Defense+ Conflict with Microsoft Office Starter

I am using:

COMODO 5.3.181415.1237
Windows 7 Home Premium 64-bit
Microsoft Office Starter 2010

Starting Word Starter 2010 gives a splwow64.exe application error: “The application was unable to start correctly (0xc0000005).” I have determined that Word is starting this process, which is a Windows system application that allows 32-bit processes to perform printing functionality. Excel Starter 2010 gives the same error but only when you actually attempt to print. Both applications are then unable to print.

I have found that Defence+ is the source of the problem because the problem disappears if I disable it using the “Deactivate the Defence+ permanently” option. But this is the only way to remove the problem. Setting the Defence+ security level to disabled does not stop the problem. I have not been able to find any other way to prevent whatever Defence+ is doing. I have put both Excel and Word into the Defence+ rules as trusted applications but this makes no difference.

I suspect part of the issue may be due to the somewhat exotic way in which Office Starter seems to be installed. The Windows Start Button entries actually launch a “Virtualization Handler”. The actual Word and Excel executables appear to be located in a Q “drive” but this is not a disk partition and even an administrator has no access rights to it. Because of this Defence+ will not allow me to add the Excel or Word executables to the trusted applications list.

I trust these applications so how do I stop Defence+ from interfering with them?

Hey and warm welcome to comodo forums!

I would like to see d+ logs (CIS → d+ → view d+ events)

You can meanwhile try to see if adding it in CIS —> Defense+ —> Defense+ Settings —> Execution control Settings —> Detect shellcode injections (i.e. Buffer overflow protection) —> Exclusions —> Add —> Browse… helps.

Regards,
Valentin N

Thanks for the quick response Valentin N.

Regarding the log, there is nothing in the log to indicate what Defence+ is doing - it is empty except for some entries about Process Explorer (which I’ve used to try and see what’s going on).

Similarly, I have already tried temporarily turning off Execution Control altogether but this made no difference.

These are part of the reason I opened this in the bug section. I see that Dennis2 has moved this into the help section.

Switching from safe to clean pc in the defense+ setting has been enough for me: some files related to winword were trapped in the ‘unrecognized files’ status.

You could also try to put d+ in training mode for a few min when you work with Star Office.

Regards,
Valentin N

I’ve only just realised that I haven’t been clear. This is Microsoft Office Starter edition.

Add the complete Office folder in CIS —> Defense+ —> Defense+ Settings —> Execution control Settings —> Detect shellcode injections (i.e. Buffer overflow protection) —> Exclusions —> Add —> Browse…

Regards,
Valentin N

Thanks for your replies. No joy though.

  • Changing the Defense+ Security Level doesn’t make any difference: training mode, clean mode, even disabled makes no difference.

  • There are no entries in the event log for this.

  • Completely disabling Execution control Settings makes no difference.

  • I cannot add directories to exclusion rules because the “path” to the processes is in a “drive” that is not accessible to COMODO - see my first entry about the exotic nature of the installation.

  • In fact the only thing that makes any difference is using the option to completely de-activate Defense+. I believe the key thing about this is that the COMODO code isn’t loaded into the process at all.

I believe the error code 0xc0000005 means access violation - i.e. the process is crashing on start up.

For these reasons my suspicion is that this is actually a bug in COMODO. I suspect that COMODO cannot cope with not being able to access the file path of the parent process and is crashing the process as a result. I don’t have any concrete evidence for this, though. But that is why I opened this as a bug report.

Hi BenBrereton,

Could you try to put the whole Q drive in a new group of Protected Files and Folders? To do that: Defense+ > Computer Security Policy > Protected Files and Folders > Group > give it a name > apply

You’ll find your new group at the bottom of the list. Then right click on add files here > add > existing items > choose Q > drag to selected items > apply.

In Protected files and Folders: add > group > choose your new group > ok

In Computer Security Policy > Defense+ rules > add > select > files group > choose your new group and give it the predefined policy installer/updater

Normally, Def+ will now let everything on drive Q run without problem.

NB: you may also have to click in Def+ Settings > sandbox settings:
  • automatically detect installers/updaters and run them outside the sandbox
  • automatically trust files from trusted installers

Tell me please if this works.

Boris

Hello Boris. Thanks for trying to help.

I’ve applied the changes you suggested. I’m afraid it still did not make any difference.

One interesting thing to note, though: in the dialog to add files to the group, the Q: drive was not listed at all, only the C: (hard drive partition) and D: (DVD) drives. I typed the drive path in manually instead.

If you add it manually you must write Q:* (don’t forget the * to tell CIS it is the content of Q).

Yes I did this. I temporarily added the C drive first to determine the right pattern.

Sorry to hear you still have your problem. You should maybe ask Microsoft how to unhide a partition under win7 and make it readable by 3rd-party software.

In the meantime, why not give open office a try?

Q: is not a partition, it is a protected filesystem, a virtual partition. See this:

An overview of Microsoft Office Click-to-Run for Office 2010

and this:

start\control panel\programs and features\ to uninstall it, but I’m not sure about the consequences; I’ve not tried, actually.

Thank you Peterle for clarifying what the Q: drive actually is. The article makes it clear that the Q: drive is not readable by other software by design.

I don’t really consider this a solution. The PC in question is a Dell laptop newly purchased by my mother-in-law, which I am configuring for her. It came pre-installed with Microsoft Office Starter and this is perfect for her needs. It also came pre-installed with an internet security system which I don’t rate so I have replaced it with COMODO for the firewall and another package for the anti-virus.

Honestly, I am more likely to de-activate Defense+ than remove Office.

I still think this is a bug in Defense+, albeit because it’s being presented with a new mechanism that it hasn’t previously had to cope with.

Could you make a bug report in the bug report? Thanks

Regards,
Valentin N

Hi Valentin N. I originally opened this task in the bug reports area but it was quickly moved out of there by the moderator, Dennis2. Perhaps my opening entry wasn’t clear enough?

I’ll open another task in the bug reports area referencing this one to see if I can get it moved back.

For info, I have reported it as a bug. It turns out the problem with my first attempt was probably that I didn’t use the right format. This has now been moved to the verified section. The topic is here:

https://forums.comodo.com/format-verified-issue-reports-cis/defense-conflict-with-microsoft-office-starter-nbz-t70696.0.html

Just for the record - this solution worked perfectly for me.

My issue was Word Starter 2010 would not recognize any printers as being installed when Defense+ was in Safe mode, but in Clean PC mode everything worked fine. In Safe mode D+ would flag certain Word files as Unrecognized Files no matter how many times I would “Move to > Trusted Files” that file.

Thank you Boris, D+ is now running in Safe mode and my printers are working perfectly!

Does this fix survive a reboot? If so you are lucky!