Comodo Memory Firewall not compatible with DropMyRights

I downloaded Comodo Memory Firewall 2.0.2.12 yesterday and installed it on my Windows XPSP2 (fully patched) without incident. The machine is a Dell Dimension 4400 (P4, 1.7 GHz) with 512 MB RAM and 40GB HD; old enough not to have DEP. I am using CFP 3.0.14.276, BOClean 4.25 [both with no issues at all], AVG Free, and some demand spyware scanners which were not active during my tests.

Unfortunately, this morning I found a direct conflict between CMF and Microsoft’s DropMyRights procedure, which I use to run my e-mail utilities with reduced (that is, ordinary user) rights.

What I find is this: when CMF is installed, DropMyRights starts and launches the required application (in my case this is the e-mail monitor PopTray), but then consumes essentially all of the CPU resources (about 96%) forever, instead of turning control over to PopTray and exiting. This occurs when “Restricted PopTray” (that is, DropMyRights running PopTray) starts with Windows or when I start it manually. Killing DropMyRights manually from ProcessExplorer puts things back where they should have been without manual intervention.

This conflict is serious enough that I have uninstalled CMF and will not install it again until the conflict is removed.

Further to my earlier post above, I have tried again to install CMF on my system, this time excluding %ProgramFiles%\MSDN\DropMyRights.exe from CMF’s protection. This worked out correctly: two different “restricted” applications run via DropMyRights start correctly and DropMyRights did not consume all the CPU resources, but ran too briefly to see with ProcessExplorer and then stopped, as it should.
:■■■■

pudelein,

Thanks for your post. I had the same issue.

However, things might not be so fine and dandy in candyland. One of the primary apps we’re most interested in protecting from buffer overflow are the browsers. The browsers are also likely what we use DropMyRights with. By excluding DropMyRights.exe from CMF, haven’t we just disabled buffer overflow checking on the browsers?

I don’t use DMR, but I would say no.

I think all the program does is modify the security rights of a program before launching it. Your browser is still running in its own process, so would be protected.

To restrict a program’s rights using DropMyRights, it is typically invoked as follows:

C:\PathToDropMyRights\DropMyRights.exe “\C:\Program Files\Internet Explorer\iexplore.exe”

Although the source code is available to DMR, I haven’t really investigated how it works. But from the above line, it appears IE may become part of the DropMyRights.exe process.

Either way, this still seems like a bug in CMF.

I can now answer the questions asked above about DropMyRights, browsers, and CMF; it took me quite a little time to get all of ducks organized properly!

First, one significant thing that CMF does is to inject the file cmfdll32.dll into every protected process [that dll is the one for x32 systems; presumably there is a similar one for x64 systems]. If one starts ProcessExplorer, selects a running process, and activates the lower panel DLL display, a list appears of all the DLLs in that process’s space. If it is protected by CMF, then cmfdll32.dll will appear in the list. If it is not protected this dll will be absent.

Second, again using ProcessExplorer, select a running process, right-click, and select Properties from the context menu. The Security tab will display the application’s permissions in the lower panel. These are pretty arcane, with names like SeChangeNotifyPrivilege and can be labeled Enabled, Default Enabled, Disabled, and maybe other things,

When Firefox (my preferred browser; all should be very similar) is launched directly, there are five privileges listed as enabled or default enabled and fifteen others that are listed as disabled. The CMF dll is listed in the Firefox process space. Incidentally, Firefox is shown as a child process of explorer.exe.

However, when Firefox is launched via DropMyRights, only one privilege is listed as default enabled and no other ones are listed at all. Nevertheless, the CMF dll appears in the Firefox process space. Finally, Firefox is shown not as a child of explorer.exe, but as a child of the System Idle Process.

So, it is clear that CMF protects processes started by DropMtRights, even though it does not protect DMR itself. It is also clear that DMR actually does lower the rights extended to processes that it launches.