No Security Solutions for Windows 64-bit on GPT Partitions

Hello,

As a system builder, I strive to build with the best hardware and software available at the time. The next evolution is here, and it is UEFI GPT Boot partitions for Windows 7 64-bit platforms. GPT is faster, and more secure than a Master Boot Record Partition (MBR). The GPT disk partition format is well defined and fully self-identifying. Data critical to platform operation is located in partitions and not in hidden sectors. GPT disks use primary and backup partition tables for redundancy, and CRC32 fields for improved partition data integrity and break the 2 TB partition limits in Windows. The number of partitions on a GPT disk is not constrained by temporary schemes such as container partitions as defined by the MBR Extended Boot Record (EBR). Combine this new partition style with an SSD, and see boot times reduced to 15 seconds, and shut down times are virtually instant.

However, there are no decent “Antivirus Products” for the platform. Over the years, I had used many products before settling on ESET NOD32, and Outpost Firewall Pro by Agnitum. This tandem proved impenetrable. However, on a UEFI GPT Partition, Agnitum is useless. In fact, I watched in horror as a system containing a Corsair Force GT 240, the fastest SSD on the face of the earth, had its blazing boot, and shut down times crushed by Agnitum software in a UEFI, GPT boot environment.
This discovery left me looking for a security package that will run properly on the partition, which led me to try Comodo Internet Security Pro 2012. Matousec’s 64-bit challenge results list Comodo as the top product on 64-bit platforms. However, real world usage gives me reason to disagree. The advanced installation of the software went fine until I realized that the installation marks the “COMODO Internet Security Helper Service” to interact with the desktop, which in my opinion is a big mistake. Windows stopped allowing services to interact with the desktop long ago after discovering the negative effect that configuration had on PC Security. While Comodo’s impacts on boot and shutdown times are less than that of Outpost Firewall Pro, and Outpost Security Suite, it still violates the Windows AppInit_DLL mechanics by producing the same Wininit error 11. See Log below…

Strangely enough, the products that are horrible, meaning they could not find an infection or intrusion if they had GPS coordinates, such as Norton, or McAfee, do not create this boot issue. Additionally, ESET NOD32 5, and Smart Security 5 do not suffer from this boot issue either. However, parts of the Smart Security 5 such as the Anti-Spam Engine, and the installer, have other issues with GPT. Therefore, the results of my search have me reinstalling ESET NOD32 5. “A little stick is better than no stick when fighting a gang”!

Someone needs to do something about this issue because even though error 11 is a warning, it does affect performance. Besides, who here can say that Microsoft has never classified an error category incorrectly?
For the record, I sent an email to Matousec about their 64-bit challenge results and they responded saying, “The results are valid for Windows 7 64-bit regardless of the hardware used.” Yeah, OK, if you say so…

InSearchOf

Log Name: System
Source: Microsoft-Windows-Wininit
Date: 6/9/2012 5:18:55 PM
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: P8Z68-V-PROGEN3
Description:
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Event Xml:



11
0
3
0
0
0x4000000000000000

34376


System
P8Z68-V-PROGEN3



1
<Data Name="String"> C:\Windows\system32\guard64.dll

[attachment deleted by admin]
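The review that the Event ID 11 description asks the administrator to perform can be scripted. This is an added example, not part of the original post or of any vendor's tooling: it lists the AppInit_DLLs entries for both the 64-bit and 32-bit registry views, checks each file's Authenticode signature, and prints the most recent Wininit warnings. It assumes an elevated 64-bit PowerShell 3.0 or later session.

```powershell
# Added example: audit the AppInit_DLLs mechanism reported by Wininit Event ID 11.
# Assumes an elevated 64-bit PowerShell 3.0+ session.
$views = @{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

$report = foreach ($view in $views.Keys) {
    $cfg = Get-ItemProperty -Path $views[$view] -ErrorAction SilentlyContinue
    if (-not $cfg) { continue }

    # AppInit_DLLs is a space- or comma-separated list of libraries.
    $entries = "$($cfg.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ }
    foreach ($entry in $entries) {
        $path = $entry
        # A bare file name is resolved from the system directory.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        # 32-bit processes see System32 redirected to SysWOW64.
        if ($view -eq '32-bit') { $path = $path -replace '\\System32\\', '\SysWOW64\' }

        $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path }
        [pscustomobject]@{
            View            = $view
            Enabled         = [bool]$cfg.LoadAppInit_DLLs          # 0 disables the mechanism
            SignedOnly      = [bool]$cfg.RequireSignedAppInit_DLLs # 1 loads only signed DLLs
            Library         = $path
            Exists          = [bool]$sig
            SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer          = if ($sig) { $sig.SignerCertificate.Subject }
        }
    }
}
$report | Format-List

# Most recent Wininit warnings, with the library names Windows recorded.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 11 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Data'; e = { ($_.Properties | ForEach-Object { $_.Value }) -join ' | ' } }
```

An entry whose file is missing, unsigned, or signed by an unexpected publisher is the one to investigate first; a library that belongs to an installed security product and carries that vendor's valid signature matches what the event description calls a trusted application.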

Sounds to me like you get paid by ESET to promote your product here…

I am not a programmer, just a volunteer with a badge, but the Comodo Internet Security Helper Service needs to communicate with the client program. Something tells me things that will not change lightly.

Apparently that technique is deprecated by Microsoft but there are no exploits or problems associated with CIS using this. CIS also has a very tough self protection making it very hard to exploit or shut down the service.

You are stating "However, real world usage gives me reason to disagree.", implicating security issues because of using this deprecated technique. Apparently you have proof other than just pointing to the use of a deprecated technique. Could you please step forward and report it to Comodo?
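Whether a given service is actually installed with the "interact with desktop" setting discussed in the posts above can be checked directly. This is an added example, not taken from the thread or from Comodo: it finds services whose `Type` value carries the `SERVICE_INTERACTIVE_PROCESS` bit (0x100), shows the account each runs under, and reads the system-wide `NoInteractiveServices` setting. It assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example: find services installed with the "interact with desktop" flag.
# Assumes an elevated PowerShell 3.0+ session.
$SERVICE_INTERACTIVE_PROCESS = 0x100   # bit in the service Type registry value

$interactive = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Drivers and services share this key; only entries with the bit set are reported.
    if ($svc.Type -is [int] -and ($svc.Type -band $SERVICE_INTERACTIVE_PROCESS)) {
        [pscustomobject]@{
            Name      = $_.PSChildName
            Display   = $svc.DisplayName
            Type      = '0x{0:X}' -f $svc.Type
            Account   = $svc.ObjectName      # the flag is only valid for LocalSystem
            ImagePath = $svc.ImagePath
        }
    }
}
$interactive | Sort-Object Name | Format-Table -AutoSize -Wrap

# NoInteractiveServices = 1 tells Windows not to let interactive services show UI.
$policy = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -ErrorAction SilentlyContinue
"NoInteractiveServices = $($policy.NoInteractiveServices)"

# Cross-check against the Service Control Manager's view through WMI.
Get-CimInstance Win32_Service -Filter 'DesktopInteract = TRUE' |
    Select-Object Name, StartName, State, PathName
```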

No, Seany 007, I don’t work for ESET. I’m just a guy trying to understand why “ALL” the good security software developers are missing this issue. It does hinder performance in various degrees across various products, Agnitum being the worst. I think it needs to be dealt with… And as far as reporting it to Comodo, I thought I just did.

You passed my KGB lie test LOL! ;D I see. You did. The Q now is if Comodo will fix this, if that’s the case.

I am still waiting for the “real world” reasons other than a deprecated programming technique.

The real world reasons are in paragraphs 2 and 3, and also in the attached log…

There is nothing attached.

Sorry about that, languy99. I posted the log.

New to Comodo, I too am experiencing the dreaded Windows Warning Error 11 regarding “guard64.dll.” Please see my post https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/no-security-solutions-for-windows-64bit-on-gpt-partitions-t84807.0.html

While this issue is marked resolved in Comodo’s forums, see post https://forums.comodo.com/resolvedoutdated-issues-cis/wininit-warning-message-on-every-bootreboot-t83267.0.html;msg594548#msg594548 it is far from resolved.
While Microsoft says, you can safely ignore this error, in my opinion, that depends on the effects the error is posing on the system. My particular case does not make that a possibility.
Warning error 11 creates a domino reaction that slows boot performance. It has direct ties to error 1530 “User Profile Service,” and a service control error naming Comodo as the application leaving the Windows hive open in the first place. I wish I had time for this forum but the truth is I do not. I need to find an app that does not create this issue on a UEFI Boot GPT Partition.

On a positive note, Comodo is less of a hindrance on system performance than say Outpost Security Suite, or Outpost Firewall Pro. The Agnitum products bring boot and shutdown times to a crawl, again making it impossible to ignore Warning Error 11, which is the suggested resolution of Microsoft in regards to Windows AppInit_DLL mechanics.

Sincerely,
InSearchOf

This is more a question of technical strategy than a bug, I think. And since it isn’t a bug in a sense this is double posting.

I’ve read the various posts and have a few thoughts:

  1. It is maybe no accident that Matousec finds CIS superior to most other solutions on a 64bit platform. Maybe it’s because of the technical strategy CIS uses (global DLL injection).

  2. Regarding division of CIS into service and GUI elements (if that is what you feel is deprecated), maybe this is for security reasons. It’s probably more difficult to make an executable with an integrated GUI bomb-proof. So maybe it makes sense to divide it up so the essential bit, which must be kept running, is separate.

My thoughts are just speculation - I have no detailed knowledge of security program technical strategy.

I’ll merge this with your other thread if you don’t mind.

Best wishes

Mouse

This is my last post, last day evaluating Comodo Internet Security Pro. Not because the trial period has expired, but because like many other security products, it is not as advertised. At first, I thought these performance issues came from installing on a Windows GPT partition. However, I have read many posts from Master Boot Record Partition users as well.

Strangely enough, CISP is light on system resources, but hinders software performance and boot times, but not shutdown times. Malwarebytes manual scan also resides on the system, set to ignore Comodo of course. In addition, Comodo is set to ignore Malwarebytes. A scheduled scan of the C drive with Comodo at 7 PM EST found no threats. The system sat idle until around 10:30 PM so that “Trim, and Garbage Collection,” could run and refresh the SSD drive’s performance. At 10:33 PM, I started a manual scan with Malwarebytes and it discovered a threat. For the record, Comodo settings are set to scan memory at startup for real-time, manual, and scheduled scans. See attached scan logs.

In closing, let me say again, having COMODO Internet Security Helper Service run set to interact with the desktop is not smart imho. It just could be the reason for the program’s shortcomings, like the generation of Event 11, and Event 1530…
I have never been a fan of forum troubleshooting because all forums have egos. You post something in the wrong place, it gets moved, no one sees it, and ■■■■, the issue continues to exist and is marked resolved because of an ego. Because I am not a programmer, this is all I have to contribute and I sincerely hope this information helps. Good luck…

InSearchOf

[attachment deleted by admin]

Two things: first, you didn’t have malware. You did at one point in time but all that was found was a registry key. A key without a file is useless, it just takes up space but is not a threat. Second, your problem with Comodo not identifying the key is totally separate from what you came in here talking about. It seems like you came in here trying to find something not to like about it and picked something really weird. Something that really does not matter.

First, this is what’s wrong with forum support. Second, I did not pick the issue, it’s there for many others and me as I discovered by browsing this forum. The other day someone accused me of working for ESET. Therefore, I guess now that I have uninstalled CISP for Kaspersky, I guess I am here to bad mouth Comodo with Kaspersky now, so I must have gotten a new job… Guess what, I am not fond of Kaspersky either, but so far it has not degraded system performance…

Listen, I had issues with Comodo, end of story. On my GPT partition, I suffered performance loss! As I stated earlier, Comodo was not as bad as Outpost Security Suite, or Firewall Pro, but performance loss nonetheless. Boot times were extended which led me to Event 11, and Event 1530. Malwarebytes went from scanning 200000+ objects in 1.5 minutes, back to 22 seconds with Kaspersky installed. I believe that number in a previous Mbam log I posted with Comodo installed increased scan time to 1.5 minutes! Still say the issue doesn’t matter? SEE LOG BELOW!

Malwarebytes Anti-Malware 1.61.0.1400

Database version: v2012.06.15.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
P8Z68-V-PROGEN3 [administrator]

6/15/2012 2:41:16 PM
mbam-log-2012-06-15 (14-41-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202039
Time elapsed: 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

The difference is, Kaspersky does not install their service configured to interact with the desktop, and neither does Eset. However, the software I tried that does install with that particular configuration does create degradation in PC performance period! So do not tell me the issue doesn’t matter!

Instead of talking all this s***, why don’t you solve the problem Hot-Shot! Now I’m done!

InSearchOf

[attachment deleted by admin]

Are you running the free or paid version of MBAM?

To be sure we are on a level playing field it is best to run clean up tools for security programs you had in the past. That is to exclude the possibility that a left over service or driver from a program that was installed in the past interferes. You can find a list of clean up tools here: ESET Knowledgebase.

I believe you had issues with CIS but the reasons you give are not convincing. Nor is your attitude in all of this.

Maybe there is an issue with GPT partitions or maybe there isn’t, but with your information that is not established.

If you have not completely given up on Comodo I would be interested to see what happens after running the clean up tools.

Event ID 11 is happening with every user. It gives a minor bleep on the radar. Never have I heard that such a thing influences booting. What I have seen influencing booting is the event that reads close to this: "Blablabls server did not respond to DCOM within 30,000 ms…etc…".

Event ID 1530 happens during shut down and as such would not affect boot time.

Languy99, mouse1 and I are not Comodo employees nor hotshots. We are just volunteers and end users like yourself. There is one thing I can tell from experience and that is that the arguments of your technical analysis do not suffice to explain the reported performance issues…

I run the free version of Malwarebytes (manually). Not that Malwarebytes has anything to do with the performance issue I inquired about in the first place. Concerning uninstalling security software, there are no tools that come close to manually uninstalling with the help of Revo-Uninstaller Pro, and JV16 Power Tools. Those are my tools, and they allow me to get all the leftovers from any installation including the .sys drivers, and their LEGACY entries in the windows control sets that are always leftover. No uninstaller on the ESET support page does that!

In addition, I did not post in this forum to convince you or anyone else of the issue. I posted to get information that would help resolve the issue so I could buy a subscription. Now, because you people have never run across this issue, I guess that means it does not exist. I do not think so!

Furthermore, it has been my experience that all logs lead somewhere when it comes to troubleshooting software and hardware on any Windows Platform. As for my attitude, I am supposed to take your condescending rhetoric and swallow it like tripe because you say I should. I think not!

So in closing, let me leave you with something perhaps you did not know. Error 1530, or the user profile service, now built in to Windows 7 is far different from the service in XP. It is just as different as edit access to the Windows Kernel. However, if one sees this warning error in their logs, one should investigate the program causing the issue. In my case, it was CISP! Now perhaps because my OS is loaded on a Solid State Drive intensified the effects of Errors 1530, and 11, because speed is the easiest thing to notice when it is gone. Because now, without CISP installed, both errors are gone. Malwarebytes is back to scanning the platform in 22 seconds, not the 1.5 minutes it took with CISP installed. To ensure the result of uninstalling the CISP 30-Day Trial, I cleared the logs yesterday after removing CISP and you can look for yourself, No errors, NONE!

See Attachment Below!

The defense rests… In addition, speaking of defense, you people have a lot of nerve putting me in a position to defend my findings, as if I was an idiot and had no clue of what I was trying to resolve. If you are under the impression that what you do constitutes volunteerism, I got news for you it is the opposite. Moreover, in life, someone will always know a little more than you will so it really does pay to be humble. You people ought to try that for a change. In the meantime, go f*** yourselves!

Don’t worry, I found my way in here; I can find my way out!

Sincerely,
InSearchOf

[attachment deleted by admin]

I must say that your gratuitous, and somewhat random, use of insults almost had me sold on the veracity of your arguments.

Topic locked.

For all readers I add the following comment of egemen, the head developer about event ID 11: