Hi Guys, Having installed CIS4 I have had a few problems which I have managed to get rid of by disabling the sandbox. It even sandboxed winword.exe and then wanted to go through it all again the following day. The sandbox I think is still too much in its infancy and far too much hassle, so it’s disabled. I do have a problem I can’t resolve with this new version of CIS as outlined below and any help would be appreciated. However, as this has occurred before in version 3, and I never found a solution and it was cured by an update, this may be one for the Devs. A touch of déjà vu for me.
1. CPU (32 bit or 64 bit) = Athlon 4200X2 64bit
2. Operating System information = XPPro SP2 with additional security updates
3. Actively-running security and utility applications = CIS 4.0.138377.779 only
4. Specific symptoms of the bug, and steps you can take to reproduce it = After installing CIS 4.0.138377.779 Techland Xpand Rally game version 1.1.0.0oem will not run. Click on icon to start game. Game does not run. Disable Defence+ fully (requires restart), game runs ok as previously on CIS 3.14 with D+ enabled. Re-enable D+, game does not run.
5. Specific steps you have taken to try to resolve it = Added Techland\Xpand Rally\xpandrally.exe to D+ Computer Security Policy, allowed all access rights and allowed to run as executable. Added all relevant files in the program to My Safe Files. Checked all settings in CIS 3.14 on another computer for this game and they are identical to the settings in CIS4 on this computer, but the game will not run on this PC. Re-installed CIS 4 as a clean install and repeated all the above. Game will still not run.
6. Brief description of your Defense+ and Firewall+ mode = Tried all modes for D+, only fully disabled successful; normally run in Safe Mode for Firewall and D+. Plus mention if you modified any setting in ADVANCED section of D+ and F+ = Only as noted in 5. above
7. If your PC reboots or you have a BSOD post in BSODs: Please add your minidump files here = N/A
8. Report if you are using an Administrator account or a Limited User account = Administrator
Additional Information - I have examined the various logs for Techland Xpand Rally, cleared the crash log and attempted to run the game again with D+ enabled. The results of the crash log are attached; these seem to be Java related but it is really beyond my skills to know where to go from here. This problem occurred in an earlier version of CIS, CIS3.9 rev 509 I think, but I never found a resolution to the problem. It cured itself when an update was available and applied a few days later.
Any help or a cure will be much appreciated otherwise it looks like going back to 3.14 as I have a few other issues with CIS4 I am currently investigating :-\
Thanks for the reply. Tried that, just the game folder without the sub folders, and it has not worked. Will try a few other options.
Just a note to add that I found the version that caused this problem previously, I keep all my old copies of software backed up in an archive and add notes where any problems are observed. The CIS Version that caused this problem previously was CIS 3.10.530 shortly after it was updated to CIS 3.10.531 which was ok and allowed Xpand Rally to run with no hiccups.
Worked further with this. Added the Xpand Rally folder to my safe files again, did not work.
Tried to uninstall Xpand Rally for a re-install; it would not uninstall, the uninstall package stalled straight to finish. Would not even recognise the game CD with D+ enabled.
With D+ disabled fully, managed to get the uninstall to run after a couple of attempts and uninstalled Xpand Rally, cleaned out all old files and registry for both Techland and Xpand Rally and cleared the program from my safe files, checked no traces left.
Re-enabled D+
Program CD would not autorun, started program install manually. Install ran ok; had D+ in paranoid mode to ensure I got alerts to accept, which I did. Program installed ok but still won’t run with D+ enabled no matter which mode selected.
Added program folder to my safe files again; still program will not run with D+ enabled.
Looks like it’s back to 3.14 for me, too many bugs still to be ironed out with CIS4.
Downloaded the latest version today before doing the above. Not helped at all. Very frustrating.
Thanks for the very thorough bug report. Is there anything relevant in the D+ logs? If you paste the log into the message someone may be able to help.
I seem to remember that some Java files used to have a problem with either image execution control or buffer overflow control. You could try disabling and rebooting. Guard32.dll was also a problem with some Java files, and could be neutered by renaming (probably in repair directory as well) & rebooting - but it was an important part of the way CIS defends itself, so maybe not wise.
Do you have to disable D+ permanently to make it work, or just disable using the slider?
Sometimes running games as installers or ‘Windows system’ solves problems. Note that this gives the game high privileges, so only use it if you really trust the game.
Hello Mouse,
Thanks for your suggestions. I will paste the D+ log although there does not seem to be much relevant to the bug, and all the entries off the bottom of the page relate to the Logitech profiler before I allowed it memory access; this always happens. It almost seems as though CIS 4 does not see the Xpand Rally application. I also found that the Dr. Watson log has quite a few entries relating to this bug, so I will paste that too. I am ok with PCs but not an expert, so a lot of what is in this log is a bit beyond my capabilities.
You mention a Java files problem with image execution and buffer overflow, and disabling and rebooting; what should I disable? I fear I am being thick here. It definitely appears to be Java related, to do with Java Swing according to the crash log. My guess is xpandrally.exe needs to access these to start the game and is being prevented by D+. xpandrally.exe runs briefly in running processes, about 10 secs, when attempting to run the game, then it stops and nothing else happens. This particular game is a very very slow loader so it can take a while to realise it is not starting.
I am reluctant to interfere with guard.dll but may try this if it will help to solve the problem.
I definitely have to disable D+ permanently; disabling by slider does not work.
I have tried the game as an installer, that did not work. I will try as Windows System.
I think it is significant that this happened before with CIS 3.10.530 and was resolved by CIS 3.10.531 !!
I guess I seem to be making a bit of a fuss about this issue, which is after all only a game, and there are other issues with CIS4, but I use the game as a stress reliever and if there are Java issues here then it may affect other Java related applications.
Mouse,
I note you asked me to paste the logs and I have actually attached them at the bottom of the post. I can’t open them for some reason, but then I can’t open any other attachments in the forum. It may be my browser settings, but if no one else can open them then I will paste them; the Dr Watson log is rather large though.
OK if the installer trick does not work then the sandbox is pretty much eliminated. (My safe files is not always enough).
To disable image execution control for the file go to D+ ~ image execution control ~ exclusions. I’d suggest excluding the entire program directory plus the Java directory, to start with, you can be more focussed later if it works.
If this does not work you can try disabling checks on the D+ monitoring settings tabs. Not sure if all are turned off when you set the D+ slider to ‘disabled’. Some work instantly but I think some need a reboot to be effective. Maybe disable all, assuming you know you have no malware, reboot, and see if the problem goes away.
Else it’s guard32, but CS4 may not allow this - have not tried myself!
I can read them, ta. Can you tell me what F:\starter.exe and F:\setup.exe are? One (starter) seems to modify the other which is the sort of thing that can cause D+ some problems.
Hi Mouse,
Thanks for your time. First, I can now read the attachments; have just installed Comodo Dragon, was on IE6 before, never really trusted it, and IE7 was a mess so never bothered with IE8.
F:\ is one of my DVD drives, in this case a writer. The starter.exe and setup.exe will be from the re-install of Techland Xpand Rally, and your point about D+ is maybe why I had to start the install manually. To make the logs clearer: HDD is partitioned as C, D, H and I; DVD ROM and writers are E, F and G.
Have tried the game as an installer and windows application (that is, adding xpandrally.exe in the D+ computer security policy), again a no go.
The sandbox is disabled by the way; it was sandboxing too many legitimate applications including winword.exe.
I will now try your other suggestions. I have tried the D+ monitoring settings tabs but did not realise a reboot was necessary for some of them, so we’ll do that again.
One further idea, if the game requires you to have the disk in the CD drive to start it. You may need to give starter.exe, and any other program on the CD which is run when the game runs, some privs. If so try making it an installer, as it may create key files on your hard disk every time the game runs.
Do you ever sleep? I am assuming you are in the USA. But again your time is most appreciated and now we know where the problem is. It is definitely Guard32.dll. CIS 4 allowed me to rename it and, as you suggested, I renamed Guard32.dll to Guard32.old in windows and the repair file. The program ran fine.
To be sure I undid all the other measures including exclusions for the program folder and java folder. Removed all the entries for the application from My Safe Files and removed the application from D+ Computer Security Policy. Set D+ to paranoid to ensure I got an alert to accept which I did. The program ran ok.
To be really sure I repeated the sequence again as below:
Renamed Guard32 back to its proper name in both locations and Xpand Rally will not run.
Repeated the rename of Guard32.dll to Guard32.old in windows and the repair file and Xpand Rally runs ok.
Renamed Guard32 back to its proper name in both locations and Xpand Rally will not run.
So I personally am now certain it is Guard32.dll, as you suggested, that is preventing Xpand Rally running. Thank you so much for your help.
What happens now, how do we get this resolved? And what are the risks of leaving guard32 disabled? It is currently enabled.
Oh yes don’t worry, I’m in the UK - glad to be of help.
My understanding of guard32.dll is rather limited - it’s involved in protecting CIS (cfp.exe?) from closure by malware I think, but not sure what else it does. Forty_7 knows more I think - you could PM him and ask him to contribute to this topic (so his thoughts are in the bug report). I seem to remember I still got D+ alerts with it disabled, and got no infections, but that might be good luck!
I was not clear if you had tried defining starter.exe (or other CD based file run on prog start) as an installer, or if maybe it was inapplicable because the CD is not required to start the program. Don’t think it will help, but maybe worth trying, as this gives the file it is applied to and, critically, any other file it runs, a pretty deep level of exemption from D+ controls as I understand it.
Well, off to bed now…
Anyone else out there know what is lost if you stop guard32 from loading?
Glad I was not keeping you up, I am in the UK too. No, the game does not need the CD in to run; I just did not get round to purging the entries in D+ and of course just now it requires a bit more effort to clear the logs, just as well really.
I am not that experienced in forums, only a member of this one and the AV forums. I post stuff that I think is useful or when I need help, but I am not sure about PMing people. I will have a go and see if I can PM Forty_7 and ask his advice and input. I would like it resolved without resorting to risky workarounds. Other than this and the Sandbox being buggy, CIS4 does not seem too bad and I would then consider installing it on the other machines in house and for friends who are currently on 3.14. But before I do I really want to be confident.
Meanwhile you might want to try the installer/updater fix I suggested above - even if not running from a removable drive. Defining a file as installer/updater ensures all the files it runs and all the files that they run operate with a high level of privs.
No guarantees, just rather less dramatic than disabling guard32 as only one app (and anything run by it) is affected.
I did try as an installer/updater and as windows system, neither worked. We do have this program on a couple of other PCs (friends and family) but for the moment I am leaving them on CIS3.14 until this can be resolved.
Again all your help has been really appreciated, I note you have been pretty active through the forum when I was looking for Forty_7. Wish I could be so useful, I do a bit better on the AV forums.
Well, I’m not an expert myself. If I recall correctly all these kinds of issues were related to Memory Firewall back when it was still developed. Some applications didn’t like that Memory Firewall injected a DLL into their memory. Memory Firewall is now integrated with CIS and I think that is what guard32.dll is doing in CIS. So if you ‘disable’ guard32.dll then you will lose Buffer Overflow Protection.
You said that renaming guard32.dll helped so I would try to rename it back to its original filename and then disable the Detect Shell Injections in Defense+ → Image Execution Control Settings → General. After that I would try to run a game and see the results. Also, since you suspect that the files causing the issue might be related to Java, I would make sure that I use the latest one. Java Runtime Environment is quite frequently updated.
Many thanks for your input on this one. I did run the memory firewall during the earlier editions of CIS before it was integrated; this did not at that time affect the running of Xpand Rally.
As you suggested I have updated Java, I was only a couple of revisions behind. This has however not helped.
Also as you suggested, with Guard32.dll enabled I disabled Detect Shell Injections in D+; this did not work either.
The only thing that seems to work is Guard32 disabled. I have checked all my other programs and nothing else seems to be affected by this issue. The only common denominator seems to be that CIS3.10 rev530 did the very same thing.
I very much appreciate your input and the information you have provided. I really do wish with the effort that you and Mouse1 have put in that it would have been rewarded with success.
Mouse, I note that you are thinking of closing this one. Does that mean that no further action will be taken to resolve this issue, or is this now something the Development Team will take on board as they progress through the various bug reports? I do appreciate that at this time they have a lot on their hands…