Avast claims Comodo FW bug

KGeek · March 21, 2011, 7:31pm

Avast has been releasing beta updates to their version 6.0 AV. Their most recent refresh, 6.0.1035, caused BSODs for some users. Avast has traced the problem back to Comodo FW. A member of their staff wrote on the Avast forum –

I still add new & new features even between two public builds. In 1035 build I included better win32k.sys & ntdll.dll hooking, however Comodo IS wasn't expected such non-standard hooking variant (in fact, its component guard64.dll corrupted ntdll.dll file which led to wininit.exe crashes). I removed the problematic part, because we won't wait than they'd fix it.

The upshot is that they will work around the issue. What is most interesting is the charge that guard64.dll is corrupting ntdll.dll. That seems to me like a very significant issue. Would someone from Comodo care to comment?

pk_asw · March 21, 2011, 8:22pm

haha, that was fast! ;D

I wrote that post… comodo’s author of guard64.dll component can contact me directly (kurtin@avast.com). I can provide him some technical details. I modified syscalls patching and I think comodo didn’t disassembled it well.

Citizen_K · March 21, 2011, 10:10pm

I send a pm to egemen the head developer pointing to this topic.

ArtemisF0wl · March 25, 2011, 11:13pm

any update on this?

voltron · March 29, 2011, 5:22pm

This is interesting…any news about this…

Citizen_K · March 29, 2011, 11:01pm

I sent the message again. May be something hiccupped with the pm system…

zappe · March 30, 2011, 9:43pm

So this is why i have ntdll.dll crashes like this…

Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc0000005
Fault offset: 0x0007c506
Faulting process id: 0x1a50
Faulting application start time: 0x01cbe9a9e9143577
Faulting application path: C:\Windows\SysWOW64\rundll32.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 31938262-559d-11e0-b3d4-001fc6f3c270

Is it enough to uninstall Comodo to get the “uncorrupted” ntdll.dll?

Citizen_K · March 30, 2011, 10:29pm

I got a reply from egemen and he said Comodo and Avast are on speaking terms about it. It is being worked on.

voltron · April 1, 2011, 7:43pm

I have AIS ver6_1035 in one of old pc here. Not experienced that problem…well personally (just my own opinion) Avast ver6 is still buggy(there’s a weekly RC update there…now at 1044). The claim should not be on just CIS but both ethically speaking.

jebuchanan · April 2, 2011, 1:17am

And as noted above, this IS being worked on.

Jorgosch · April 6, 2011, 6:04pm

I assume those crashes only happen if Defense+ is monitoring the system for applications that hook into the core.

cmillar6 · April 20, 2011, 12:52am

I see Avast has officially released 6.0.1091 Has this issue been resolved?

Citizen_K · April 20, 2011, 3:00pm

It was not on the change logs:

kazza5:

http://forum.avast.com/index.php?PHPSESSID=hu0oc13h9usp27cs8cbddl4j31&topic=76488.0

Here's a list of most important changes: - solved a compatibility problem with ZoneAlarm (WinXP) - added WebRep Chrome extension - improved installation of the WebRep plugins (especially Firefox) - various fixes and improvements in the avast sandbox - setup programs now smaller by ~20% - Community features and the Welcome screen can now be turned on/off directly from program settings - solved a compatibility problem with Outpost firewall - solved a bug related to the AutoSandbox offer (WinXP) - gadget can now be removed by simply closing it - solved a compatibility problem with GameGuard and sXe - SafeZone improvements - improved sandbox logging - SafeZone is now a standalone setup package (can be installed/uninstalled separately) - improvements in password processing - improvements in the program uninstaller - solved a memory leak in the avast gadget - fixes in the File System Shield transient cache - various stability/compatibility improvements

pk_asw · April 22, 2011, 9:32pm

yes, we fixed it, because comodo refused to fix it in their library

sharpey · April 23, 2011, 8:04pm

Real professional Comodo

zappe · September 5, 2011, 6:34am

That’s really bad, I’d hope they would fix this since it’s not only affecting AVAST users.