Installed Comodo Memory Guardian ver 188.8.131.52 on WinXP SP2 + all updates and immediately had issues of around 50% CPU usage with “DropMyRights”, which I use for both Firefox and IE web browsing. Adding DropMyRights.exe to the CMG allow list made no difference. Neither did a reboot.
CMG Ver 184.108.40.206 had no problems with this program.
Other than this, all seems to be running well at this moment, especially with BOClean.
Please move this topic into a “Comodo Memory Guardian Beta v220.127.116.11 Bug Reports topic” when one becomes available.
A game which has a GameGuard can’t work if I use Comodo Memory Guardian Beta v18.104.22.168, but it works well with Comodo Memory Guardian Beta v22.214.171.124. http://kart.nexon.net/ is the address of the game in English. I don’t know whether the English and Chinese versions have the same GameGuard; if they have the same one, the English version will not work either.
Problem with .NET Framework 2.0 on Vista 32-bit. Upon installing MG, a process C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe does not close and uses 100% CPU. Additionally, the ATI display driver tray icon (the ATI drivers are built on .NET Framework 2.0) does not start. Cvtres.exe may be renamed or deleted to prevent this problem, and the ATI icon will then start properly. However, the custom display gamma/brightness/contrast that is applied at startup no longer takes effect. The only solution is to uninstall MG.
Heh, yep, it doesn’t seem like a false alert, since it’s a buffer overflow (not ret2libc) and the memory really looks like stack… Don’t know if “allow” was a good idea. Where have you been with this explorer? It looks like .ani cursor exploit activity (though the only modification of such an exploit with shellcode within the cursor file itself that I have seen was made by me for internal use). The release version of CMG will include logging of stack pages, so such alerts will be clearer to me.
At the end of the install I could run all the tests; however, after these (I closed that window and maybe less than 1 min later) explorer.exe caused 100% CPU usage and I couldn’t kill it. I tried to run Task Manager with Ctrl-Shift-Esc, but it seems I just wasn’t able to terminate it.
I pressed reset because I found no other way to get back to my system. After logging on I tried to run the guard ASAP and I got this error message:
Title: Error starting Comodo Memory Guardian
Error: Can not create LPC port, CMG is already running?
Description: Object name already in use (translated text)
It’s right, I found the little chief icon in the tray, but I don’t know if this is normal or whether it should just open the program anyway (which would be a much wiser idea). Now it seems to run fine; is that a tester or first-time issue?
Applications on this system:
WindowBlinds 5 (5.51 (build 97 x86) - shareware)
UpdateStar (checking program updates)
C-media 3d application (for sound card)
LogMeIn (remote admin)
Live MSN messenger
Time Zone 126.96.36.199 (Microsoft utility), TweakUI, Bootvis
The Dude (network mapping utility)
XP SP2 (Hungarian) + latest patches, .NET 3.0, C++ 2005, MSXML 4.0 SP2, MSXML parser 6.0
User with admin rights.
I didn’t do anything “strange”; I was surfing some familiar websites/forums and was working with familiar software. I was sure that there was no security risk, that’s why I allowed it (just once). If it happens again I won’t allow it, and I’ll give you a more detailed report.
I’m quite confident that the answers will both be yes, but I’ll ask anyway:
Does this mean that the application stack test is not a ret2libc but actual executable code?
Does this mean that this Proof of concept is actually not using any Buffer Overflow?
From what I’ve understood, sys-manage BufferShield provides an alternative to hardware-based DEP because MS provided a way to disable this protection from within a program.
This decision was made in order to improve compatibility. Windows can still use an untouchable HW DEP protection, but enabling that option will decrease compatibility. As there is a way to bypass MS’s compatible DEP mode, sys-manage provided a compatible mode that cannot be bypassed.
This should mean that their POC is focusing on execution of code from zones where it shouldn’t be allowed. In order to do this they successfully disable MS DEP if the OS is using the compatible mode.
In order to prove this concept I guess they don’t really need a buffer overflow.
So actually Comodo and sys-manage used two different approaches. CMG focuses on BO prevention. A BO can be exploited in order to execute code from unauthorized zones, so blocking a BO prevents exploit code too. EDIT: Read about CMG protection in the next post ;D
Judging from the sys-manage POC instead, it seems that they do protect from code execution in unauthorized zones. But DEP protection doesn’t handle all types of BO.
So if you would like to test that software against Comodo BO tester please post the results in https://forums.comodo.com/general_security_questions_and_comments_not_product_related-b85.0/
and link them from here.
I would like to know if BufferGuardian handle ret2libc correctly. ???
Another thing to mention is that only the latest P4 and later CPUs have HW DEP support, so BO protection should protect more users.
No, the answers are actually “no”. Their test just executes a few instructions from the stack; this is not a real shellcode, you can’t do anything without calling APIs, but CMG detects only API calls in shellcodes, not instructions.
P.S. Btw, does their BO protection work? It’s not working on my PC somehow.
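Added example, not from any of the posters and not code from Comodo or sys-manage: a small C probe that does what the “few instructions from the stack” test described in the last post does, and then tries the same bytes from a mapping that was explicitly requested as executable, so you can see what a DEP/NX-style guard blocks versus what it must still allow. It assumes an x86 or x86-64 POSIX system (the six payload bytes are `mov eax, 42; ret`, constructed here, same encoding on both architectures). The payload makes no API call at all, which is exactly why a detector that only watches API calls from shellcode, as described above, would not fire on it, while a non-executable-stack protection faults on it.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Outcome of trying to run code from a given memory region. */
enum exec_result { EXEC_RAN = 1, EXEC_BLOCKED = 0, EXEC_UNAVAILABLE = -1 };

/* Constructed "few instructions" payload: mov eax, 42 ; ret.
 * Assumption: x86 / x86-64 (same bytes on both). It calls no API,
 * so an API-hooking guard never sees it; an NX/DEP stack faults on it. */
static const unsigned char k_payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#define EXPECTED_RETURN 42

static sigjmp_buf g_recover;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(g_recover, 1);   /* back into try_execute(), result = blocked */
}

/* Call `region` as a function; a SIGSEGV/SIGBUS/SIGILL counts as blocked. */
static enum exec_result try_execute(void *region) {
    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);
    sigaction(SIGILL,  &sa, &old_ill);

    enum exec_result r;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &region, sizeof fn);        /* data pointer -> code pointer */
        r = (fn() == EXPECTED_RETURN) ? EXEC_RAN : EXEC_BLOCKED;
    } else {
        r = EXEC_BLOCKED;                       /* arrived here from the handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    return r;
}

/* The stack test: copy the payload into a local buffer and jump to it. */
enum exec_result probe_stack_exec(void) {
    unsigned char buf[sizeof k_payload];
    memcpy(buf, k_payload, sizeof buf);
    return try_execute(buf);
}

/* Control: the same bytes in a mapping explicitly requested as RWX. A stack
 * protection must still let this run, otherwise legitimate JITs break. */
enum exec_result probe_rwx_mapping_exec(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return EXEC_UNAVAILABLE;  /* e.g. execmem policy refused it */
    memcpy(p, k_payload, sizeof k_payload);
    enum exec_result r = try_execute(p);
    munmap(p, 4096);
    return r;
}

int main(void) {
    printf("stack execution:       %s\n",
           probe_stack_exec() == EXEC_RAN ? "ALLOWED (no stack NX/DEP)" : "blocked");
    enum exec_result r = probe_rwx_mapping_exec();
    printf("RWX mapping execution: %s\n",
           r == EXEC_RAN ? "allowed (expected)"
                         : r == EXEC_BLOCKED ? "blocked" : "mapping refused");
    return 0;
}
```

Build with `cc probe_nx.c -o probe_nx` and run it twice if you want to compare: once as-is, and once linked with `-z execstack` (GNU toolchains) to see the stack line flip to ALLOWED on a system that otherwise enforces NX. The RWX control line shows whether the machine distinguishes “executable because the program asked for it” from “executable because nobody stopped it”, which is the distinction the DEP discussion above turns on.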