[4.0.135239.742] Problem with games STILL not solved! [SOLVED - PROBABLE BUG]

Hey,

The problem/bug I’m referring to was described here: https://forums.comodo.com/beta-corner-cisv4/one-strange-peculiarity-about-cis-sandbox-t51719.0.html

To cut the story short, it is still present in the latest build. Every time I try to launch CoD with auto-sandboxing enabled nothing happens. I get NO notification at all (although I should)!

You can’t even imagine how ■■■■■■ I am seeing that such a serious bug has not been fixed yet (:AGY).

To tell you the truth, I was dithering whether I should post this or not as my faith in COMODO has been drastically diminished lately. I’ll keep bumping this topic until I get a response from a dev.

My system details:
Vista Home Premium SP2 64bit (fully patched)
COMODO Firewall, avast free (latest), linkscanner beta, win defender (disabled), win firewall (enabled)

If you need any info, please ask.

I was able to get games to run with V4. What I noticed was that when I started the game I would get the popup asking if I should continue running it in the sandbox. I selected to never run it in the sandbox. The game would still fail, but the next time that I ran it it asked me about a different file. I believe that even when you select not to run it in the sandbox that the decision only affects the next time it runs.

Did you receive any popups at all? Nothing for the firewall, defense+, or the sandbox.

The problem is relatively fixed for me (although not quite as fixed as I would like). I did have to jump through hoops to get it running.

I have never received any sandbox popup, never seen one in my computer.
Having disabled auto-sandboxing, I launched the game, received 2 D+ popups and the game loaded perfectly.

Thanks for your interest in the topic
Regards

As promised: BUMP

Are you guys looking into this issue?

Sorry you are having such serious problems. I’ve encountered sandboxing without alerts myself. First try defining the file as trusted, and see if you get an alert when you close and open it again.

If this does not work, I know this sounds potty, but have you tried defining the temporary file sandboxed by CIS as an installer in D+?

If this does not work, I think I would try watching what happens when you open the game using sysinternals process explorer (just google these 3 words). If you disable highlighting of packed images under options, everything that comes out coloured brown, apart from Google chrome, Comodo Dragon, and wmiprsrv, is probably sandboxed.

Unsandbox stuff by adding to My Safe files or defining as an installer.

Please report back - the bug may not have been nailed because it has been found difficult to replicate.

Hope this helps

Best wishes

Mouse

A little update:

Even with the latest version I still cannot launch CoD even though every time I try to run the game, I receive a sandbox notification (finally :D) telling me that it has isolated ~e5.001. Despite selecting “Do not run this app in the sandbox again”, the game does not start :-.

Any thoughts?

Turn off Sandboxing >>> remove any COC files from the C:\sandbox Directory >> Goto Defense+ and put the COC running files in “My Safe Files” list. Turn on sandboxing, reboot and then try it.

Had similar issue with WOW previously.

Thanks for your response. Actually yesterday I managed to launch CoD with sandboxing enabled but it happened at the second or third attempt. It turned out that the file ~e5.001 had found its way into My Safe Files (manually adding it does not work). However, after a while it disappeared from there and I had troubles launching the game yet again :-. I think it depends on when this file is modified as it is probably dynamically generated every time I run the game.

We really need to understand if and why this file is being sandboxed. Are you willing to go through this systematically? It will help Comodo to fix this if you do!

If so would you mind installing Microsoft (Sysinternals) Process Explorer? (Just google it!). If you do then navigate to Options ~ Configure highlighting and untick everything except jobs. Process explorer will then show sandboxed items (which run as jobs), plus a few operating system and browser jobs, in brown. Then start the game and watch what opens what, and whether they are coloured brown, in the default hierarchical view.

What I half expect to see is that another file is getting sandboxed, and is opening the .001 file as sandboxed. (BTW you have been inconsistent in the number of zeros you have typed, which may cause problems if you are making manual entries). If this is so be sure to take a note of the name and path of the sandboxed file which is opening the .001 file and report back.

Also could you see if you can find the .001 file on a) the hard disk b) the CD, so we can see if it is being dynamically generated or not.

If you decide to accept this mission, good luck :slight_smile:

Best wishes

Mike

Thanks for your interest Mike! I do appreciate it.

So, my findings:

  1. Upon clicking on the desktop shortcut, I see two new processes appearing in brown (iw3sp.exe and ~e5.0001). iw3sp.exe is the game’s executable.
    There’s also one more, called Sf.bin. It appears only for a short while (in green) and is initiated by AvastSvc.exe.

  2. I get a sandbox popup asking me whether I’d like to take ~e5.0001 out of it. I opt to do so.

  3. The game does not launch.

  4. The two processes in point 1 are still in brown.

As for my inconsistency - sorry for it. The file is called ~e5.0001, not ~e5.001.
I have it in C:\Users\username\AppData\Local\Temp. I couldn’t find it in the game’s cd.

Thanks

That’s great. I see you didn’t self destruct in 10 seconds!

From what you say I guess iw3sp.exe is the parent of ~e5.0001. You can confirm this by double clicking on ~e5.0001 in process explorer.

So what is probably happening is that ~e5 (for short) is being sandboxed because iw3sp.exe is. So can you stop iw3sp.exe being sandboxed by putting it in ‘My Safe Files’ and, critically, then rebooting. Check ‘My Safe Files’ after rebooting to see if it is there.

Then try launching the game again to see what happens. See if ~e5 is still being sandboxed, and report back, if that’s OK. If it is please check if ~e5 is there (ie on the hard disk) when the game is closed and you have subsequently rebooted. (This is to try to understand why it disappears from my safe files).

Good luck again

Mouse (aka…)

ha ha

That’s true.

I did it, but it did not help. ~e5 sometimes gets into ‘My Safe Files’ list, but sometimes doesn’t. When it does, I am able to launch the game.

I am still receiving popups regarding ~e5.
Yes, the file is present after reboot in the directory I wrote about in my previous post.

Just to check - did you put iwsp3.exe into My Safe Files, and did it stay there through a reboot cycle? Sorry to ask but your reply could be read two ways. (I’m assuming that neither iwsp3.exe nor ~e5 appears in the computer security policy; please check and tell me what policy (e.g. trusted) they come under if they do.)

If so, as a hypothesis, because ~e5 is getting dynamically generated, it is different each time. CIS sees it as an executable because it is being opened by iwsp3.exe with execution privs. CIS being too bright for its own good says ‘You have to tell me again this is safe, cos its different’. You can check this by taking copies of different ~e5’s (~e5s after successive runs of COD) and running file compare fc on them from the DOS prompt. (If you are lucky the ~e5’s lengths may be different and fc won’t be needed).

If this process confirms that the ~e5s are different this is a CIS design limitation, and needs reporting as a bug/wishlist item. (Maybe the wishlist item is to exclude specific files from this form of identity checking)

Meanwhile the only way over it is to try and fool CIS. Here’s some possibilities.

  1. (Faint hope) is ~e5 code signed (don’t really see how it could be, but worth trying to add it via ‘My Trusted Software Vendors’)

  2. With ~e5 in My Safe files and not having run COD since then, make ~e5 ‘read only’, and see if COD objects when you run it again.

  3. After taking ~e5 out of My Safe Files, try adding ~e5 in the Computer Security Policy as an ‘Installer/Updater’ (i.e. applying the predefined ‘installer/updater’ policy to it).

Others may have found different work arounds, but let’s see if these work first.

Hope this helps

Best wishes

Mouse

Another possibility or two:

  1. Try manually sandboxing ~e5 as unrestricted, with or without virtualisation
  2. Or (another hypothesis) try adding .0001 as a file extension to the executables group. (My protected files ~ groups ~add) then seeing if ~e5 will stay in My Safe Files

Yes I did put iwsp3.exe into My Safe Files and it did stay there after a reboot. Both files are listed in computer security policy as “Custom policy”.

You’re probably right. As for the second part - could you be more specific about the “file compare fc” thing? What is it? How to use it?

~e5.0001 is not a signed file.

This method does not work.

Wow! With ~e5.0001 set as installer/updater CoD starts properly every time. I do not get sandbox popups any more. ~e5 no longer gets listed in My Safe Files.

Big thanks to you Mike for troubleshooting this issue with me :). You really helped me!

That’s great to know. Many people don’t stick with a systematic approach, so kudos to you for doing so, and critically, doing so carefully.

Partly from these interactions I have now done a FAQ entry on solving unsandboxing problems, so I’ve made good use of your work.

Re fc, would still like to know if you have time. Start by putting the two copies of ~e5 files (collected after different runs of the game) in your ‘my documents’ directory, changing the name of the second copy slightly.

To run file compare go to Start~Run and type in cmd . You’ll get a DOS window probably showing C:\documents and settings<username>. Type cd “My Documents” to change directories. Then type fc . The filenames must be in double inverted commas if they have spaces. If they are identical it will say FC: no differences encountered. If not it will spew a lot of garbage out; do Ctrl+C to stop it if you need to!

Hope this helps

Mike
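An added example, not part of any post in this thread: the fc comparison described above, extended to tell a change in file content apart from a change in modification time only. The file names and contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def snapshot(path, chunk=65536):
    """Return (SHA-256 hex digest, modification time in ns) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest(), os.stat(path).st_mtime_ns

def first_difference(path_a, path_b, chunk=65536):
    """Offset of the first differing byte, or None if the bytes are identical."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))  # one file is a prefix of the other
            if not a:
                return None
            offset += len(a)

def classify(path_a, path_b):
    """'identical', 'timestamp-only' or 'content-changed' for two saved copies."""
    hash_a, mtime_a = snapshot(path_a)
    hash_b, mtime_b = snapshot(path_b)
    if hash_a != hash_b:
        return "content-changed"
    return "identical" if mtime_a == mtime_b else "timestamp-only"

def demo():
    """Constructed copies standing in for files saved after separate runs."""
    work = tempfile.mkdtemp()
    base = b"MZ" + bytes(100)
    payloads = {"run1.bin": base, "run2.bin": base, "run3.bin": base[:52] + b"\x01" + base[53:]}
    paths = []
    for i, (name, data) in enumerate(payloads.items(), start=1):
        paths.append(os.path.join(work, name))
        with open(paths[-1], "wb") as fh:
            fh.write(data)
        os.utime(paths[-1], ns=(i * 10**9, i * 10**9))  # distinct modification times
    return classify(paths[0], paths[1]), classify(paths[0], paths[2]), first_difference(paths[0], paths[2])

if __name__ == "__main__":
    print(demo())
```

A "timestamp-only" result means the bytes match and only the modification time differs between the two copies.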

OK, thanks.
I’ve compared the two instances of the same file but cmd could not find any differences between them. However, I still think that ~e5 changes after some time but probably not every time I run the game.

I’m gonna take a copy of the file after I’ve started the game after a reboot and come back with my findings.

Thanks

Hmm, again no differences ???. It seems that the file stays always the same, only the date of modification changes.

P.S.
I’m gonna add “SOLVED” to the subject of the topic.

Be my guest :slight_smile:

Changing dates may be enough I guess. My bet is on that.

Otherwise is the game on a removable disk, BTW? Not sure of the significance but I understand that Comodo treats files on removable disks differently, so maybe treats a ~e5 if copied from a removable disk differently, or an iw3sp.exe run from a removable disk differently.

Best wishes

Mike

The game will not start without its dvd being in the dvd drive, so yes, it is on a removable disc.

Thanks