to Settings, and then click Control Panel.
• Double-click System.
• Click the Advanced tab, and then click Settings under Startup and Recovery.
• In the Write debugging information list, click Small memory dump (minidump) or Kernel memory dump (Full dump)

To change the folder location for the small memory dump files, type a new path in the Dump File box (or in the Small dump directory box, depending on your version of Windows).

Find your minidumps or full dumps
Paste the Small or Full dump directory string you found in Startup and Recovery Dialog  (eg. %SystemRoot%\Minidump) in explorer and hit go




NOTE: According to Microsoft, there are several reasons why the Memory.dmp file is not being created when your computer encounters a STOP message:

•The Memory.dmp file already exists and the option Overwrite Any Existing File (found in Control Panel System) is not selected. It is a good idea to leave this box checked and to move or copy the current Memory.dmp file.
•The paging file on the boot drive is not large enough. To use the "Write Debugging Information To" feature to obtain a complete memory dump file, the paging file on the boot drive must be at least as large as physical memory + 1 MB. When you create a kernel memory dump file, the file is usually around one-third the size of the physical memory on the system. Of course, this quantity will vary, depending on your circumstances.
•The paging file is not on the %systemroot% partition. When the STOP error occurs, the system crash dump is written out to the pagefile on the root of the %systemroot% drive.
•There is not room for the Memory.dmp file in the path specified in Control Panel for writing the memory dump.
•It is possible that the SCSI controller is bad or the system crash is caused by a bad SCSI controller board.
•If you specify a non-existent path, a dump file will not be written. For example, if you specify the path as C:\Dumpfiles\Memory.dmp and no C:\Dumpfiles folder exists, a dump file will not be written.

[mouse1]

Virtual machine software allows you to run a virtual computer, running any operating system, in a window on your normal computer. The virtual computer is called a virtual machine.

It can be very helpful to install CIS on a virtual machine and use it to test CIS. The advantages are:

• You can test CIS in a standard environment, and so determine what bugs are inherent to CIS and what issues are the result of interaction with other software
• If testing a beta version of CIS you can test without much risk to your production machine, and without much risk to your main machine's security
• You can create a dedicated testing enviroment with all the tools at hand you need to test CIS

If you do please do NOT use VirtualBox as CIS does not work reliably when VirtualBox is installed. A free alternative is Vmware player. Vmware workstation works well too but is not free. You need to exclude the Vmware progrm directory from shellcode injections under D+ settings ~ Execution control ~ Exclusions.

Brief tips: I've installed mine on a XP machine with 3 GB of accessible memory & it runs OK - installation was smooth though - when creation of the Windows virtual machine is included - slow. You must start with a licensed version of Windows with a licence key - the key may be on the back of your computer or your OS disk. I find you need at least 10Gb of free disk space per Windows Virtual machine, if you include .NET, but its wiser to set a higher limit to the size of a given virtual machine when installing it. It's important to keep the virtual disk file (the largest file) defragmented, and don't use the <Cntrl> <alt> <delete> sequence in the virtual machine.

[mouse1]

EXAMPLES OF CONFIGURATION CHANGES CONSIDERED MAJOR:

AV
Cloud disabled
Heuristics Medium or High

Firewall
Any level apart from 'safe'
Removed any preset rules
Added any global rules or safe zones manually
Not using Comodo DNS servers
TrustConnect set to encrypt all public connections

HIPS
'Block all unknown requests if the application is closed' ticked.
Enhanced mode turned on or off
Any level apart from safe
Any preset (eg operating system or CIS) rules deleted

File rating
Trusted Software Vendors list deleted
Cloud disabled

Behavior Blocker
Registry hack in place to virtualise unrecognised files
'Treat unrecognised files as' changed
Detect installers off
Heuristics Off
Shellcode off

Sandbox
Do not virtualise access to files unticked
Do not virtualise access to registry keys ticked and keys defined

[mouse1]

We ask for the the information in the bug reports because it helps developers fix bugs quickly. This is particularly important for free software, as the development teams a usually small.

To fix a bug quickly and efficiently developers need to:

• Understand. Understand precisely what is happening and why you think it's a problem
• Replicate. Be able to make the bug/issue happen themselves, so they can fully diagnose it and tell when it is fixed
• Find info. Have all the information in a standard format so they can find any specific peice of information quickly

Here's why we ask for the information we do in specific sections of the bug report.

The bug/issue
This section is mainly about helping the developer to understand what is happening and why the user thinks it is a problem. One question asks whether the user can make the bug happen again - this helps the developers reproduce the issue on their computers.

A. THE BUG/ISSUE (Varies from issue to issue)

• What actually happened or U actually saw:
  
• If not obvious, what U expected to happen or see:
  
• Can U reproduce the problem & if so how reliably?:
  
• If you can, precise steps to reproduce it. If not say what you did before it happened:
  
• If a software compatibility problem have U tried the conflict FAQ?:
  
• Any software except CIS/OS involved? If so give name, exact version, & download link:
  
• Any other information, eg your guess at the cause, how U tried to fix it etc:
  

Appended files
These serve to illustrate or add information to the above sections.
- Screenshots are often worth a thousand words in helping devs to understand a bug.
- The Killswitch Process List shows what software your machine is running, and how CIS may be restricting it
- Random BSODS, crashes & hangs cannot be diagnosed at all without dump files
- CIS configuration files make it easy to give detailed information about settings to devs.

A. 8. Always attach: Diagnostics file, Killswitch processes, dump (if freeze/crash). If complex: CIS logs & config, screenshots, video.

Your set-up
This section is mainly about helping the developers to reproduce the problem on their computers. Users often think that bugs they experience are happening to everyone using the sofware. In fact most bugs occur only:
- in a specific CIS version or with specific CIS settings
- in conjunction with other security or utility software
- on specific operating systems or with specific OS settings
So developers really do need to know ALL this information if they are to reproduce a bug.

B. YOUR SETUP (Likely the same from issue to issue, users can copy forward)

• CIS version & configuration:
  
• Modules enabled & level. Defense+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
  
• Have U updated (without uninstall) from a previous version of CIS:
  
  • if so, have U tried a a clean reinstall - if not please do?:
    
• Have U imported a config from a previous version of CIS:
  
  • if so, have U tried a standard config - if not please do:
    
• Have U made any other major changes to the default config? (egs here.):
  
• OS version, SP, 32/64 bit, UAC setting, account type, & virtual machine used :
  
• Other security & sandbox software a) currently installed b) installed since last OS install:
  

[mouse1]

Application crash dump files can be created by CIS or by the operating system - you can tell which by whether the message informing you of the crash is a Windows or an CIS message. OS crash dumps are always created by the operating system. Hang dumps have to be specially requested using the OS or a third party utility.

If you have CIS 6.x you probably won't have to worry about finding crash dumps for CIS processes, they should already be in your Diagnostics file which you always have to append to bug reports. However please do check that the right dump file is there. If it isn't or if you need to find crash dumps for other applications, hang dumps or OS crash dumps, please see the guidelines below.

• How to find application crash dumps created by CIS.
• How to find application crash dumps created by Windows XP.
• How to find application crash dumps created by Vista.
• How to find application crash dumps created by Win7/8.
• Setting your machine for and finding OS crash minidumps & BSOD information.
• Creating an application hang dump.

[This list created by Mouse as a guide mainly to Gibran's work. Gibran's original first post is now obsolete and has been moved].

[mouse1]

Option 1 - Append a file (better for small files)
When you create a topic or reply to one you will find a little arrow and the red words 'Additional options' just below the text box. Just click on this and use the attach sub-option. You'll need to zip the files, unless they are in common image or text formats. If you have any problems please PM an active mod.

Option 2 - Upload to the Cloud (better for bigger files)
Upload to your favorite Cloud drive provider, and post the public shortcut to the file. You can get a Comodo Cloud account for free.

[mouse1]

Virtual machine software is software that allows you to run multiple 'guest' computers on a host computer. The computers can use the same operating system as the host computer or a different one.

It can be very helpful to use a virtual machine to test CIS. If you do please do NOT use VirtualBox as CIS does not work reliably when VirtualBox is installed. A free alternative is VMware player. More info here.

[mouse1]

If you are happy to install additional software, Faststone is a very good free program. It allows to to take screenshots of a whole window scrolling down aromatically - very useful for Killswitch process lists. Also you can capture any part of your screen. (Depending on the version used you may need to make it a Defense plus trusted file and restart it). This post here explains how to use Faststone.

Without installing additional software the easiest way is to:

• In Windows XP and Vista Take a copy of the whole screen (you cannot select parts) using the <PRTSC> key. This places the image in your cut and paste buffer. Paste it into any program that allows you to save images (eg Microsoft Paint), and save it as an PNG (.png), GIF (.gif) or JPEG (.jpg) file. The first two are higher quality so text will be more readable, the third lower quality but smaller (size limit is 12.5Mb)
• In Windows 7 and 8 and some Vista versions Use the Windows snipping tool to take a copy of the area of interest. Under Start ~ All Programs ~ Accessories in Windows 7. You can append the default .png file

Note that image formats other than JPEG, GIF or PNG may need to be archived (eg placed in a zip file) before posting.

[mouse1]

Use the appended adapted Microsoft sysinternals software to do signature checks

How to do this:

• Just unpack appended zip archive to C:\program files\SysInternalsSuite (Spelling - note double S - and location of directory must be exact)
• Make a system restore point just in case
• Navigate to the directory and double click on the sigcheck.REG file - this adds a registry key. You may be told that the publisher is unrecognised, asked to grant the files admin privs, and/or asked to confirm the addition of a key to the registry. Please say yes to all these.
• That's it! Now if you right click on any file. You should now see a menu item 'signature'. Choose this to check the file's signature, and make a screenshot of the results. You may get a 'run' alert for installers - just say yes, it will not run the installer.

This is better then using Windows signature tabs because it covers catalogue signed files (eg Windows files) as well as normal signed files, and checks for certificate revocation. The formal signer name can be checked against the CIS trusted vendor list.

If you wish the latest version of the executable in the zip file can be downloaded from Microsoft here but the version in the zip file work perfectly well.

[Tags:]