BSODs on Win 10 Home 1709+CIS with Proactive Firewall only v10.0.2.6420[M2332]

Dear experts,

Here is my info for the bug in the required format, followed by additional details on how I reproduced it, etc.
Sorry for long post - I am trying to provide details that might be helpful.

============================================================================

A. THE BUG/ISSUE: BSODs + freeze on clean Win 10 Home 1709 + CIS with Proactive Firewall only v10.0.2.6420
Can you reproduce the problem & if so how reliably?:
Takes many hours but can reproduce within a day or so. Have to run a script to reboot PC every so often; disable auto-reboot on BSOD (so I can catch the BSOD). More details on how I reproduce are below.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Please see details later in this post.
One or two sentences explaining what actually happened:
Clean Windows 10 1709 reinstall on recent PC runs fine for multiple days. Adding Comodo Firewall v10.0.2.6420 starts failing with different BSODs and occasional freeze.
One or two sentences explaining what you expected to happen:
No BSODs :)
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Only software other than Comodo is Windows 10.
Any software except CIS/OS involved? If so - name, & exact version:
No other software installed.
Any other information, eg your guess at the cause, how you tried to fix it etc:
Please see below for how I tried to setup minimal environment to reproduce the issue.

B. YOUR SETUP
Exact CIS version & configuration:
version 10.0.2.6420 from verified offline download; Proactive configuration; Firewall only (not even AV). Other (likely less important) settings are described in post below.
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Firewall Safe mode, D+/HIPS Safe mode, VirusScope enabled, Auto-Containment disabled, Cloud-enabled lookup disabled
Have you made any other changes to the default config? (egs here.):
Please see exact steps of how I installed Comodo (twice) in email below in Details section
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No, brand new install.
Have you imported a config from a previous version of CIS:
No.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Win 10 Home v1709, 64-bit, default UAC settings, the only account setup during Windows install (Administrator account type), no virtual machine
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
No other software installed. I do see Windows Defender is On. Windows Firewall is Off because Comodo firewall is On.

C. ATTACHMENTS
In Comodo UI, I went to (? icon) → Support → Diagnostics and it said it found issues that it could not fix. Generated diagnostics file does not show any error events. Please see it attached.
Also attached compressed Minidumps for some steps described below.
Finally, I uploaded to a Google Drive large (zipped) MEMORY.DMP files as well as system info (per futuretech instructions below). Please let me know if you’d like to access them.

============================================================================

I saw another couple of BSOD related threads here with Windows 10 v1709 but my stop codes and WinDbg analysis seem different. Those threads mention cmdhlp.sys but I did not see anything related to cmdhlp.sys in my BSODs.

I’ve been pulling my hair for over 2 months now, trying to narrow down the cause of BSODs. I am finally in a position to state that Comodo is the most likely culprit or rather some combination of Comodo with Win 10 v1709. I’ve been using Comodo with Win7 without issues and like it a lot, but a new computer runs Win10 Home v1709. Multiple times I would run the system in different combinations and the only common denominator is that when there is no Comodo, there is no BSODs, and when Comodo is installed, BSODs happen on occasion (and even more rarely, computer totally freezes). Finally, the latest cleanest experiment was the most conclusive. There is no other software involved: clean Windows install + Comodo, both with minimal config changes.

---------- Experiment Steps ----------

(1) Install brand new Win 10 Home v1709 (see details below). Run it for over 2 days periodically rebooting and scanning with Win Defender (to simulate some activity) with no issues.
(2) Install latest Comodo (Firewall only; Proactive; see details below) =>

  • first BSOD (stop code: Critical Structure Corruption) happened after 10 hours of occasional reboots + Windows Defender runs.
  • within another hour, another BSOD (stop code: Clock Watchdog Timeout)

(3) Connected to internet (via wired connection) for the first time, updated all drivers and Comodo (Comodo update barely did anything as expected), Windows license got activated. Disconnected wire from internet.
(4) Got more BSODs:

  • 20 minutes after updates, got BSOD (stop code: Critical Structure Corruption)
  • 10 minutes later, got another BSOD (stop code: IRQL NOT LESS OR EQUAL)

(5) Connected (via wire) to internet, installed Windbg from Microsoft site (to examine dump files, but did not know how to interpret these well. I think they do not show same cause as different threads on this forum). Disconnected wire from internet.
(6) Uninstalled Comodo from Program and Features (successfully). Just in case, uninstalled any other remnants using ciscleanuptool 2.0.0.3 which required 2 reboots as expected.
(7) Wrote a simple bat script that automatically reboots the PC every 20 minutes. Ran it for over 2 days with occasional manual starts of Windows Defender to scan the system.
No BSODs or freezes or issues for over 2 days and 140+ reboots.
(8) Installed Comodo (Firewall only; Proactive; see details below): ~9am (Dec 18’17)
(9) 3 BSODs + 1 freeze:
(9a) ~3pm: Got BSOD (stop code: Critical structure corruption) ~6 hours after Comodo install and ~18 reboots, once every ~20 mins.
(9b) 5:32pm ET: 2.5 hours later (and few minutes after starting a Windows Defender scan), got BSOD (stop code “IRQL NOT LESS OR EQUAL”).
(9c) 6:02pm ET: after 2 more reboots, at 5:40pm and my script-based one 6:00pm, computer completely froze at 6:02pm timestamp. Hard shutdown was required.
(9d) ~8pm: after another reboot at 7:55, got BSOD (stop code: Clock Watchdog Timeout)

---------- Details ----------

(A) Details for how I installed Windows (in Step 1)

“Install new Win 10 Home v1709” was done by completely reinstalling Windows using DVD created off of Windows media creation tool downloading Windows from the Microsoft website.
Options applied during the install:

  • select defaults for keyboard, time on first screen
  • answered as follows to questions that come up during install:
    Add a second keyboard layout SKIP; Connect to a network SKIP; Make Cortana your personal assistant NO
    Location OFF; Diagnostics BASICS; Relevant Ads OFF; Speech Recognition OFF; Tailored Experience with Diagnostic Data OFF
    Note: per Device Manager, while some device drivers did not get installed at first, that did not seem to matter and they all got installed and cleared up after connecting to internet in step (3) above.

Configuration of Windows 10 after the install:

  • Right click on desktop screen → Personalize
    → Background → picked Solid color
    → Taskbar → Location (dropdown): left
    → Lock Screen → Screen Timeout Settings → “Never” for both Screen and Sleep

Pinned to Start: Control Panel and created desktop icons for Event Viewer and Notepad
Changed Windows Explorer settings to show all files and all file extensions.

In order to detect BSODs without having to watch my computer 24/7, had to disable auto-restart on failure:
Control Panel → System → Advanced System Settings → Advanced tab → Startup And Recovery Settings… button → unchecked Auto restart on system failure

Disabled bluetooth and wireless (only want wired Internet connection):
Settings → Devices → “Bluetooth & other devices” on LHS → set to Off
Settings → Network and Internet → Wi-fi → set to Off
Control Panel → Network and Sharing Center → “Change adapter settings”
→ right-click Wi-fi → Disable

(B) Details for how I installed Comodo (in Steps 2 and 8):

CIS version 10.0.2.6420 using offline download from Comodo

---------- Other Notes ----------

  • At one point earlier, i.e. before this latest experiment, I had also upgraded to Win 10 Pro, but that did not resolve the BSOD issues.
  • I attached to this message 3 Minidumps in zipped format for steps 9a, 9b, and 9d.
  • I have uploaded system info file (per request from futuretech below) and, for step (9), zipped up full MEMORY.DMP files to a Google drive. Please let me know if you’d like location of those (so far, I PMed these to futuretech and PremJK).
  • Security Event Logs indicate a failure where Code Integrity determined that image hash of a file is not valid for System32\guard64.dll. (Event id 5038, source “Security-Auditing” event). Claims file might be corrupt - I’ve seen this warning message before too and don’t know whether it’s important, or to be ignored. As I had mentioned, I triple checked correct size, and both hashes as posted by umesh, so I am certain I have the right file downloaded.

Please help! I’d love to continue using Comodo with Windows 10, if I can!

Justin

[Update from Dec 19’17] updated above post to indicate I uploaded memory.dmp and system info files.
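
The reproduction setup described in the post above (auto-restart on failure disabled, a reboot every 20 minutes), as an added PowerShell example that is not part of the original thread and is not the poster's bat script. The folder, log file and task name are hypothetical; at each boot it also records new minidumps, bugcheck and unclean-restart events, and the Event ID 5038 entries mentioned in the notes.

```powershell
# Added example, not from the thread. Save as C:\bsod-repro\repro.ps1 (hypothetical
# path), run once elevated with no arguments to set up, then reboot.
param([switch]$Run)
$ScriptPath = 'C:\bsod-repro\repro.ps1'      # hypothetical
$LogFile    = 'C:\bsod-repro\boot-log.csv'   # hypothetical
$TaskName   = 'BsodReproReboot'              # hypothetical

function Disable-AutoRebootOnBugcheck {
    # Registry equivalent of unchecking "Automatically restart" in Startup and Recovery.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
        -Name AutoReboot -Value 0 -Type DWord
}

function Get-EventCount([hashtable]$Filter, [datetime]$Since) {
    $Filter.StartTime = $Since
    @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue).Count
}

function Get-CrashEvidence([datetime]$Since) {
    $dumps = Get-ChildItem "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since }
    [pscustomobject]@{
        BootTime  = (Get-Date).ToString('o')
        Minidumps = @($dumps).Count
        # 1001: bugcheck recorded after reboot; 41: unclean restart. A 41 with no
        # 1001 and no new dump matches a hard freeze like step (9c).
        Bugcheck  = Get-EventCount @{ LogName = 'System'; Id = 1001
            ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting' } $Since
        Unclean   = Get-EventCount @{ LogName = 'System'; Id = 41
            ProviderName = 'Microsoft-Windows-Kernel-Power' } $Since
        # 5038: Code Integrity reported an invalid image hash (Security log).
        CodeInteg = Get-EventCount @{ LogName = 'Security'; Id = 5038 } $Since
    }
}

if ($Run) {
    # Runs at every startup: log evidence since the previous boot, then schedule the next reboot.
    $since = (Get-Date).AddDays(-1)
    if (Test-Path $LogFile) { $since = [datetime](Import-Csv $LogFile | Select-Object -Last 1).BootTime }
    Get-CrashEvidence $since | Export-Csv $LogFile -Append -NoTypeInformation
    shutdown.exe /r /t 1200    # 20 minutes, the interval used in the post
} else {
    Disable-AutoRebootOnBugcheck
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$ScriptPath`" -Run"
    Register-ScheduledTask -TaskName $TaskName -Action $action -User 'SYSTEM' `
        -Trigger (New-ScheduledTaskTrigger -AtStartup) -RunLevel Highest -Force | Out-Null
}
```

The resulting CSV gives one row per boot, so a run with and without a given setting can be compared by counting rows against nonzero crash columns; the local execution policy must allow the script to run.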

Hi Justin smith,

Thank you very much for your report in the standard format with all information supplied and sorry for the inconvenience brought to you.
We are checking the mini dumps provided.

Please let me know how to send those over.

You can upload the Full memory dumps over any online storage like google drive and share us the link to download.
Thanks in advance.

Kind Regards,
PremJK

I’m guessing it has to do with an implementation issue with enhanced protection mode which is enabled when you switch to proactive config. Try disabling enhanced protection mode under HIPS settings and check if blue screens still occur. Also attach a system information report from msinfo32 as described here.

I uploaded MEMORY.DMP and system info per instructions from PremJK and futuretech.

I IMed both of them the locations. Please PM me if you want the location of these files.

futuretech, I am going to disable enhanced protection mode and restart periodic reboots to see if it crashes in the next day.

Thanks,

Justin

Hi Justin Smith,

Thank you so much for providing requested dump. We are looking at it.

Kind Regards,
PremJK

Quick update: so far futuretech’s suggestion of disabling enhanced protection mode under HIPS has not reproduced a crash after 24 hours. So starting to look promising as far as locating the issue within Comodo… However, does this mean I am losing an important protection by turning this part of HIPS off?! (Especially since it’s turned on by default)

Update: After another almost 24 hours, still no crash; so it’s looking even more likely that futuretech’s hunch was right: i.e. there is a bug in “Enhanced Protection Mode”, or at least in how it interacts with 64-bit Windows 10 v1709.

Help describes this feature as:

“On 64 bit systems, enabling this mode will activate additional host intrusion prevention techniques to counteract extremely sophisticated malware that tries to bypass regular HIPS protection. Because of limitations in Windows 7/8/10 x64 systems, some HIPS functions in previous versions of CIS could theoretically be bypassed by malware. Enhanced Protection Mode implements several patent-pending ways to improve HIPS. CIS requires a system restart for enabling enhanced protection mode.”

With Proactive mode enabling this feature by default, how exposed is my system when I turn off this protection? This seems like a very important part of HIPS protection… ?

Any ETAs for a fix?

Thank you for quick responses! I hope my crash files and details on how to reproduce are helping.

Justin

With Proactive mode enabling this feature by default, how exposed is my system when I turn off this protection? This seems like a very important part of HIPS protection... ?
In my testing, it seems to help with HIPS monitoring even when an application removes the user-mode API hooks that are set by CIS. But the amount of malware that remove detected hooks inside its own memory address space is rare so you should be fine.

From Comodo Internet Security v10.1.0.6460 - BETA

- Due to increasing incompatibilities with upcoming Windows RS4 we have removed Enhanced Protection Mode(which was disabled by default) setting from HIPS ; there were advanced methods, which are no longer supported by Microsoft.

Therefore moving to resolved.

Are there plans to bring back these protections?

It sounds like sophisticated malware could get through without this feature.

Thanks!

P.S. There have been no crashes for over 3 days with Enhanced Protection Mode disabled (and repeated 20-minute reboots). After trying to enable it again yesterday, got 4 more BSODs over the next 12 hours. (Please see attached file, if needed, for minidumps and let me know if you’d like access to full dump files.)