BSOD with some configurations imported to CES 6 from CIS 5

Hi,

After installing CESM 3 RC1 and importing configurations from CIS 5 to CES 6, BSODs occurred periodically. They continued after the final release too. Now I have figured out a reproducible situation in which the BSOD always happens. It happens when writing to a network share on a computer with the same “faulty” CES configuration (e.g. localhost). This console command crashes Windows:
“echo COMODO Rulez!> \\127.0.0.1\C$\tst.txt”
(sometimes on the second try)
But another CES configuration transferred from CIS 5 worked normally.
By sequentially deleting rules from both configurations I found the difference (cfgx attached).
All firewall rules, file groups, vendors and protected files in these configs were deleted, and all defenses turned off. The only remaining difference is in one setting which is not reflected in the GUI settings:

<Settings Mode="8667136" for the BSOD config (8667136 = 0x00844000)
<Settings Mode="278528" for the noBSOD config (278528 = 0x00044000)

The difference is in one bit.

These settings correspond to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\ConfigNumber\HIPS\Settings

Experiments with CIS 5 showed that this bit (when set) means “Deactivate the Defense+ permanently”, which is absent in the CES/CIS 6 GUI.

Amusingly, in the BSOD configuration, when Defense+ should be deactivated permanently, CES pops up a HIPS alert when I try to write to the CIS folder (HIPS turned off and all protected files removed from the config).

Tested on 3 installations – 2 physical machines, one virtual. WinXP Prof SP3, workgroup.
CES 6.0.268128.2731, locally configured.

There is no BSOD with CIS 6.0.264710.2708

[attachment deleted by admin]
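The post above narrows the two exported configs down to a single bit of the HIPS Settings Mode word. The following is an added example (not COMODO code, and not the attached cfgx) that parses that attribute from a cfgx-style XML export and reports which bits differ and whether the suspect bit is set; it assumes the cfgx is plain XML carrying a `<Settings Mode="...">` element, uses the two Mode values quoted in the post, and wraps the constructed samples in a hypothetical `<Config>` root.

```python
"""Audit CES/CIS configuration exports for the HIPS Settings Mode bit that the
thread associates with the BSOD on network-share writes.

Added example, not COMODO code.  Assumptions: the cfgx is XML with a
<Settings Mode="..."> element; the Mode values are the ones quoted in the
thread (8667136 and 278528); the sample documents are constructed and use a
hypothetical <Config> root element."""
import xml.etree.ElementTree as ET

# 8667136 ^ 278528 == 0x800000: the single differing bit reported in the post,
# which the CIS 5 experiments there label "Deactivate the Defense+ permanently".
DEFENSE_PLUS_PERMANENTLY_OFF = 0x00800000

# Constructed sample exports mirroring the two attribute values from the post.
BSOD_CFGX = '<Config><HIPS><Settings Mode="8667136"/></HIPS></Config>'
NOBSOD_CFGX = '<Config><HIPS><Settings Mode="278528"/></HIPS></Config>'


def settings_mode(cfgx_text: str) -> int:
    """Return the integer Mode attribute of the first <Settings> element."""
    root = ET.fromstring(cfgx_text)
    node = root.find(".//Settings")
    if node is None or "Mode" not in node.attrib:
        raise ValueError("no <Settings Mode=...> element in cfgx")
    return int(node.attrib["Mode"])


def differing_bits(a: int, b: int) -> list:
    """Bit positions (0 = least significant) at which two Mode words differ."""
    x = a ^ b
    return [i for i in range(x.bit_length()) if (x >> i) & 1]


def audit(cfgx_text: str) -> dict:
    """Summarise the Mode word and flag the bit that reproduces the BSOD."""
    mode = settings_mode(cfgx_text)
    return {
        "mode": mode,
        "hex": f"0x{mode:08X}",
        "defense_plus_permanently_off": bool(mode & DEFENSE_PLUS_PERMANENTLY_OFF),
    }


if __name__ == "__main__":
    for name, text in (("BSOD", BSOD_CFGX), ("noBSOD", NOBSOD_CFGX)):
        print(name, audit(text))
    print("differing bits:",
          differing_bits(settings_mode(BSOD_CFGX), settings_mode(NOBSOD_CFGX)))
```

Run it against a real exported cfgx by reading the file into `audit()`; a config flagged `defense_plus_permanently_off` is the one to fix before the machine writes to any share.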

Hi lepota,

The first question that has to be asked is why you are using RC1 (which had CIS). RTM version 3.0.60225.3 has been out since 25 February and has CES as its malware defense suite.

Regards,
Michel.

Hi Michel,

I am using the release version of CESM and CES from that release. I mentioned RC1 just because that is when I started observing BSODs. I don’t remember what version of CIS/CES it was then. But the preceding post relates to the current release.

Best regards.

I have passed your observations on to our development team.

Will advise shortly…

Hello lepota,

Once again thank you for your investigation! This issue has been reported to the CIS developers (it falls within their area of responsibility). I will inform you of any updates on this issue.

Best Regards,

Hello Denis,

Please, take a look at https://forums.comodo.com/comodo-endpoint-security-manager/problem-on-cis-with-rdp-on-winxp-t92789.0.html
It seems to me that this is the same (or a linked) old Defense+ bug (at least from CIS 5.0), which has now transformed in CES 6 into the subject of this thread. So, if “I were a developer”, I would start the investigation from the CIS 5.0 Defense+ code.
BTW, it is desirable for me to have a “Permanently disable Defense+” option (working as it should) in CIS/CES 6.

Thanks.

Hello lepota,

Could you please specify the exact steps to reproduce the BSOD issue? With all CIS/CES versions and a detailed description of your actions?

Thanks in advance!

Hello Denis,

I described everything above. Well…

  1. Load a config (cfgx) from CIS 5 with “Permanently disable Defense+ (Reboot required)” checked, or edit an existing CES 6 config to set this bit, or use the attached BSOD.cfgx. CES will ask for a reboot. Reboot. (It may work even without a reboot, I don’t remember.)
  2. Try to write a file to any network share on a system with the same CES configuration (Defense+ permanently disabled). Shares on the local system work too. I attached a cmd file which writes a small file to the admin share C$\ (the root directory of disk C:). Sometimes you need to do it twice. And voilà - look at the blue screen.

Tested only on XP Prof SP3, 3 different systems.
CES 6.0.268128.2731, locally configured.

There are no BSODs with CIS 6.0.264710.2708 and CIS 6.0.264696.2707 (beta).

With CIS 5.x there was a different issue; see the referenced discussion and the reference to my old bug report there.

Best regards.