Comodo Issue?

I’m wondering if these errors are in any way related to Comodo. I’ve been having memory-related issues and programs crashing out on me, including sh.exe in Github Desktop.

Error messages below:
[at][at] -0,0 +1,21 [at][at]
Exception: STATUS_STACK_OVERFLOW at rip=7FFC22BB4FD7
rax=0000000000001250 rbx=00007FFBE1690360 rcx=0000000000000000
rdx=0000000180010018 rsi=00000000FFFFB960 rdi=FFFFFFFFFFFFFFFF
r8 =000000000276360E r9 =0000000180271780 r10=00000000FFFFA000
r11=00000000FFE03E00 r12=0000000000004FE0 r13=0000000000000000
r14=000000000276360E r15=0000000000000000
rbp=00000000FFFFB4F0 rsp=00000000FFFFB398
program=C:\Users\changsells\AppData\Local\GitHubDesktop\app-1.1.1\resources\app\git\usr\bin\sh.exe, pid 20448, thread unknown (0x4720)
cs=0033 ds=002B es=002B fs=0053 gs=002B ss=002B
Stack trace:
Frame Function Args
000FFFFB4F0 7FFC22BB4FD7 (0000276360E, 00000000000, 00000004FE0, FFFFFFFFFFFFFFFF)
000FFFFB4F0 7FFC1EB336C6 (000F0003FAB, 0000278B380, 0000278B380, 00180271780)
000FFFFB4F0 7FFC1EAA0E79 (000FFFFB820, 00000000224, 00000000000, 00180271780)
00000000420 7FFC1F15D7F6 (00000000001, 00000000000, 000FFFFB900, 00100000001)
00000000420 7FFC221FE4E3 (00000000020, 00000000000, 000FFFFBA80, 00000000001)
00000000420 001800AB022 (000FFFFBA20, 00000000000, 00000000000, 001803008C0)
000FFFFBAA0 001800ABBD5 (00100410FBB, 00000000000, 006000466C0, 001004E9740)
000FFFFBCA0 0018011C93B (00100410FBB, 00000000000, 006000466C0, 001004E9740)
000FFFFBCA0 00004A3E458 (00100410FBB, 00000000000, 006000466C0, 001004E9740)
End of stack trace

And these:
“An unhandled exception of type ‘System.AccessViolationException’ occurred in Unknown Module.
Attempted to read or write protected memory.”

or

“Unhandled exception at 0x00007FFD9D9F11C9 (AcLayers.dll) in ABC.exe: 0xC0000374: A heap has been corrupted (parameters: 0x0000000000000000).”

or

“Unhandled exception at 0x00007FF83510879B (ntdll.dll) in ABC.exe: 0xC0000374: A heap has been corrupted (parameters: 0x00007FF83516C6E0).”

No idea what’s going on here. Any assistance would be greatly appreciated.

This sounds like an HIPS issue and “Memory Firewall.”

Where do I go to turn off this “Memory Firewall?” I’ve added exceptions into HIPS but it still throws errors. Restart required?

You want to try the shellcode injection exclusion: Miscellaneous Settings, Virus Protection Software | Internet Security | COMODO

I’ll give this a shot and see what happens… Rather annoying as it is hindering productivity!

Do I need a restart in order for these settings to take effect?

Github is fixed!

Any clue for the heap corruption issues?

'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\Users\Optimus Prime\program\program\Program.exe.exe'. Module was built without symbols.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'PkJBLwhSsKHuNwKnzpCgyNQqqwbFA'. Module was built without symbols.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\Users\Optimus Prime\program\program\Python.Runtime.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll'. Cannot find or open the PDB file.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'Microsoft.GeneratedCode'.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'Anonymously Hosted DynamicMethods Assembly'.
'Program.exe.exe' (CLR v4.0.30319: Program.exe.exe): Loaded 'C:\Users\Optimus Prime\program\program\ZedGraph.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
An unhandled exception of type 'System.AccessViolationException' occurred in Unknown Module. Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Seems like this could be a solution:
https://forums.comodo.com/defense-sandbox-help-cis/visual-studio-2012-update-3-debug-problem-t98149.0.html

I’ll give it a shot and report back on details.

Update: Solution in the above link didn’t work. Adding C:/ to the exclusions just to test didn’t work. Adding the program and the folder to exclusions didn’t work.

Add the All Applications file group to the Detect Shellcode exclusions and reboot, then try again.

Will do… args.

No luck. The program keeps crashing even with All Applications.

‘System.AccessViolationException’ is a rabbit hole. No idea how to fix it, no idea where to start, no idea what causes it.

Hi Ebolamonkey,

Sorry for the inconvenience caused. Please check your PM and share the requested logs with us by following the steps provided.
Thanks in advance.

Kind Regards,
PremJK

Seems the heap corruption issue is not caused by CIS, though you could try uninstalling CIS to confirm.

Hi ebolamonkey,
So the shellcode injection exclusion fixes the sh.exe crash, right?
Can you please clear the exclusion and collect a dump for the sh.exe crash? We want to find the root cause and fix this issue.

Regards
Haibo

Shellcode injection fixed the sh.exe problem.

Here are the dump reports for the other problem:
https://www.dropbox.com/s/yxvg9wgu5ksnoui/TradersToolbox_x64.exe_180503_163759.dmp?dl=0
https://www.dropbox.com/s/qj10mcc8ps5pqly/TradersToolbox_x64.exe_180503_162604.dmp?dl=0

They want the memory dump from github desktop after removing the application from the shellcode detection exclusion, but it seems no memory dumps are actually created when I tried cloning a repo.

Github crash doesn’t crash out like this program and there isn’t a memory dump created. Github added to exclusion fixes the problem. I can revert it back and see if it does produce a memory dump but Github isn’t the issue that is more pressing, to me at least, but rather the other program not working.

Can you please rename C:\windows\system32\guard64.dll and try the TradersToolbox crash again?

Please check issues with Comodo Internet Security v11.0.0.6580 - BETA2, thanks.