CIS 5 new requirements regarding defense+ image execution control exclusion

I have been unable to run Wordzap (a word game) since the CIS 5 update. No messages of any kind appeared and no log entries were generated. I just figured out that CIS 5 has introduced a new requirement that I define wordzap.exe as an Image Execution Control Exclusion. I just did this.

I have lost faith in this product in that it shipped an update without some detailed warning of its impact. I am a geek, so I can figure this out (eventually), but I worry that the dozen+ people to which I have recommended this product are going to be ■■■■■■■ by this.

This strikes me as something that will undermine the usability of your product for many people.

Hello nexus,

I do believe that you have a legit reason to argue,
but what happened with that program, I do believe, is what programmers call a buffer overrun.

I would point this issue out to the authors of the game; as for CIS, it was doing its job, protecting explorer.exe.

However, I do believe that once you/I/we submit the file to Comodo, it will then be fixed…

My two cents

Jake

Thanks Jake. However, from Comodo…

“The application may hook into the operating system in ways that conflict with CIS. There is no reliable way of identifying such programs, though a few generate buffer overflow Defense plus event log entries. The problems with many such applications can be resolved by making them exceptions on the Defense+ ~ Defense+ settings ~ Image execution control ~ Exclusions list and rebooting. This works even if there is no buffer overflow log entry. In some cases you may have to exclude all the executable files in the program directory, and any sub-directories, in this way, or even an installation, related copy protection executable, or other third party or common ‘helper’ or operating system programs[1]. Buffer overflow protection exemption works with Daemon Tools, and MS security essentials for example.”

No entries appeared in the Defense+ log, so I question whether the buffer overrun is at play here. My issue is about a change in design in CIS that catches me/us unawares. Where is the warning that implementing CIS 5 may cause some programs to stop working?

I have been in contact with the developer, and Wordzap V7 will be in beta soon.

nexus,

My apologies, nexus; when installing any type of security program there is always a possibility of something going wrong. I’m now officially addicted to Wordzap lol

Thanks for sharing the Game title :smiley:

In my Defense+ Event Logs it shows the following
Wordzap.exe - Shellcode Injection - Date

Jake

Thanks again Jake, and my apologies for not warning you about the, um, addictive qualities of this game.

I do not see the entry you refer to in my log, and now I wonder about settings for log recording?

From the developer, Michael Crick: “Version 6.90 used a protection scheme from a company that went out of business. Maybe Comodo had an issue with their software. WordZap 7 uses a new protection scheme which we hope will work better.” I am not sure to what Michael is referring regarding a protection scheme, but evidently my troubles made sense to him.

To recap my situation:

  1. This issue did not arise on CIS 4 (or 3).
  2. My Defense+ log does not reflect any entries (with the exception of the initial sandbox event to which I replied don’t isolate) regarding this program.
  3. Adding entries for trust in Firewall Network Security Policy and Defense Computer Security Policy did not resolve this problem.
  4. Setting Security Mode for all Comodo functions (Sandbox, Defense+, Firewall, Antivirus) to disabled did not allow this program to run. Only de-installing Comodo gave me a clue that Comodo was the problem.

At this point I want two things:

  1. When your product decides to suppress the execution of a program, I need more information flowing my way so that I know what is going on.
  2. The exception process in this case is unreasonably difficult for a non-technical person. I can navigate to Comodo —> Defense+ —> Defense+ Settings —> Execution Control Settings —> Exclusions —> Add and then navigate through my file structure until I find my executable, but do you really expect a non-technical person to do this?

  1. In my installing and execution of Wordzap, I was notified of a buffer overflow attack, but I pressed Ignore and checked the box ‘Skip this application in the future’
    http://help.comodo.com/topic-72-1-155-1150-Understanding-Alerts.html#Defense_alert
    Then it worked each time. (Also, after installation I went to the directory of its location and opened the ntcfg or something, rather ‘wntipcfg.exe’, allowed that to install a hook, then ran the game from there and it worked!)

  2. Very true! And no, I do not believe that a non-technical person would do that.

Hope this helps

- Jacob Kilgore
C-O-M-O-D-O Forum Moderator

Thanks Jake,

Great, now how do I get my installation of Comodo to send me such a message?