May 23, 2013, 01:09:45 PM
Topic: RivaTuner utility - D3DOverrider - has trusted/installer privileges (Read 5188 times)

WxMan1
« on: December 27, 2010, 10:55:08 PM »

I've recently noticed that a component of RivaTuner (a 3rd party nVidia graphics tweaking utility), i.e., D3DOverrider, is indicated as having trusted/installer privileges.  Nowhere, for the life of me, can I figure out where that is established, i.e., neither app is digitally signed, nor is any vendor associated with said apps; no digital signature, either private or CSA issued, exists for either app.  Therefore the problem can not stem from trusted vendor listing.  Secondly, no D+ security policy exists whereby such privileges are conferred to either RivaTuner or D3DOverrider; RivaTuner.exe & D3DOverrider.exe both live in the trusted files domain of CIS D+.  HOWEVER, RivaTuner.exe merely has 'trusted' privileges (per CIS active process listing).

I'm not concerned that either app is malware; they are not.  Nor do I have an issue with them being 'trusted' per se - they belong in the trusted file domain in so far as the CIS cloud detection system/servers shouldn't be bothered with these things.

I question why D3DOverrider.exe has been conferred 'trusted/installer' privileges by CIS, when 'installer' functionality is outside of the app's putative purpose.
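One way to verify the signature claim in this post on a current Windows system, as an added example that is not part of the thread: it reads the Authenticode status and signer of the two RivaTuner binaries (paths are the ones the poster gives later in the thread, assumed here) and records their hashes so the exact build can be compared against whatever a trusted-files list holds.

```powershell
# Added example, not from the thread. Paths are assumptions taken from the
# poster's later reply; adjust them if RivaTuner is installed elsewhere.
$paths = @(
    'E:\RivaTuner\RivaTuner.exe',
    'E:\RivaTuner\Tools\D3DOverrider\D3DOverrider.exe'
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : not found"
        continue
    }

    # Status is NotSigned for an unsigned PE, Valid for a chained-up
    # signature, and other values (HashMismatch, UnknownError, ...) when a
    # signature is present but cannot be trusted.
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.Subject
    } else {
        '(none)'
    }

    # Hashes pin down the exact build under discussion.
    $sha1   = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

    Write-Output ("{0}`n  Status: {1}`n  Signer: {2}`n  SHA1:   {3}`n  SHA256: {4}" -f `
        $p, $sig.Status, $signer, $sha1, $sha256)
}
```

If Status comes back NotSigned for both files, the trusted-vendor path is ruled out, which is the poster's argument; the remaining explanations are the file list and the policy rules the thread goes on to discuss.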

Jacob (Global Moderator)
« Reply #1 on: December 27, 2010, 10:57:43 PM »

Hello WxMan1,

Most likely it is on the whitelist;
Can you open up CIS > Defense+ > Defense+ Settings
Make sure "Create rules for safe applications" is checked;
And then run the app again; once you do, you should see the app's name in the Defense+ Computer Security Policy.

Did this help?

Jake
OTR Truck Driver
Please Follow The Forum Rules!

WxMan1
« Reply #2 on: December 27, 2010, 11:30:58 PM »

If it is in the whitelist, why as 'trusted/installer'?  Trusted, yes; installer, categorically: NO.

Moreover, "Create rules for safe applications" is unchecked; I make the rules.

Furthermore, the app was, previous to my noticing this phenomenon, not listed in D+ Security Policy; I manually put it there - all permissions for Security Policy access-name set to 'ask' - and restarted D3DOverrider from Start, RivaTuner, D3DOverrider.  It should not have installer permissions, unless there's a gotcha with its design inherent in its putative functionality, i.e., over-ride video-card driver level-functionality and 'auto-detect installer/updaters and run outside of s-box' option ticked (FWIW: I have 'auto-trust files from trusted installers' unticked).

Is it possible that this phenomenon is a vestige from an imported proactive config?  The one I'm running on is v4.x derived 'tweaked' s/a to include additions of default v5...1135 out-of-the-box.  Specifically, I was unaware of the functionality that the '|' symbol conferred to CIS operation (as seen in 'protected files / folders').  There were some other issues that related to registry entries that were also addressed; I found some pre-existing default v4.x entries that weren't present in the out-of-box v5 that a CIS developer extraordinaire said: keep; so I kept.

Succinctly: I am absolutely confident that I brought up my pre-existing - v4.x - proactive config utterly to v5 level w/regards to missing default functionality.  IF it is a whitelisting issue inherited from old version proactive config, then exporting my existing proactive config, reinstalling CIS v5...1135 from scratch, and re-importing the custom proactive config should resolve the issue, eh?

Edited note: re-install and importation of present v5.1135 proactive config would only perpetuate the problem IF the cause is that the D3DOverRider was originally in the v4.x whitelist
« Last Edit: December 27, 2010, 11:52:02 PM by WxMan1 »

Jacob (Global Moderator)
« Reply #3 on: December 27, 2010, 11:54:38 PM »

Quote
If it is in the whitelist, why as 'trusted/installer'?  Trusted, yes; installer, categorically: NO.

Moreover, "Create rules for safe applications" is unchecked; I make the rules.

Furthermore, the app was, previous to my noticing this phenomenon, not listed in D+ Security Policy; I manually put it there - all permissions for Security Policy access-name set to 'ask' - and restarted D3DOverrider from Start, RivaTuner, D3DOverrider.  It should not have installer permissions, unless there's a gotcha with its design inherent in its putative functionality, i.e., over-ride video-card driver level-functionality.  I do have 'auto-detect installer/updaters and run outside of s-box' ticked (FWIW: I have 'auto-trust files from trusted installers' unticked).

Is it possible that this phenomenon is a vestige from an imported proactive config?  The one I'm running on is v4.x derived 'tweaked' s/a to include additions of default v5...1135 out-of-the-box.  Specifically, I was unaware of the functionality that the '|' symbol conferred to CIS operation (as seen in 'protected files / folders').

Succinctly: I am absolutely confident that I brought up my pre-existing - v4.x - proactive config utterly to v5 level w/regards to missing default functionality.  IF it is a whitelisting issue inherited from old version proactive config, then exporting my existing proactive config, reinstalling CIS v5...1135 from scratch, and re-importing the custom proactive config should resolve the issue, eh?

It's not recommended to import old configurations; it's best to start with a fresh configuration.

Just to verify:

You do have CIS in Paranoid Mode for Defense+, correct? (Right Click CIS Icon > Defense+ Security Level)
And in Defense+ Computer Security Policy you see the application listed as Trusted/Installer? Or did you see this in the Event Viewer?
Did you have this application in the v4 policy?
I do apologize; I'm trying to get more background info on this situation.

Jake

WxMan1
« Reply #4 on: December 28, 2010, 12:11:59 AM »

Everything appears to be working fine.  I noticed an issue w/security privilege of an app that used to be enabled.  To answer your questions succinctly:

1) Afro
2) yes
3) the entire overarching app had previously - at the time of CIS v4.x - been installed to a folder other than where it lives at present; after re-installation of RivaTuner (same version as before), it was necessary to specify RivaTuner.exe as a 'trusted' app under the auspices of v5...1135; until recently D3DOverrider had not been active; however, its old D+ Security policy under v4.x did exist at the time I launched it under the new and improved CIS v5...1135; FWIW: D3DOverrider requires the user to launch it manually and stipulate: launch at boot; that I did.
4) understood.

I understand what you're saying, and my position is that I'm trying to preserve an existing config established over the course of 8+ months.  I can NOT allow this issue to stand if a clean wipe will resolve the inherent security risk; what assurance can there be that nothing else suddenly pops up w/extreme security privilege?  FWIW: in v4.x I was running in 'safe mode' (now, due to enhanced understanding of CIS functionality, I'm 'paranoid').
« Last Edit: December 28, 2010, 12:24:23 AM by WxMan1 »

Jacob (Global Moderator)
« Reply #5 on: December 28, 2010, 12:15:24 AM »

Quote
Everything appears to be working fine.  I noticed an issue w/security privilege of an app that used to be enabled.  To answer your questions succinctly:

1) Afro
2) yes
3) the entire overarching app was installed to a different folder in v4.x; it was necessary to establish the core component, i.e. RivaTuner, as a 'trusted' app; until recently D3DOverrider wasn't active; it requires the user to launch it and stipulate: launch at boot; that I did.
4) understood.

Simply remove the whole rule of the app that is in question;
maybe a few pop ups will be presented, but it will be much more productive than just starting fresh.

Can you post a screen shot of the rule of the app that is in question?

Also Go to Defense+ > Computer Security Policy > Purge To remove invalid items


Jake

Edit: Updated
« Last Edit: December 28, 2010, 12:33:51 AM by Jacob »

WxMan1
« Reply #6 on: December 28, 2010, 12:46:55 AM »

If I understand properly:

delete D+ rules for both

E:\RivaTuner\RivaTuner.exe

E:\RivaTuner\Tools\D3DOverrider\D3DOverrider.exe

in D+ Computer Security Policy.

How do I post a 'screenshot'?  It does not appear to be an option in the available controls.  I sent a URL to your PM; it is immaterial what desktop I have, despite an intense desire to show it to all watching.
« Last Edit: December 28, 2010, 12:55:55 AM by WxMan1 »

Jacob (Global Moderator)
« Reply #7 on: December 28, 2010, 12:49:10 AM »

Quote
How do I post a 'screenshot'?  It does not appear to be an option in the available controls.
That is correct.

There is a key on your keyboard that says "Print Screen"; once you press that, go to Start > Run > mspaint,
Ctrl + P
and save it as a jpeg file and upload it here in your next post. (Reply > Additional Options > Choose File)


I'll notify other mods to come assist you in this matter


Jake
« Last Edit: December 28, 2010, 01:16:55 AM by Jacob »

WxMan1
« Reply #8 on: December 28, 2010, 01:16:07 AM »

Just where is that 'additional option' option?

I'm sorry if macular degeneration is something only old-timers are subject to...

Quite frankly it may be something I have to deal with at 50.  BTW, you should have my PM by now.

ALL that notwithstanding, it is immaterial...

I've imaged %SysDrive% (as a form of restore-point), uninstalled CIS, and then reinstalled CIS and allowed it to catch everything from scratch...

That is a bad, bad, baaaaaad way of doing business.  You do that once to somebody, that's one thing; that happens twice and there be bad feelings; there will be NO third time.
« Last Edit: December 28, 2010, 02:18:44 AM by WxMan1 »

jay2007tech (Malware Research Group, Global Moderator)
« Reply #9 on: December 29, 2010, 01:55:13 PM »

Quote
There is a key on your keyboard that says "Print Screen"; once you press that, go to Start > Run > mspaint,
Ctrl + P
and save it as a jpeg file and upload it here in your next post. (Reply > Additional Options > Choose File)
If your computer is anything like mine, I don't have the print screen key Thumb Down.  I'm not familiar with all the ways to do it from Windows; the one I use is "winsnap":
http://www.filehippo.com/download_winsnap/
When I'm done with winsnap, I just use Comodo's program manager or Revo Uninstaller to remove it and all traces of it.
It's just an idea, if you need an alternative method (I don't know if it's the best solution, but it is a solution).

Also,
Quote
Please try to understand, it's always harder to help someone online than it is helping someone in person (whether pinpointing a solution or finding the exact problem).
We are just volunteers here helping other people for fun, hobby, and/or for whatever reason that may be; we don't get paid to do this.  (Unfortunately, we can't always solve 100% of someone's problem in every case; we'll try our best to!!!!)

Quote
D3DOverrider, is indicated as having trusted/installer privileges.  Nowhere, for the life of me, can I figure out where that is established, i.e., neither app is digitally signed, nor is any vendor associated with said apps; no digital signature, either private or CSA issued, exists for either app.  Therefore the problem can not stem from trusted vendor listing.  Secondly, no D+ security policy exists whereby such privileges are conferred to either RivaTuner or D3DOverrider; RivaTuner.exe & D3DOverrider.exe both live in the trusted files domain of CIS D+.  HOWEVER, RivaTuner.exe merely has 'trusted' privileges (per CIS active process listing).
While I can't be much help, as I have never used that software (my computer doesn't use nVidia), otherwise I would be more than happy to download it and see what the problem is Cry.  Anyway, since the sandbox is part of Defence+, we can rule out whether it's Comodo's sandbox or not. (It's just for the sake of narrowing down the problem, like a section-by-section approach.)
1) In Defence+, click on "Defence+ settings" ----> go to sandbox settings ---> move the lever down to "disable" ----> click "OK"
2) Log off the computer and then log back in (not powering down or restarting, because that would be a waste of time)
3) See if the problem is still there

If not, in Defence+ settings, do you have a check mark on "Block all unknown requests if application is closed"?
« Last Edit: December 29, 2010, 02:09:59 PM by jay2007tech »

It's hard being a crooked Admin when the files won't pass an md5checksum test.  But like any other good crooked Admin it can be done, it just takes time(and lots of it) and a few aspirins