ntvdm.exe

When my bro starts his SAP application, Defense+ (CIS 5 Released) says ntvdm.exe is an unsafe application.
The app is SAP 33.0 Asset Accounting - CBT. Is it unsafe??

Thanxx
Naren

ntvdm.exe is a driver/interpreter used by Windows to run MS-DOS files, e.g. those run from .pif shortcuts. This may be the way some part of SAP is run.

First thing to do is to check the signature of the ntvdm.exe file to make sure you have not got a malware version. If it's OK then there may be some form of bug.

You can use Run ~ sigverif.exe to do this. Point it at the directory (system32/64?) that ntvdm is in and see if it lists ntvdm as having no signature.

Can you clarify exactly what alert CIS gave - if a sandbox alert, it may be reacting the correct way in relation to an unknown .pif or similar file.

There was a bug #244 regarding the way CIS treats msdos & pif files - it’s currently assigned for action. Not clear if it is supposed to be fixed yet, sorry.

Best wishes

Mike

It's a D+ alert. I clicked on ntvdm.exe mentioned in the alert & checked the properties; it's a Microsoft thing so I allowed it. 1 application was currently running in the sandbox, so I clicked on it & it was ntvdm.exe. I right-clicked & performed an online lookup & it was detected safe & added to the trusted files. I restarted the system & started the app; again the D+ alert, and the app is currently running in the sandbox, sandbox level - partially limited & verdict unknown. But in trusted files ntvdm.exe is there. If I close the app & start it again, the same D+ popup appears & now there are 2 entries in the sandbox: 1 is the previous one & the other is PID - 0 & User Name - Unknown. If I start the app 3 times the D+ popup appears but there are no changes in the sandbox entries, just the previous 2 entries.

The question is: if ntvdm.exe is detected safe & added to the trusted list, then why does the D+ popup appear & the app run in the sandbox whenever the app is started?

Thanxx
Naren

This behavior is indeed quite strange as, as soon as I open any Microsoft Word 2000 file I wrote myself, I am alerted for ntvdm although the said file is plain text and I don't see how opening it could be related to MS-DOS files and/or pif shortcuts.

No macro exists, Word is disabled for every web editing property.

If I block, Word does not open, complaining about "small utilities library (code 5)".

This behavior could be related to a scripting language, and particularly the installation of Microsoft Visual C++... itself installed by CIS as far as I remember.

The task manager only reports winword (and not wow).

ntvdm, as checked under system32 (XP SP3), has normal version and date information.

Not that I really care, but ntvdm interventions are not an automatic pif/MS-DOS call, and even if they are, ntvdm is, like rundll32, a generic process: as many different requests, as many alerts.

OK if someone would be kind enough to make an issue report using the standard format, and filling in all relevant fields, I’ll forward straight to verified bugs/issues. The format is here. APL and log and alert screenshots will help.

For interest, ntvdm.exe stands for NT's virtual DOS machine. It's invoked whenever a 16-bit program is run - and is used to create a virtual 16-bit environment in which to run the 16-bit program. Most are DOS, some are 16-bit Windows. Maybe winword 2000 is calling a 16-bit routine. NTVDM is a signed Windows file.

So everyone is right really.

Best wishes and many thanks in anticipation

Mouse

Now found this in the bug tracking system so no need for a report. It's number 244.

Best wishes

Mouse

I’ve linked this post in.

Is this fixed yet?

Older versions of Nero use ntvdm.exe. I use Nero 6 on an XP SP3 box. It has run problem free with versions 3.9 through 4 of Comodo. I recently upgraded to Comodo Version 5 and I am now having alerts from Comodo when Nero 6 runs and uses ntvdm.exe.

Is this fixed yet?

No.

Hi Brucine or someone, any chance of a bug report on this please? If you post it here, following the standard format, with all info available, I’ll transfer it to verified bugs.

Best wishes

Mouse

I haven't used Nero for a long time, but I reported this same bug using Microsoft Word 2000 (no reason whatsoever to see it run ntvdm if you write the document yourself in plain doc format, I mean with no macro or active content whatsoever).

I said in this regard to suspect the Microsoft Visual C++ 2008 redistributables, themselves automatically installed by CIS and of course running by default as a background Visual Basic editor as soon as you open Word.

I shall try to find some time to localize the bug by trial and error like I did for the CIS custom settings story, but it promises to be a little difficult if my suspicions are right, as I am quite good with batch scripting but a total zero in modern scripting languages including VBS.

Although this situation comes from several softwares (I shall document as soon as I use them), the Word alerts don't seem to be related to scripting (or not only to), but to interaction with the default printer (Dell Laser 1100).

The test is made under CIS 3, but reproduces exactly in CIS 5 (in both instances proactive, firewall and Defense+ set to highest levels and customized including for system, but with no Word blocking rule).

Opening Word:

http://brucine.hostoi.com/online/ntvdm1.jpg

If I deny, Word closes with the following message:

http://brucine.hostoi.com/online/ntvdm2.jpg

If I allow, I receive the following set of alerts.

Might the first one, opening the printer's configuration ini file, be assimilated to a DOS action?
Screenshots 1 to 6 are not related to any printing action, and appear as soon as I open the document and modify it:

http://brucine.hostoi.com/online/word1.jpg

http://brucine.hostoi.com/online/word2.jpg

http://brucine.hostoi.com/online/word3.jpg

http://brucine.hostoi.com/online/word4.jpg

http://brucine.hostoi.com/online/word5.jpg

http://brucine.hostoi.com/online/word6.jpg

Actual printing requests ask for the 2 following rules, and printing is impossible until all rules have been allowed.

http://brucine.hostoi.com/online/word7.jpg

http://brucine.hostoi.com/online/word8.jpg

Just to say I also get a Defense+ pop-up about ntvdm, and I checked it's the legit file signed by Microsoft, yet it asks for permission for folder access and memory access. I tried the submit button on the Defense+ pop-up, yet when I checked the submitted files section of Comodo V5 it was not shown. I then decided to add the file to the unrecognized list so I could look the file up in the cloud manually, and then it said it was safe and moved it to safe files. Is this bug any closer to being fixed, and does it only affect this file or are there others that fail to get trusted even when digitally signed?

Any reason why it failed to be listed as submitted and why the auto cloud check didn't detect it as safe?

I would be very very grateful for any light shed on this matter.

PS: how do you check the status of bugs that are submitted like the one mentioned above?

Hi brucine.

To work out exactly what is going on here, you need to use Process Explorer, set it to highlight jobs, and watch what happens when you execute these new processes. Then, just to be sure, check whether highlighted processes have Comodo job names on the Jobs tab in their properties. Also check these processes' APL, as 'child' sandboxed processes do not always have jobs in CIS 5 (unlike CIS 4). What might be happening is that NTVDM script problems are causing all these other processes to be sandboxed.

If NTVDM is not involved, I would appreciate it if you would start another help trace to investigate the issues, posting the data from process explorer the APL and your logs. This can become a bug report when we have pinned it down.

If NTVDM is involved, or even might be, please post the same screenshots here.

I’m assuming you do not have ‘Block all unknown requests’ ticked - probably already asked this above.

Best wishes

Mouse

Seems to be a printer permissions issue, although I don't have a Samsung one, nor do I run a server (although XP Pro has terminal server abilities) or share the printer.

http://camie.dyndns.org/technical/samsung-smart-util-code-5/

But I didn't find the solution at the time of writing; both CIS 3 and CIS 5 alert for ntvdm and, outside of this printer issue, ntvdm requests remain defective in CIS (as I illustrated in the French forum from the Defense+ reaction to eicar.com, also 16-bit).

I shall report further if I find something.

Today on boot up it asked for permission to create files and modify system and io.sys, yet ntvdm.exe is the genuine one with a Microsoft signature. Why is it not allowed to be trusted as it's from Microsoft? Someone please answer as it's getting worrying now :frowning:

PS: I added ntvdm.exe to trusted and yet it still treats it as an unknown program.

Hi, there is an answer earlier in this topic.

NTVDM is essentially a virtual machine which is called to execute DOS and Win16 programs. Its sandboxing is a CIS issue/bug.

Would someone like to try a work-around? What you need to do is find out what is calling NTVDM and make it a trusted file. One typical scenario is that a .pif (program information file - essentially a shortcut) file is calling the DOS or Win16 application. If you make the PIF file trusted, and then answer the ensuing alerts for NTVDM, asking CIS to remember your answer, that should prevent future alerts.

Similarly for any other file that causes NTVDM to be invoked.

Only do this if you trust the files involved of course. It is just a work-around - it does involve granting explorer the right to execute NTVDM, which may have some security implications, though both are signed trusted files so this should be OK.

Any advice from the devs on this one?

Best wishes

Mouse
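An added example, not from the thread or from Comodo, that scripts the two checks Mouse's posts above describe: the sigverif step on the ntvdm.exe in System32, and finding which process is calling each running NTVDM instance (the file the work-around says to mark as trusted). It assumes Windows PowerShell with WMI available; the System32 path, variable names and output column names are mine.

```powershell
# Added example: verify the on-disk ntvdm.exe and show what is calling each running instance.
# Assumptions: Windows PowerShell (2.0 or later) with WMI; ntvdm.exe lives in the default System32.
$ntvdmPath = Join-Path $env:SystemRoot 'System32\ntvdm.exe'

# 1. Signature check, the scripted equivalent of pointing sigverif at System32.
#    Caveat: on XP-era systems ntvdm.exe is signed through a catalog rather than an
#    embedded signature, and older PowerShell does not consult catalogs, so 'NotSigned'
#    here is not proof of tampering. Only 'Valid' is a positive answer; otherwise fall
#    back to sigverif.exe or compare the file hash against a known-good copy.
$sig = Get-AuthenticodeSignature -FilePath $ntvdmPath
$signer = '<none>'
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
New-Object PSObject -Property @{
    Path   = $ntvdmPath
    Status = $sig.Status
    Signer = $signer
}

# 2. Who is calling NTVDM? Each ntvdm.exe hosts one DOS/Win16 program, and its parent
#    (e.g. explorer.exe for a double-clicked .pif) is the caller the work-around above
#    says to make trusted. Build a PID -> process map, then look up each NTVDM's parent.
$procs = @(Get-WmiObject -Class Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

foreach ($vdm in ($procs | Where-Object { $_.Name -ieq 'ntvdm.exe' })) {
    $parent = $byPid[[int]$vdm.ParentProcessId]
    $parentPath = '<exited>'
    if ($parent) { $parentPath = $parent.ExecutablePath }
    New-Object PSObject -Property @{
        NtvdmPid    = $vdm.ProcessId
        CommandLine = $vdm.CommandLine
        ParentPid   = $vdm.ParentProcessId
        Parent      = $parentPath
    }
}
```

Parent PIDs can be reused once the parent has exited, so confirm the tree in Process Explorer as Mouse suggests before trusting anything.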

The file itself is not relevant.

You can make the test by pasting eicar.com to your desktop, launching it, and of course ignoring the antivirus alert.

Even if I sandbox eicar.com as safe, the same ntvdm alerts occur as the ntvdm request is made from explorer.exe.

I don't think that trusting ntvdm as safe for explorer is a good option, although of course one would still be asked for what ntvdm does outside of explorer (i.e., writing temp files).

You definitely need to rewrite the ntvdm behavior of CIS, period...

Am writing to follow up on mouse1’s post above concerning the pif file. I had a NTVDM.EXE issue with CIS 5 that I didn’t have with CIS 3 (I skipped CIS 4). I’ve never had any printer issues with CIS. I am running Windows XP SP3.

The DOS program I was having difficulty with, after installing CIS 5, was Quicken 7.

After upgrading to CIS 5, making every related file “trusted,” including the PIF file which runs Quicken 7 and q.exe (Quicken 7’s program file which the PIF file runs) and ntvdm.exe, I am able to open and use Quicken 7 if, in my Defense+ settings (running in Safe mode), in the Execution Control Settings tab, with Image Execution Control Level “enabled,” with the checkbox for “Treat Unrecognized Files” ticked, I choose “Partially Limited.”

If I choose “Blocked,” which I’d like to select as my normal configuration, instead of “Partially Limited,” then whenever I run Quicken 7, a Comodo message box appears, with the path of the PIF file displayed in the top of the box, and in the body of the box it says:

“Windows cannot access the specific device, path or file. You may not have the appropriate permissions to access this item.”

I’ve added every related file to my Trusted Files that I can think of, to no avail. Quicken 7 for DOS is the only program that I can’t get to run with the “Blocked” setting.

So for now, since I access Quicken 7 often, I've selected "Partially Limited." I am hoping that when the cure for the ntvdm.exe issues others are having is discovered, I will be able to run Quicken 7 for DOS even if I have chosen "Blocked" for how to "Treat Unrecognized Files." Nella

That’s pretty much what I would expect.

[s]It may help in the following explanation if you think of ntvdm as an interpreter, like a BASIC interpreter, if you are not used to virtual machines.

What should happen is that CIS alerts and says it is sandboxing the Q.exe file, but actually sandboxes the NTVDM instance that is called to run it. Why? Because the user perceives that q.exe is executing commands (so that's what CIS alerts), but in fact Q.exe is using NTVDM to execute its commands (so that's what CIS must sandbox).

What actually happens when q.exe is run from a .pif shortcut, is that CIS alerts and says it is sandboxing the .pif file, then actually sandboxes q.exe. When q.exe is running partially limited it can use NTVDM to execute its commands, when blocked it cannot.
[/s]

Edit - above crossed out. Less sure about this having experimented with a few more DOS and Win16 files. Behaviour seems variable. However work-around below may help.

Incidentally, you can probably get round this by opening q.exe directly by double-clicking on q.exe (first ensuring that it is a trusted file). It may depend whether q.exe actually needs the information in the q.pif file to execute properly. You might like to try this as a work-around. You should then be able to tolerate a treat-unrecognized-as 'blocked' IEC policy.

Best wishes

Mouse