Alert concerning recent versions of Sun Java and CMF

[Guest]

[pudelein]

This post is to alert users of Comodo Memory Firewall to "yet-one-more" required exclusion: Sun Java JRE 6 updates 7 and 10 can produce the "runaway syndrome" in which a process takes over a CPU completely.  In at least two circumstances. this can cause serious issues.  The offending process is java.exe; there are normally two instances of this, one in %WinDir%\system32, the other in %ProgramFiles%\Java\...\bin.  The ellipsis is replaced by jre6 in the case of JRE 6u10 and by jre 1.6.0_07 in the case of JRE 6u7.

I encountered this issue while trying to install the newly released OpenOffice.org 3.0.  This occurred during installation of the JRE component (6u7 is distributed with OO.o 3) which launches java.exe; the latter eats all available CPU cycles.  It also occurs when running OO.o 3; the sequence Toolks | Options |OpenOffice.orf | Java launches java.exe with the same result.  In both instances it was the copy in %ProgramFiles%\Java\...\bin that was used, but there are surely situations in which this would occur with the other copy instead.

I would advise users of these applications to start the Task Manager or Process Explorer before installing these versions of JRS and OpenOffice.org.  That way the offending process can be terminated quickly; otherwise, it may even require power cycling.

[Kyle]

Thank you very much! Have you tested this with Safesurf?

[Jim__]

I also saw the 100% CPU issue with jqsnotify.exe (6u10). The java.exe problem has been around for years. So far I haven't needed to exclude any 3.0 oo exe (I did have the 100% cpu problem with one of the 2.4 exe files). I have another program (SwimMM2.exe) which also needs to be excluded to prevent the 100% cpu problem.

It is not clear what to tell the authors of these programs what they might be doing that causes this.

[pudelein]

[at]Kyle,

No, I don't use SafeSurf, so can't test it.

[at]Jim_,

The only issue for OO.0 3 is that it launches java.exe, so only that (or those, since there are two of them) needs excluding.  I was interested in jsqnotify.exe.  I did not want the Java QuickStarter or the OpenOffice.org one either, so I don't let them operate.  I remember the OO.o 2.4 problem (stclient _wrapper.exe), but that is not present in the new version.

As to the developers changing their ways: I have a list of about a dozen programs that need to be excluded, but this is only the tip of the iceberg, I'm afraid.  For example, most (but not all) of the Linux-like commands provided in the Cygwin package need excluding.  My suspicion (and it is only that) is the specific way each program unit returns to its parent may be the issue; the ones with a *nix heritage may be more likely than others to cause the issue.

[Dennis2]

I am wondering if it is nothing to do CMF or CPF3.
I install O.O. 3 in the last few days have been using  2.3, after using msconfig to shutdown all non microsoft processes I know this is not as good as uninstalling them will try that when the GA version of CIS is released.
I installed no problem till trying to open O. O. for the first time up pops java.exe 100% cpu uninstalled Java, then when through the opening first time for all accounts.

Install Java 6.7 from standalone file on the last part of install where the patches are install up pops java.exe taking 60/80% cpu had to kill java.exe after nothing happening for approx 4 mins. to finish installing successfully.
I remember now this happen the first time I installed 6.7 so I suspect it is Java that is causing the problem since version 6.7 (you have to install from the standalone file for this to happen).

I am running Open Office 3 now with no exceptions in CMF this problem only occurs when O. O. is being setup for the first time or access options/java as the pudelein has mention in his first post.
When CIS is released I will also uninstall CMF to see if the problem still occurs as it could be one of the files of CMF even though it is not running, and will post back.
Dennis

[pudelein]

Indeed, Dennis2, my experience and your agree totally.  However, putting java.exe in CMF's exclusion list deals with the OOo  part of the problem.  It probably deals with the Java install issue, but I haven't tried that explicitly.  I am using JRE 6U10 and OOo 3.0 with no more problems.  Even the old issue in OO.o 2.4.1 (stclient_wrapper.exe exclusion needed) is gone.

[Dennis2]

Sorry you were right and my suspicion were proved incorrect.
Uninstall CIS Beta /CMF install Java and checked java options in O.O. up pop java 6 in the screen no problems with both.

Installed CIS still no problems so it must be one of CMF files being loaded in Java or O.O. which is causing the problem even though I had stopped CMF from running.

Will posted back when I have installed CMF if I find which file it is.
Thanks
Dennis

[doktornotor]

My exclusion list... IMHO, Java is a piece of junk, I totally despise it... 

[SilentMusic7]

Thanks to pudelein for telling all of us about the work-around.  I originally saw pudelein's post on oooforum.org.

I experienced the same problems and work-around as pudelein when installing StarOffice 9.0, which is mostly the same as OOo 3.0.  I had Java 6 update 11 installed on WinXP Pro, with all older Java updates removed, before installing StarOffice 9.0.  While the web download of StarOffice does not offer this option, OOo users can download without installing the old Java 6 update 7 by unchecking the box entitled "Include the Java JRE with this download" at http://download.openoffice.org/other.html#en-US

After completing the installation of StarOffice 9.0, I removed the exclusions for Java from CMF, and I haven't seen the 100% CPU problem since.  I have disabled the Java quick start, automatic update checks, tray icon, console and running SunJavaUpdateSched at logon to improve system performance.  Has anyone been able to reproduce the Java interaction with CMF for a case besides StarOffice/OOo installation?  I would really appreciate a website link for a reproducable case.

I am hoping to continue without CMF exclusions for Java to improve security.  A reproducable case would also allow me to test Java 6 update 12 and later.

[Tags:]