CD conflicting with EMET's "Certificate Trust"

Hi,

Can somebody please help?

I’ve posted here…

https://forums.comodo.com/news-announcements-feedback-cd/cd-and-emet41-t101678.0.html

but finding the problem not as first thought. If I am alone having this hassle then maybe somebody might suggest what system service or setting I could check?

I have EMET 4.1 set as recommended: system settings ‘Opt-In’ and Certificate Trust enabled.

If CD added to EMET ( its a browser and that’s the whole point of EMET)…

CD will run un-sandboxed with all EMET mitigations turned on for it. Won’t run sandboxed unless ALL five ROP mitgations: Loadlib, MemProt, caller, SimExecFlow and StackPivot are off.

That’s fair enough and easily sorted. Just setting the scene.

Because getting CD to run isn’t much use because…

With EMET’s ‘Certificate Trust’ enabled and even if CD is deleted from EMET:- CD (unsandboxed) experiences random problems getting onto websites whether https secured or not. Have to shut CD and run CCleaner… can then access sites once, if lucky, before problem returns.

Find nothing sensible (to me) in eventviewer’s CAP12 logs (certificate verification) other than occasional errors: "The revocation function was unable to check revocation because the revocation server was offline. [ value] 80092013 "… but can’t time these events to what’s happening with CD.

Site access problems only resolve when EMET’s Certificate Trust is turned off.

So… either evryone else running EMET 4.1 is finding CD wrecked if Certificate trust is enabled and whether or not CD is added to EMET or there’s some setting on my system that needs repair?

Seems a conflict over certificate verification but way beyond my pay grade to fathom out alone. My cryptographic service is running, and I thought certificates are updated through Windows Update and that’s working fine too.

My certificates folder “certmgr” only holds non-expired ‘Comodo Code Signing CA 2’ and ‘Verisign Class 3 Code Signing 2010 CA’ certs while this forum’s cert refers to “Comodo Extended Validation Secure Server CA” in its issuer path. Is that a clue that my trust certs aren’t being updated correctly?

I’d really appreciate some help. Guess I can just toggle EMET’s Certificate Trust on only when using Internet Explorer, but would like just to know if I’m alone in having these issues with CD and EMET 4.1? I kinda like being able to use different browsers for different things.

Cheers in advance and thanks for your time. :slight_smile:

Mmm… nobody?

So, spent more hours testing CD against EMET 4.1’s settings and reinstalled CD twice (updater wouldn’t work either) and found same hassle opening random websites, whether https or not… so I un-installed CD again and decided this time to download a fresh copy in case my recently saved installer file was b******d.

Fresh instal turned out to be version 31.1. I’d been running ver 30.0. Who knew? :embarassed: Re-read the help file and thought maybe the setting for “Check for server certificate revocation” might ought to be ticked (no idea really, just getting desperate).

Left dragon.exe added to EMET with five ROP mitigations off and ran it unsandboxed…

So far, after cycling through opening it and navigating to various sites and closing it, and repeating and even running CCleaner and doing it over agin, CD can now access all sites even with EMET 4.1’s "Certficate Trust(Pinning) enabled. :o

My system hasn’t changed. So either version 30.0 was crocked or one setting was all it took. It shouldn’t be this hard… or lonely. :cry: But themn again, is it really fixed this time? Off now to try using CD sandboxed with EMET 4.1…

Does Chrome have the same problem? Glad that CD 31.1 helped. I think no one helped because they did not know how to fix the problem. Good luck with CD in the future. :slight_smile: