No log entries regarding other consequences of BO exclusion [278]

I was having a problem with Alcohol 52% - both the app itself and its installers - after upgrading to CISv5.
After some investigation and experimentation I was eventually able to resolve the problem by adding an exception to the shellcode injection check. However, there was no entry in the Defense+ event log to say that there was a problem - by comparison I get lots of Defense+ events for SetPoint.exe trying to write into cfp.exe.
If it had logged the attempted injection it would have saved several hours of looking in the wrong place.

  1. What you did:
    Tried to run Alcohol 52%, or to install later version. (First time since upgrading to CIS v5)
  2. What actually happened or you actually saw:
    Alcohol 52% didn’t run correctly; the install failed with an internal error.
  3. What you expected to happen or see:
    The app to run correctly, and the install to work.
  4. How you tried to fix it & what happened:
    Uninstalled and tried to install the latest version of Alcohol 52%. Still won’t install.
    Went to their website and got pointed to an entry for “Commodo Firewall” (their spelling) - tried turning off the Firewall to no effect.
  5. Details (exact version) of any software involved with download link:
    Alcohol 52% retail installer (for versions 2.0.1.2033, 2.0.1.1820, 2.0.0.1331, and 1.9.8.7612) but any app that triggers a shell injection should do.
  6. Any other information you think may help us:

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS version 5.0.163652.1142
    AV database 6277
  2. Whether you imported a configuration, if so from what version:
    Yes but don’t know what version.
  3. Defense+ and Sandbox OR Firewall security level:
    Defense+ on all boxes ticked except the 3 on the first tab. Unknown treated as partially limited.
  4. OS version, service pack, no of bits, UAC setting, & account type:
    Windows 7 64-bit Home Pro (UK), UAC on, admin account.

In fact the shell code exemption option exempts from a few more things other than shell code.

So I think I will rephrase this to “No log entries regarding other consequences of BO exclusion”; then that would be a useful issue to raise.

So if a program needs exemption from guard32.dll to run, the request for the priv blocked by guard32 should be logged.

I will do that, if it’s OK, then forward to verified.

Best wishes

Mouse

“No log entries regarding BO exclusion” might be better.

This also implies that you should add more details to the help page - so that developers seeing the problem can get sufficient information to know what to look for in their own code. Also, you might want to rephrase the dialog - if it is just buffer overruns regardless of shellcode, then renaming it to buffer overruns might clarify the usage - the current wording implies it is only for shellcode BOs.

Thanks for your suggestions; please feel free to post your help addition and test change here.

I understand that CIS is pretty comprehensive re BO exploits, maybe a dev will confirm. (It rolled in a specialist BO tool.) There’s a BO protection tester somewhere on this site. Sorry, forgotten where!

Many thanks again

Mouse