guard64.dll- hashes of an image file are not valid

Admin log keeps showing that this file keeps failing the audit, stating

“Code integrity determined that the image hash of a file is not valid.”

Any ideas other than to completely reinstall the firewall and lose all my program settings?

This file is one of the protected files and folders. May be CIS doesn’t allow the file to be probed. You can make an exception for program to access protected files. Go to the chapter about My Protected Files in the Help section for an explanation.

In case you want to reinstall you export your configuration. Go to Miscellaneous → Manage My Configurations → read the Help on how to do export (currently using 3.9 beta and this has some changes compared to 3.8).

Here’s an interesting little error:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          Thu 21 May 6:58:21 AM
Event ID:      6281
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Woodstock
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.



File Name:	\Device\HarddiskVolume1\Windows\System32\guard64.dll	

This is on a fresh install of 7100 and a fresh install of 509.

I didn’t see this with 507 and earlier builds.

The installation of CIS completed with out problem although I did experience some issues with svchost freezing the system, until I adjusted the security of the firewall. Again, I didn’t see these problems in earlier builds.

The 7100x64 build is legit (downloaded from MS, hash checks). The hard disk, as mentioned in the error, has been checked and verified, there are no controller or disk issues.

I have been through this twice now, reformatting before and between installations, the error message is consistent.

For now I will revert to an earlier build.

This may be a bug. I am gonna move it to the bug boards to make sure the devs will see it.

Interesting catch Toggie,

I have the exact same thing.
It has been (as far as I can tell) running well though.

Wonder if it is completely unrelated to the Action Center format/recognition deal.

Later

I’m getting this too (guard32.dll). Never got it with any past versions of CIS but I have noticed in the past that I have gotten (and still do get) this with some SUPERAntiSpyware files as well:


Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:	\Device\HarddiskVolume1\Program Files\SUPERAntiSpyware\SASENUM.SYS	


Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:	\Device\HarddiskVolume1\Windows\System32\guard32.dll	

After installation of a CIS v6 I am experiencing the following audit failure in a event viewer under security log:

"Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume5\Windows\System32\guard64.dll"

Anyone also is experiencing the similar issue. Should I be concerned?

Win 8 64-bit with a home media.

Now I see it in a previous post. Sorry for a double posting. It still not fixed.

Try running checkdisk on the affected partition and see where that takes us. After that try running Diagnostics from within CIS.

This problem exists even in x64 windows 8/CIS 5.12.2599 installations. Anyone using CIS 6(2708) or 5(2599) on Windows 8 x64 will have this error. I do not know if it occurs on Windows 7/Vista x64 It would be helpful if some Win7/Vista x64 users checked their event viewers and report back here on this thread so a bug report can be filled out. I have seen it so far on three windows 8 x64 Pc’s in the event viewer. two with cis 6 2708 and one with cis 5 2599. Diagnostics will pass believe it or not on both 5 or 6 CIS.

Nothing to be seen under Windows 7 x64. I tried turning everything on, but still nothing. I’ll watch it over the next day or so.

Windows 8 x64. I have this same problem.

And I’m VERY concerned after yesterday’s events, regardless of what happened to get these messages in the viewer.

I checked the logs of my Windows 8 x64 and found no such event while running CIS 6.1.276867.2813. It is unfortunate that drejwithyou did not report back if running checkdisk solved the problem for him or not.

CIS version 6.2.282872.2847.
This problem with an audit failure in a security log is still not solved.

Regards,

win 8 pro with a media center,

My updated Win8x64 machine is now giving me this audit failure. In previous versions of CIS on Win8x64 I hadn’t noticed this in the Event Viewer; I first noticed it running CIS v6.1.14723.2813.

CIS v. 6.3.294583.2937

Notice of an an audit failure of an image file in the security log does still appears.

Win 8 pro 64 bit.

[attachment deleted by admin]

Hi guys,

This is a new build with a fresh install of Windows 8 immediately upgraded to 8.1.

Comodo product version: 6.3.297838.2953

Comodo is turned on (Safe Mode). Windows Firewall is turned off.

I seeing lots of these in Event Viewer > Window Logs > Security:

Event ID: 5038

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\guard64.dll

…and…

Event ID: 6281

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\guard64.dll

…what to do?

I also have the same events in similar circumstances. An 8.1 upgraded from new preinstalled windows 8 64 bits.

I also see the same events running Windows 8.1 x64.
Seems like this issue has been reported many months ago but hasn’t been fixed yet… https://forums.comodo.com/empty-t91423.0.html

Can anyone shed more light on this?

What does this “security audit failure” really mean?

Do the devs actually know that there’s an issue and if so, what are they doing to address it?

It is happening with me also on Win 8.1. Apparently Windows is not allowed to access the file to check it. It may be caused by the self protection of CIS. In case of doubt check the digital signature in the Properties of guard64.dll. When the digital signature is intact it is the official CIS file and there is nothing to worry about.