Possible false positive for Likno Windows Web Modal

I downloaded the .exe install file for Likno Web Modal Windows Builder from the vendor. I scanned it with Comodo and it was clean. Upon install I get the following warning:

Liknomodalwindowsbuilder.dll tried to execute shell code as a result of a possible buffer overflow attack.

Vendor says file is fine and he’s submitted it to Comodo to clear this up, but I don’t want to risk a problem.

product version 5.3.181415.1237
virus database 8496

screen shots attached.

Has anyone else run into this? Best course of action?

Thanks,
JJ


False Positives don’t exist for buffer overflows. Either it happens, or it doesn’t. This isn’t something Comodo can fix, the developer needs to take a closer look at his code.

If however, you feel this application isn’t trying to do anything malicious, you can add it to the execution control exclusions.

Defense+ → Defense+ Settings → Execution Control Settings → Exclusions.

Thanks for the rapid reply. False positive was a poor choice of words and I understand your point. I was trying to convey the idea that perhaps the code is OK, but being trapped anyway. I will refer this back to the developer.
JJ

This response from the vendor:

I can verify that we do not have any code that causes a buffer overflow.
The problem is probably caused by the anti-■■■■■ software we are using (EXECryptor).
I guess that COMODO cannot unlock and review the code, causing the error you see.

After all, the protected dll file which is said to cause the attack is NOT even called during the installation. It is only copied at that time. Ed note: that’s apparently when it was ‘caught’ by Comodo. As previously stated, the exe file scans clean. Hope this helps.

The buffer overflow protection has nothing to do with not being able to open and scan a file.

From the Help file:

Detect Shellcode injections (i.e. Buffer overflow protection) - Enabling this setting turns on the buffer overflow protection.

A buffer overflow is an anomalous condition where a process/executable attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits.

Turning on buffer overflow protection instructs Comodo Internet Security to raise pop-up alerts in every event of a possible buffer overflow attack. You can allow or deny the requested activity raised by the process under execution depending on the reliability of the software and its vendor.

Comodo recommends users leave this setting enabled (Default = Enabled).

As I’ve mentioned in my post above, you can exclude this application from BO protection if you trust it.
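
The Help text above describes the mechanism in words; the following is an added example (not code from Comodo, Likno or anyone in this thread) that models it in C so the "overwrites adjacent memory locations" part can be seen. The frame is a constructed byte array standing in for a stack frame (a 16-byte fixed-length buffer followed by an 8-byte saved return address); the function names, the address constants and the attacker payload are all assumptions made for the illustration. Writes are clamped to the model frame so the example itself stays well defined, which a real overflow of course is not.

```c
/* Added example: a byte-array model of stack smashing.  Not real stack memory;
 * the layout, names and addresses below are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16
#define FRAME_LEN (BUF_LEN + sizeof(uint64_t))  /* buffer + saved return address */

/* Read the modelled saved return address back out of the frame. */
uint64_t saved_ret(const unsigned char *frame) {
    uint64_t v;
    memcpy(&v, frame + BUF_LEN, sizeof v);
    return v;
}

/* Zero the buffer and store a return address that points at legitimate code. */
void init_frame(unsigned char *frame, uint64_t ret) {
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &ret, sizeof ret);
}

/* Constructed attacker input: 16 filler bytes, then the address to divert to. */
size_t build_payload(unsigned char *out, uint64_t target) {
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &target, sizeof target);
    return FRAME_LEN;
}

/* Vulnerable: copies input_len bytes into the 16-byte buffer with no check.
 * Everything past BUF_LEN lands on the saved return address.  Returns the
 * return address as it stands after the copy. */
uint64_t copy_unchecked(unsigned char *frame, const unsigned char *input, size_t input_len) {
    size_t n = input_len < FRAME_LEN ? input_len : FRAME_LEN; /* clamp: keeps the model defined */
    memcpy(frame, input, n);  /* the attacker chose n, the programmer never checked it */
    return saved_ret(frame);
}

/* Hardened: refuse input that does not fit.  Returns 1 if copied, 0 if rejected. */
int copy_checked(unsigned char *frame, const unsigned char *input, size_t input_len) {
    if (input_len > BUF_LEN)
        return 0;
    memcpy(frame, input, input_len);
    return 1;
}

/* A crude after-the-fact check of the kind a BO/shellcode detector makes:
 * does control flow still return into the legitimate code range?  Returns 1
 * when the saved return address has left that range. */
int return_address_hijacked(const unsigned char *frame, uint64_t code_base, uint64_t code_size) {
    uint64_t ret = saved_ret(frame);
    return !(ret >= code_base && ret < code_base + code_size);
}

int main(void) {
    unsigned char frame[FRAME_LEN], payload[FRAME_LEN];
    const uint64_t legit_ret = 0x401000ULL;            /* assumed: inside the code range */
    const uint64_t code_base = 0x400000ULL, code_size = 0x10000ULL;
    size_t len = build_payload(payload, 0x7ffd0000ULL); /* assumed: a stack-like address */

    init_frame(frame, legit_ret);
    printf("before:    ret=%#llx\n", (unsigned long long)saved_ret(frame));
    copy_unchecked(frame, payload, len);
    printf("unchecked: ret=%#llx hijacked=%d\n", (unsigned long long)saved_ret(frame),
           return_address_hijacked(frame, code_base, code_size));

    init_frame(frame, legit_ret);
    int accepted = copy_checked(frame, payload, len);
    printf("checked:   accepted=%d ret=%#llx hijacked=%d\n", accepted,
           (unsigned long long)saved_ret(frame),
           return_address_hijacked(frame, code_base, code_size));
    return 0;
}
```

The unchecked copy leaves the frame returning to whatever the last eight bytes of the input said; the checked copy rejects the oversized input and the return address is untouched. Note that the detector-style check only fires after the damage is done, which is why a HIPS such as Defense+ watches for the execution that follows rather than for the overwrite itself, and why a packer stub that unpacks code into memory and jumps to it can look the same to it.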

Thanks, again. I can understand why you’d want to guard against these overflows.
JJ

Hello, this is Kostas from Likno Software (and developer of the Likno Web Modal Windows Builder application).

As I have told JJ, I can personally verify that there is no buffer overflow issue in the specific dll file (and believe me, I do know what “buffer overflow” is).

Even if there was a buffer overflow problem in this dll, it would be impossible for this to occur during installation where the file is simply copied-over! It could only occur while actually using the application as this is the only time the dll is accessed!

Moreover, we test our products with several of the top antivirus products and they come up clean in ALL of them. This alone suggests that there is a problem in your antivirus and not in our application.

As a final note, we have contacted you several times over the past three months regarding this issue and have yet to receive an answer from you. As you can understand, this is affecting our sales since many people out there trust your software and we never have a chance to tell them that this is a false positive. I urge you to finally take some steps in fixing this, as it is getting TOO MUCH when you insist that there is a buffer overflow just because you can’t be bothered to double-check (or even fully read) the user’s claims…

regards,
Kostas
Likno Support

Hello Kostas. Welcome to the forums.

I am running the mod preview of the upcoming CIS v5.4. I downloaded the latest version of Likno Windows Web Modal, v2.0.212, and installed it. I did not get the BO alert. It looks like the problem has been fixed.

If I understand you correctly you have been in contact with somebody from Comodo. With who have you been in contact about this issue? Can you send a pm with his name?

You weren’t by chance installing the application inside Sandboxie were you Eric?

I’ve installed the software in both 5.3 and 5.4 and get the buffer overflow alert. If I install it inside Sandboxie, no alert.

Edit: The screenshot below is from the CIS 5.4 preview.


No Sandboxie on my system. What OS are you on? I am on Win 7 x86. CIS Proactive Mode with D+ in Safe Mode and Sandbox enabled.

I downloaded all tools from their download page and found only two BO alerts for:
LiknoWebAccordionBuilder.dll
LiknoWebTabsBuilder.dll

My main system is Win XP Pro, SP3, x86. CIS 5.3, Internet Security Mode with D+ in Safe Mode, sandbox enabled and set to restricted.

I also tested this on a VM with the same OS and CIS settings, but it is running the 5.4 preview release. Both CIS versions had the BO alert during installation.

Interestingly, I also got the BO alert when uninstalling the application on my main system, but not on the VM.

I didn’t try all the tools, just the Web Modal Windows Builder.

I have been trading some pm’s with Likno Support. He told me “The problem appears in each product’s license-handling dll, which is protected with EXECryptor. We had antivirus problems in the past with files that were protected, which is why I assumed that this is what causes the problem now too.”

At Kostas. The BO alert is not from the AV scanner of CIS. It is from the H.I.P.S. Defense + which is a different animal. The BO alert only notices the buffer overflow and will alert the user that there is a situation where your computer could get compromised if the program holds a malicious payload. Your programs do not hold malicious payloads so they can be added to the exceptions of the BO detector.

The best way to get Comodo’s attention is to file a bug report about this, as this specific problem is about a potential bug in the BO detection. That would require a fix in coding, not in anti virus definitions.

I did a bit of testing and found I could trigger two BO alerts with Web Accordion. One is when I start the application, for LiknoWebAccordianBuilder.exe, and the other when starting the activation, for LiknoWebAccordianActivationTool.exe. I haven’t totally finished testing and there seems to be one scenario that I need to look into later; but it is getting late here. So for now I am going to hit the bed.

@EricJH, HeffeD

I really want to thank you for taking the time to do all this! Initially I thought you were Comodo “representatives” (i.e. employees). The fact that you do all this without even being paid for it is appreciated even more.

I did a further search in our email database and indeed the Comodo problems were all BO-related. Although in several cases there was a weird behavior: You double-click on the application (e.g. modal windows), the splash screen appears for a 10th of a second and then nothing… no errors, no messages, no Comodo warnings. Still, after disabling Comodo the application would run without any problems.

I have also verified that the problem exists at least for:

Likno Web Modal Windows Builder
Likno Drop Down Trees
AllWebMenus
Likno Web Tooltips Builder

Also I ran my own tests in a XP SP3 32-bit VM and I saw both the BO alert during installation and the non-opening behavior.

The BO alerts may be generated:

  1. during the application installation
  2. while starting the application
  3. when clicking on the “Compile” button (because it checks the license again)
  4. when trying to activate (warning on the separate “activator” executable)

@EricJH

The URL where I posted the case as a false-positive was:

and the “trusted vendors” URL was:

Where should I file the “bug report”? directly at “desktopsupport@comodo.com”, or is there a specific place/email?

Thanks again for all your help.

When testing a bit with Accordion I bumped into a similar or the same problem that I have not totally reproduced yet. It happens after starting the application several times in a row. After having started the application several times it won’t start again.

This is the sequence of testing:

  • Start Accordion, get a BO warning and choose Skip
  • The Wizard starts; close down the wizard, get a second BO warning and choose Skip
  • Go to Help → Enter Activation Code → Get BO warning and choose Skip → Cancel the wizard
  • Close the program

Last night I could do this sequence a couple of times until it would not start anymore; I was still in the pre testing phase last night trying to get a working test scenario for reproduction. Now after one such sequence it won’t start anymore. Adding LiknoWebAccordianBuilder.exe and LiknoWebAccordianActivationTool.exe to the BO (Execution Control Setting) Exclusions will suppress the alerts and the program will start successfully.

You can file a bug report in the Bug Reports - CIS board following the format as described in FORMAT & GUIDE - just COPY/PASTE it!

If one of your programs goes strange with CIS then try any of the workarounds in App. is not working correctly, but does not seem to be s/boxed. What to do? [v5]. When that does not solve strangeness you may be looking at a bug.

I am not familiar with your forums but I would suggest making a sticky topic about the CIS BO warning; people do not always know what that is and what the consequences are. Tell them that it is nothing but a warning for the situation where your system is vulnerable to a BO attack. But since your files do not contain a malware payload to abuse that vulnerability there is no danger, and the users can safely choose Skip and let CIS remember the answer.

BO alerts point to programming errors. A couple of years ago a programmer told me he used the, back then standalone, BO detector as part of his software testing. Gotta love that.