Comodo blocks memory injection of an application after exclusion.

I’m a game/software developer. I recently started working on a program. I won’t be revealing program names, but there are 3 programs.

Program 1 starts (normally), finds the socket.
Program 2 is activated by Program 1 when socket found, it needs to start.
Program 3 needs to deliver additions to Program 2, as it is started but before the user can interact with it.

Here’s the problem: Program 3 attaches itself to Program 2 and makes Program 2 dependent on Program 3.
Program 3 is being blocked by Comodo, and Program 2 crashes, making all 3 programs useless.

I looked into the exclusions and added Program 2 and Program 3 (the only ones without a certificate; Program 1 has an officially recognized certificate from Symantec), giving them a free hand.

But every time Program 3 is attached and tries to edit the memory of Program 1, “Blocked Intrusions” goes up by 2, and the messages that are in there are: http://s000.tinyupload.com/index.php?file_id=63494697188260126505 (click on the name of the file).

I don’t know what Comodo thinks, but this Program 3 surely isn’t a virus or anything that would try to invade Comodo. It is a program trusted by quite a few thousand people, just without a certificate.

I tried communicating with your “GeekBuddy”, but he said nothing really useful. He said that GeekBuddy in the unpaid version is a trial, and that I should call a number in I don’t even know where, where they’ll probably leave me hanging on my mobile for 30 minutes.

After re-reading this post, I realized something. I’m not a hacker or cracker or anything. Program 3 is an addition to an online game, which is Program 2. It allows editing its GUI, but requires editing the memory, which Comodo prohibits.

What you are seeing is the self protection of CIS at work. No program is allowed to access CIS files in memory.

There are two ways to go. Adapt your code to accept it cannot be injected in all processes or allow memory access for program 3 to CIS files.

It’s understandable.

Neither program nor source-code are mine.

How would I allow this for the program? Is there a link to a “Book of Knowledge” you could send, on how to make Comodo do this? Look, if Comodo really thinks it’s a threat, like, it tries to modify layers of Comodo’s security, go ahead and block it, but if it requests injection, can’t Comodo just respond with return 0; and make the program think the referred file is empty?

Just as a side note: the program works just fine without any anti-virus, or with avast! and AVG. I wouldn’t know why it would prefer “attacking” Comodo, when it has an entirely different purpose and program. Also, the logs are referring to “cmdagent.exe”, which seems to be part of Comodo’s Firewall if I’m not mistaken. Why would Program 3 want to modify the firewall, if it already has itself updated and its account verified on the same IP and port? It’s not like a malicious file can’t be blocked by Comodo, and the Firewall has nothing to do with blocking on-drive viruses.

One of our members made a video on how to do this:

> Look, if Comodo really thinks it's a threat, like, it tries to modify layers of Comodo's security, go ahead and block it, but if it requests injection, can't Comodo just respond with return 0; and make the program think the referred file is empty?

I'm not a programmer so I cannot answer this question.

> Just as a side note: the program works just fine without any anti-virus, or with avast! and AVG. I wouldn't know why it would prefer "attacking" Comodo, when it has an entirely different purpose and program. Also, the logs are referring to "cmdagent.exe", which seems to be part of Comodo's Firewall if I'm not mistaken. Why would Program 3 want to modify the firewall, if it already has itself updated and its account verified on the same IP and port? It's not like a malicious file can't be blocked by Comodo, and the Firewall has nothing to do with blocking on-drive viruses.

The Comodo Internet Security suite also protects the host by looking at what is happening underneath the hood of Windows. Blocking memory access is a general protection measure. Memory access in itself is not by definition malicious, but it is dangerous enough to make sure CIS executables are protected from it: it will allow full control over the executables. Sometimes blocking memory access upsets other programs, as you noticed. In that case an exception can be made to allow memory access.

I see, modified it, but why would Comodo block verified files? Those that were already scanned as being entirely safe? League of Legends by Riot Games is a file verified by Symantec (Windows also recognizes that (the bar in UAC changes to blue)). League of Legends has 2 executables: one is a regular file, for a regular user, and the other has administrator permissions. If the regular non-elevated file cannot be executed, due to insufficient permissions for example, the elevated one is executed instead. Still, if I run the non-elevated executable, Comodo blocks it and forces the application to run its elevated “brother”. Why? If a file is verified, it’s safe, isn’t it? The program runs when administrator permissions are granted, but it should also work when they’re not.

I do get the fact that Comodo is protecting itself from other executables and traces, but heck, if the file is verified, what could go wrong?
(reference, look at attachments)


Also a verified file or a digitally signed file can be injected with malware code and this file should not access Comodo’s memory, that’s not a normal behaviour, even for a “secure” file.

Hello. My English is very bad, but I will try to describe my problem. It is trouble with blocking of memory TOO, but harder. The program which is blocked is Adobe After Effects… Comodo lets it run, but gives it ONLY 0.4 Gb of RAM instead of about 4.4. And nothing helps. I tried to put AE (After Effects) in the exceptions of Defense+ and did what was in the video… but NOTHING helps… Even if I turn off ALL Comodo services, nothing changes. ONLY uninstalling Comodo gets AE working well, and it starts using full memory. I don’t know where this block is and how to avoid this block. And of course the AE rules were set like a system application… Can somebody help me?

Can you try adding the AE executable(s) or the entire AE installation folder to Detect shellcode injections and see if that helps?

Do you have other security programs installed that run in the background alongside CIS? Are you running the CIS suite or just the firewall? In case you’re running CIS you can also try to add AE to the AV exclusions just to be thorough.

I just did it: added the AE folder to the shellcode exceptions and to the AV ones too. No, I have no other security program, only Comodo. I’m running CIS. But… nothing changes… As I said, even if I CLOSE Comodo, nothing changes. Only uninstalling… It is such a PRIMARY level of block that I can’t imagine it ) like in the BIOS )) LOL… When I uninstall Comodo, AE runs processes like ‘dinamyclinkmanager’ and ‘Adobe QT server’. Of course I added them to the system application rules, but it does not help. I can run these processes from Total Commander, but AE itself does not run them… Only after uninstalling Comodo… very very SAD… ((

I think we’re looking at a bug here. If you have the time and energy please consider filing a bug report in the Bug Reports - CIS board following the format as described in FORMAT & GUIDE - just COPY/PASTE it!.

Reporting of bugs is strictly moderated to make sure Comodo gets clear bug reports. So, please make sure you closely follow protocol. That way your report will certainly be seen by Comodo staff.

thx… I will try… but it’s somewhat hard when you don’t know English well…

Hello. I have a good idea. Can I take the whole form for the bug report, fill it in and post it here, to avoid mistakes in the report? Because, as I said, I’m not good at English. Here you can see it and say what is wrong; if needed I will fix it and then post my report in the staff place. And you can later delete it here after looking at it and fixing my mistakes.

You can post it in the bug board. You will be helped with the report to make sure it is ok before it is sent to the Format Verified board.

ok. thx one more time. will do it.