Topic: App. is not working correctly, but does not seem to be s/boxed. What to do? [v5]

mouse1

There are a number of possible causes. Please run through these in order, as those later in the list may be more inconvenient or have greater effects on your security.

  • The application may be sandboxed without your knowledge. When processor load is high, some sandboxed applications may be sandboxed without alerts or log entries. Also, part of the application other than the main program executable may be sandboxed. These sandboxed files will normally appear either in Unrecognised Files or, if still running, show as sandboxed in the Active Processes List. Just remove all sandboxed files (presuming you trust them) from the sandbox by making them trusted or other methods as described here and reboot. Please note that a computer reboot is sometimes needed to unsandbox an application.
  • Inappropriate settings may have been created on updating to the new version or when importing settings. Please try completely uninstalling CIS and re-installing (without importing settings) using this process here.
  • The application may load too early for CIS to sandbox it or make it trusted. To identify such files, look on the Active Processes List in Defense plus for files with status=unknown and sandbox=disabled. Use the right click menu to make these trusted and reboot.
  • The application may hook into the operating system in ways that conflict with CIS. There is no reliable way of identifying such programs, though a few generate buffer overflow Defense plus event log entries.
    • The problems with many such applications can be resolved by making them exceptions on the Defense+ ~ Defense+ settings ~ Image execution control ~ Exclusions list and rebooting. This works even if there is no buffer overflow log entry. In some cases you may have to exclude all the executable files in the program directory, and any sub-directories, in this way, or even an installation, related copy protection executable, or other third party or common 'helper' or operating system programs[1]. Buffer overflow protection exemption works with Daemon Tools, and MS security essentials for example.
    • From version 5.8 of CIS you can also try selecting or unselecting enhanced protection mode under D+ ~ D+ settings + General settings and rebooting. On 64 bit systems de-selecting this will reduce the level of security offered by CIS.
  • The program, often a game or video, may be trying to display an alert, often a firewall or D+ alert, but cannot because the computer is in full screen mode. Please see the fix here.
  • The program may require greater permissions than trusted files, but be unable to ask for them. To get round this, apply the installer updater predefined policy to all executable files in the program's directory, and any other executable files you know it uses, using Computer Security Policy ~ Defense Plus Rules ~ Add. You may need to ensure the policy is effective by using these techniques here. Then reboot. For security reasons do not do this for applications that you will use to run other unknown files.

Program(s) known not to work without disabling whole CIS modules: Virtual Box.

Programs known to require very special settings: Winsshd, Alcohol.



Footnotes
[1] If the program uses cmd.exe in some way (as for example terminal programs may) you may be able to solve problems by excluding cmd.exe from buffer overflow protection as described above.
[2] Many thanks to all who have discovered, helped discover or confirmed that these fixes and work-arounds work, especially Rickrev, Endymion, SwissSteph, and Sderevyanko.
« Last Edit: March 17, 2013, 11:05:44 AM by mouse1 »

 
