Topic: App. is not working correctly, but does not seem to be s/boxed. [v6]

mouse1
There are a number of possible causes. Please run through these in order, as those later in the list may be more inconvenient or have greater effects on your security.

  • The application may be Behavior Blocked without your knowledge. When processor load is high, some applications may be Behavior Blocked without alerts or log entries. Also, part of the application other than the main program executable may be Behavior Blocked. These Behavior Blocked files will normally appear either in Advanced Settings ~ File Rating ~ Unrecognised Files or, if still running, show as sandboxed in the Advanced Tasks ~ Watch Activity processes list. Just release all files (presuming you trust them) from the Behavior Blocker by making them trusted or by other methods as described here and reboot. Please note that a computer reboot is sometimes needed to release an application.
  • Inappropriate settings may have been created on updating to the new version or when importing settings. Please try completely uninstalling CIS and re-installing (without importing settings) using this process here.
  • The application may load too early for CIS to sandbox it or make it trusted. To identify such files, look in the Advanced Tasks ~ Watch Activity processes list for files with rating=unknown and restriction=disabled. Use the right-click menu to make these trusted and reboot.
  • The application may hook into the operating system in ways that conflict with CIS. There is no reliable way of identifying such programs, though a few generate shellcode/buffer-overflow Defense plus event log entries.
    • The problem with many such applications can be resolved by making them exceptions on the Advanced Settings ~ Security ~ Defense plus ~ Behavior Blocker ~ Settings ~ Shellcode exceptions list and rebooting. This works even if there is no shellcode/buffer overflow log entry. In some cases you may have to exclude all the executable files in the program directory, and any sub-directories, in this way, or even an installation, related copy protection executable, or other third party or common 'helper' or operating system programs[1]. Buffer overflow protection exemption works with Daemon Tools, and MS security essentials for example.
    • You can also try selecting or unselecting enhanced protection mode under Advanced Settings ~ Security ~ Defense plus ~ HIPS ~ Settings and rebooting. On 64 bit systems de-selecting this will reduce the level of security offered by CIS.
  • The program, often a game or video, may be trying to display an alert, often a firewall or D+ alert, but cannot because the computer is in full screen mode. Please try using Game Mode.
  • If you are using HIPS the program may require greater permissions than allowed and trusted files, but be unable to ask for them. To get round this, apply the installer updater predefined policy to all executable files in the program's directory, and any other executable files you know it uses, using Advanced Settings ~ Security ~ Defense plus ~ HIPS ~ Rules ~ Add. You may need to ensure the policy is effective using these techniques here. Then reboot. For security reasons do not do this for applications that you will use to run other unknown files.

Program(s) known not to work without disabling whole CIS modules: Virtual Box.

Programs known to require very special settings: Winsshd, Alcohol.



Footnotes
[1] If the program uses cmd.exe in some way (as for example terminal programs may) you may be able to solve problems by excluding cmd.exe from buffer overflow protection as described above.
[2] Many thanks to all who have discovered, helped discover or confirmed these fixes and work-arounds, especially Rickrev, Endymion, SwissSteph, and Sderevyanko.
« Last Edit: March 17, 2013, 11:14:08 AM by mouse1 »

 
