bugs.

bug 1
Incorrect handling of variables, by using “string” instead of ‘string’, resulting in invalid chars being parsed instead of ignored and breaking code, i.e. ;:<>(){} etc.
example 1
Go to firewall rules and paste in 2.1.1.2; this will result in an IP of 211.200.0.0 because the . is joined.
example 2
& in file name, breaking the alert. Mount & Blade is fine, from Steam; no unusual HIPS for a game of that era. Just an invalid char, and the reason why I installed it.

https://i.postimg.cc/d31Z1vtf/wtf8.png

bug 2
Regardless of the driver in the network card interface and the tap interface, any connection of any application will show up as “windows operating system” when using OpenVPN unless there is an explicit application rule for said application. Even then it does not always bring clarity to firewall logs.

bug 3
Win 7 64 bit
There is a very high probability this is just a display bug, displaying the child process instead of the parent.
No registry keys in the log file.
When allowed, no registry keys are being written to the file.
No NTFS alternate data streams on the file.
Procmon (saved) only found Comodo accessing the said file.
Parent process writing a lot of registry keys.

https://i.postimg.cc/XqpyqqZB/wtf11.png

bug 4
There is a big difference between reading a protected registry key and writing to it; when choosing allow or deny, be more specific.
Half the time registry keys do not show up in the alert.

Not bugs; paranoid mode is active.
The video driver does not request the registry key.

;int :equal <>copy and paste, line... () variable {}open and exit code

Safe mode or the default setting is excellent. With Comodo Internet Security in safe mode, your data is protected from leaking. :stuck_out_tongue:

Liovânio de Santana

For bug 1, with regards to the IPv4 address input box, it has nothing to do with the . and is a long-standing issue where it expects 3 digits and will fill each section until 3 numbers are entered before moving to the next box. So in cases such as 10.1.43.10, you would copy it like this: 010001043010. In other words, you would need to copy leading zeroes. I do however confirm the & in the file name messing with the alert description.

Bug 2: You are setting up block rules with logging enabled in global rules instead of using the application rules. Global rules are applied to the WOS kernel, and outgoing connections are processed first by application rules then global rules, inbound are processed by global then application rules.

Bug 3 is caused by you adding nvidia to heuristic command-line analysis, which takes the file passed to the application's command-line and interprets actions coming from that file, per the help documentation:

Run heuristic analysis on certain applications
This setting instructs CIS to perform heuristic analysis on programs that execute code, like Visual Basic scripts and Java applications.

Example file types that are checked are wscript.exe, cmd.exe, java.exe and javaw.exe.

For example, the program wscript.exe can be made to execute Visual Basic scripts (.vbs file extension) via a command similar to 'wscript.exe c:/tests/test.vbs'. If this option is selected, CIS detects c:/tests/test.vbs from the command-line and applies all security checks based on this file.

If test.vbs attempts to connect to the internet, for example, the alert will state 'test.vbs' is attempting to connect to the internet.

Take a .bat file that is processed by cmd.exe. If the .bat file contains code/commands to, say, create a new file, then when you run the bat file by double-clicking it, HIPS will treat that .bat file as if it were a regular executable and warn you that it is trying to create a new file. This is how CIS protects you from scripts that are normally executed by trusted applications. Without this, cmd.exe could be used to mess with the system.

Bug 4: When applications call RegCreateKey/RegCreateKeyEx to access a registry key, the key will be created if it does not already exist, and according to the MSDN documentation:

Access for key creation is checked against the security descriptor of the registry key, not the access mask specified when the handle was obtained. Therefore, even if hKey was opened with a samDesired of KEY_READ, it can be used in operations that create keys if allowed by its security descriptor.

However, if an application were to use the RegOpenKey/RegOpenKeyEx function instead to open a key with read access, you will not get a HIPS alert, because RegOpenKey does not create the key if the key does not exist.

Thanks!
I appreciate the effort and detail.

For bug 3
Agreed that text files can be renamed into a vast array of executables, so I can understand the rationale behind the filtering, especially for an executable child process being text based or compiled outside of its container/permissions model.

First thought was most likely heuristic pattern-based recognition of a registry key as an output of the nvcontainer base, in which case:
It appears that this being written to the log files is possibly responsible for the alert:

#0(I)[2019-02-24 01:28:29,098]{000000BC} Loaded C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem/Watchdog/NVDisplayPluginWatchdog.dll

Which is fair enough; a .log is harmless enough as is, unless parsed.
I didn’t spot this initially, and it is easily overlooked.

At least I hope this is the case.

Bug in the NVIDIA driver; an update solved the problem.

Thanks! liosant

Came up with a sane way of fixing bug 1, example 1.

Developers might be stuck on distinguishing: did this come from the clipboard?
Looking at API calls etc.; just sidestep all that headache.

Bear with me if you will; error tolerance is a bit tricky.
Human brain reaction time is between 8ms and 10ms, not factoring in nerves and muscles and so on.
Including muscles and nerves, the expected reaction time is a lot bigger; on Human Benchmark you're looking at a human average of ~200ms.
Predictive reaction with sound (faster brain processing) and visual is a different story.
From gaming, i.e. gear change on RPM and sound, I used to seem to float around 14 - 18ms on average.
This does give us a fair eternity of lag tolerance though, in the local processing world.
Unknown: 12 or 23 etc.; run a competition company-wide for entertainment purposes and testing, but 1 in less than 10ms? Unlikely.
Measure and display a warning about high CPU/RAM/HDD breaking fault tolerance if it exists within a grace period.

I don’t know your language or gotchas, so semi-pseudocode if you will.

on input while <10ms
set max length, say 20 chars (+4 or more to handle trailing / leading white-space)
immediately run a regex replace though: remove anything but 0-9 or . and replace with ‘’
//not a double quote, not a space, not a null; replace with what's between the single quotes, which is nothing, to delete.
sanity check: make sure it's not inserting null bytes, and that the regex is not broken by them (possible language gotcha)
make sure not null
// i don’t think garbage clean needed here (head getting fuzzy)
concatenate any new input, dump in a var, not an int
//make sure to use ’ instead of " to safely handle this

After 10ms
regex replace any but the first four . (if any), and count them.
if any . then regex and explode.
Run through the rest of the error checks as per normal: over 255, partial pastes etc.

Ugly and inelegant, but a simple, easy bugfix.

Example 2 also breaks logs; application rules are OK.
Also check company name etc. for this type of bug; the GUI may need a full audit.

The website also orphans replies on the previous page when the session cookie times out while modifying a post.

While double posting is frowned upon,
I think it's warranted to make sure an oversight in the above code is noted:

Make those concatenates counted and limited.

Sorry but yeah, low potential, but plausible.
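A worked version of the sanitiser sketched in the pseudocode above, including the "counted and limited" amendment, written here as added example code (not from the thread, and not Comodo's own code). The function names, the 24-character cap and the zero-padding helper for the three-digit-per-box workaround described earlier in the thread are assumptions.

```python
import re
from typing import Optional

# Assumed cap: 20 chars plus slack for stray leading/trailing whitespace.
MAX_PASTE_LEN = 24
# Anything that is not a digit or a dot (covers quotes, ;:<>(){}, NUL bytes,
# whitespace) is deleted, never interpreted.
_NOT_DIGIT_OR_DOT = re.compile(r"[^0-9.]")


def sanitize_ipv4_paste(raw: str) -> Optional[str]:
    """Return a canonical dotted quad, or None if the paste cannot be an IPv4 address."""
    # Limit length before the regex ever sees the input ("counted and limited").
    text = raw[:MAX_PASTE_LEN]
    # Strip every character that is not 0-9 or '.'; the pattern is byte-safe,
    # so embedded NUL bytes are removed rather than breaking the match.
    text = _NOT_DIGIT_OR_DOT.sub("", text)
    if not text:
        return None
    # Count the dots by splitting: exactly four fields, none of them empty.
    fields = text.split(".")
    if len(fields) != 4 or any(f == "" for f in fields):
        return None          # partial paste or too many dots
    octets = []
    for field in fields:
        if len(field) > 3:
            return None      # more than three digits in one box
        value = int(field)
        if value > 255:
            return None      # out-of-range octet
        octets.append(str(value))   # normalises 010 -> 10
    return ".".join(octets)


def pad_for_three_digit_boxes(addr: str) -> Optional[str]:
    """Zero-pad each octet to the 12-digit form the per-box widget fills correctly
    (10.1.43.10 -> 010001043010), as described earlier in the thread."""
    clean = sanitize_ipv4_paste(addr)
    if clean is None:
        return None
    return "".join(f"{int(o):03d}" for o in clean.split("."))
```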

Bug 3 not fixed. Please put back in the right forum.
Clean install 1:
with latest control center, revoked certificate registry key and many others on remove;
post-install log file asked for only the revoked certificate key.

Clean install 2:
latest game ready, asked for the revoked key, and to launch cmd.

Clean install 3, auto update latest game ready:
used rundll32.dll driver signing certificate to install instead of NVIDIA;
certificate was “ok” but not sure of OCSP hard fail;
asks for all certificate registry keys.

  • only showed up because of shell code detection, which raises questions about registry HIPS
  • it's a log file, not an executable
  • 3rd party verification by liosant?
  • consistent on boot
  • win7u x64 gtx 660m

    https://i.ibb.co/vkBMwdY/wtf14.png

I already explained why bug 3 is not a bug: it has to do with heuristic command-line analysis of whatever application you added to the list.

Yes, a heuristic command line of a log file that’s not writing any registry keys into said log.
Here is the offending log:

https://ufile.io/5lalp

There is nothing at all that should trigger any heuristics, aside from a few forward slashes, let alone very specific heuristics targeting security certificates or executing DOS.
If it's the parent process responsible for the alerts then it should be displaying the parent process instead of the offending non-executable .log file.

So yes, you're damn right it's a bug, or something much worse, and I'm starting to think you don’t know what shell commands are and are just copying and pasting documentation.

Please restrict your posts to actual issues and do not pass on your opinions on the abilities, or perceived lack thereof, of other users who are attempting to help you.

Personal attacks are NEVER viewed favourably here and continuing in this manner can result in further action.

Ewen :slight_smile: