Pool leak in inspect.sys revealed by Poolmon [M371] [v6]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?: Yes. It happens all the time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened: Memory flows constantly from the start of the system. Maybe it starts with the initialization of a network connection.
  • If not obvious, what U expected to happen:
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version: see attached
  • Any other information, eg your guess at the cause, how U tried to fix it etc: see attached
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration: Hardware independent problem. Software: Win7 Ultimate x64 RUS. (I do not remember the version of CIS, because I deleted your product in connection with the problem. But CIS was updated 18.04.2013 (bug appeared) and 19.04.2013 (bug was not fixed).)

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: All standard options.
  • Have U made any other changes to the default config? (egs here.): No.
  • Have U updated (without uninstall) from a CIS 5?: No.
    • if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS: No.
    • if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used: Win7 Ultimate x64 SP1 RUS, UAC Disabled, Account: administrator, no VM.
  • Other security/s’box software a) currently installed b) installed since OS: a)None b)None

PS. Sorry for google translator.

[attachment deleted by admin]

Thank you very much for your issue report.

We would very much appreciate it if you would be kind enough to edit your report to put it in the standard format and add any additional information requested, as this will make it much easier for the developers to diagnose and fix the problem.

The reasons we need all the information in the format, though they may not seem directly relevant to the issue, are explained here.

If you are able to do this we will forward this post to the format verified board, where it is more likely to get looked at by developers. You can find assistance using red links in the format and here. If you need further help please ask a mod. If you do not add the information after a day or two we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report in standard format or not. However, we may remind you if we think a bug is of particular importance.

Many thanks again

Mouse

Thank you very much for your bug report in standard format. We very much appreciate the effort you have made to document this bug.

We are sorry to trouble you further but there are some items of information missing or unclear in your post:

  • your exact CIS version (Build number will do)
  • Your ‘Watch Activity’ process list
  • Your diagnostics report

The reasons we need these items of information, though they may not seem directly relevant to the issue, are explained here.

We would be very grateful if you would add these items of information so we can forward this post to the format verified board, where it is more likely to get fixed. You can find assistance using red links in the Format and here. If you need further help please ask a mod. If you do not add the information after a week we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report which includes all necessary information or not. We may remind you if we think a bug is of particular importance.

Many thanks again

Mouse

  • your exact CIS version (Build number will do): 6.1.275152.2801
  • Your ‘Watch Activity’ process list: attached
  • Your diagnostics report: attached

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Hi Lex,

This behavior does not reproduce on my machine, can you give step-by-step details on how you used poolmon and how long you have to wait before it starts to leak?
It might be only occurring if the driver hits special network traffic or something?

Was e.g. torrent running during this, or some other network application causing network traffic through the firewall?

The leak starts immediately after startup. It is visible not only in Poolmon but also in Task Manager (nonpaged kernel memory grows by 1 MB in 2 seconds. With the firewall disabled it takes 77 MB, but if the firewall is active nonpaged memory fills all memory). Starting with Windows are VMware Workstation 9.0.2 build-1031769, USB Safely Remove 5.1.3.1186, nVidia control panel 7.1.740.0, Netgear genie 2.0.0.5, Hamachi 2.1.0.296, THX TruStudio PRO 1.02.00, Connectify 3.6.0.24540 Pro and VIA HD Audio Deck 8.3.00.32. I will try to boot in safe mode and give you more information tomorrow.

Thanks, could you also try to set FW to ‘Training mode’ and see if that still leaks after reboot?

Internet connection using VPN. Leakage does not depend on traffic or an active VPN connection. At least not on the traffic through the browser. Viruses are unlikely. Hosts file and autorun are clean. Register does not contain records of foreign shell. System was tested by Dr. Web and your product.

It leaks even without reboot. Turn switcher on - leak starts. Turn off - leak stops. In any mode (Training mode too). Reboot doesn’t change anything. I tried booting in safe mode, but Comodo doesn’t load in this mode… It is the first antivirus I have seen that doesn’t load in safe mode. Wait a few minutes please, I will try to do something.

PS. Looks like leak starts before user login.

If it leaks before logon it’s probably a combination with a service running that causes this.
Could you try to set the non-default-windows services to manual/stopped 1 by 1 to see if we can pin-point which one triggers the leak?

Memory leak is. When the fault is corrected?
Why enter the password twice if you disable antivirus and behavioral analysis? Blocking access to the program after it is not included.

When they have found the cause.

Can you please provide all your system details just as the original poster did, the more details we have the easier it gets to determine what is causing this.
Maybe something in common on both your systems etc… please don’t forget this info is vital to get this fixed.

Nonpaged memory of 758 MB.
19573 descriptors.

Correct the problem did not begin until the unexpected.
Turn on version 5.10.

[attachment deleted by admin]

Can you provide these also, including the screenshots please

  • your exact CIS version (Build number will do):
  • Your ‘Watch Activity’ process list:
  • Your diagnostics report:

Yes, I understand that. I’ve already tried to run Windows in diagnostic mode. The leaking stops. But there are many services in there. At the moment I have no time to check all of them. But I checked about half. It looks like the leak starts before the Network Connections Service or Remote Desktop Services runs. I will check it out when I have time.

PS. It definitely does not depend on autorun and programs in there.

? Or driver maybe. There was a leak caused by an SQL database driver in previous version.

Information.

[attachment deleted by admin]

Correct the problem, and then the system will crash with a small amount of RAM.

inspect.sys is a driver, yes =) A non-paged memory leak can only be caused by a driver or the system core.
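
The thread measures the leak by watching nonpaged kernel memory grow (about 1 MB every 2 seconds with the firewall switched on, none with it off). As an added example, not part of any post and not Comodo's tooling, this PowerShell samples the `\Memory\Pool Nonpaged Bytes` performance counter and fits a growth rate so the on/off comparison becomes a number. The function names and the 1 MB/min threshold are assumptions, and the counter path is the English one (localized Windows uses translated counter names).

```powershell
# Added example: quantify nonpaged pool growth from the performance counter.
# The counter gives the system-wide total only; Poolmon is still needed to
# attribute the growth to a pool tag and therefore to a driver.

function Get-LinearSlope {
    # Least-squares slope of Y over X (units of Y per unit of X).
    param([double[]]$X, [double[]]$Y)
    if ($X.Count -lt 2) { throw 'Need at least two samples.' }
    $meanX = ($X | Measure-Object -Average).Average
    $meanY = ($Y | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $X.Count; $i++) {
        $num += ($X[$i] - $meanX) * ($Y[$i] - $meanY)
        $den += [math]::Pow($X[$i] - $meanX, 2)
    }
    if ($den -eq 0) { throw 'All samples share one timestamp.' }
    return $num / $den
}

function Measure-NonpagedPoolGrowth {
    param(
        [int]$IntervalSeconds = 2,
        [int]$Samples = 30,
        [double]$LeakThresholdMBPerMin = 1.0   # assumed cut-off, tune per host
    )
    # English counter path (assumption); translate it on a localized system.
    $path = '\Memory\Pool Nonpaged Bytes'
    $sets = @(Get-Counter -Counter $path -SampleInterval $IntervalSeconds -MaxSamples $Samples)
    $t0 = $sets[0].Timestamp
    $x = @(); $y = @()
    foreach ($s in $sets) {
        $x += ($s.Timestamp - $t0).TotalSeconds
        $y += $s.CounterSamples[0].CookedValue / 1MB
    }
    $slopePerMin = (Get-LinearSlope -X $x -Y $y) * 60
    [pscustomobject]@{
        Samples       = $sets.Count
        DurationSec   = [math]::Round($x[-1], 1)
        StartMB       = [math]::Round($y[0], 1)
        EndMB         = [math]::Round($y[-1], 1)
        SlopeMBPerMin = [math]::Round($slopePerMin, 2)
        LikelyLeak    = ($slopePerMin -ge $LeakThresholdMBPerMin)
    }
}

# Run once with the suspect component enabled and once with it disabled.
Measure-NonpagedPoolGrowth -IntervalSeconds 2 -Samples 30
```

The rate reported earlier in the thread corresponds to a slope of roughly 30 MB/min; a healthy idle system should stay close to zero over the same window.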